Closed Bug 271931 Opened 20 years ago Closed 20 years ago

Crash with "Integer divide by zero" exception when opening this web page [@ nsBlender::Blend]

Categories

(Core Graveyard :: GFX: Win32, defect)

x86
Windows 2000
defect
Not set
critical

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: egrochowski, Assigned: emaijala+moz)

References

()

Details

(Keywords: crash)

Crash Data

Attachments

(1 file, 1 obsolete file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8a5) Gecko/20041122
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8a5) Gecko/20041122

I navigate to the above URL and the page starts loading. Before it completes
loading everything on the page I get a crash. 

Reproducible: Always
Steps to Reproduce:
1. Open http://www.chromethegame.com/en/show.php?002

Actual Results:
Crash: an application error dialog box comes up which reads "The exception
integer division divide by zero (0xc0000094) occurred in the application at
location 0x60d01548".

Expected Results:  
Not crash.

I have had this happen on 2 different computers (Win2000 Pro and WinXP Pro)
both of which have just been upgraded to use Mozilla 1.8a5.

On one of my computers, I trapped the error in SoftIce and can provide further
details on the stack etc... however since it also generated a Talkback ID which
I submitted, I would rather provide that. 

One of the Talkback ID#'s is: TB2199534Q
Assignee: general → win32
Component: General → GFX: Win32
Depends on: 228399
Keywords: crash
Product: Mozilla Application Suite → Core
QA Contact: general → ian
Summary: Crash with "Integer divide by zero" exception when opening this web page → Crash with "Integer divide by zero" exception when opening this web page [@ nsBlender::Blend]
Version: unspecified → Trunk
This page does NOT crash with Firefox 1.0 release on the same Win2000 computer.
I don't know if this is relevant or not, but after browsing through dependent bug
228399, here is my relevant display info on my Win2000 Pro box:

GeForce 256 DDR graphics card with recent driver revision (6.14.10.6177)
Display resolution is 1280 x 1024 x 32bits and configured to use Large Fonts.
Not able to reproduce with Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US;
rv:1.8a5) Gecko/20041125. TNT2, tried in 16 and 32 bit modes.
Assignee: win32 → emaijala
Attached patch Blender fortification patch (obsolete) — Splinter Review
I couldn't reproduce it either, but I suspect blender is called with aWidth ==
0 in some situation. This patch adds a check that nothing shall be done if
width or height is 0.
Attachment #167175 - Flags: superreview?(roc)
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
I can reproduce it on Windows XP using an ATI 9700Pro graphics card with a
resolution of 1280 x 1024 x 32 bits (large fonts - 120dpi) using 1.8a5. 

I also just installed the latest nightly:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a6) Gecko/20041126

It still crashes.

I will see about applying the patch in comment #4 and trying to reproduce... I
don't have recent source set up on this computer, so it might take a bit.
I applied the patch from comment #4 to the 1.8a5 sources and rebuilt (using VC
7.1) and it did not seem to fix the problem for me?
Attachment #167175 - Attachment is obsolete: true
Attachment #167175 - Flags: superreview?(roc)
This doesn't make sense to me. The stack of TB2199534Q points to line 
if (NS_SUCCEEDED(result)) {
and there's no division on that line. 

Could someone give another talkback ID?
I just generated another crash with talkback ID of TB2276508Q

Unfortunately, it points to the same line of code (no surprise).

By the way, is the Talkback ID handler smart enough to know which source file
revision to display the line numbers from?

I am able to do this using the release of 1.8 Alpha5.

Should I try it with a more recent nightly?
hmmm... if the crash is at the line posted in the URL, then Ere's fix from
comment #4 should have stopped the crash from happening??? 

Maybe I screwed up doing my test build? Things have changed since I last built
from source... sigh. I'll try again when I get a chance. Alternatively, if you
provide me with a release build of the affected dll (gkgfx?) that has this fix
in, I can drop it onto my computer's 1.8 alpha5 (or whatever nightly you
suggest) and test it that way. 
Attached patch Patch v1.1 - Splinter Review
A new fortification patch. rangeCheck might change the width or height, so the
values must be checked after rangeCheck.
Please try the new patch and report back the results.
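The ordering issue Ere describes above, as an added example that is not part of the bug's attachments or of Mozilla's code: a constructed, hypothetical blender in which the clamp-to-destination step (here named rangeCheck, with made-up Rect and BlendResult types) can reduce the width to 0, so a guard placed before it does not protect the divide while one placed after it does.

```cpp
#include <algorithm>

// Constructed illustration (hypothetical names, not Mozilla's nsBlender code)
// of why the zero-size check has to come after rangeCheck: clamping the blend
// rectangle to the destination surface can itself shrink width to 0.
struct Rect { int x, y, width, height; };

enum BlendResult { BLEND_DONE, BLEND_NOTHING_TO_DO, BLEND_WOULD_FAULT };

// Clamp the requested rectangle to a dstWidth x dstHeight surface.
// A rectangle that lies entirely off the surface comes back with width 0.
static Rect rangeCheck(Rect r, int dstWidth, int dstHeight) {
    int x0 = std::max(r.x, 0);
    int y0 = std::max(r.y, 0);
    int x1 = std::min(r.x + r.width, dstWidth);
    int y1 = std::min(r.y + r.height, dstHeight);
    return Rect{ x0, y0, std::max(x1 - x0, 0), std::max(y1 - y0, 0) };
}

// Stands in for the per-row arithmetic that divides by the blended width.
// Reports the fault instead of executing the divide so the two variants can
// be compared in a test; in the real binary this is the 0xc0000094 exception.
static BlendResult rowStep(const Rect& r, int bytesPerRow) {
    if (r.width == 0) return BLEND_WOULD_FAULT;  // integer divide by zero
    int bytesPerPixel = bytesPerRow / r.width;   // the hypothetical divide
    (void)bytesPerPixel;
    return BLEND_DONE;
}

// Comment #4 style: the guard runs before rangeCheck, so a rectangle that is
// clamped to zero width still reaches the divide.
static BlendResult blendGuardBefore(Rect r, int dstW, int dstH, int bytesPerRow) {
    if (r.width == 0 || r.height == 0) return BLEND_NOTHING_TO_DO;
    r = rangeCheck(r, dstW, dstH);
    return rowStep(r, bytesPerRow);
}

// Patch v1.1 style: the guard is evaluated on the clamped rectangle.
static BlendResult blendGuardAfter(Rect r, int dstW, int dstH, int bytesPerRow) {
    r = rangeCheck(r, dstW, dstH);
    if (r.width == 0 || r.height == 0) return BLEND_NOTHING_TO_DO;
    return rowStep(r, bytesPerRow);
}
```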
I can confirm that the new patch works. It prevents the crash!
Attachment #167654 - Flags: superreview?(roc)
Attachment #167654 - Flags: review?(roc)
Comment on attachment 167654 [details] [diff] [review]
Patch v1.1

rs=me
Attachment #167654 - Flags: superreview?(roc)
Attachment #167654 - Flags: superreview+
Attachment #167654 - Flags: review?(roc)
Attachment #167654 - Flags: review+
Fix checked in to trunk.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
I can confirm that the bug is fixed in the following nightly build:

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a6) Gecko/20041207


Status: RESOLVED → VERIFIED
Product: Core → Core Graveyard
Crash Signature: [@ nsBlender::Blend]