Closed Bug 222293 Opened 21 years ago Closed 21 years ago

browser crashes rendering this animated gif

Categories

(Core :: Graphics: ImageLib, defect)

defect
Not set
critical

Tracking

RESOLVED FIXED

People

(Reporter: ryan, Assigned: tor)

Details

(Keywords: crash, fixed1.4.2, qawanted)

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (X11; U; Linux i386; en-US; rv:1.4b) Gecko/20030516 Mozilla Firebird/0.6
Build Identifier: Mozilla/5.0 (X11; U; Linux i386; en-US; rv:1.4b) Gecko/20030516 Mozilla Firebird/0.6

In mozilla for FreeBSD, this page hangs mozilla as it renders.
In mozilla for OSX, this page crashes mozilla when you interact with mozilla
after it renders.
In mozilla for Windows, this page crashes mozilla when closing the page (I don't
have a windows box, but a friend reported this...)

Reproducible: Always

Steps to Reproduce:
1. visit http://music.optimism.cc/
2. wait for page to load
3. try to do anything with browser - it is now hung (or crashed)

Actual Results:  
browser crashed :)

Expected Results:  
not crash :)  (I don't mean to be silly)
Works for me 20031012 PC/Win2000

The build you are testing on is 5 months old.  Please reopen bug if you can
reproduce this on a current build.
Severity: blocker → critical
Status: UNCONFIRMED → RESOLVED
Closed: 21 years ago
Keywords: crash
OS: All → Linux
Resolution: --- → WORKSFORME
I just downloaded firebird 0.7 for my mac and it still crashes.  This time I was able to click to
the next page before it died...

Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.5) Gecko/20031007 Firebird/0.7
Status: RESOLVED → UNCONFIRMED
Resolution: WORKSFORME → ---
This crashed my browser too. The page loaded fine, but once I clicked a link
Firebird was gone.

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5) Gecko/20031007 Firebird/0.7
Same on Mozilla 1.4.1 Gecko/20031008
moving to Browser

Adding keyword qawanted because more info on the cause of the crash is needed.
Assignee: blake → general
Status: UNCONFIRMED → NEW
Component: General → Browser-General
Ever confirmed: true
Keywords: qawanted
Product: Firebird → Browser
QA Contact: general
Version: unspecified → 1.0 Branch
I have refined the problem to rendering this particular image file
http://music.optimism.cc/images/bg_copper4.gif
It is a gif which seems to take quite a while to load.  If I pull that
up in firebird, it will wait perhaps 5 seconds after the image appears
to display the dimensions.  Then <30 seconds later (without any
interaction by me) firebird will crash :(
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.6a) Gecko/20031017
Loading http://music.optimism.cc/images/bg_copper4.gif crashes:

Crash in MSVCRT.DLL 6.10.8637.0
Mozilla 1.6a 2003101704
SiS6326m.drv 4.11.01.1280

Stack Summary was showing:
3 calls to MSVCRT.DLL .text+ 0xc710, 0xbcf7, 0x26
5 calls JS3250.DLL .text+0x3e379, 0x390f2, 0x38fc6, 0x38c09, 0x3efb
6 calls to GKLAYOUT.DLL
call to CHROME.DLL .text+0x563

filed a Talkback record, but Talkback seems to be unable to connect to
http://talkback.mozilla.org/spiral-bin/Collector.dll
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.6a) Gecko/20031017
Loaded gif multiple times, crash after about 7 seconds.
Did download it with Netscape4.8 :-) and Mozilla crashed, when I opened the
local file.
Irfanview is showing an animation.

I assume this bug could be reduced to the gif, so I'm editing title and URL
title was: browser crashes rendering this page
URL was: http://music.optimism.cc/

gif properties as seen from irfanview:
Compression: GIF - 54 images
original size: 30x51 pixels
current size: 1600x51 pixels
colours: 256 (8 bit/pixel)
Disk Size: 94558 bytes
Memory Size: 82624 bytes

Data from DocWatson:
Last stack summary was showing ( loaded locally )

1 call  to MSVCRT.DLL .text + 0x1fa
2 calls to GKGFXWIN.DLL .text + 0xde73, 0x15fff
2 calls to IMGLIB2.DLL .text + 0x54d3, 0x513f
1 call  to XPCOM.DLL .text + 0x2a0b3
1 call  to APPSHELL.DLL .text + 0x6756
2 calls to MOZILLA.EXE .text + 0x9e7, 0x1f0f
Kernel32!ApplicationStartup

Summary before was showing same names, with different offsets.
1 call  to MSVCRT.DLL .text + 0x1fa
2 calls to GKGFXWIN.DLL .text + 0xe291, 0x16179
2 calls to IMGLIB2.DLL .text + 0x4d4b, 0x49b7
1 call  to XPCOM.DLL .text + 0x298da
1 call  to APPSHELL.DLL .text + 0x70ee
2 calls to MOZILLA.EXE .text + 0xa02, 0x1f5c
Kernel32!ApplicationStartup
Assignee: general → jdunn
Component: Browser-General → ImageLib
OS: Linux → All
Summary: browser crashes rendering this page → browser crashes rendering this animated gif
tested with Mozilla 1.0.2, no crash, gif ok
tested with Mozilla 1.3.1, crash

Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.3.1) Gecko/20030425
Talkbacks sent to talkback5.netscape.com or something like that.

TB24525786E loading the URL
TB24525963Q loading the local copy

Don't know, if these Talkbacks from old 1.3.1 are of any use.
Talkback in recent windows trunk builds can't connect to talkback.mozilla.org ...
Version: 1.0 Branch → Trunk
a stack isn't going to be particularly useful.  this is memory corruption. 
valgrind says:

Invalid memory access of size 1
 imgContainerGIF::SetMaskVisibility (imgContainerGIF.cpp:920)
 imgContainerGIF::BuildCompositeMask (imgContainerGIF.cpp:712)
 imgContainerGIF::DoComposite (imgContainerGIF.cpp:656)
 imgContainerGIF::Notify (imgContainerGIF.cpp:434)
 nsTimerImpl::Fire (nsTimerImpl.cpp:385)
Address 0x460C83FF is 3 bytes after a block of size 204 alloc'd
 malloc (vg_replace_malloc.c:153)
 operator new (in /usr/lib/libstdc++.so.5.0.5) 
 __builtin_vec_new (nsAppRunner.cpp:160)
 operator new[] (vg_replace_malloc.c:210)
 nsImageGTK::Init (nsImageGTK.cpp:193)
 gfxImageFrame::Init (gfxImageFrame.cpp:122)
 imgContainerGIF::DoComposite (imgContainerGIF.cpp:562)
 imgContainerGIF::Notify (imgContainerGIF.cpp:434)
The gif in question has an overlay that it walks off the gif logical screen
area.  The test for this in SetMaskVisibility wanted it off in both x and y,
but this image just walks horizontally.
Attachment #133960 - Flags: review?(paper)
Attachment #133960 - Flags: approval1.6a?
Attachment #133960 - Flags: approval1.4.2?
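
The flaw described in the comment above, as an added example that is not part of the bug thread, the Mozilla source or attachment 133960: a simplified C model of a clipping routine whose early-return test rejects an overlay only when it is off the logical screen in both axes, next to the corrected either-axis test. The 1-bit mask layout (30x51 pixels, 4-byte rows, 204 bytes), the clip-then-test structure, the function signature and the frame position x = 60 are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not Mozilla source: a 1-bit-per-pixel mask for a
 * 30x51 logical screen, rows padded to 4 bytes -> 4 * 51 = 204 bytes. */
enum { SCREEN_W = 30, SCREEN_H = 51, ROW_BYTES = 4,
       MASK_SIZE = ROW_BYTES * SCREEN_H };

static int min_int(int a, int b) { return a < b ? a : b; }

/* Marks overlay rectangle (x, y, w, h) visible; assumes x >= 0 and y >= 0.
 * strict == 0: bail out only if clipped away in BOTH axes (flawed test).
 * strict != 0: bail out if clipped away in EITHER axis (corrected test).
 * Returns the highest byte offset that falls past the end of the mask, or
 * -1 if every access is in bounds. Stray accesses are only recorded, never
 * performed, so the demo itself stays memory-safe. */
static long set_mask_visibility(uint8_t *mask, int x, int y,
                                int w, int h, int strict)
{
    int cw = min_int(w, SCREEN_W - x);  /* <= 0 when off the right edge  */
    int ch = min_int(h, SCREEN_H - y);  /* <= 0 when off the bottom edge */
    int off_x = cw <= 0, off_y = ch <= 0;
    long worst = -1;

    if (strict ? (off_x || off_y) : (off_x && off_y))
        return -1;                      /* nothing on screen to mark */

    for (int row = y; row < y + ch; row++) {
        int px = x;
        do {  /* modelled: leftmost byte is touched before cw is consulted */
            long at = (long)row * ROW_BYTES + (px >> 3);
            if (at >= MASK_SIZE) { if (at > worst) worst = at; }
            else mask[at] |= (uint8_t)(0x80 >> (px & 7));
        } while (++px < x + cw);
    }
    return worst;
}

int main(void)
{
    uint8_t mask[MASK_SIZE] = {0};
    /* Constructed frame: overlay walked to x = 60, still at y = 0. */
    printf("flawed test:    %ld\n", set_mask_visibility(mask, 60, 0, 30, 51, 0));
    printf("corrected test: %ld\n", set_mask_visibility(mask, 60, 0, 30, 51, 1));
    return 0;
}
```

In this model the flawed test lets the frame through and the last row's access lands at offset 207, three bytes past the 204-byte buffer. The same call also sets bits in neighbouring rows, which stay inside the allocation and so would not be flagged by a tool like valgrind.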
Taking bug.
Assignee: jdunn → tor
Flags: blocking1.6a?
Flags: blocking1.4.2?
Attachment #133960 - Flags: review?(paper) → review+
Attachment #133960 - Flags: superreview?(blizzard)
Attachment #133960 - Flags: superreview?(blizzard) → superreview+
Comment on attachment 133960 [details] [diff] [review]
fix overlay overlap check

a=asa (on behalf of drivers) for checkin to 1.6alpha
Attachment #133960 - Flags: approval1.6a? → approval1.6a+
Checked in on trunk.
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Flags: blocking1.6a?
Thanks, works for me now, tested on gif and on URL.
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.6a) Gecko/20031024
Comment on attachment 133960 [details] [diff] [review]
fix overlay overlap check

a=mkaply for 1.4.2
Attachment #133960 - Flags: approval1.4.2? → approval1.4.2+
Flags: blocking1.4.2? → blocking1.4.2+
Fixed on 1.4.x branch.
Keywords: fixed1.4.2