Closed
Bug 91123
Opened 23 years ago
Closed 23 years ago
[xlib] Memory corruption in nsRegionXlib::GetRects()
Categories
(Core :: XUL, defect, P2)
Tracking
()
RESOLVED
WORKSFORME
mozilla1.0
People
(Reporter: roland.mainz, Assigned: roland.mainz)
References
()
Details
Mozilla 2001-07-16-08-trunk Xlib-toolkit build on Solaris 7 SPARC. Build started with export LD_PRELOAD=watchmalloc.so.1 to catch memory corruption issues _early_ (see watchmalloc(3x)): Browsing the example URL and moving the pointer during loading results in a SIGBUS error: -- snip -- Disabling Quirk StyleSheet Enabling Quirk StyleSheet xmlencoding detect- iso-8859-1 ###!!! ASSERTION: new cache entry for READ-ONLY request: '*accessGranted', file ../../../../../../src/2001-07-16-08-trunk/mozilla/netwerk/cache/src/nsCacheEntry.cpp, line 233 ###!!! ASSERTION: new cache entry for READ-ONLY request: '*accessGranted', file ../../../../../../src/2001-07-16-08-trunk/mozilla/netwerk/cache/src/nsCacheEntry.cpp, line 233 / Reading libimgjpeg.so t@1 (l@1) signal BUS (invalid address alignment) in BURIGHT2 at 0xff381f2c 0xff381f2c: BURIGHT2+0x0054: st %i1, [%o0 + 0x8] Current function is nsRegionXlib::GetRects 227 void *buf = PR_Realloc(rects, sizeof(nsRegionRectSet) + (sizeof(nsRegionRect (/opt/SUNWspro/bin/../WS6U2/bin/sparcv9/dbx) where current thread: t@1 [1] BURIGHT2(0x743f78, 0xb2ef88, 0x4b22e0, 0xffbeec2c, 0x0, 0x9), at 0xff381f2c [2] t_splay(0x4b22e0, 0x10a88, 0xb2ef88, 0x743f78, 0xfd97acf0, 0x1835f8), at 0xff38232c [3] t_delete(0x4b22e0, 0xff392b6c, 0x0, 0xffffff60, 0x0, 0x0), at 0xff38214c [4] malloc_unlocked(0x30, 0x30, 0x76fda8, 0xff392b6c, 0x4b22e0, 0x0), at 0xff3810ac [5] realloc(0x0, 0x2c, 0xff392b6c, 0x4, 0xff392e6c, 0x0), at 0xff38127c [6] PR_Realloc(0x0, 0x2c, 0xfe29c000, 0x0, 0x6e72d88, 0x1b9cb620), at 0xfef97928 =>[7] nsRegionXlib::GetRects(this = 0x3b44e0, aRects = 0xffbeef14), line 227 in "nsRegionXlib.cpp" [8] nsWindow::Update(this = ???) (optimized), at 0xfd93b670 (line ~577) in "nsWindow.cpp" [9] nsWindow::UpdateIdle(data = ???) (optimized), at 0xfd93a940 (line ~150) in "nsWindow.cpp" [10] nsAppShell::Run(this = ???) (optimized), at 0xfd9210e0 (line ~497) in "nsAppShell.cpp" [11] nsAppShellService::Run(this = ???) (optimized), at 0xfdea76c4 (line ~423) in "nsAppShellService.cpp" [12] main1(argc = ???, argv = ???, nativeApp = ???) (optimized), at 0x17b20 (line ~1184) in "nsAppRunner.cpp" [13] main(argc = ???, argv = ???) (optimized), at 0x18510 (line ~1490) in "nsAppRunner.cpp" -- snip --
|
Assignee | |
Comment 2•23 years ago
|
||
This kills http://www.cnn.com/ , http://www.netscape.com/ and many other pages. Setting milestone/severty/priority... ... unfortunately I do not have any clue yet why it crashes there...
Severity: normal → blocker
Priority: -- → P2
Target Milestone: --- → mozilla0.9.3
There is a clone of GTK nsRegion code waiting for review at bug #89918. This will probably fix whatever problems happen here. Check it out. pocemit
Depends on: 89918
|
|
Assignee | |
Comment 4•23 years ago
|
||
pocemit: Nope, patch in bug 89918 does not help... ;-( Or this is a general memory corruption issue... maybe none tested the Zilla with the watchmalloc.so.1 stuff... ;-((
looks like in GetRects() we access internal xlib structures (= Regions) to get the total number of rectangles in a given region... this is achieved by copying xregion.h from somewhere in X11 sources and using it to directly access private members of region structure. I am sure this improves speed but might not be too portable. perhaps this is the reason. The thing is, X provides no way to get the current list of rectangles from the Region structure, so we are screwed to doing something like this anyway.
|
|
Assignee | |
Comment 6•23 years ago
|
||
richb: Wanna forward this to the X11_gurus@sun, please ? GTK+ toolkit is doing the same stuff... ---- pocemit: Maybe there is no other way... but there should be a comment in the bug that this piece of code is an _evil_ hack... ;-((
|
|
Assignee | |
Comment 7•23 years ago
|
||
Retargeting to milestone 0.9.4... ;-(
Target Milestone: mozilla0.9.3 → mozilla0.9.4
|
|
Assignee | |
Comment 8•23 years ago
|
||
Another weired region crasher: -- snip -- t@1 (l@1) signal BUS (invalid address alignment) in t_splay at 0xfedc6374 0xfedc6374: t_splay+0x0014: ld [%o7 + 0x10], %o1 Current function is nsRegionXlib::Subtract (optimized) 214 ::XSubtractRegion(mRegion, pRegion->mRegion, nRegion); (/opt/SUNWspro/bin/../WS6U2/bin/sparcv9/dbx) where current thread: t@1 [1] t_splay(0xb9a548, 0x6f944, 0xfee3c450, 0xfee35ad4, 0xbe7180, 0x9), at 0xfedc6374 [2] t_delete(0xb9a548, 0xfee35ad4, 0xfee3c3c4, 0xfee3c444, 0xfee3c440, 0x2), at 0xfedc61dc [3] _malloc_unlocked(0x0, 0x90, 0xb9a548, 0xb9a548, 0x0, 0xfee35ad4), at 0xfedc58cc [4] malloc(0x90, 0x90, 0x0, 0x0, 0x0, 0xfee35ad4), at 0xfedc572c [5] miRegionOp(0xc99b08, 0xfda4b89c, 0xbd8a20, 0xfda4b89c, 0xfda4b7c0, 0x0), at 0xfda4ad8c [6] XSubtractRegion(0xb7b508, 0xbd8a20, 0xc99b08, 0x1ef2, 0x44, 0xc99b08), at 0xfda1d4b0 =>[7] nsRegionXlib::Subtract(this = ???, aRegion = CLASS) (optimized), at 0xfcfbed5c (line ~214) in "nsRegionXlib.cpp" [8] nsViewManager::OptimizeDisplayList(this = ???, aDamageRect = STRUCT, aFinalTransparentRect = STRUCT) (optimized), at 0xfc9ef1f4 (line ~3478) in "nsViewManager.cpp" [9] nsViewManager::RenderViews(this = ???, aRootView = ???, aRC = CLASS, aRect = STRUCT, aResult = ???) (optimized), at 0xfc9ea748 (line ~1296) in "nsViewManager.cpp" [10] nsViewManager::Refresh(this = ???, aView = ???, aContext = ???, rect = ???, aUpdateFlags = ???) (optimized), at 0xfc9e9730 (line ~901) in "nsViewManager.cpp" [11] nsViewManager::DispatchEvent(this = ???, aEvent = ???, aStatus = ???) (optimized), at 0xfc9ebdbc (line ~1958) in "nsViewManager.cpp" [12] HandleEvent(aEvent = ???) (optimized), at 0xfc9ddfc4 (line ~67) in "nsView.cpp" [13] nsWidget::DispatchEvent(this = 0x8bfbc0, aEvent = 0xffbeede0, aStatus = nsEventStatus_eIgnore), line 1227 in "nsWidget.cpp" [14] nsWidget::DispatchWindowEvent(this = 0x8bfbc0, aEvent = STRUCT), line 1134 in "nsWidget.cpp" [15] nsWidget::OnPaint(this = 0x8bfbc0, event = STRUCT), line 885 in "nsWidget.cpp" [16] nsWindow::Update(this = 0x8bfbc0), line 609 in "nsWindow.cpp" [17] nsWindow::UpdateIdle(data = (nil)), line 150 in "nsWindow.cpp" [18] CallProcessTimeoutsXtProc(dummy1 = 0xffbef0c8, dummy2 = 0xffbeef88), line 402 in "nsAppShell.cpp" [19] DoOtherSources(0x11df58, 0xfdb72000, 0x1, 0xf4240, 0x0, 0x1), at 0xfdb3ad9c [20] XtAppNextEvent(0x11df58, 0x0, 0x1, 0x0, 0xffbef068, 0x1), at 0xfdb3aa14 [21] nsAppShell::Run(this = 0x18fd60), line 454 in "nsAppShell.cpp" [22] nsAppShellService::Run(this = ???) (optimized), at 0xfe127994 (line ~424) in "nsAppShellService.cpp" [23] main1(argc = ???, argv = ???, nativeApp = ???) (optimized), at 0x188ac (line ~1306) in "nsAppRunner.cpp" [24] main(argc = ???, argv = ???) (optimized), at 0x19298 (line ~1622) in "nsAppRunner.cpp" -- snip -- Any ideas ?
|
|
Assignee | |
Comment 9•23 years ago
|
||
Retargeting to 1.0 to get this off my 0.9.4/0.9.5 radar for now... ;-(
Target Milestone: mozilla0.9.4 → mozilla1.0
|
||
Comment 10•23 years ago
|
||
May God have mercy on us all. The 212 bug spam-o-rama is Now!
QA Contact: aegis → jrgm
|
|
Assignee | |
Comment 11•23 years ago
|
||
I cannot reproduce this issue anymore, nor does Rational Purify show up any issues while purifying the Xprint module (which makes use of this part of XLlib toolkit). Marking WorksForMe ...
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•