
Mozilla crashes when specific URL is accessed

RESOLVED DUPLICATE of bug 159256

Status


Core
ImageLib
P2
critical
16 years ago
4 years ago

People

(Reporter: sb_tec, Assigned: Stuart Parmenter)

Tracking


Trunk
mozilla1.1beta
x86
Windows 2000
crash, regression, testcase
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(URL)

Attachments

(6 attachments, 1 obsolete attachment)

(Reporter)

Description

16 years ago
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.1a) Gecko/20020611
BuildID:    2002061108

Mozilla crashed each time when I went to www.ivwbox.de, using Mozilla on a
Windows 2000 (Service Pack 2) system. The build ID is 2002061108.

Reproducible: Always
Steps to Reproduce:
1. just surf to www.ivwbox.de

Actual Results:  Mozilla crashes

Expected Results:  display the page
This is a regression from M1.0 !

-> Layout

win2k build 20020612..
NTDLL! 778cb9b1()
NTDLL! 778cb733()
_free_base(void * 0x03fc4eb8) line 60
_free_dbg_lk(void * 0x03fc4ed8, int 1) line 1083 + 9 bytes
_free_dbg(void * 0x03fc4ed8, int 1) line 970 + 13 bytes
operator delete(void * 0x03fc4ed8) line 49 + 16 bytes
nsImageWin::CleanUpDIB() line 1016 + 18 bytes
nsImageWin::CreateDDB(void * 0x03fe5a80) line 399
nsImageWin::Draw(nsImageWin * const 0x03fe7338, nsIRenderingContext & {...}, 
void * 0x03fe5a80, int 0, int 0, int 164, int 45, int 292, int 173, int 164, int 
45) line 460
nsRenderingContextImpl::DrawImage(nsRenderingContextImpl * const 0x03f77768, 
imgIContainer * 0x0400ba30, const nsRect * 0x0012e270, const nsPoint * 
0x0012e280) line 922 + 63 bytes
nsImageFrame::Paint(nsImageFrame * const 0x03feb538, nsIPresContext * 
0x03d4c640, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer 
eFramePaintLayer_Overlay, unsigned int 0) line 1362
nsContainerFrame::PaintChild(nsIPresContext * 0x03d4c640, nsIRenderingContext & 
{...}, const nsRect & {...}, nsIFrame * 0x03feb538, nsFramePaintLayer 
eFramePaintLayer_Overlay, unsigned int 0) line 255
nsContainerFrame::PaintChildren(nsIPresContext * 0x03d4c640, nsIRenderingContext 
& {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay, 
unsigned int 0) line 196
nsHTMLContainerFrame::Paint(nsHTMLContainerFrame * const 0x03feb3dc, 
nsIPresContext * 0x03d4c640, nsIRenderingContext & {...}, const nsRect & {...}, 
nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0) line 135
nsContainerFrame::PaintChild(nsIPresContext * 0x03d4c640, nsIRenderingContext & 
{...}, const nsRect & {...}, nsIFrame * 0x03feb3dc, nsFramePaintLayer 
eFramePaintLayer_Overlay, unsigned int 0) line 255
nsBlockFrame::PaintChildren(nsIPresContext * 0x03d4c640, nsIRenderingContext & 
{...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay, 
unsigned int 0) line 5657
nsBlockFrame::Paint(nsBlockFrame * const 0x03feb198, nsIPresContext * 
0x03d4c640, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer 
eFramePaintLayer_Overlay, unsigned int 0) line 5529
nsContainerFrame::PaintChild(nsIPresContext * 0x03d4c640, nsIRenderingContext & 
{...}, const nsRect & {...}, nsIFrame * 0x03feb198, nsFramePaintLayer 
eFramePaintLayer_Overlay, unsigned int 0) line 255
nsContainerFrame::PaintChildren(nsIPresContext * 0x03d4c640, nsIRenderingContext 
& {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay, 
unsigned int 0) line 196
nsTableCellFrame::Paint(nsTableCellFrame * const 0x03feb138, nsIPresContext * 
0x03d4c640, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer 
eFramePaintLayer_Overlay, unsigned int 0) line 516
nsTableRowFrame::PaintChildren(nsIPresContext * 0x03d4c640, nsIRenderingContext 
& {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay, 
unsigned int 0) line 655
nsTableRowFrame::Paint(nsTableRowFrame * const 0x03feae00, nsIPresContext * 
0x03d4c640, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer 
eFramePaintLayer_Overlay, unsigned int 0) line 603
nsTableRowGroupFrame::PaintChildren(nsIPresContext * 0x03d4c640, 
nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer 
eFramePaintLayer_Overlay, unsigned int 0) line 289
nsTableRowGroupFrame::Paint(nsTableRowGroupFrame * const 0x03f1bcfc, 
nsIPresContext * 0x03d4c640, nsIRenderingContext & {...}, const nsRect & {...}, 
nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0) line 238
nsContainerFrame::PaintChild(nsIPresContext * 0x03d4c640, nsIRenderingContext & 
{...}, const nsRect & {...}, nsIFrame * 0x03f1bcfc, nsFramePaintLayer 
eFramePaintLayer_Overlay, unsigned int 0) line 255
nsContainerFrame::PaintChildren(nsIPresContext * 0x03d4c640, nsIRenderingContext 
& {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay, 
unsigned int 0) line 196
nsTableFrame::PaintChildren(nsIPresContext * 0x03d4c640, nsIRenderingContext & 
{...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay, 
unsigned int 0) line 1449
nsTableFrame::Paint(nsTableFrame * const 0x03fe84f0, nsIPresContext * 
0x03d4c640, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer 
eFramePaintLayer_Overlay, unsigned int 0) line 1495
nsContainerFrame::PaintChild(nsIPresContext * 0x03d4c640, nsIRenderingContext & 
{...}, const nsRect & {...}, nsIFrame * 0x03fe84f0, nsFramePaintLayer 
eFramePaintLayer_Overlay, unsigned int 0) line 255
nsTableOuterFrame::Paint(nsTableOuterFrame * const 0x03fe8324, nsIPresContext * 
0x03d4c640, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer 
eFramePaintLayer_Overlay, unsigned int 0) line 375
nsContainerFrame::PaintChild(nsIPresContext * 0x03d4c640, nsIRenderingContext & 
{...}, const nsRect & {...}, nsIFrame * 0x03fe8324, nsFramePaintLayer 
eFramePaintLayer_Overlay, unsigned int 0) line 255
nsBlockFrame::PaintChildren(nsIPresContext * 0x03d4c640, nsIRenderingContext & 
{...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay, 
unsigned int 0) line 5657
nsBlockFrame::Paint(nsBlockFrame * const 0x03fe8104, nsIPresContext * 
0x03d4c640, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer 
eFramePaintLayer_Overlay, unsigned int 0) line 5529
nsContainerFrame::PaintChild(nsIPresContext * 0x03d4c640, nsIRenderingContext & 
{...}, const nsRect & {...}, nsIFrame * 0x03fe8104, nsFramePaintLayer 
eFramePaintLayer_Overlay, unsigned int 0) line 255
nsBlockFrame::PaintChildren(nsIPresContext * 0x03d4c640, nsIRenderingContext & 
{...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay, 
unsigned int 0) line 5657
nsBlockFrame::Paint(nsBlockFrame * const 0x03f1b910, nsIPresContext * 
0x03d4c640, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer 
eFramePaintLayer_Overlay, unsigned int 0) line 5529
nsContainerFrame::PaintChild(nsIPresContext * 0x03d4c640, nsIRenderingContext & 
{...}, const nsRect & {...}, nsIFrame * 0x03f1b910, nsFramePaintLayer 
eFramePaintLayer_Overlay, unsigned int 0) line 255
nsBlockFrame::PaintChildren(nsIPresContext * 0x03d4c640, nsIRenderingContext & 
{...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay, 
unsigned int 0) line 5657
nsBlockFrame::Paint(nsBlockFrame * const 0x03f1b7a4, nsIPresContext * 
0x03d4c640, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer 
eFramePaintLayer_Overlay, unsigned int 0) line 5529
nsContainerFrame::PaintChild(nsIPresContext * 0x03d4c640, nsIRenderingContext & 
{...}, const nsRect & {...}, nsIFrame * 0x03f1b7a4, nsFramePaintLayer 
eFramePaintLayer_Overlay, unsigned int 0) line 255
nsContainerFrame::PaintChildren(nsIPresContext * 0x03d4c640, nsIRenderingContext 
& {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay, 
unsigned int 0) line 196
nsHTMLContainerFrame::Paint(nsHTMLContainerFrame * const 0x03f23164, 
nsIPresContext * 0x03d4c640, nsIRenderingContext & {...}, const nsRect & {...}, 
nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0) line 135
CanvasFrame::Paint(CanvasFrame * const 0x03f23164, nsIPresContext * 0x03d4c640, 
nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer 
eFramePaintLayer_Overlay, unsigned int 0) line 387 + 27 bytes
PresShell::Paint(PresShell * const 0x03d4a7ec, nsIView * 0x03f1b4d8, 
nsIRenderingContext & {...}, const nsRect & {...}) line 5830 + 36 bytes
nsView::Paint(nsView * const 0x03f1b4d8, nsIRenderingContext & {...}, const 
nsRect & {...}, unsigned int 0, int & 1242412) line 280
nsViewManager::RenderDisplayListElement(DisplayListElement2 * 0x03f78c78, 
nsIRenderingContext & {...}) line 1192
nsViewManager::RenderViews(nsView * 0x03f1b238, nsIRenderingContext & {...}, 
const nsRect & {...}, int & 0) line 1141
nsViewManager::Refresh(nsView * 0x03f1b238, nsIRenderingContext * 0x03f77768, 
nsIRegion * 0x03ff6998, unsigned int 1) line 732
nsViewManager::DispatchEvent(nsViewManager * const 0x03fbb3d8, nsGUIEvent * 
0x0012f850, nsEventStatus * 0x0012f764) line 1732
HandleEvent(nsGUIEvent * 0x0012f850) line 83
nsWindow::DispatchEvent(nsWindow * const 0x03f1b2f4, nsGUIEvent * 0x0012f850, 
nsEventStatus & nsEventStatus_eIgnore) line 1026 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012f850, nsEventStatus & 
nsEventStatus_eIgnore) line 1052
nsWindow::OnPaint() line 4698 + 28 bytes
nsWindow::ProcessMessage(unsigned int 15, unsigned int 0, long 0, long * 
0x0012fc94) line 3572 + 17 bytes
nsWindow::WindowProc(HWND__ * 0x003b0470, unsigned int 15, unsigned int 0, long 
0) line 1291 + 27 bytes
USER32! 77e01b60()
USER32! 77e02f29()
USER32! 77e02f4f()
NTDLL! 778a032f()
USER32! 77e083f1()
nsAppShellService::Run(nsAppShellService * const 0x010c5ba8) line 451
main1(int 2, char * * 0x00283160, nsISupports * 0x00000000) line 1456 + 32 bytes
main(int 2, char * * 0x00283160) line 1805 + 37 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77e7d326()
Assignee: sgehani → attinasi
Component: XP Apps → Layout
Keywords: crash, regression
QA Contact: paw → petersen

Comment 2

16 years ago
Confirming for 2002061208 (Win32)

Comment 3

16 years ago
no crash with win98 2002060908
crash with win2k 2002061204 TB7268637G

Comment 4

16 years ago
confirm crash 
on win2kpro Moz1.1 alpha
to dcone; he was touching that stuff last, iirc....
Assignee: attinasi → dcone
Status: UNCONFIRMED → NEW
Ever confirmed: true

Comment 6

16 years ago
*** Bug 151485 has been marked as a duplicate of this bug. ***

Comment 7

16 years ago
From bug 151485:
"Mozilla 1.1a crashed each time when visiting www.ivw.de
It seems to be a problem with the favicon used on this site (buggy?)."
Keywords: testcase

Comment 8

16 years ago
Created attachment 87500 [details]
Testcase with faulty favicon (from bug 151485) that crashes Mozilla

Updated

16 years ago
QA Contact: petersen → moied

Comment 9

16 years ago
Confirm crash on Win95 but not until closing the browser window.
Talkbacks: TB7355024W, TB7355671M
Can't confirm on Linux despite intensive testing.

Both with 1.1a 2002061408.

Updated

16 years ago
Priority: -- → P2

Comment 10

16 years ago
*** Bug 151895 has been marked as a duplicate of this bug. ***

Comment 11

16 years ago
Created attachment 89560 [details] [diff] [review]
Make sure we allocated memory before we delete it.

Comment 12

16 years ago
I know that |delete| is null-safe; e.g., |delete 0| will not crash. Is
|delete[]| _not_ null-safe? I tried this test program, and it appears to work
(on Unix, anyway):

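int main(int argc, char *argv[])
{
    char **p = new char*[1];  // array holding a single pointer
    p[0] = 0;
    delete[] p[0];            // delete[] on a null pointer is a no-op
    delete[] p;               // p came from new[], so it is released with delete[]
    return 0;
}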

So...are we really fixing the problem here? Is it possible that mColorMap->Index
is not being initialized? (Or has already been deleted?)
*** Bug 155341 has been marked as a duplicate of this bug. ***

Comment 14

16 years ago
Looking at this bug.. and where this said it crashes.. and running some tests to
make sure the windows is null safe on delete.. I don't see how that is causing
the crash.  There is a duplicate that also crashes.. but in a different spot.  I
think it crashed in nsImageWin::CleanUpDIB because of an unstable environment.
I can not duplicate this on the branch or trunk.. used windows 2k to test.  The
patch I put in was a shot in the dark to make sure everything was cool.. but a
closer look and doing waterson's test on windows.. I just don't think that's the
cause of anything crashing.
dcone: you can't reproduce the crash?
Have you enabled the favicons?

I crash every time on win2k with the given URL and a win2k trunk build.
(Nvidia card)

MSVC++ reports a hardcoded breakpoint..

Comment 16

16 years ago
I don't really know how to enable those favicons.. but I am using w2k, nvidia
card.. GeForce II, athlon processor. I will keep trying.. but both my machines
run it fine..  What screen depth are you using?
Favicons: Edit\preferences\Appearance\[X] Show Web Site Icons

I'm using a GeForce II MX with 32-bit 1024x768 and recent drivers..

You could access my system if you really can't get it crashing but my system and
MSVC++ is German :-)

Comment 18

15 years ago
I can get this to crash on my HP machine.. but mine crashes in --
consistently, not the GFX method.

SinkContext::FlushTags(int 1) line 1921 + 74 bytes
HTMLContentSink::FlushPendingNotifications(HTMLContentSink * const 0x035c5fd0)
line 5067 + 16 bytes
nsHTMLDocument::FlushPendingNotifications(nsHTMLDocument * const 0x035cb418, int
0, int 0) line 1543 + 23 bytes
nsHTMLDocument::ResolveName(nsHTMLDocument * const 0x035cb5bc, const nsAString &
{...}, nsIDOMHTMLFormElement * 0x00000000, nsISupports * * 0x0012df9c) line 3727
nsHTMLDocumentSH::ResolveImpl(JSContext * 0x034ecd78, nsIXPConnectWrappedNative
* 0x03a31a40, long 49197332, nsISupports * * 0x0012df9c) line 4625 + 33 bytes
nsHTMLDocumentSH::NewResolve(nsHTMLDocumentSH * const 0x02f2bb60,
nsIXPConnectWrappedNative * 0x03a31a40, JSContext * 0x034ecd78, JSObject *
0x037254c0, long 49197332, unsigned int 1, JSObject * * 0x0012e0a0, int *
0x0012e01c) line 4675 + 41 bytes
XPC_WN_Helper_NewResolve(JSContext * 0x034ecd78, JSObject * 0x037254c0, long
49197332, unsigned int 1, JSObject * * 0x0012e1c4) line 904 + 66 bytes
_js_LookupProperty(JSContext * 0x034ecd78, JSObject * 0x037254c0, long 49371408,
JSObject * * 0x0012e2b0, JSProperty * * 0x0012e2a4, const char * 0x013457e0,
unsigned int 2454) line 2250 + 59 bytes
js_GetProperty(JSContext * 0x034ecd78, JSObject * 0x037254c0, long 49371408,
long * 0x0012eee4) line 2454 + 35 bytes
js_Interpret(JSContext * 0x034ecd78, long * 0x0012f104) line 2574 + 2032 bytes
js_Execute(JSContext * 0x034ecd78, JSObject * 0x03393b10, JSScript * 0x039e63e0,
JSStackFrame * 0x00000000, unsigned int 0, long * 0x0012f104) line 968 + 13 bytes
JS_EvaluateUCScriptForPrincipals(JSContext * 0x034ecd78, JSObject * 0x03393b10,
JSPrincipals * 0x030f0b88, const unsigned short * 0x0372f670, unsigned int 177,
const char * 0x0012f21c, unsigned int 15, long * 0x0012f104) line 3379 + 25 bytes
nsJSContext::EvaluateString(nsJSContext * const 0x034ecb90, const nsAString &
{...}, void * 0x03393b10, nsIPrincipal * 0x030f0b84, const char * 0x0012f21c,
unsigned int 15, const char * 0x0132969c, nsAString & {...}, int * 0x0012f168)
line 702 + 85 bytes
Created attachment 90122 [details]
different stack traces..

Sorry, but I now also get different stack traces with my updated build :-(

I got the page completely loaded 1x but I crashed after I hit reload (the last
stack in the attachment)

Comment 20

15 years ago
This is not crashing in GFX.. but in layout somewhere.. like JavaScript
somewhere.  The stack traces change.. but none of the stack traces I get are in
GFX.. they all seem to have JavaScript in there somewhere.
Assignee: dcone → attinasi
QA Contact: moied → petersen

Comment 21

15 years ago
Since I disabled, I don't get a crash accessing www.ivwonline.de or
www.ivw.de (Mozilla Build ID: 2002072108)
Hope this will help someone.

Tri

Updated

15 years ago
Target Milestone: --- → Future
*** Bug 160840 has been marked as a duplicate of this bug. ***
Created attachment 93912 [details] [diff] [review]
Extra safety check to stop crash
Created attachment 93913 [details] [diff] [review]
Patch to fix the cause of the .ICO crash
With these patches and the icon in bug 160840, you can see the .ICO decoder is
not handling this image correctly.  The image data per line is getting shifted
by one byte.  I'll leave that for an imglib person though :)
Found no dup, so filed bug 160975 for the issue with decoding the image.

Updated

15 years ago
Blocks: 160975
*** Bug 161055 has been marked as a duplicate of this bug. ***
Created attachment 94016 [details] [diff] [review]
Revised safety check

This is retentive, but using this order looks better to me since the value of
newOffset can just be carried into the second part of the expression to be
mangled at will ... this is what working all day on 8086 based embedded systems
with unsophisticated compilers will do to you.
Attachment #93912 - Attachment is obsolete: true
Requesting review and nominate for moz 1.1.
Keywords: patch

Updated

15 years ago
Component: Layout → Image Conversion Library
(Assignee)

Comment 30

15 years ago
taking this
Assignee: attinasi → pavlov
Component: Image Conversion Library → ImageLib
QA Contact: petersen → tpreston
Target Milestone: Future → mozilla1.1beta

Updated

15 years ago
Alias: favicon
This bug was fixed in bug 159256 with the same patch (some time after it was
suggested here :).  Should this be resolved dupe now?
grrr. I _knew_ I had seen the patch before.

marking dup; if you want to get the "revised safety check" into the tree, please
reopen

*** This bug has been marked as a duplicate of 159256 ***
Status: NEW → RESOLVED
Last Resolved: 15 years ago
Resolution: --- → DUPLICATE
The revised safety check is for when things have already been shafted
horribly.  You probably want to put it in as an assertion instead/as well
so that instead of the random stacks that were seen, you get an assertion
that tells you that a decoder has gone loopy.  It would make debugging
this sort of issue much easier in future.

I'll not reopen this though as adding that assertion is probably the
module owner's decision.
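
The kind of safety check discussed in the comments above, as an added C++ example that is not part of the original thread and not the attached Mozilla patches (whose contents are not shown on this page): a bounds-checked frame write that rejects the first row a drifting decoder pushes past the allocation. `Frame`, `SetImageData`, `DecodeRows`, `FirstRejectedRow` and the 16x16 sample icon are hypothetical names and constructed data.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Hypothetical frame buffer (not Mozilla's nsImageWin or image container).
struct Frame {
    int height;
    std::size_t rowBytes;            // bytes per decoded row
    std::vector<std::uint8_t> bits;  // height * rowBytes bytes
    Frame(int w, int h, int bpp)
        : height(h), rowBytes(std::size_t(w) * bpp), bits(rowBytes * h) {}
};

// Checked write. The comparison is arranged so that offset + length is never
// computed, which keeps a huge offset from wrapping around the test.
bool SetImageData(Frame& f, const std::uint8_t* src, std::size_t length,
                  std::size_t offset) {
    if (offset > f.bits.size() || length > f.bits.size() - offset)
        return false;  // decoder bug: refuse instead of corrupting the heap
    std::memcpy(f.bits.data() + offset, src, length);
    return true;
}

// Constructed decoder fault: every row is taken to be `extra` bytes too long,
// so the destination offset drifts by `extra` bytes per line.
// Returns the first row whose write was rejected, or -1 if all rows fit.
int DecodeRows(Frame& f, const std::vector<std::uint8_t>& src, std::size_t extra) {
    const std::size_t srcRow = f.rowBytes + extra;
    std::size_t offset = 0;
    for (int row = 0; row < f.height; ++row) {
        if (src.size() - offset < srcRow) return row;  // source exhausted
        if (!SetImageData(f, src.data() + offset, srcRow, offset)) return row;
        offset += srcRow;
    }
    return -1;
}

// Constructed input: a 16x16, 3-bytes-per-pixel icon (768-byte buffer).
int FirstRejectedRow(std::size_t extra) {
    Frame icon(16, 16, 3);
    std::vector<std::uint8_t> src(16 * (icon.rowBytes + extra), 0xAB);
    return DecodeRows(icon, src, extra);
}

int main() {
    std::printf("correct decoder:  %d\n", FirstRejectedRow(0));
    std::printf("one byte per row: %d\n", FirstRejectedRow(1));
    return 0;
}
```

With the one-byte drift, the last row would otherwise end 16 bytes past the 768-byte allocation, the kind of overrun that typically surfaces later as a crash inside the allocator rather than at the faulty write.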
Created attachment 159350 [details]
favicon from ivw

unfortunately I'm not sure that this is the icon that triggered this bug
Alias: favicon
Summary: Mozilla crashes when specific URL is accessed → Mozilla crashes when specific URL is accessed