Closed Bug 101731 Opened 23 years ago Closed 22 years ago

M1RC2 crash [@ imgContainer::FillWithColor]

Categories

(Core :: Graphics: ImageLib, defect)

x86
All
defect
Not set
critical

Tracking

()

RESOLVED FIXED

People

(Reporter: greer, Assigned: nivedita)

Details

(Keywords: crash, topcrash, Whiteboard: [tucson][fixed on Trunk (by 132319)])

Crash Data

Attachments

(4 files)

Talkback data shows crashes at the imgContainer::FillWithColor signature, with 
the following comments:

     (35866330) URL: http://www.auburn.edu/~gunnedh/
     (35866330) Comments: had a two or three open windows  using MultiZilla 
1.0.95  and was reading while she blew  I mean  bit. When Talkback was first 
invoked  it said there wasn't enough memory to start it  so I closed a program 
and started Talkback up manually...
     (35805405) Comments: running low on virtual memory
     (35799874) Comments: I had several windows opened but I was not doing 
anything with the browser it failed...
     (35758167) URL: http://www.healthology.com/focus_webcast.asp?
b=healthology&f=hairloss&c=hairloss_causesinwomen
     (35758167) Comments: running altavista discovery
     (35725428) Comments: I just finished an online order at DVDExpress and 
clicked on the link to my Yahoo mail account.  I had a couple of browser 
windows open and my Netscape mailbox.
     (35717602) Comments: Within composer I tried to cut and paste a table into 
another table cell  while pasting this  mozilla crashed. This reproduces on 
Solaris build of 0.9.4  too. 
     (35711788) URL: http://www.healthology.com/focus_webcast.asp?
b=healthology&f=hairloss&c=hairloss_causesinwomen
     (35711788) Comments: playing the real player (high speed)
     (35631498) Comments: nothing. Browser was not active.
     (35599944) Comments: Loading multiple pictures.
     (35554885) URL: http://www.auburn.edu/~gunnedh/
     (35554885) Comments: I wasn't even using it  actually...I had looked up 
some AOhelL 6.0 Media Player problems via Google and I opened IE5.5 to see if I 
needed to download an update from M$ & while IE5.5 was coming up  she blew  I 
mean  bit & another alert came up that said
     (35554885) Comments:  something like: "Error 2" or something to that 
effect...
     (35534277) Comments: clicking faston links before page fully loaded
     (35507613) URL: http://komodo.mozilla.org/buster/random/random.html
     (35437602) Comments: I have no idea why the feedback agent has triggered - 
nothing appears to be wrong ... except the quicklaunch icon disappeared from 
the system tray a little while ago  and I relaunched Mozilla from the Start 
menu.  I installed this new Mozilla version a
     (35437602) Comments:  few hours ago.

imgContainer::FillWithColor   34 
BBID range: 35437602 - 35892034
Min/Max Seconds since last crash: 77 - 331123
Min/Max Runtime: 1317 - 417315
Crash data range: 2001-09-15 to 2001-09-25
Build ID range: 2001091311 to 2001091311

Most crashes are happening on NT and Win98:
   2 Windows 95  4.0 build 67109975
   2 Windows 95  4.0 build 67306684
   8 Windows 98  4.10 build 67766222
  10 Windows 98  4.10 build 67766446
  12 Windows NT  4.0 build 1381

Most crashes return only the stack signature, but I will attach the two stack 
traces that are returned for all other crashes (below).
Attached file Stack Traces
Keywords: crash, topcrash
LibPr0n crash - over to imagelib
Assignee: attinasi → pavlov
Component: Layout → ImageLib
QA Contact: petersen → tpreston
Adding Trunk to the summary. Seeing this signature in the following builds:
   4 2001092705
   2 2001100514
   1 2001100109
   1 2001092806
But no comments.
Summary: M094 & N620 crash [@imgContainer::FillWithColor] → M094, N620, Trunk crash [@imgContainer::FillWithColor]
Talkback has seven incidents for this signature in M095. Updating the summary.
One comment:
(36639334) 2001101120 - Windows 98  4.90 build 73010104   I had Netscape
Communicator 4.78 working and Mozilla 5 working simultaneously. Other programs
were: WinAmp 2.77 (which also crashed), AIM (which continued to work on) and
other Windows components, like sound volume regulator, keyboard indicator and
screen  resolution tool. I clicked on a link in my.excite in Mozilla and at the
same time, Communicator was downloading a large frameset.
Summary: M094, N620, Trunk crash [@imgContainer::FillWithColor] → M094, M095, N620, Trunk crash [@imgContainer::FillWithColor]
Fixing summary for talkback
Summary: M094, M095, N620, Trunk crash [@imgContainer::FillWithColor] → M095 N620 Trunk crash [@imgContainer::FillWithColor]
Keywords: qawanted
Whiteboard: [tucson]
Updating summary with M096, this has been a topcrasher for Mozilla 0.9.6. 
Summary: M095 N620 Trunk crash [@imgContainer::FillWithColor] → M096 N620 Trunk crash [@imgContainer::FillWithColor]
Bug Notes from Tucson Beta
updating summary with M097 and N621, since this has been a topcrasher with
Mozilla 0.9.7 and Netscape 6.21.  There have also been quite a few crashes with
recent MozillaTrunk builds.  Here are just a few with user comments:

 Incident ID 2395814   
Stack Signature  imgContainer::FillWithColor a88ce134
Trigger Time 2002-02-01 12:29:05
Email Address
URL visited
http://lw8fd.law8.hotmail.msn.com/cgi-bin/compose?curmbox=F000000001&a=9dff7532665df25b327511e325dc4ca6
User Comments I went over to IE because Mozilla is unable to send emails in
Hotmail, and then Mozilla crashed when I went back to copy the URL.
Build ID 2002013009
Product ID MozillaTrunk
Platform
Operating System Win32
Module
Trigger Reason Access violation
Stack Trace
imgContainer::FillWithColor
[d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgContainer.cpp, line 657] 
-------------------
 Incident ID 2375875   
Stack Signature  imgContainer::FillWithColor a88ce134
Trigger Time 2002-01-31 15:34:35
Email Address 
URL visited http://www.itsyourturn.com/
User Comments
Build ID 2002013009
Product ID MozillaTrunk
Platform
Operating System Win32
Module
Trigger Reason Access violation
Stack Trace
imgContainer::FillWithColor
[d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgContainer.cpp, line 657] 
------------------
 Incident ID 2253125   
Stack Signature  imgContainer::FillWithColor a88ce134
Trigger Time 2002-01-29 08:36:10
Email Address 
URL visited
User Comments Opening very large text file in Navigator window -- ran out of
memory and died.
Build ID 2002012309
Product ID MozillaTrunk
Platform
Operating System Win32
Module
Trigger Reason Access violation
Stack Trace
imgContainer::FillWithColor
[d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgContainer.cpp, line 657] 
-----------------------
 Incident ID 1969269   
Stack Signature  imgContainer::FillWithColor a88ce134
Trigger Time 2002-01-22 07:49:05
Email Address
URL visited index.hu
User Comments borwsing index.hu in multiple tabs
Build ID 2002012011
Product ID MozillaTrunk
Platform
Operating System Win32
Module
Trigger Reason Access violation
Stack Trace
imgContainer::FillWithColor
[d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgContainer.cpp, line 657] 

Those don't have much of a stacktrace, but I did found a few incidents with this
stack trace:

 Incident ID 2248234   
Stack Signature  imgContainer::FillWithColor 70ac0a4b
Trigger Time 2002-01-29 06:54:13
Email Address
URL visited
User Comments
Build ID 2002012815
Product ID MozillaTrunk
Platform
Operating System Win32
Module
Trigger Reason Access violation
Stack Trace
imgContainer::FillWithColor
[d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgContainer.cpp, line 657]
imgContainer::DoComposite
[d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgContainer.cpp, line 530]
imgContainer::Notify
[d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgContainer.cpp, line 450]
nsTimerImpl::Process [d:\builds\seamonkey\mozilla\xpcom\threads\nsTimerImpl.cpp,
line 252]
handleMyEvent [d:\builds\seamonkey\mozilla\xpcom\threads\nsTimerImpl.cpp, line 287]
PL_HandleEvent [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c, line 591]
PL_ProcessPendingEvents [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c,
line 524]
_md_EventReceiverProc [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c, line
1072] 
Summary: M096 N620 Trunk crash [@imgContainer::FillWithColor] → M097 N621 Trunk crash [@imgContainer::FillWithColor]
Target Milestone: --- → Future
Giving to nivedita
Assignee: pavlov → nivedita
Target Milestone: Future → ---
I am unable to reproduce the crash. If anyone is able to reproduce the crash,
can you please forward the steps followed for the same.
   This one is still showing up in M098 (19 incidents) and recent Trunk builds. 
Several users have commented on low RAM. If that were the necessary condition 
for this crash it would help to explain the variety of conditions reported in 
the comments. 
   Nivedita, can we emulate low RAM, and have we tried that to recreate this 
one?
Summary: M097 N621 Trunk crash [@imgContainer::FillWithColor] → M098 N621 Trunk crash [@imgContainer::FillWithColor]
I am attaching the comments that include references to running out of memory
(followed by all comments from N621, M098 and Trunk for the past 10 days).
greenr,
Thanks for the info. I hadnt tried it on the low memory. I 'll emulate low 
memory on WINNT, using the boot.ini switch /maxmem=16. I hope this would help 
me in reproducing the crash.
nominating topcrash bugs for nsbeta1. 
Keywords: nsbeta1
Here's the most recent crash reported:

 Incident ID 3337834   Stack Signature  imgContainer::FillWithColor a88ce134
Trigger Time 2002-02-25 07:06:12
Email Address
URL visited
Build ID 2002022411
Product ID MozillaTrunk
Platform
Operating System Win32
Module
Trigger Reason Access violation
User Comments
Stack Trace
imgContainer::FillWithColor
[d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgContainer.cpp, line 665] 

Note the new line number.  Also, there doesn't seem to be too many comments or
urls for recent crashes.  Here are the only urls sent in for recent M098 crashes:

 http://www.telekom.co.jp
 sportsillustrated.cnn.com
 http://news.com.com/2010-1072-831385.html
http://www.sun.com/2002-0206/linux/
http://www.theage.com.au/ 
www.adequacy.org 
http://www.itsyourturn.com/ 

Recent comments mostly noted that users ran out of memory:
-  nothing, was running in background. i got a message that the virtual memory
was low.
-  system with low memory...
-  system ran out of ram
-  Opening very large text file in Navigator window -- ran out of memory and died.

I tried a few things and was unable to reproduce...I was running WinNT, 500MHz,
128MB RAM.
Summary: M098 N621 Trunk crash [@imgContainer::FillWithColor] → M098 N621 Trunk crash [@ imgContainer::FillWithColor]
Nivedita, you were going to try to emulate low memory and see if you could crash 
this one. Any luck?
greenr,
No, I could not reproduce the bug. I tried reducing the swap space  and the 
maxmem switch of boot.ini to 9 that is 9MB, and that is minimum one can specify 
there. That dint help me in reproducing the crash. 
I have tried all links listed here and am unable to reproduce on Win XP build
2002022703, marking WFM, if you can reproduce with exact steps, please reopen
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → WORKSFORME
I had a look to the code were the browser crashes, and there is an
nsMemory::Alloc() whose return value is not checked. Is this normal? (I am not
too familiar with the code). Perhaps we should add a defensive test.

if (!foo ) {
  return NS_ERROR_OUT_OF_MEMORY;
}



628 void imgContainer::FillWithColor(gfxIImageFrame *aFrame, gfx_color color)
629 {
630 if(!aFrame) return;
631 632 aFrame->LockImageData();
633 634 PRUint32 bpr;
635 aFrame->GetImageBytesPerRow(&bpr);
636 637 nscoord width;
638 nscoord height;
639 aFrame->GetWidth(&width);
640 aFrame->GetHeight(&height);
641 642 PRUint8* imageData;
643 PRUint32 imageDataLength;
644 aFrame->GetImageData(&imageData, &imageDataLength);
645 646 PRUint8* foo = (PRUint8*) nsMemory::Alloc(imageDataLength);
Attached patch patch Splinter Review
I have added the check after the Alloc. The caller of FillWithColor do not
check for the return value, hence I am just doing a return. Even in case when
the aFrame is null, we are just returning. This patch  would only shift the
crash from here to above up, where the next allocation would happen and lead to
a crash, because we are speaking in terms of low memory condition.
Keywords: patch
Whiteboard: [tucson] → [tucson][needs review/super review]
Unable to reproduce with win 2k build 2002040203, tried all the links in the
bug, marking verified
Status: RESOLVED → VERIFIED
   This bug makes no sense - It is Verified WFM, but the status whiteboard says
it has a patch and needs r=/sr=. It's still showing up in M1RC2 with 46 crashes
in the last ten days. (One incident on Linux OS -> ALL)

   This one has fallen throught the cracks because Nivedita is gone. I am
reassinging -> Pavlov. Pavlov, take a look at Nivedita's patch. Obviously we
will need something more robust to fix memory issues.

imgContainer::FillWithColor   46
		 
Stack Trace: 

 imgContainer::FillWithColor	[d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgContainer.cpp  line 659] 
	 imgContainer::AppendFrame
[d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgContainer.cpp  line 177] 
	 HaveDecodedRow
[d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\nsGIFDecoder2.cpp 
line 426] 
	 output_row
[d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\GIF2.cpp  line 234] 
	 do_lzw
[d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\GIF2.cpp  line 423] 
	 gif_write
[d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\GIF2.cpp  line 1126] 
	 nsGIFDecoder2::ProcessData
[d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\nsGIFDecoder2.cpp 
line 251] 
	 ReadDataOut
[d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\nsGIFDecoder2.cpp 
line 196] 
	 nsInputStreamTee::WriteSegmentFun
[d:\builds\seamonkey\mozilla\xpcom\io\nsInputStreamTee.cpp  line 97] 

-----------------
     (6471496)	Comments: I had been editing bookmarks in Mozilla. Then I stopped and had
been opening a document in WordPerfect then Word. I was closing Word when the
Dr. Watson popped up.
     (6356216)	Comments: Using Photoshop Save-As -- think it might be something about PShop
searching for Navigator.exe...
     (6354646)	URL: http://bkhalil.livejournal.com/
     (6353980)	URL: http://bkhalil.livejournal.com/
     (6348900)	Comments: computer uptime is like 26days on winXP  w/ 256mb ram.  had
multiple sessions open and a couple had multiple tabs  just finally ran out of
memory i guess
     (6342685)	Comments: quake was starting and MS Indexing software was running (findfast.exe)
     (6330009)	URL:http://www.geocrawler.com/archives/3/152/2001/11/100/7174186/
     (6330009)	Comments: Mozilla RC2 was displaying this URLI was starting MS Excel when it
crashedI can repeat such crashes by having mozilla open and starting enough
other apps to use up physical memory 
     (6319473)	Comments: Browser was sitting idle there were about 3/4 sites open on
tabs.Mozilla crashed and Java jre crashed also.
     (6301332)	Comments: just started the program (but QuickLaunch was on)
     (6259535)	Comments: Mozilla RC2 was idle in the background with two windows open
displaying contents of 2 different web sites. No activity was done on the
browser itself. Another application used up all free physical RAM and Mozilla
crashed
     (6235120)	URL: www.friendscout24.de
     (6202676)	Comments: retrieving imap-mail
     (6185145)	Comments: I had just opened up Mozilla  and as the logo disappeared and the
actual window opened Mozilla crashed.
Status: VERIFIED → REOPENED
OS: Windows NT → All
Resolution: WORKSFORME → ---
Summary: M098 N621 Trunk crash [@ imgContainer::FillWithColor] → M1RC2 crash [@ imgContainer::FillWithColor]
I believe this was fixed on the trunk with Bug 132319 and the regression patch
on Bug 143333.

Although the patch here would probably work fine, I'd go with the trunk-tested
patches if you are putting it in the branch.
Thanks Aaron, you're right. I will mark this one as fixed (as a result of bug
132319) and take my comments there.
Status: REOPENED → RESOLVED
Closed: 22 years ago22 years ago
Resolution: --- → FIXED
Whiteboard: [tucson][needs review/super review] → [tucson][fixed on Trunk (by 132319)]
Crash Signature: [@ imgContainer::FillWithColor]
Keywords: qawanted
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: