Closed Bug 89595 Opened 24 years ago Closed 24 years ago

Browser crashes each time while showing this page - Trunk [@ MSVCRT.DLL - nsInputStreamTee::WriteSegmentFun]

Categories

(Core :: Graphics: ImageLib, defect, P2)

Product:
Core
Component:
Graphics: ImageLib
Platform:
x86
All
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.0

People

(Reporter: markovitch, Assigned: pavlov)

References

(
URL
)

Details

(Keywords: crash, topcrash, Whiteboard: [ETA 06/27])

Crash Data

Attachments

(2 files, 2 obsolete files)

Patch to always return NS_OK to the pipe code
2.92 KB, patch
Details | Diff | Splinter Review
Updated patch
2.94 KB, patch
dougt
: review+
darin.moz
: superreview+
roc
: approval+
Details | Diff | Splinter Review
From Bugzilla Helper: User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.2) Gecko/20010628 BuildID: 2001062815 Browser crashes each time while showing the chart picture on the page http://gcc.gnu.org/benchresults/aov.html Reproducible: Always Steps to Reproduce: 1. Open the URL Actual Results: Browser crashes with standard OS "illegal memory access" dialog box.
confirmed on w2k 2001070404 TB32593748E
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash
It's the image. TB32593953W -> ImageLib Netscape 4.77 shows half of the image, Internet Explorer shows nothing
URL: http://gcc.gnu.org/benchresults/aov.htmlhttp://gcc.gnu.org/benchresults/img/a...
Component: Browser-General → ImageLib
WFM Linux 2001070206 and 20010705 (cvs). Well, WFM as in "displays half an image."
Confirmed, linux, 0.9.2 Talkback: TB32596438Q
OS: Windows 2000 → All
Incident ID 32596438 Stack Signature libc.so.6 + 0x2ce54 (0x404eae54) 0d130da9 Bug ID Trigger Time 2001-07-06 09:41:19 User Comments was seeing a webpage of gnu (listed at a recent bug) Build ID 2001062823 Product ID Netscape6.10 Platform ID LinuxIntel Stack Trace libc.so.6 + 0x2ce54 (0x404eae54)
Looks too similar like bug 88744 (the stack trace)
WFM on Solaris Build 2001070522. --Roy
reassign.
Assignee: asa → pavlov
QA Contact: doronr → tpreston
Crash on 0.9.2 branch 20010706 build with WindowsME. Talback incident ID TB32606402Z
*** Bug 89746 has been marked as a duplicate of this bug. ***
over to dougt. nsPipe::nsPipeInputStream::ReadSegments doesn't return the error that is returned to by the writer function thing.
Assignee: pavlov → dougt
Attached patch returns writer error. (obsolete) — Splinter Review
I am not sure that this is the correct fix, but it does address the problem. I am not sure why both ReadSegment and WriteSegment ignore the user-defined callback return value. rpotts could you review, please? Should we be also be doing something similar in WriteSegments (although it uses mCondition, but I don't think that is good enough).
hey doug, i think that you are hitting one of the old semantics of the pipe code :-) In the very beginning, warren made the assumption that if any data could be read from the pipe that the return code should be NS_OK... This means that the "writer" functions must be prepared to return the SAME failure code on subsequent calls... so that once all of the data has been drained from the pipe that the real error code can be propagated via: return *readCount == 0 ? rv : NS_OK; If "writer" functions obey this convention hten everything is fine :-) otherwise, well bad things happen. I'm not sure what the rammifications will be if an NS_ERROR code is returned along with data.. I wouldn't be surprised if there is code that makes the assumption that if data is *only* returned with NS_OK... Could Pav change his "writer" function to do the right thing?
*** Bug 89393 has been marked as a duplicate of this bug. ***
Your right. If he hit and error, he can cancel the request via the closure. reassigning.
Assignee: dougt → pavlov
I found A LOT of crashes submitted to Talkback under Windows 2k... Here is the stack trace of one of the entries: Incident ID 32593748 MSVCRT.DLL + 0x1f64b (0x7801f64b) nsInputStreamTee::WriteSegmentFun [d:\builds\seamonkey\mozilla\xpcom\io\nsInputStreamTee.cpp, line 82] nsPipe::nsPipeInputStream::ReadSegments [d:\builds\seamonkey\mozilla\xpcom\io\nsPipe2.cpp, line 412] nsInputStreamTee::ReadSegments [d:\builds\seamonkey\mozilla\xpcom\io\nsInputStreamTee.cpp, line 138] nsPNGDecoder::WriteFrom [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\png\nsPNGDecoder.cpp, line 164] ReadDataOut [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\png\nsPNGDecoder.cpp, line 139] nsCOMPtr_base::assign_with_AddRef [d:\builds\seamonkey\mozilla\xpcom\base\nsCOMPtr.cpp, line 57] MSVCRT.DLL + 0x1426 (0x78001426) ProxyListener::OnDataAvailable [d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgLoader.cpp, line 387] nsStreamListenerTee::OnDataAvailable [d:\builds\seamonkey\mozilla\netwerk\base\src\nsStreamListenerTee.cpp, line 57] nsHttpChannel::OnDataAvailable [d:\builds\seamonkey\mozilla\netwerk\protocol\http\src\nsHttpChannel.cpp, line 2146] nsOnDataAvailableEvent::HandleEvent [d:\builds\seamonkey\mozilla\netwerk\base\src\nsStreamListenerProxy.cpp, line 185] PL_HandleEvent [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c, line 591] PL_ProcessPendingEvents [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c, line 524] _md_EventReceiverProc [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c, line 1072] nsAppShellService::Run [d:\builds\seamonkey\mozilla\xpfe\appshell\src\nsAppShellService.cpp, line 419] main1 [d:\builds\seamonkey\mozilla\xpfe\bootstrap\nsAppRunner.cpp, line 1181] main [d:\builds\seamonkey\mozilla\xpfe\bootstrap\nsAppRunner.cpp, line 1481] WinMain [d:\builds\seamonkey\mozilla\xpfe\bootstrap\nsAppRunner.cpp, line 1499] WinMainCRTStartup() KERNEL32.DLL + 0x17d08 (0x77e87d08) Most of the entries with this stack trace metioned this bug and also submitted http://gcc.gnu.org/benchmarks/ as the url. Actually, I'm just going to paste in a couple of the entries from the Talkback topcrash report: MSVCRT.DLL + 0x1f64b (0x7801f64b) 8164cf2c line Build: 2001070710 CrashDate: 2001-07-08 UptimeMinutes: 241 Total: 241 OS: Windows NT 5.0 build 2195 Detailed : http://climate/reports/incidenttemplate.cfm?bbid=32649932 StackTrace: http://climate/reports/stackcommentemail.cfm?dynamicBBID=32649932 (32649932) URL: http://gcc.gnu.org/benchresults/aov.html MSVCRT.DLL + 0x1f64b (0x7801f64b) 310ac88c line Build: 2001070609 CrashDate: 2001-07-07 UptimeMinutes: 172 Total: 172 OS: Windows NT 5.0 build 2195 Detailed : http://climate/reports/incidenttemplate.cfm?bbid=32636615 StackTrace: http://climate/reports/stackcommentemail.cfm?dynamicBBID=32636615 (32636615) URL: http://gcc.gnu.org/benchmarks/ (32636615) Comments: Browsing with 2 windows: gcc.gnu.org and grosbill.fr MSVCRT.DLL + 0x1f64b (0x7801f64b) 785a2037 line Build: 2001070509 CrashDate: 2001-07-06 UptimeMinutes: 282 Total: 532 OS: Windows NT 5.0 build 2195 Detailed : http://climate/reports/incidenttemplate.cfm?bbid=32593748 StackTrace: http://climate/reports/stackcommentemail.cfm?dynamicBBID=32593748 (32593748) Comments: Bug #89595 Adding topcrash keyword and Trunk [@ MSVCRT.DLL - nsInputStreamTee::WriteSegmentFun] to summary. This is coming up in large numbers in the Talkback data, but they could all be from the same person testing this particular crash...so prioritize accordingly.
Summary: Browser crashes each time while showing this page → Browser crashes each time while showing this page - Trunk [@ MSVCRT.DLL - nsInputStreamTee::WriteSegmentFun]
This doesn't look like a topcrasher, but Talkback data shows a couple of crashes with recent builds. Here is one of them: Incident ID 34588446 Stack Signature MSVCRT.DLL + 0x1e7b4 (0x7801e7b4) 5dcf7e4b Bug ID Trigger Time 2001-08-27 12:16:27 Email Address User Comments Build ID 2001082706 Product ID MozillaTrunk Platform ID Win32 Trigger Reason Access violation Stack Trace MSVCRT.DLL + 0x1e7b4 (0x7801e7b4) nsInputStreamTee::WriteSegmentFun [d:\builds\seamonkey\mozilla\xpcom\io\nsInputStreamTee.cpp, line 82] nsPipe::nsPipeInputStream::ReadSegments [d:\builds\seamonkey\mozilla\xpcom\io\nsPipe2.cpp, line 412] nsInputStreamTee::ReadSegments [d:\builds\seamonkey\mozilla\xpcom\io\nsInputStreamTee.cpp, line 138] nsPNGDecoder::WriteFrom [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\png\nsPNGDecoder.cpp, line 164] ReadDataOut [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\png\nsPNGDecoder.cpp, line 139] KERNEL32.DLL + 0xb9b6 (0xbff7b9b6) ProxyListener::OnDataAvailable [d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgLoader.cpp, line 402] nsStreamListenerTee::OnDataAvailable [d:\builds\seamonkey\mozilla\netwerk\base\src\nsStreamListenerTee.cpp, line 57] nsHttpChannel::OnDataAvailable [d:\builds\seamonkey\mozilla\netwerk\protocol\http\src\nsHttpChannel.cpp, line 2232] nsOnDataAvailableEvent::HandleEvent [d:\builds\seamonkey\mozilla\netwerk\base\src\nsStreamListenerProxy.cpp, line 188] PL_HandleEvent [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c, line 591] PL_ProcessPendingEvents [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c, line 524] _md_EventReceiverProc [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c, line 1072] KERNEL32.DLL + 0x242e7 (0xbff942e7) 0x00688b5a
Clicking on a link, Build 2001092103 and several before it have a fatal "msvcrt.dll" error at the go.to/speak-out site and several others around the world also.
Crashes w2k build 2001-09-21-05-0.9.4 (Incident #35695588) Image comes up fine linux build 2001-09-21-04-0.9.4, Image is distorted but the browser does not crash Mac OS X build 2001-09-21-04-0.9.4
Crashes 0.9.4+ build 2001100622. DOESN'T crash 0.9.5+ build 2001101022, but libpng gives errors in console window. Looks like a bad png ? $ !LD LD_LIBRARY_PATH=/opt/gnome-1.4/lib ./mozilla ./run-mozilla.sh ./mozilla-bin MOZILLA_FIVE_HOME=. LD_LIBRARY_PATH=.:./plugins:/opt/gnome-1.4/lib LIBRARY_PATH=.:./components SHLIB_PATH=. LIBPATH=. ADDON_PATH=. MOZ_PROGRAM=./mozilla-bin MOZ_TOOLKIT= moz_debug=0 moz_debugger= libpng error: Decompression Error libpng error: Decompression Error Crashes 0.9.4+ build
This bug is fixed on linux build 2001110112, w2k build 2001110103 and mac OS X build 2001103113 (there is no crash) The image is not displayed properly on Mac OS X, but that is bug 103934
I take that back, crashes win XP build 2001110209
*** Bug 111996 has been marked as a duplicate of this bug. ***
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla0.9.7
Target Milestone: mozilla0.9.7 → mozilla0.9.8
Attached patch patch to hopefully fix the crash (obsolete) — Splinter Review
darin thinks that by moving the setjmp into a non-stdcall method it should fix the problem. i can't reproduce the crash though.
Attachment #41784 - Attachment is obsolete: true
Keywords: patch
Priority: -- → P2
pavlov: i think i was leading you in the wrong direction w/ the setjmp/stdcall foo... all the documentation i could find on setjmp seems to suggest that it shouldn't depend on function calling convention. so, i thought about this some more, and what rpotts said makes sense to me. the method ReadDataOut can be called several times, during a call to ReadSegments. if ReadDataOut succeeds on the first call, but fails on a subsequent call, then ReadSegments will return NS_OK. this screws up your error handling, and it looks like you were expecting ReadSegments to return the error returned from ReadDataOut. but, that won't always be the case. as rpotts said, this is the convention for pipes, and it is that way for a very good reason. lots would break if we changed the convention and functionality would be lost. this means that in ReadDataOut you have to record the error code someplace, so that if ReadDataOut is ever called again, you'll be able to return the error code again... and not call ProcessData. you could also check this error code after ReadSegments returns, and then if NS_FAILED(the_error_code) return the_error_code. then it looks like the imgRequest code would do the right thing.
Target Milestone: mozilla0.9.8 → mozilla0.9.9
Target Milestone: mozilla0.9.9 → mozilla1.0
Whiteboard: dup?
*** Bug 118233 has been marked as a duplicate of this bug. ***
Attachment #61993 - Attachment is obsolete: true
Whiteboard: dup?
Attached patch Updated patchSplinter Review
Darin says it is ok to return an error from ReadDataOut, so we'll do that and still use mError to determine the result in WriteFrom
adding topcrash from one of the dups
Keywords: topcrash
Moving Netscape owned 0.9.9 and 1.0 bugs that don't have an nsbeta1, nsbeta1+, topembed, topembed+, Mozilla0.9.9+ or Mozilla1.0+ keyword. Please send any questions or feedback about this to adt@netscape.com. You can search for "Moving bugs not scheduled for a project" to quickly delete this bugmail.
Target Milestone: mozilla1.0 → mozilla1.2
Target Milestone: mozilla1.2 → mozilla1.0
this is topembed with a patch. why are we moving this to 1.2?
Keywords: nsbeta1
er, topcrash, not topembed
per adt, critical for nsbeta1. hence plus.
Keywords: nsbeta1nsbeta1+
Whiteboard: [adt2]
Comment on attachment 72177 [details] [diff] [review] Updated patch sr=darin
Attachment #72177 - Flags: superreview+
Comment on attachment 72177 [details] [diff] [review] Updated patch r=dougt
Attachment #72177 - Flags: review+
checked in
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
It's nice to know that we do not crash at the image anymore, but why don't we render it? Netscape 4.77 and Opera do render it...
Verified no crash on win 2k build 2002032603, Mac OS X build 2002032608 and linux build 2002032608
Status: RESOLVED → VERIFIED
Keywords: adt1.0.1
jay - this crash is occurring on the branch, right?
Blocks: 143047
Keywords: approval, mozilla1.0.1
Whiteboard: [adt2] → [adt2 RTM] [ETA 06/27]
Jaime: I have not seen any crashes like this in Talkback data for the Gecko1.0 Branch. It looks like it might have been fixed on the Trunk before we branched for Gecko1.0.
Based on Jay's comments and the fact that the patch was checked in in March prior to the branch, I'm removing the adt1.0.1 and adt markings. Please put them back if this still needs to land on the branch.
Keywords: adt1.0.1
Whiteboard: [adt2 RTM] [ETA 06/27] → [ETA 06/27]
Crash Signature: [@ MSVCRT.DLL - nsInputStreamTee::WriteSegmentFun]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: