browser crashes rendering this animated gif

RESOLVED FIXED

Core
ImageLib
--
critical
15 years ago
14 years ago

People

(Reporter: Ryan Hamilton, Assigned: tor)

Tracking

({crash, fixed1.4.2, qawanted})

Trunk
Points:
---
Bug Flags:
blocking1.4.2 +

(Reporter)

Description

15 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i386; en-US; rv:1.4b) Gecko/20030516 Mozilla Firebird/0.6
Build Identifier: Mozilla/5.0 (X11; U; Linux i386; en-US; rv:1.4b) Gecko/20030516 Mozilla Firebird/0.6

In mozilla for FreeBSD, this page hangs mozilla as it renders.
In mozilla for OSX, this page crashes mozilla when you interact with mozilla 
after it renders.
In mozilla for Windows, this page crashes mozilla when closing the page (I don't
have a windows box, but a friend reported this...)

Reproducible: Always

Steps to Reproduce:
1. visit http://music.optimism.cc/
2. wait for page to load
3. try to do anything with browser - it is now hung (or crashed)

Actual Results:  
browser crashed :)

Expected Results:  
not crash :)  (I don't mean to be silly)

Comment 1

15 years ago
Works for me 20031012 PC/Win2000

The build you are testing on is 5 months old.  Please reopen bug if you can
reproduce this on a current build.
Severity: blocker → critical
Status: UNCONFIRMED → RESOLVED
Last Resolved: 15 years ago
Keywords: crash
OS: All → Linux
Resolution: --- → WORKSFORME
(Reporter)

Comment 2

15 years ago
I just downloaded firebird 0.7 for my mac and it still crashes.  This time I was able to click to
the next page before it died...

Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.5) Gecko/20031007 Firebird/0.7
Status: RESOLVED → UNCONFIRMED
Resolution: WORKSFORME → ---

Comment 3

15 years ago
This crashed my browser too. The page loaded fine, but once I clicked a link
Firebird was gone.

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5) Gecko/20031007 Firebird/0.7
Same on Mozilla 1.4.1 Gecko/20031008
moving to Browser

Adding keyword qawanted because more info on the cause of the crash is needed.
Assignee: blake → general
Status: UNCONFIRMED → NEW
Component: General → Browser-General
Ever confirmed: true
Keywords: qawanted
Product: Firebird → Browser
QA Contact: general
Version: unspecified → 1.0 Branch
(Reporter)

Comment 4

15 years ago
I have refined the problem to rendering this particular image file
http://music.optimism.cc/images/bg_copper4.gif
It is a gif which seems to take quite a while to load.  If I pull that
up in firebird, it will wait perhaps 5 seconds after the image appears
to display the dimensions.  Then <30 seconds later (without any
interaction by me) firebird will crash :(

Comment 5

15 years ago
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.6a) Gecko/20031017
Loading http://music.optimism.cc/images/bg_copper4.gif crashes:

Crash in MSVCRT.DLL 6.10.8637.0
Mozilla 1.6a 2003101704
SiS6326m.drv 4.11.01.1280

Stack Summary was showing:
3 calls to MSVCRT.DLL .text+ 0xc710, 0xbcf7, 0x26
5 calls JS3250.DLL .text+0x3e379, 0x390f2, 0x38fc6, 0x38c09, 0x3efb
6 calls to GKLAYOUT.DLL
call to CHROME.DLL .text+0x563

filed a Talkback record, but Talkback seems to be unable to connect to
http://talkback.mozilla.org/spiral-bin/Collector.dll

Comment 6

15 years ago
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.6a) Gecko/20031017
Loaded gif multiple times, crash after about 7 seconds.
Did download it with Netscape4.8 :-) and Mozilla crashed, when I opened the
local file.
Irfanview is showing an animation.

I assume this bug could be reduced to the gif, so I'm editing title and URL
title was: browser crashes rendering this page
URL was: http://music.optimism.cc/

gif properties as seen from irfanview:
Compression: GIF - 54 images
original size: 30x51 pixels
current size: 1600x51 pixels
colours: 256 (8 bit/pixel)
Disk Size: 94558 bytes
Memory Size: 82624 bytes

Data from DocWatson:
Last stack summary was showing ( loaded locally )

1 call  to MSVCRT.DLL .text + 0x1fa
2 calls to GKGFXWIN.DLL .text + 0xde73, 0x15fff
2 calls to IMGLIB2.DLL .text + 0x54d3, 0x513f
1 call  to XPCOM.DLL .text + 0x2a0b3
1 call  to APPSHELL.DLL .text + 0x6756
2 calls to MOZILLA.EXE .text + 0x9e7, 0x1f0f
Kernel32!ApplicationStartup

Summary before was showing same names, with different offsets.
1 call  to MSVCRT.DLL .text + 0x1fa
2 calls to GKGFXWIN.DLL .text + 0xe291, 0x16179
2 calls to IMGLIB2.DLL .text + 0x4d4b, 0x49b7
1 call  to XPCOM.DLL .text + 0x298da
1 call  to APPSHELL.DLL .text + 0x70ee
2 calls to MOZILLA.EXE .text + 0xa02, 0x1f5c
Kernel32!ApplicationStartup
Assignee: general → jdunn
Component: Browser-General → ImageLib
OS: Linux → All
Summary: browser crashes rendering this page → browser crashes rendering this animated gif

Comment 7

15 years ago
tested with Mozilla 1.0.2, no crash, gif ok
tested with Mozilla 1.3.1, crash

Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.3.1) Gecko/20030425
Talkbacks sent to talkback5.netscape.com or something like that.

TB24525786E loading the URL
TB24525963Q loading the local copy

Don't know if these Talkbacks from old 1.3.1 are of any use.
Talkback in recent windows trunk builds can't connect to talkback.mozilla.org ...
Version: 1.0 Branch → Trunk

Comment 8

15 years ago
a stack isn't going to be particularly useful.  this is memory corruption. 
valgrind says:

Invalid memory access of size 1
 imgContainerGIF::SetMaskVisibility (imgContainerGIF.cpp:920)
 imgContainerGIF::BuildCompositeMask (imgContainerGIF.cpp:712)
 imgContainerGIF::DoComposite (imgContainerGIF.cpp:656)
 imgContainerGIF::Notify (imgContainerGIF.cpp:434)
 nsTimerImpl::Fire (nsTimerImpl.cpp:385)
Address 0x460C83FF is 3 bytes after a block of size 204 alloc'd
 malloc (vg_replace_malloc.c:153)
 operator new (in /usr/lib/libstdc++.so.5.0.5) 
 __builtin_vec_new (nsAppRunner.cpp:160)
 operator new[] (vg_replace_malloc.c:210)
 nsImageGTK::Init (nsImageGTK.cpp:193)
 gfxImageFrame::Init (gfxImageFrame.cpp:122)
 imgContainerGIF::DoComposite (imgContainerGIF.cpp:562)
 imgContainerGIF::Notify (imgContainerGIF.cpp:434)
(Assignee)

Comment 9

14 years ago
Created attachment 133960 [details] [diff] [review]
fix overlay overlap check

The gif in question has an overlay that walks off the gif logical screen
area.  The test for this in SetMaskVisibility wanted it off in both x and y,
but this image just walks horizontally.
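
The guard described in comment 9, as an added example (a simplified model written for this page, not Mozilla's imgContainerGIF code and not the attached patch): it contrasts a both-axes emptiness test with an either-axis one. The 30x51 screen comes from the IrfanView data in comment 6; the 1-bit mask with 4-byte rows is an assumption that matches the 204-byte block in the valgrind report; the frame at x = 56 and all names are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout: 30x51 screen, 1-bit mask, 4-byte rows, 204-byte buffer. */
enum { SCREEN_W = 30, SCREEN_H = 51, ROW_BYTES = 4, MASK_BYTES = 204 };
/* stray = writes past the buffer; they are counted, never performed. */
typedef struct { size_t written, stray, first_stray; } result_t;
static int min_int(int a, int b) { return a < b ? a : b; }

/* Marks a frame rectangle visible in the mask; x, y >= 0 as in GIF offsets.
 * fixed = 0 models the pre-fix guard (return only when the rectangle is
 * empty in BOTH axes); fixed = 1 returns when it is empty in EITHER axis. */
static result_t set_mask_visible(uint8_t *mask, int x, int y, int w, int h,
                                 int fixed)
{
    result_t r = {0, 0, 0};
    int cw = min_int(w, SCREEN_W - x); /* visible width, <= 0 if off screen */
    int ch = min_int(h, SCREEN_H - y); /* visible height */
    if (fixed ? (cw <= 0 || ch <= 0) : (cw <= 0 && ch <= 0))
        return r;
    for (int row = y; row < y + ch; row++) {
        int px = x, left = cw;
        do { /* body trusts the guard to have ensured left > 0 */
            size_t off = (size_t)row * ROW_BYTES + (size_t)(px >> 3);
            if (off < (size_t)MASK_BYTES) {
                mask[off] |= (uint8_t)(0x80 >> (px & 7));
                r.written++;
            } else if (r.stray++ == 0) {
                r.first_stray = off;
            }
            px++;
        } while (--left > 0);
    }
    return r;
}

int main(void)
{
    uint8_t mask[MASK_BYTES];
    for (int fixed = 0; fixed <= 1; fixed++) {
        memset(mask, 0, sizeof mask);
        /* Constructed frame: a 30x51 overlay that has moved right to x = 56. */
        result_t r = set_mask_visible(mask, 56, 0, 30, 51, fixed);
        printf("fixed=%d written=%zu stray=%zu first_stray=%zu\n",
               fixed, r.written, r.stray, r.first_stray);
    }
    return 0;
}
```

With the both-axes guard the constructed frame produces 50 writes that land in other rows' bytes and one write at offset 207, which is 3 bytes past the 204-byte block; with the either-axis guard nothing is written.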
(Assignee)

Updated

14 years ago
Attachment #133960 - Flags: review?(paper)
Attachment #133960 - Flags: approval1.6a?
Attachment #133960 - Flags: approval1.4.2?
(Assignee)

Comment 10

14 years ago
Taking bug.
Assignee: jdunn → tor
(Assignee)

Updated

14 years ago
Flags: blocking1.6a?
Flags: blocking1.4.2?

Updated

14 years ago
Attachment #133960 - Flags: review?(paper) → review+
(Assignee)

Updated

14 years ago
Attachment #133960 - Flags: superreview?(blizzard)
Attachment #133960 - Flags: superreview?(blizzard) → superreview+

Comment 11

14 years ago
Comment on attachment 133960 [details] [diff] [review]
fix overlay overlap check

a=asa (on behalf of drivers) for checkin to 1.6alpha
Attachment #133960 - Flags: approval1.6a? → approval1.6a+
(Assignee)

Comment 12

14 years ago
Checked in on trunk.
Status: NEW → RESOLVED
Last Resolved: 15 years ago → 14 years ago
Resolution: --- → FIXED

Updated

14 years ago
Flags: blocking1.6a?

Comment 13

14 years ago
Thanks, works for me now, tested on gif and on URL.
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.6a) Gecko/20031024

Comment 14

14 years ago
Comment on attachment 133960 [details] [diff] [review]
fix overlay overlap check

a=mkaply for 1.4.2
Attachment #133960 - Flags: approval1.4.2? → approval1.4.2+

Updated

14 years ago
Flags: blocking1.4.2? → blocking1.4.2+

Comment 15

14 years ago
Fixed on 1.4.x branch.
Keywords: fixed1.4.2