Closed Bug 166886 Opened 23 years ago Closed 23 years ago

Crash while loading sourceforge.net (on a debug build)

Categories

(Core :: Graphics: ImageLib, defect, P1)

Product:
Core
Component:
Graphics: ImageLib
Platform:
DEC
OSF/1
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.2alpha

People

(Reporter: shanmu, Assigned: Biesinger)

References

(
URL
)

Details

(Keywords: crash)

Attachments

(2 files, 1 obsolete file)

very well... using memcpy, removing DOCOPY
6.23 KB, patch
jesup
: review+
tor
: superreview+
jesup
: approval+
Details | Diff | Splinter Review
sf favicon
894 bytes, image/x-icon
Details
Mozilla's debug build crashed everytime, on a Tru64 UNIX, while loading the page sourceforge.net. Debugging this stuff revealed a bug in "./modules/libpr0n/decoders/bmp/nsICODecoder.cpp" in the routine nsICODecoder::ProcessDirEntry. This has a call DOCOPY(&aTarget.mImageOffset, mDirEntryArray+12); while DOCOPY is defined as #define DOCOPY(dest, src) memcpy(dest, src, sizeof(dest)) The third argument in memcpy is the one that is causing the problem. It gets the sizeof(dest) while dest is the size of the address (&aTarget.mImageOffset). This is 64 in 64 bit OS. We only need 32 bitsPRUint32 because IconDirEntry::mImageOffset is defined as PRUint32 This wipes out the adjacent memory and causes crash, while the content of the address which was stored in that memory is accessed later. In order to solve this we can change the DOCOPYs from DOCOPY(&aTarget.mImageOffset, mDirEntryArray+12); to DOCOPY(aTarget.mImageOffset, mDirEntryArray+12); and the definition of DOCOPY from #define DOCOPY(dest, src) memcpy(dest, src, sizeof(dest)) to #define DOCOPY(dest, src) memcpy(&dest, src, sizeof(dest)) This solved the problem. I can give the full diffs if there is no objection to this.
-> Stuart
Assignee: asa → pavlov
Status: UNCONFIRMED → NEW
Component: Browser-General → ImageLib
Ever confirmed: true
QA Contact: asa → tpreston
taking bug as I wrote this stuff
Assignee: pavlov → cbiesinger
Priority: -- → P1
Target Milestone: --- → mozilla1.2alpha
actually that's the ICO decoder which hyatt wrote, not I :) anyway, I'll fix this.
ok that code was completely broken. (this macro was part of the stuff I did write :) ). I'll attach a slight variant of the suggested patch which should be safer. nominating for 1.0.2.
Status: NEW → ASSIGNED
Keywords: crash, mozilla1.0.2
Attached patch patch (obsolete) — Splinter Review
paper or stuart, could one of you review this patch? shanmu, could you verify if the patch fixes your crash?
Keywords: patch, review
This patch fixed the crash.
crash -> critical
Severity: major → critical
Comment on attachment 97996 [details] [diff] [review] patch Actually, I don't think I would use a macro for this. It only saves you one argument; it relies on something rather ambiguous to humans to make it function correctly; and in source, the casual reader will be significantly more familiar with |memcpy| than with |DOCOPY|. Not to mention the fact that macro's are best avoided in general, particularly where they don't do the magic of conditional definition. My advice: eliminate the macro, use straight |memcpy|s throughout.
scc, could you review this patch?
If you want I'll give an r= for that patch. However, given a choice(*) I'd rather you cast your void/char pointer to the structure you're copying from and just use structure copies. (*) the case where doing that wouldn't be good is if you expected that some platforms wouldn't like longword accesses on odd boundaries (not normally a problem in modern times), or if you expected this to be byte-misaligned and thought that the compiler might do better inlining a series of memcpy's than doing a structure copy, or if only small isolated parts of the structure were being copied into a different structure (though in that case I'd still want you to make a structure pointer to pull them out). IMHO. Lots of memcpy's for 2 or 4 bytes is silly, even if the compiler _might_ optimize them away.
um, jesup, are you really sure that every compiler will byte-align the structure?
Yeah, good point. It would require making sure the source structure was correctly packed on each compiler, which is a pain. I still dislike the memcpy()'s and would prefer something like: foo.bar = *((PRUint32 *) (mypointer + 6)); Which you could combine with your 32->64 bit conversions, but as you mentioned in IRC these are done once per BMP so it's not important. r=rjesup@wgate.com
(patch keyword does not apply here)
Keywords: patch
Comment on attachment 98572 [details] [diff] [review] very well... using memcpy, removing DOCOPY While I agree that many memcpy()s is somewhat gross, it looks somewhat cleaner than the same amount of pointer casting. sr=tor
Attachment #98572 - Flags: superreview+
Comment on attachment 98572 [details] [diff] [review] very well... using memcpy, removing DOCOPY r=pavlov
ok, checked in. this crash should be fixed now.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Comment on attachment 98572 [details] [diff] [review] very well... using memcpy, removing DOCOPY a=rjesup@wgate.com for 1.0 branch. CHange mozilla1.0.2+ to fixed1.0.2 when checked in
Attachment #98572 - Flags: approval+
fixed on 1.0 branch.
Keywords: mozilla1.0.2+fixed1.0.2
Verified win xp branch build 2002091908, linux branch build 2002091906 and Mac os x branch build 2002091905
Keywords: fixed1.0.2verified1.0.2
Attached image sf favicon
unfortunately I'm not sure that this is the icon that triggered this bug
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: