Closed Bug 83804 Opened 23 years ago Closed 22 years ago

N621, M098 & Trunk crashes [@ HaveDecodedRow]

Categories

(Core :: Graphics: ImageLib, defect, P1)

x86
All
defect

VERIFIED FIXED
mozilla1.0

People

(Reporter: dbaron, Assigned: nivedita)

Details

(Keywords: crash, testcase, topcrash+, Whiteboard: hitchhiker,[needs r=/sr=])

Attachments

(10 files, 3 obsolete files)

Talkback is reporting 2 different crashes in HaveDecodedRow (at a number of
different line numbers).  (These are showing up both before and after tor's
changes... I'll give a stack with line numbers for after.)

(was line 470)
HaveDecodedRow [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\nsGIFDecoder2.cpp line 505]
output_row [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\GIF2.cpp line 211]
do_lzw [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\GIF2.cpp line 400]
gif_write [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\GIF2.cpp line 825]

(was line 382)
HaveDecodedRow [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\nsGIFDecoder2.cpp line 413]
output_row [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\GIF2.cpp line 211]
do_lzw [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\GIF2.cpp line 400]
gif_write [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\GIF2.cpp line 825]
Keywords: crash
The problem is that GIF2.cpp allocates gs->rgbrow (line 1264)
as 3*width, while nsGIFDecoder2 assumes that the length is
nsImageFrame->GetImageBytesPerRows() (line 505).  The latter
can be bigger because nsImageFrame tries to word align rows.
Another allocation point for gs->rgbrow in GIF2.cpp - line 1304.
Taking bug.
Assignee: pavlov → tor
Status: NEW → ASSIGNED
r=pavlov
+    if (decoder->mRGBLine)
+      nsMemory::Free(decoder->mRGBLine);
+    decoder->mRGBLine = (PRUint8 *)nsMemory::Alloc(bpr);
+
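Review bot: the nsMemory::Alloc(bpr) result on the last added line is assigned to decoder->mRGBLine without a null check, and the previous buffer has already been freed by that point, so an allocation failure leaves the decoder holding a null row buffer. Check the result and bail out of the row handler on failure; keeping the allocated size next to the pointer would also let the buffer be kept when bpr has not grown.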

Are you freeing someone else's memory there?  That seems like an odd pattern
there.  Also, is it possible to just re-use the memory if it's the same size or
larger instead of reallocating?

Other than that, sr=blizzard
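
The size mismatch diagnosed earlier in this bug (row buffer allocated as 3*width, consumer assuming the frame's bytes per row) and the reuse suggestion in the review comment above, as an added C example that is not Mozilla's code. It assumes rows are padded to a 4-byte boundary; `row_buf`, `frame_bytes_per_row`, `consume_row` and the other names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the decoder's row buffer (not Mozilla's types). */
typedef struct {
    uint8_t *data;
    size_t   cap;            /* bytes actually allocated */
} row_buf;

/* Assumption: the frame pads each 24-bit row up to a 4-byte boundary. */
static size_t frame_bytes_per_row(size_t width)
{
    return (3 * width + 3) & ~(size_t)3;
}

/* Bytes read past the end when the producer allocates 3*width but the
   consumer copies frame_bytes_per_row(width). Zero when width % 4 == 0. */
static size_t overread(size_t width)
{
    return frame_bytes_per_row(width) - 3 * width;
}

/* Keep the buffer when it is already big enough; otherwise grow it.
   On failure the old buffer is left intact and -1 is returned. */
static int row_buf_reserve(row_buf *rb, size_t need)
{
    uint8_t *p;
    if (need == 0) return -1;
    if (rb->data != NULL && rb->cap >= need) return 0;
    p = realloc(rb->data, need);
    if (p == NULL) return -1;
    rb->data = p;
    rb->cap = need;
    return 0;
}

/* Consumer side: copies a full frame row, but only after checking that the
   producer's buffer really holds that many bytes. */
static int consume_row(uint8_t *frame_row, size_t bpr, const row_buf *src)
{
    if (src->data == NULL || src->cap < bpr) return -1;
    memcpy(frame_row, src->data, bpr);
    return 0;
}

/* alloc_frame_stride == 0: size the row buffer as 3*width (the mismatch).
   alloc_frame_stride != 0: size it as the frame's bytes per row. */
static int decode_and_store(size_t width, int alloc_frame_stride)
{
    row_buf rb = { NULL, 0 };
    size_t bpr;
    uint8_t *frame_row;
    int rc = -1;

    if (width == 0 || width > SIZE_MAX / 4) return -1;  /* 3*width+3 cannot wrap */
    bpr = frame_bytes_per_row(width);
    frame_row = malloc(bpr);
    if (frame_row != NULL &&
        row_buf_reserve(&rb, alloc_frame_stride ? bpr : 3 * width) == 0) {
        memset(rb.data, 0, rb.cap);
        rc = consume_row(frame_row, bpr, &rb);
    }
    free(rb.data);
    free(frame_row);
    return rc;
}

/* Returns 1 when a second, smaller request keeps the same allocation. */
static int reserve_reuses(void)
{
    row_buf rb = { NULL, 0 };
    uint8_t *first;
    int same;
    if (row_buf_reserve(&rb, 16) != 0) return 0;
    first = rb.data;
    same = row_buf_reserve(&rb, 8) == 0 && rb.data == first && rb.cap == 16;
    free(rb.data);
    return same;
}

int main(void)
{
    size_t w;
    for (w = 3; w <= 6; w++)
        printf("width=%zu 3*width=%zu bpr=%zu overread=%zu old=%d fixed=%d\n",
               w, 3 * w, frame_bytes_per_row(w), overread(w),
               decode_and_store(w, 0), decode_and_store(w, 1));
    return 0;
}
```

Under the 4-byte padding assumption, only widths that are not a multiple of 4 leave the 3*width buffer short of the frame's row length.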
a=blizzard for 0.9.1 and the trunk for drivers
Blocks: 83989
Checked into trunk and 0.9.1 branch.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
I'm using the 0.9.1 2001060614 build on Win 2000 and I just got this crash going
to a bugscape page.  According to talkback reports there have been 5 crashes (3
trunk and 2 branch) since 6/5 builds which is after this bug was marked fixed. 
So, I'm going to reopen this.  If someone thinks I'm seeing a different bug let
me know and I'll file a new one.  My incident id is (31425983) for those with
access and the stack is:

HaveDecodedRow [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\nsGIFDecoder2.cpp, line 508]
output_row [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\GIF2.cpp, line 210]
do_lzw [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\GIF2.cpp, line 399]
gif_write [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\GIF2.cpp, line 823]
nsGIFDecoder2::ProcessData [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\nsGIFDecoder2.cpp, line 208]
ReadDataOut [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\nsGIFDecoder2.cpp, line 156]
nsPipe::nsPipeInputStream::ReadSegments [d:\builds\seamonkey\mozilla\xpcom\io\nsPipe2.cpp, line 412]
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Too little data, especially since the win32 talkback line numbers aren't
accurate.  Is there talkback data from a linux or macos crash?  Crasher
URLs?
All of the crashes that occurred after your fix was checked in are on Win32.

Here are the sites mentioned:

2 of them occurred at http://bugscape.com (which are inside the Netscape
firewall so that won't help you out).

and 

www.elkhart.net/websites.html
http://www.plenum.com/
From today's talkback report 

     (31422028) URL: www.elkhart.net/websites.html
     (31406922) URL: http://bugscape.com/
     (31406922) Comments: filing bugs...
     (31382620) URL: http://www.plenum.com/
     (31382620) Comments: Mozilla crashed while downloading graphics
     (31373609) Comments: - www.iltalehti.fi -> crash
     (31257752) URL: www.netscape.com
     (31257752) Comments: Opening the Netscape home page.
     (31246127) URL: www.askmen.com
     (31174628) URL: http://linuxtoday.com
     (31174628) Comments: Scrolling through a webpage
     (31157659) Comments: no clue where/why it crashed...
     (31146747) Comments: crash loading a page
     (31092607) URL: www.usatoday.com
     (31092607) Comments: Clicked on the tech link

Comments from M091 builds

    (31425983) Comments: Went to a bugscape query list
    (31361691) Comments: Crashed after I entered a Bugscape bug
    (31233390) Comments: browsing borland community

Platforms?  Build #s?  Stacks?
Also you can check
http://ftp.mozilla.org/pub/data/crash-data/detailed-crash-analysis-all.html#HaveDecodedRow

  
HaveDecodedRow   24
     First BBID : 
http://climate/reports/stackcommentemail.cfm?dynamicBBID=31092607
     Last BBID  : 
http://climate/reports/stackcommentemail.cfm?dynamicBBID=31422028
     Min Runtime :187
     Max Runtime :534174
     Min seconds since last crash :8
     Max seconds since last crash :441539
     First Appearance Date : 2001-05-30
     Last Appearance Date : 2001-06-06
     First Build ID : 2001052909
     Latest Build ID : 2001060606

Stack Trace: 

HaveDecodedRow [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\nsGIFDecoder2.cpp line 508]
output_row [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\GIF2.cpp line 210]
do_lzw [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\GIF2.cpp line 399]
gif_write [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\GIF2.cpp line 823]
nsGIFDecoder2::ProcessData [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\nsGIFDecoder2.cpp line 208]
ReadDataOut [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\nsGIFDecoder2.cpp line 156]
nsInputStreamTee::WriteSegmentFun [d:\builds\seamonkey\mozilla\xpcom\io\nsInputStreamTee.cpp line 82]
nsInputStreamTee::ReadSegments [d:\builds\seamonkey\mozilla\xpcom\io\nsInputStreamTee.cpp line 138]
nsGIFDecoder2::WriteFrom [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\nsGIFDecoder2.cpp line 229]
imgRequest::OnDataAvailable [d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgRequest.cpp line 741]
ProxyListener::OnDataAvailable [d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgLoader.cpp line 387]
nsStreamListenerTee::OnDataAvailable [d:\builds\seamonkey\mozilla\netwerk\base\src\nsStreamListenerTee.cpp line 57]
nsHttpChannel::OnDataAvailable [d:\builds\seamonkey\mozilla\netwerk\protocol\http\src\nsHttpChannel.cpp line 2102]
nsOnDataAvailableEvent::HandleEvent [d:\builds\seamonkey\mozilla\netwerk\base\src\nsStreamListenerProxy.cpp line 185]
PL_HandleEvent [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c line 591]
PL_ProcessPendingEvents [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c line 524]
_md_EventReceiverProc [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c line 1072]
nsAppShellService::Run [d:\builds\seamonkey\mozilla\xpfe\appshell\src\nsAppShellService.cpp line 418]
netscp6.exe + 0x16b5 (0x004016b5)
netscp6.exe + 0x11b8 (0x004011b8)
netscp6.exe + 0x2ecd (0x00402ecd)
KERNEL32.DLL + 0x17d08 (0x77e97d08)
 


Ok, think I've found the problem.  Some invalid gifs have the transparency
bit set, but the transparent index is larger than the colormap.  In the
case of http://www.elkhart.net/go.gif the colormap is 32 entries but the
transparent index is 255.  The following patch adds bullet proofing.
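
The check this comment describes, as an added C example; it is not the patch attached to the bug, which this page does not show. It parses a constructed GIF header (not the file named above) with a 32-entry colormap and rejects a transparent index outside it; `gif_check_transparency`, `build_sample` and `check_sample` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { GIF_OK = 0, GIF_BAD_TRANSPARENT = 1, GIF_MALFORMED = -1 };

typedef struct {
    int cmap_entries;       /* colormap in effect for the first image */
    int has_transparency;   /* transparency bit of the Graphic Control Extension */
    int transparent_index;
} gif_info;

/* Walk the blocks up to the first image descriptor, then validate the index. */
static int gif_check_transparency(const uint8_t *p, size_t n, gif_info *out)
{
    size_t i = 13;          /* 6-byte signature + 7-byte logical screen descriptor */

    memset(out, 0, sizeof *out);
    if (n < 13 || (memcmp(p, "GIF89a", 6) != 0 && memcmp(p, "GIF87a", 6) != 0))
        return GIF_MALFORMED;
    if (p[10] & 0x80) {     /* global color table: 2^(size field + 1) entries */
        out->cmap_entries = 1 << ((p[10] & 0x07) + 1);
        i += 3 * (size_t)out->cmap_entries;
        if (i > n) return GIF_MALFORMED;
    }
    while (i < n) {
        uint8_t tag = p[i++];
        if (tag == 0x21) {                      /* extension introducer */
            if (i >= n) return GIF_MALFORMED;
            if (p[i++] == 0xF9) {               /* Graphic Control Extension */
                /* layout: size (=4), packed, delay lo, delay hi, index */
                if (n - i < 5 || p[i] != 4) return GIF_MALFORMED;
                out->has_transparency = p[i + 1] & 0x01;
                out->transparent_index = p[i + 4];
            }
            for (;;) {                          /* skip data sub-blocks */
                size_t len;
                if (i >= n) return GIF_MALFORMED;
                len = p[i++];
                if (len == 0) break;
                if (len > n - i) return GIF_MALFORMED;
                i += len;
            }
        } else if (tag == 0x2C) {               /* image descriptor */
            if (n - i < 9) return GIF_MALFORMED;
            if (p[i + 8] & 0x80)                /* local table replaces global */
                out->cmap_entries = 1 << ((p[i + 8] & 0x07) + 1);
            /* valid indices are 0 .. cmap_entries-1, so the test is >=, not > */
            if (out->has_transparency &&
                out->transparent_index >= out->cmap_entries)
                return GIF_BAD_TRANSPARENT;
            return GIF_OK;
        } else {
            return GIF_MALFORMED;               /* trailer or junk before any image */
        }
    }
    return GIF_MALFORMED;
}

/* Constructed sample: 1x1 GIF89a header with a 32-entry global color table,
   a GCE with the transparency bit set, and an image descriptor. Pixel data
   is omitted because the check never reads it. */
static size_t build_sample(uint8_t *buf, size_t cap, uint8_t transparent_index)
{
    static const uint8_t head[13] = { 'G','I','F','8','9','a', 1,0, 1,0,
                                      0x84 /* table present, size field 4 */, 0, 0 };
    static const uint8_t gce[8]  = { 0x21, 0xF9, 4, 0x01, 0, 0, 0 /* index */, 0 };
    static const uint8_t img[10] = { 0x2C, 0,0, 0,0, 1,0, 1,0, 0x00 };
    size_t n = 0;

    if (cap < sizeof head + 96 + sizeof gce + sizeof img) return 0;
    memcpy(buf, head, sizeof head);     n += sizeof head;
    memset(buf + n, 0, 96);             n += 96;    /* 32 entries * 3 bytes */
    memcpy(buf + n, gce, sizeof gce);
    buf[n + 6] = transparent_index;     n += sizeof gce;
    memcpy(buf + n, img, sizeof img);   n += sizeof img;
    return n;
}

/* Build the sample, optionally truncate it to `limit` bytes, and check it. */
static int check_sample(uint8_t transparent_index, size_t limit)
{
    gif_info info;
    uint8_t buf[160];
    size_t n = build_sample(buf, sizeof buf, transparent_index);
    if (limit < n) n = limit;
    return gif_check_transparency(buf, n, &info);
}

int main(void)
{
    printf("32 entries, index 255: %d\n", check_sample(255, SIZE_MAX));
    printf("32 entries, index 31:  %d\n", check_sample(31, SIZE_MAX));
    return 0;
}
```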
r=pavlov
For what it's worth, r=jesup (though I'd prefer to have less lines of
indentation change than actual change)
In Windows NT 4.0, following URL did not crash for me.
http://www.elkhart.net/go.gif
Should there be a respin, we would consider taking this.  Please be ready, just
in case :-)  Thanks!
Whiteboard: hitchhiker
Target Milestone: --- → mozilla0.9.1
I've looked at the code and I'm pretty sure that it isn't supposed to be a <=
instead of a < but you might want to check to make sure.  Assuming that's the
case sr=blizzard.
a= asa@mozilla.org for checkin to the trunk.
(on behalf of drivers)
Checked into trunk.
Keywords: crash
Status: REOPENED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
From the talkback data this particular bug (~ line 508) appears fixed on
the trunk.  Resolving.
Verified, no crash on any of the links listed here w2k build 2001080904
Status: RESOLVED → VERIFIED
Reopening this bug since Netscape 6.10 RTM Talkback data is showing this as a
topcrasher.  The line numbers have changed on the stack, but otherwise the
latest stack traces are the same as the one originally reported.  Here's the
latest data:

HaveDecodedRow   318
			 83804 	 VERI 	 FIXE 	 tor@acm.org mozilla0.9.1 
     First BBID :33861002
     Last BBID  :34030690
     Min Runtime :2
     Max Runtime :519853
     First Appearance Date : 2001-08-08
     Last Appearance Date : 2001-08-13
     First BuildID : 2001072623
     Last BuildID : 2001072700

Stack Trace: 

HaveDecodedRow [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\nsGIFDecoder2.cpp line 416]
output_row [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\GIF2.cpp line 210]
do_lzw [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\GIF2.cpp line 399]
gif_write [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\GIF2.cpp line 826]
nsGIFDecoder2::ProcessData [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\nsGIFDecoder2.cpp line 208]
ReadDataOut [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\nsGIFDecoder2.cpp line 156]
nsInputStreamTee::WriteSegmentFun [d:\builds\seamonkey\mozilla\xpcom\io\nsInputStreamTee.cpp line 82]
nsInputStreamTee::ReadSegments [d:\builds\seamonkey\mozilla\xpcom\io\nsInputStreamTee.cpp line 138]
nsGIFDecoder2::WriteFrom [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\nsGIFDecoder2.cpp line 229]
imgRequest::OnDataAvailable [d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgRequest.cpp line 741]
ProxyListener::OnDataAvailable [d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgLoader.cpp line 387]
nsStreamListenerTee::OnDataAvailable [d:\builds\seamonkey\mozilla\netwerk\base\src\nsStreamListenerTee.cpp line 57]
nsHttpChannel::OnDataAvailable [d:\builds\seamonkey\mozilla\netwerk\protocol\http\src\nsHttpChannel.cpp line 2150]
nsOnDataAvailableEvent::HandleEvent [d:\builds\seamonkey\mozilla\netwerk\base\src\nsStreamListenerProxy.cpp line 188]
PL_HandleEvent [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c line 591]
PL_ProcessPendingEvents [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c line 524]
nsEventQueueImpl::ProcessPendingEvents [d:\builds\seamonkey\mozilla\xpcom\threads\nsEventQueue.cpp line 375]

Source File : http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/libpr0n/decoders/gif/nsGIFDecoder2.cpp line : 416

I have attached all the user comments and urls submitted.
Status: VERIFIED → REOPENED
Resolution: FIXED → ---
Summary: crashes [@ HaveDecodedRow] → N610 crashes [@ HaveDecodedRow]
This also is a topcrasher for M093 (MozillaTrunk Win32 build 2001080112 and
Linux build 2001080104).  Recent MozillaTrunk builds are crashing too, here is
the most recent incident:

Incident ID 34994341
Stack Signature HaveDecodedRow() 37884bdc
Bug ID
Trigger Time 2001-09-05 15:23:31
Email Address
User Comments
Build ID 2001090508
Product ID MozillaTrunk
Platform ID LinuxIntel
Trigger Reason SIGSEGV: Segmentation Fault: (signal 11)
Stack Trace
HaveDecodedRow()
output_row()
do_lzw()
gif_write()
nsGIFDecoder2::ProcessData()
ReadDataOut()
ReadSegments()
nsGIFDecoder2::WriteFrom()
imgRequest::OnDataAvailable()
ProxyListener::OnDataAvailable()
nsJARChannel::OnDataAvailable()
nsOnDataAvailableEvent::HandleEvent()
nsARequestObserverEvent::HandlePLEvent()
PL_HandleEvent()
PL_ProcessPendingEvents()
nsEventQueueImpl::ProcessPendingEvents()
NS_ShutdownXPCOM()
main()
libc.so.6 + 0x18736 (0x2aede736) 

and a recent Win32 crash with line numbers:

Incident ID 34652988
Stack Signature HaveDecodedRow 2d25614d
Bug ID
Trigger Time 2001-08-28 18:45:24
Email Address ssaux@netscape.com
User Comments
Build ID 2001082809
Product ID MozillaTrunk
Platform ID Win32
Trigger Reason Access violation
Stack Trace
HaveDecodedRow [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\nsGIFDecoder2.cpp, line 416]
output_row [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\GIF2.cpp, line 210]
do_lzw [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\GIF2.cpp, line 399]
gif_write [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\GIF2.cpp, line 826]
nsGIFDecoder2::ProcessData [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\nsGIFDecoder2.cpp, line 208]
ReadDataOut [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\nsGIFDecoder2.cpp, line 156]
nsPipe::nsPipeInputStream::ReadSegments [d:\builds\seamonkey\mozilla\xpcom\io\nsPipe2.cpp, line 412]


Summary: N610 crashes [@ HaveDecodedRow] → N610, M093 & Trunk crashes [@ HaveDecodedRow]
From the disassembly and registers in the talkback (#34652988) it's pretty clear
that the crash is on line 412 (the Windows talkback C++ next-line bias), where
decoder->mImageFrame is null, and we attempt to call decoder->mImageFrame->Init().

The disassembly is the following.  Talkback only shows *starting* with the line
that we crashed on, so the crash is on the first of the following lines, with
ECX null (comments are mine):

604e15a0 8b11             mov     edx,[ecx]                  ; load vtable ptr.
604e15a2 ffb0ac000000     push    dword ptr [eax+0xac]       ; width
604e15a8 ffb0a4000000     push    dword ptr [eax+0xa4]       ; y_offset
604e15ae ffb0a0000000     push    dword ptr [eax+0xa0]       ; x_offset
604e15b4 51               push    ecx                        ; this
604e15b5 ff520c           call    dword ptr [edx+0xc]        ; call Init
604e15b8 8b4608           mov     eax,[esi+0x8]
604e15bb ff37             push    dword ptr [edi]
604e15bd 8b08             mov     ecx,[eax]

Is it possible for this CreateInstance to fail?  It looks like a standard
generic factory constructor.
added qawanted keyword
Keywords: qawanted
6 of today's 10 crash reports for this bug are at this offset:
HaveDecodedRow 2d25614d

The comments associated with those crashes are:

(35485141)
Comments: after having viewed an HTML page containing CSS  I have Clicked File
-> Exit. Mozilla seems to have frozen a couple of minutes  then has generated an
error log.

(35412010)
Comments: switch to modern theme.



updating summary.
Could someone review the target milestone?
Summary: N610, M093 & Trunk crashes [@ HaveDecodedRow] → N610, M094 & Trunk crashes [@ HaveDecodedRow]
any 0.9.4 data on this one?
A quick scan of the M094 data shows 22 incidents, only these with comments:

(36020424) - Windows 95  4.0 build 67109975      Comment: I was closing Mozilla 
Windows quickly in sucession as the pop'ed up continously
(36061236) - Windows 98  4.10 build 67766446     Comment: Closing the browser.
(36103703) - Windows NT  4.0 build 1381  Comment: Exiting Mozilla.
  URL: http://www.station.sony.com/
(36031057) - Linux 2.2.14        Comment: I went directly to this page through a 
bookmark.  Then I clicked on the `close window' link at the bottom.  There was 
only one window open and it closed  quitting Mozilla and prompting the feedback 
agent.
  URL: http://www.anandtech.com/printarticle.html?i=1535
(36066237) - Linux 2.4.5         Comment: Closin down site that opened several 
javascript windows with the javascript console open
Today's M094 data shows this happening on Linux also.
   3 Windows NT  5.0 build 2195
   3 Windows 98  4.10 build 67766446
   3 Windows 98  4.10 build 67766222
   2 Windows NT  4.0 build 1381
   1 Windows NT  5.1 build 2600
   1 Windows 98  4.90 build 73010104
   1 Windows 95  4.0 build 67109975
   1 Linux 2.4.8-24mdk
   1 Linux 2.4.8
   1 Linux 2.4.5
   1 Linux 2.4.2-2
   1 Linux 2.4.10-xfs
   1 Linux 2.4.10
   1 Linux 2.2.16-22
   1 Linux 2.2.1

Updating platform. Win98 -> All
OS: Windows 98 → All
Assignee: tor → pavlov
Status: REOPENED → NEW
From dbaron's comment on 2001-09-05, this appears to be a pr0n/gfx2 container
problem.  Reassigning to pavlov.
The last crash in the talkback database for this stack sig was in build
2001101705 on N6.20.  Other crashes on the Mozilla Branch and trunk are from
even earlier builds.  This has not shown up at all so far in M095.
Target Milestone: mozilla0.9.1 → ---
Topcrash in N620

 Count   Offset    Real Signature
[ 198   HaveDecodedRow db38fc36 - HaveDecodedRow ]
 
     Crash date range: 2001-11-05 to 2001-11-13
     Min/Max Seconds since last crash: 23 - 109248
     Min/Max Runtime: 23 - 152191
     Keyword List : load(5), log(6), mail(5), netscape(10), shut(6), sign(5),
browser(7),  
     Count   Platform List 
     81   Windows 98 4.10 build 67766446
     57   Windows 98 4.90 build 73010104
     32   Windows 98 4.10 build 67766222
     23   Windows NT 5.0 build 2195
     5   Windows 95 4.0 build 67306684
     1   Windows 95 4.0 build 67109814
 
     Count   Build Id List 
     199   2001102218
 
     No of Unique Users       197
 
 Stack trace(Frame) 

HaveDecodedRow [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\nsGIFDecoder2.cpp line 416]
output_row [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\GIF2.cpp line 210]
do_lzw [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\GIF2.cpp line 399]
gif_write [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\GIF2.cpp line 826]
nsGIFDecoder2::ProcessData [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\nsGIFDecoder2.cpp line 208]
ReadDataOut [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\nsGIFDecoder2.cpp line 156]
nsInputStreamTee::WriteSegmentFun [d:\builds\seamonkey\mozilla\xpcom\io\nsInputStreamTee.cpp line 82]
nsInputStreamTee::ReadSegments [d:\builds\seamonkey\mozilla\xpcom\io\nsInputStreamTee.cpp line 138]
nsGIFDecoder2::WriteFrom [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\nsGIFDecoder2.cpp line 229]
imgRequest::OnDataAvailable [d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgRequest.cpp line 795]
ProxyListener::OnDataAvailable [d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgLoader.cpp line 466]
nsStreamListenerTee::OnDataAvailable [d:\builds\seamonkey\mozilla\netwerk\base\src\nsStreamListenerTee.cpp line 57]
nsHttpChannel::OnDataAvailable [d:\builds\seamonkey\mozilla\netwerk\protocol\http\src\nsHttpChannel.cpp line 2226]
nsOnDataAvailableEvent::HandleEvent [d:\builds\seamonkey\mozilla\netwerk\base\src\nsStreamListenerProxy.cpp line 188]
PL_HandleEvent [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c line 591]
PL_ProcessPendingEvents [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c line 524]
nsEventQueueImpl::ProcessPendingEvents [d:\builds\seamonkey\mozilla\xpcom\threads\nsEventQueue.cpp line 375]


COMMENTS/URLs:
 
     (37984704)	URL: www.neopets.com
     (37982610)	Comments: WHY do I always have trouble with netscape????????
     (37981031)	Comments: I am not able to open the taskbar and get to Email.I also need to
reset the time I want to stay connected to my Internet.
     (37978915)	Comments: going back to look a nother page
     (37970886)	Comments: Iwas shuttingdown the browzer to see if could activate from my
start buttons at bottom of the screen when I got the illegal operation screen. 
 Also the 6.2 down load should have way of linking with the old browzers.  Ie
4.7 so as to make the operation
     (37970886)	Comments:  transparent.
     (37968796)	Comments: i was logging off
     (37962779)	URL: netscape.com
     (37962779)	Comments: exiting Netscape
     (37946895)	Comments: signing on - this happened 2 X
     (37942208)	URL: www.roxio.de
     (37942208)	Comments: I load down www.roxio.de. It did'nt install.Rudi Witzke
     (37929187)	URL: www.llbean.com
     (37929187)	Comments: checking order
     (37927757)	Comments: i don't know....this always happens
     (37924317)	Comments: logging off
     (37919166)	Comments: i was closing a with the X a light encrypted page from www.kpn.nl
     (37914088)	Comments: Loading Java 1.3.1
     (37913189)	Comments: ...while browsing
     (37905330)	Comments: signing off
     (37897930)	Comments: shutting down 6.2
     (37895875)	URL: www.cnn.com
     (37895875)	Comments: trying to leave cnn.com and move to www.drudgereport.com
     (37888277)	Comments: doing a log-in to Netscape
     (37886634)	Comments: shuting dowm my e-mail
     (37881572)	Comments: I just opened it!
     (37877910)	Comments: closing window
     (37858758)	Comments: Only came up with stack dump after I closed the website. I was
personalizing the site to fit my needs.
     (37853054)	Comments: Closing the browser
     (37851517)	Comments: signing off the net
     (37850781)	Comments: closing it out. My O.S. here is Windows 2000.
     (37839139)	Comments: logging off internet
     (37837648)	Comments: trying to sign on.
     (37837028)	Comments: I am trying to get into my Email at yahoo and your stupid product
freezes out my keyboard. I wish I had never installed it. I give up on Netscape.
I will just use explorer.
     (37836071)	Comments: signing off netscape 6.2
     (37830824)	Comments: shutting down messenger.
     (37828055)	Comments: navigating
     (37827470)	Comments: shuting down browser
     (37825674)	Comments: failed during startup
     (37820259)	Comments: closing the browser
     (37815992)	Comments: I used the - x - in top  right corner to close netscape and it did
close properly...(visually anyway)??
     (37811874)	Comments: nothing  just connecting to internet & fault message came on 
     (37787863)	Comments: loading 6.2
     (37786639)	Comments: reading my email
     (37773722)	Comments: Exiting Netscape
     (37765708)	Comments: loggin off
     (37763930)	Comments: I was just clicking the browser off when it happened
     (37712340)	Comments: the program error thing popped up and said netscp6.exe. has
generated errors and will be closed by windows...you will need to restart the
program....an error log is being created
     (37710649)	Comments: shutting netscape down.
     (37696407)	URL: www.surnet.cl
     (37677600)	Comments: closing the program
     (37672884)	Comments: just exiting netscape
     (37666634)	Comments: Closing browser with "X" button.
     (37637023)	Comments: closing out from my mail and a new download from netscape
     (37610498)	Comments: browsing go.com
     (37592996)	Comments: was closing browser...
     (37589284)	URL: www.worldnet.att.net
     (37589284)	Comments: I closed the browser after having opened it to that URL.  Upon
closing the window  it crashed.

Summary: N610, M094 & Trunk crashes [@ HaveDecodedRow] → N620, M094 & Trunk crashes [@ HaveDecodedRow]
Whiteboard: hitchhiker → hitchhiker [tucson]
Attached file Bug notes
Updated Bug Notes From Tucson Beta
here is another that's probably related
http://www.harry.wp.pl/

the crashing pic is http://www.harry.wp.pl/i/p.gif which is a 37b file with what
looks like a GIF89a header

*** Bug 121320 has been marked as a duplicate of this bug. ***
*** Bug 122164 has been marked as a duplicate of this bug. ***
Attached N621 talkback data...which contains A LOT of user comments and urls to
help with testing.
Updating summary with N621 (this is a topcrasher with Netscape 6.21) and M097
(this crash is still around with Mozilla 0.9.7).  Any progress on this?  It
looks like we have a reproducible testcase but there isn't a target milestone yet!?
Summary: N620, M094 & Trunk crashes [@ HaveDecodedRow] → N621, M097 & Trunk crashes [@ HaveDecodedRow]
Target Milestone: --- → Future
Are you sure we should be futuring this?

According to Talkback, it's showing up a bunch in Netscape 6.2 and Mozilla 0.9.8
builds.  In addition, it's still showing up in the trunk as late as the 2/6
build.  This is definitely a top crash.  Adding nsbeta1 for reconsideration.  If
there's some info we don't have about why this should be futured, please update
the bug.
Keywords: nsbeta1
This patch adds a check to prevent the crash, but I am not sure why in the
first place the global_colormap is 0x0.
*** Bug 124719 has been marked as a duplicate of this bug. ***
Giving to nivedita
Assignee: pavlov → nivedita
Target Milestone: Future → ---
taking back
Assignee: nivedita → pavlov
Comment on attachment 68743 [details] [diff] [review]
Patch for crash on http://www.harry.wp.pl/

r=pavlov
Attachment #68743 - Flags: review+
can someone please sr= this?
Adding testcase since we have a repro testcase...and a patch!  It's been a week
and Pav still hasn't gotten his sr= !  Are we going to get this into M099?  

We still don't have the priority or milestone set...perhaps that's why this has
been overlooked?
Keywords: qawanted → testcase
Status: NEW → ASSIGNED
Keywords: patch
Target Milestone: --- → mozilla0.9.9
If that was causing a crash, wouldn't the loop just after that also have
problems with the NULL cmap?
It does not crash because *rowBufIndex == decoder->mGIFStruct->tpixel, both are
0 in case of the crash gif. But it will be a good idea to have a check here too.
But can someone who knows the gif portion of the code tell us why cmap is 0x0
for a transparent gif?
Keywords: nsbeta1 → nsbeta1+
This bug has a patch (with a review) that has been sitting around since 2/9. The 
bug is targeted for M099. This needs to happen quickly.

Updating the summary and status.
Currently crashing:
N621 (HaveDecodedRow):      802
M097 (HaveDecodedRow):        2
M098 (HaveDecodedRow):       10
Trunk (HaveDecodedRow):       2

Keywords: topcrash → topcrash+
Summary: N621, M097 & Trunk crashes [@ HaveDecodedRow] → N621, M098 & Trunk crashes [@ HaveDecodedRow]
Whiteboard: hitchhiker [tucson] → hitchhiker [tucson], seeking sr=/a=
Setting priority to P1 to get some traction on this.  It's targeted for M099,
has a patch ready and is a nsbeta1+ and topcrash+...if this doesn't get into
M099 we're gonna have to move up the target milestone to 1.0.
Priority: -- → P1
giving to nivedita for investigation.  can you please find out why cmap is null
in the transparent gif?
Assignee: pavlov → nivedita
Status: ASSIGNED → NEW
Attachment #68743 - Flags: needs-work+
Yeah, http://www.harry.wp.pl/i/p.gif definitely crashes for me:

 Incident ID 3966484   
Stack Signature  HaveDecodedRow 902cc80c
Trigger Time 2002-03-12 16:14:09
Email Address jpatel@netscape.com
URL visited mail/news
Build ID 2002030710
Product ID MozillaTrunk
Platform
Operating System Win32
Module
Trigger Reason Access violation
User Comments reproducing bug 83804
Stack Trace
HaveDecodedRow
[d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\nsGIFDecoder2.cpp,
line 516]
output_row [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\GIF2.cpp,
line 234]
do_lzw [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\GIF2.cpp, line 363]
gif_write [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\GIF2.cpp,
line 1126]
nsGIFDecoder2::ProcessData
[d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\nsGIFDecoder2.cpp,
line 251]
ReadDataOut
[d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\nsGIFDecoder2.cpp,
line 196]
nsInputStreamTee::WriteSegmentFun
[d:\builds\seamonkey\mozilla\xpcom\io\nsInputStreamTee.cpp, line 97] 

And I also crashed running a fresh build under purify...not sure how helpful
this is, but here's a section from the log:

[E] NPR: NULL pointer read in nsCOMPtr_base::~nsCOMPtr_base(void) {1 occurrence}
        Reading 1 byte from 0x00000000 (1 byte at 0x00000000 illegal)
        Address 0x00000000 points into invalid memory 
        Thread ID: 0x36c
        Error location
            nsCOMPtr_base::~nsCOMPtr_base(void) [imggif.dll]
            nsCOMPtr_base::~nsCOMPtr_base(void) [imggif.dll]
            nsCOMPtr_base::~nsCOMPtr_base(void) [imggif.dll]
            nsCOMPtr_base::~nsCOMPtr_base(void) [imggif.dll]
            nsCOMPtr_base::~nsCOMPtr_base(void) [imggif.dll]
            nsCOMPtr_base::~nsCOMPtr_base(void) [imggif.dll]
            NS_NewTypicalIOFileStream [xpcom.dll]
            TestSegmentedBuffer(void) [xpcom.dll]
            NS_NewTypicalIOFileStream [xpcom.dll]
            nsCOMPtr_base::~nsCOMPtr_base(void) [imggif.dll]
I peeked into headers of this image and found that the Global Color Table Flag 
is zero, that would mean this image would not provide Global Color Table and 
that the interpretation of Background Color Index would be meaningless.
In the code we check if the globalcolorflag is 1 then set the state as 
gif_global_colormap and get data, which is fine I think. 

I think we should check for decoder->mGIFStruct->global_colormap or cmap being 
null in all the places it is referenced in nsGIFDecoder2.cpp that would avoid 
crash for all the cases when the globalcolortable flag is 0 .

pavlov,
please convey your thoughts on above.
nivedita: go ahead and create for the scenario you have just described and let
us test it out. If it fixes the crash we can incorporate it into 1.0.
Target Milestone: mozilla0.9.9 → mozilla1.0
yes, this sounds fine.
Added a check for globalcolortable being null in nsGIFDecoder.
Whiteboard: hitchhiker [tucson], seeking sr=/a= → hitchhiker [tucson], seeking sr=/a=[needs r=/sr=]
The test case gif which was causing the crash.
Nivedita: Is it worth moving the cmap test outside of the for loop?

@@ -517,7 +522,7 @@
         memset(decoder->mAlphaLine, 0, abpr);
         PRUint32 iwidth = (PRUint32)width;
         for (PRUint32 x=0; x<iwidth; x++) {
-          if (*rowBufIndex != decoder->mGIFStruct->tpixel) {
+          if (*rowBufIndex != decoder->mGIFStruct->tpixel && cmap) {
 #if defined(XP_PC) || defined(XP_BEOS) || defined(MOZ_WIDGET_PHOTON)
             *rgbRowIndex++ = cmap[PRUint8(*rowBufIndex)].blue;
             *rgbRowIndex++ = cmap[PRUint8(*rowBufIndex)].green;
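Review bot: in the changed `if` inside the `for` loop, `&& cmap` is re-evaluated for every pixel even though `cmap` does not change during the loop, and when it is null a non-transparent index silently takes the same path as a transparent one. The only clearing visible in this hunk is `memset(decoder->mAlphaLine, 0, abpr)`, so it is not evident from these lines what the RGB row holds for those pixels. Test `cmap` once before the loop and give the null case its own branch that leaves the row in a defined state.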
patch file for avoiding the crash if the global color table flag is 0
Attachment #74053 - Attachment is obsolete: true
One thought - should we be filling in the non-cmap areas?  Otherwise we'll
just see whatever garbage was in memory.  In the _A1 case the rows should be
marked transparent (likely the intended effect of that small gif).
Incorporated comments given by Tor. 
Tor,
In the _A1 case, setting the TransparentColor to default if cmap is null.
we are already filling decoder->mRGBLine and decoder->mAlphaLine to 0. If this
was what you intended in your first comment. If I am mistaken in understanding
your first comment, can you please clarify it further.
Attachment #74070 - Attachment is obsolete: true
Looks good.  The one thing I'd suggest is zeroing out the rgb line in the
RGB and BGR cases if there isn't a cmap.  Ie.:

if (cmap) {
  ...
} else {
  memset(decoder->mRGBLine, 0, bpr);
}
Incorporated comments given by Tor. setting decoder->mRGBLine to zero for RGB
and BGR cases if cmap is null.
Attachment #74496 - Attachment is obsolete: true
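The two points raised in this thread (a GIF whose Global Color Table Flag is clear leaves the colormap pointer null, and the RGB row should be zeroed in that case) can be shown in a small stand-alone sketch. This is an added example, not the nsGIFDecoder2.cpp patch; `rgb_t`, `gif_global_colormap_entries`, `convert_row` and the sample header bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

typedef struct { uint8_t red, green, blue; } rgb_t;  /* hypothetical colormap entry */

/* Constructed 13-byte header + logical screen descriptor: 1x1 image,
   packed byte 0x00, so the Global Color Table Flag (bit 7) is clear. */
static const uint8_t SAMPLE_NO_GCT[13] =
    { 'G','I','F','8','9','a', 1,0, 1,0, 0x00, 0, 0 };

/* Returns the number of global color table entries, 0 when the flag is
   clear, or -1 when the buffer is not a GIF header. */
int gif_global_colormap_entries(const uint8_t *p, size_t len)
{
    if (len < 13 || (memcmp(p, "GIF87a", 6) && memcmp(p, "GIF89a", 6)))
        return -1;
    uint8_t packed = p[10];
    if (!(packed & 0x80))
        return 0;                       /* no table follows: cmap stays NULL */
    return 1 << ((packed & 0x07) + 1);  /* table size is 2^(N+1) entries */
}

/* Expands one row of palette indices to RGB. Returns pixels written,
   or -1 when the output row is too small for 3 bytes per pixel. */
int convert_row(const uint8_t *idx, size_t width, const rgb_t *cmap,
                size_t cmap_len, int tpixel, uint8_t *rgb, size_t bpr)
{
    if (width > bpr / 3)
        return -1;
    memset(rgb, 0, bpr);                /* row is defined whatever happens next */
    if (!cmap)
        return 0;                       /* tested once, outside the loop */
    int written = 0;
    for (size_t x = 0; x < width; x++) {
        if (idx[x] == tpixel || (size_t)idx[x] >= cmap_len)
            continue;                   /* transparent or out-of-table index */
        rgb[3 * x]     = cmap[idx[x]].red;
        rgb[3 * x + 1] = cmap[idx[x]].green;
        rgb[3 * x + 2] = cmap[idx[x]].blue;
        written++;
    }
    return written;
}
```
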
Comment on attachment 74513 [details] [diff] [review]
Incorporated the comments given by Tor

sr=tor
Attachment #74513 - Flags: superreview+
Whiteboard: hitchhiker [tucson], seeking sr=/a=[needs r=/sr=] → hitchhiker,[needs r=/sr=]
Comment on attachment 74513 [details] [diff] [review]
Incorporated the comments given by Tor

r=pavlov
Attachment #74513 - Flags: review+
Comment on attachment 74513 [details] [diff] [review]
Incorporated the comments given by Tor

a=dbaron for trunk checkin
Attachment #74513 - Flags: approval+
fixed with check in 
D:\mozilla_trunk\mozilla\modules\libpr0n\decoders\gif>cvs commit nsGIFDecoder2.cpp
Checking in nsGIFDecoder2.cpp;
/cvsroot/mozilla/modules/libpr0n/decoders/gif/nsGIFDecoder2.cpp,v  <--  nsGIFDecoder2.cpp
new revision: 1.34; previous revision: 1.33
done
Status: NEW → RESOLVED
Closed: 23 years ago → 22 years ago
Resolution: --- → FIXED
Verified Fix checked into lxr.mozilla.org
Status: RESOLVED → VERIFIED
Crashtest added as part of http://hg.mozilla.org/mozilla-central/rev/5a6def05ccbc
Flags: in-testsuite+
Crash Signature: [@ HaveDecodedRow]