Closed Bug 151154 Opened 23 years ago Closed 23 years ago

Mozilla crashes when specific URL is accessed

Categories

(Core :: Graphics: ImageLib, defect, P2)

x86
Windows 2000
defect

Tracking

RESOLVED DUPLICATE of bug 159256
mozilla1.1beta

People

(Reporter: sb_tec, Assigned: pavlov)

Details

(Keywords: crash, regression, testcase)

Attachments

(6 files, 1 obsolete file)

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.1a) Gecko/20020611
BuildID: 2002061108
Mozilla crashed each time when I went to www.ivwbox.de, using Mozilla on a Windows 2000 (Service Pack 2) system. The build ID is 2002061108.
Reproducible: Always
Steps to Reproduce:
1. just surf to www.ivwbox.de
Actual Results: Mozilla crashes
Expected Results: display the page
This is a regression from M1.0 ! -> Layout win2k build 20020612..
NTDLL! 778cb9b1()
NTDLL! 778cb733()
_free_base(void * 0x03fc4eb8) line 60
_free_dbg_lk(void * 0x03fc4ed8, int 1) line 1083 + 9 bytes
_free_dbg(void * 0x03fc4ed8, int 1) line 970 + 13 bytes
operator delete(void * 0x03fc4ed8) line 49 + 16 bytes
nsImageWin::CleanUpDIB() line 1016 + 18 bytes
nsImageWin::CreateDDB(void * 0x03fe5a80) line 399
nsImageWin::Draw(nsImageWin * const 0x03fe7338, nsIRenderingContext & {...}, void * 0x03fe5a80, int 0, int 0, int 164, int 45, int 292, int 173, int 164, int 45) line 460
nsRenderingContextImpl::DrawImage(nsRenderingContextImpl * const 0x03f77768, imgIContainer * 0x0400ba30, const nsRect * 0x0012e270, const nsPoint * 0x0012e280) line 922 + 63 bytes
nsImageFrame::Paint(nsImageFrame * const 0x03feb538, nsIPresContext * 0x03d4c640, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0) line 1362
nsContainerFrame::PaintChild(nsIPresContext * 0x03d4c640, nsIRenderingContext & {...}, const nsRect & {...}, nsIFrame * 0x03feb538, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0) line 255
nsContainerFrame::PaintChildren(nsIPresContext * 0x03d4c640, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0) line 196
nsHTMLContainerFrame::Paint(nsHTMLContainerFrame * const 0x03feb3dc, nsIPresContext * 0x03d4c640, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0) line 135
nsContainerFrame::PaintChild(nsIPresContext * 0x03d4c640, nsIRenderingContext & {...}, const nsRect & {...}, nsIFrame * 0x03feb3dc, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0) line 255
nsBlockFrame::PaintChildren(nsIPresContext * 0x03d4c640, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0) line 5657
nsBlockFrame::Paint(nsBlockFrame * const 0x03feb198, nsIPresContext * 0x03d4c640, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0) line 5529
nsContainerFrame::PaintChild(nsIPresContext * 0x03d4c640, nsIRenderingContext & {...}, const nsRect & {...}, nsIFrame * 0x03feb198, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0) line 255
nsContainerFrame::PaintChildren(nsIPresContext * 0x03d4c640, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0) line 196
nsTableCellFrame::Paint(nsTableCellFrame * const 0x03feb138, nsIPresContext * 0x03d4c640, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0) line 516
nsTableRowFrame::PaintChildren(nsIPresContext * 0x03d4c640, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0) line 655
nsTableRowFrame::Paint(nsTableRowFrame * const 0x03feae00, nsIPresContext * 0x03d4c640, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0) line 603
nsTableRowGroupFrame::PaintChildren(nsIPresContext * 0x03d4c640, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0) line 289
nsTableRowGroupFrame::Paint(nsTableRowGroupFrame * const 0x03f1bcfc, nsIPresContext * 0x03d4c640, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0) line 238
nsContainerFrame::PaintChild(nsIPresContext * 0x03d4c640, nsIRenderingContext & {...}, const nsRect & {...}, nsIFrame * 0x03f1bcfc, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0) line 255
nsContainerFrame::PaintChildren(nsIPresContext * 0x03d4c640, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0) line 196
nsTableFrame::PaintChildren(nsIPresContext * 0x03d4c640, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0) line 1449
nsTableFrame::Paint(nsTableFrame * const 0x03fe84f0, nsIPresContext * 0x03d4c640, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0) line 1495
nsContainerFrame::PaintChild(nsIPresContext * 0x03d4c640, nsIRenderingContext & {...}, const nsRect & {...}, nsIFrame * 0x03fe84f0, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0) line 255
nsTableOuterFrame::Paint(nsTableOuterFrame * const 0x03fe8324, nsIPresContext * 0x03d4c640, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0) line 375
nsContainerFrame::PaintChild(nsIPresContext * 0x03d4c640, nsIRenderingContext & {...}, const nsRect & {...}, nsIFrame * 0x03fe8324, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0) line 255
nsBlockFrame::PaintChildren(nsIPresContext * 0x03d4c640, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0) line 5657
nsBlockFrame::Paint(nsBlockFrame * const 0x03fe8104, nsIPresContext * 0x03d4c640, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0) line 5529
nsContainerFrame::PaintChild(nsIPresContext * 0x03d4c640, nsIRenderingContext & {...}, const nsRect & {...}, nsIFrame * 0x03fe8104, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0) line 255
nsBlockFrame::PaintChildren(nsIPresContext * 0x03d4c640, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0) line 5657
nsBlockFrame::Paint(nsBlockFrame * const 0x03f1b910, nsIPresContext * 0x03d4c640, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0) line 5529
nsContainerFrame::PaintChild(nsIPresContext * 0x03d4c640, nsIRenderingContext & {...}, const nsRect & {...}, nsIFrame * 0x03f1b910, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0) line 255
nsBlockFrame::PaintChildren(nsIPresContext * 0x03d4c640, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0) line 5657
nsBlockFrame::Paint(nsBlockFrame * const 0x03f1b7a4, nsIPresContext * 0x03d4c640, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0) line 5529
nsContainerFrame::PaintChild(nsIPresContext * 0x03d4c640, nsIRenderingContext & {...}, const nsRect & {...}, nsIFrame * 0x03f1b7a4, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0) line 255
nsContainerFrame::PaintChildren(nsIPresContext * 0x03d4c640, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0) line 196
nsHTMLContainerFrame::Paint(nsHTMLContainerFrame * const 0x03f23164, nsIPresContext * 0x03d4c640, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0) line 135
CanvasFrame::Paint(CanvasFrame * const 0x03f23164, nsIPresContext * 0x03d4c640, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0) line 387 + 27 bytes
PresShell::Paint(PresShell * const 0x03d4a7ec, nsIView * 0x03f1b4d8, nsIRenderingContext & {...}, const nsRect & {...}) line 5830 + 36 bytes
nsView::Paint(nsView * const 0x03f1b4d8, nsIRenderingContext & {...}, const nsRect & {...}, unsigned int 0, int & 1242412) line 280
nsViewManager::RenderDisplayListElement(DisplayListElement2 * 0x03f78c78, nsIRenderingContext & {...}) line 1192
nsViewManager::RenderViews(nsView * 0x03f1b238, nsIRenderingContext & {...}, const nsRect & {...}, int & 0) line 1141
nsViewManager::Refresh(nsView * 0x03f1b238, nsIRenderingContext * 0x03f77768, nsIRegion * 0x03ff6998, unsigned int 1) line 732
nsViewManager::DispatchEvent(nsViewManager * const 0x03fbb3d8, nsGUIEvent * 0x0012f850, nsEventStatus * 0x0012f764) line 1732
HandleEvent(nsGUIEvent * 0x0012f850) line 83
nsWindow::DispatchEvent(nsWindow * const 0x03f1b2f4, nsGUIEvent * 0x0012f850, nsEventStatus & nsEventStatus_eIgnore) line 1026 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012f850, nsEventStatus & nsEventStatus_eIgnore) line 1052
nsWindow::OnPaint() line 4698 + 28 bytes
nsWindow::ProcessMessage(unsigned int 15, unsigned int 0, long 0, long * 0x0012fc94) line 3572 + 17 bytes
nsWindow::WindowProc(HWND__ * 0x003b0470, unsigned int 15, unsigned int 0, long 0) line 1291 + 27 bytes
USER32! 77e01b60()
USER32! 77e02f29()
USER32! 77e02f4f()
NTDLL! 778a032f()
USER32! 77e083f1()
nsAppShellService::Run(nsAppShellService * const 0x010c5ba8) line 451
main1(int 2, char * * 0x00283160, nsISupports * 0x00000000) line 1456 + 32 bytes
main(int 2, char * * 0x00283160) line 1805 + 37 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77e7d326()
Assignee: sgehani → attinasi
Component: XP Apps → Layout
Keywords: crash, regression
QA Contact: paw → petersen
Confirming for 2002061208 (Win32)
no crash with win98 2002060908; crash with win2k 2002061204, TB7268637G
confirm crash on win2kpro Moz1.1 alpha
to dcone; he was touching that stuff last, iirc....
Assignee: attinasi → dcone
Status: UNCONFIRMED → NEW
Ever confirmed: true
*** Bug 151485 has been marked as a duplicate of this bug. ***
From bug 151485: "Mozilla 1.1a crashed each time when visiting www.ivw.de It seems to be a problem with the favicon used on this site (buggy?)."
Keywords: testcase
QA Contact: petersen → moied
Confirm crash on Win95 but not until closing the browser window. Talkbacks: TB7355024W, TB7355671M. Can't confirm on Linux despite intensive testing. Both with 1.1a 2002061408.
Priority: -- → P2
*** Bug 151895 has been marked as a duplicate of this bug. ***
I know that |delete| is null-safe; e.g., |delete 0| will not crash. Is |delete[]| _not_ null-safe? I tried this test program, and it appears to work (on Unix, anyway):
  int main(int argc, char *argv[])
  {
    char **p = new char*[1];
    p[0] = 0;
    delete[] p[0];  // delete[] applied to a null pointer
    delete[] p;     // array form, to match new char*[1]
  }
So...are we really fixing the problem here? Is it possible that mColorMap->Index is not being initialized? (Or has already been deleted?)
*** Bug 155341 has been marked as a duplicate of this bug. ***
Looking at this bug.. and where this said it crashes.. and running some tests to make sure the windows is null safe on delete.. I don't see how that is causing the crash. There is a duplicate that also crashes.. but in a different spot. I think it crashed in nsImageWin::CleanUpDIB because of an unstable environment. I can not duplicate this on the branch or trunk.. used windows 2k to test. The patch I put in was a shot in the dark to make sure everything was cool.. but a closer look and doing waterson's test on windows.. I just don't think that's the cause of anything crashing.
dcone: you can't reproduce the crash? Have you enabled the favicons? I crash every time on win2k with the given URL and a win2k trunk build. (Nvidia card) MSVC++ reports a hardcoded breakpoint..
I don't really know how to enable those favicons.. but I am using w2k, nvidia card.. gforce II, athlon processor. I will keep trying.. but both my machines run it fine.. What screen depth are you using?
Favicons: Edit\preferences\Appearance\[X] Show Web Site Icons. I'm using a gforce II MX with 32Bit 1024x768 and recent drivers.. You could access my system if you really can't get it crashing but my system and MSVC++ is German :-)
I can get this to crash on my HP machine.. but mine crashes in -- consistently, not the GFX method.
SinkContext::FlushTags(int 1) line 1921 + 74 bytes
HTMLContentSink::FlushPendingNotifications(HTMLContentSink * const 0x035c5fd0) line 5067 + 16 bytes
nsHTMLDocument::FlushPendingNotifications(nsHTMLDocument * const 0x035cb418, int 0, int 0) line 1543 + 23 bytes
nsHTMLDocument::ResolveName(nsHTMLDocument * const 0x035cb5bc, const nsAString & {...}, nsIDOMHTMLFormElement * 0x00000000, nsISupports * * 0x0012df9c) line 3727
nsHTMLDocumentSH::ResolveImpl(JSContext * 0x034ecd78, nsIXPConnectWrappedNative * 0x03a31a40, long 49197332, nsISupports * * 0x0012df9c) line 4625 + 33 bytes
nsHTMLDocumentSH::NewResolve(nsHTMLDocumentSH * const 0x02f2bb60, nsIXPConnectWrappedNative * 0x03a31a40, JSContext * 0x034ecd78, JSObject * 0x037254c0, long 49197332, unsigned int 1, JSObject * * 0x0012e0a0, int * 0x0012e01c) line 4675 + 41 bytes
XPC_WN_Helper_NewResolve(JSContext * 0x034ecd78, JSObject * 0x037254c0, long 49197332, unsigned int 1, JSObject * * 0x0012e1c4) line 904 + 66 bytes
_js_LookupProperty(JSContext * 0x034ecd78, JSObject * 0x037254c0, long 49371408, JSObject * * 0x0012e2b0, JSProperty * * 0x0012e2a4, const char * 0x013457e0, unsigned int 2454) line 2250 + 59 bytes
js_GetProperty(JSContext * 0x034ecd78, JSObject * 0x037254c0, long 49371408, long * 0x0012eee4) line 2454 + 35 bytes
js_Interpret(JSContext * 0x034ecd78, long * 0x0012f104) line 2574 + 2032 bytes
js_Execute(JSContext * 0x034ecd78, JSObject * 0x03393b10, JSScript * 0x039e63e0, JSStackFrame * 0x00000000, unsigned int 0, long * 0x0012f104) line 968 + 13 bytes
JS_EvaluateUCScriptForPrincipals(JSContext * 0x034ecd78, JSObject * 0x03393b10, JSPrincipals * 0x030f0b88, const unsigned short * 0x0372f670, unsigned int 177, const char * 0x0012f21c, unsigned int 15, long * 0x0012f104) line 3379 + 25 bytes
nsJSContext::EvaluateString(nsJSContext * const 0x034ecb90, const nsAString & {...}, void * 0x03393b10, nsIPrincipal * 0x030f0b84, const char * 0x0012f21c, unsigned int 15, const char * 0x0132969c, nsAString & {...}, int * 0x0012f168) line 702 + 85 bytes
Sorry, but I now also get different stack traces with my updated build :-( I got the page completely loaded 1x but I crashed after I hit reload (the last stack in the attachment)
This is not crashing in GFX.. but in layout somewhere.. like JavaScript somewhere. The stack traces change.. but none of the stack traces I get are in GFX.. they all seem to have JavaScript in there somewhere.
Assignee: dcone → attinasi
QA Contact: moied → petersen
Since I disabled, I don't get a crash accessing www.ivwonline.de or www.ivw.de (Mozilla Build ID: 2002072108) Hope, this will help someone. Tri
Target Milestone: --- → Future
*** Bug 160840 has been marked as a duplicate of this bug. ***
With these patches and the icon in bug 160840, you can see the .ICO decoder is not handling this image correctly. The image data per line is getting shifted by one byte. I'll leave that for an imglib person though :)
Found no dup, so filed bug 160975 for the issue with decoding the image.
Blocks: 160975
*** Bug 161055 has been marked as a duplicate of this bug. ***
This is retentive, but using this order looks better to me since the value of newOffset can just be carried into the second part of the expression to be mangled at will ... this is what working all day on 8086 based embedded systems with unsophisticated compilers will do to you.
Attachment #93912 - Attachment is obsolete: true
Requesting review and nominate for moz 1.1.
Keywords: patch
Component: Layout → Image Conversion Library
taking this
Assignee: attinasi → pavlov
Component: Image Conversion Library → ImageLib
QA Contact: petersen → tpreston
Target Milestone: Future → mozilla1.1beta
Alias: favicon
This bug was fixed in bug 159256 with the same patch (some time after it was suggested here :). Should this be resolved dupe now?
grrr. I _knew_ I had seen the patch before. marking dup; if you want to get the "revised safety check" into the tree, please reopen *** This bug has been marked as a duplicate of 159256 ***
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → DUPLICATE
The revised safety check is for when things have already been shafted horribly. You probably want to put it in as an assertion instead/as well so that instead of the random stacks that were seen, you get an assertion that tells you that a decoder has gone loopy. It would make debugging this sort of issue much easier in future. I'll not reopen this though as adding that assertion is probably the module owner's decision.
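A sketch of the kind of offset check discussed in the comments above (the .ICO rows arriving one byte off per line, and a safety check that flags a decoder writing outside its buffer), added here as an example; it is not the patch from this bug or bug 159256, and not imglib code. `Frame`, `SetRow`, `CopyRows` and the sample bytes are hypothetical, and the stride mismatch is only one assumed way to end up a byte off per row.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Hypothetical stand-in for a decoded frame; not imglib's real type.
struct Frame {
    std::vector<uint8_t> bits;
    explicit Frame(size_t bytes) : bits(bytes, 0) {}
};

// DIB rows, as stored in BMP and ICO files, are padded to a multiple of 4 bytes.
size_t DibStride(size_t width, size_t bitsPerPixel) {
    return ((width * bitsPerPixel + 31) / 32) * 4;
}

// Checked write: rejects any range not wholly inside the frame. Written
// without computing offset + count, so the test itself cannot wrap around.
bool SetRow(Frame& f, size_t offset, const uint8_t* src, size_t count) {
    if (offset > f.bits.size() || count > f.bits.size() - offset)
        return false;  // report the bad offset instead of writing
    std::memcpy(f.bits.data() + offset, src, count);
    return true;
}

// Copies `rows` rows, reading each at r * srcStride and writing `count` bytes
// at r * dstStep. Returns the number of rows written before the first refusal.
size_t CopyRows(Frame& f, const std::vector<uint8_t>& src, size_t rows,
                size_t srcStride, size_t count, size_t dstStep) {
    for (size_t r = 0; r < rows; ++r) {
        size_t from = r * srcStride;
        if (from > src.size() || count > src.size() - from)
            return r;  // source data shorter than the header claimed
        if (!SetRow(f, r * dstStep, src.data() + from, count))
            return r;
    }
    return rows;
}

// Constructed sample: 4 rows of a 3-pixel-wide, 8-bit image, one pad byte each.
std::vector<uint8_t> SampleRows() {
    return {0x11, 0x12, 0x13, 0x00, 0x21, 0x22, 0x23, 0x00,
            0x31, 0x32, 0x33, 0x00, 0x41, 0x42, 0x43, 0x00};
}

int main() {
    Frame f(12);  // 3 x 4 pixels, tightly packed
    return CopyRows(f, SampleRows(), 4, DibStride(3, 8), 4, 4) == 3 ? 0 : 1;
}
```

Reading the sample with a source stride of 3 instead of 4 still succeeds but starts each row one byte earlier than the last, while writing padded rows at a padded step is refused on the fourth row instead of running past the 12-byte frame.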
Attached image favicon from ivw
unfortunately I'm not sure that this is the icon that triggered this bug
Alias: favicon
Summary: Mozilla crashes when specific URL is accessed → Mozilla crashes when specific URL is accessed