Crash with "Integer divide by zero" exception when opening this web page [@ nsBlender::Blend]

VERIFIED FIXED

Status

--
critical
VERIFIED FIXED
14 years ago
10 years ago

People

(Reporter: egrochowski, Assigned: emaijala+moz)

Tracking

({crash})

Trunk
x86
Windows 2000
crash

Firefox Tracking Flags

(Not tracked)

Attachments

(1 attachment, 1 obsolete attachment)

(Reporter)

Description

14 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8a5) Gecko/20041122
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8a5) Gecko/20041122

I navigate to the above URL and the page starts loading. Before it completes
loading everything on the page I get a crash. 

Reproducible: Always
Steps to Reproduce:
1. Open http://www.chromethegame.com/en/show.php?002

Actual Results:  
Crash - An Application Error dialog box comes up which reads "The exception
integer division divide by zero (0xc0000094) occurred in the application at
location 0x60d01548".

Expected Results:  
Not crash.

I have had this to happen on 2 different computers (Win2000 Pro and WinXP Pro)
both of which have just been upgraded to use Mozilla 1.8a5. 

On one of my computers, I trapped the error in SoftIce and can provide further
details on the stack etc... however since it also generated a Talkback ID which
I submitted, I would rather provide that. 

One of the Talkback ID#'s is: TB2199534Q

Updated

14 years ago
Assignee: general → win32
Component: General → GFX: Win32
Depends on: 228399
Keywords: crash
Product: Mozilla Application Suite → Core
QA Contact: general → ian
Summary: Crash with "Integer divide by zero" exception when opening this web page → Crash with "Integer divide by zero" exception when opening this web page [@ nsBlender::Blend]
Version: unspecified → Trunk
(Reporter)

Comment 1

14 years ago
This page does NOT crash with Firefox 1.0 release on the same Win2000 computer.
(Reporter)

Comment 2

14 years ago
I don't know if this is relevant or not, but after browsing through dependent bug
228399, here is my relevant display info on my Win2000 Pro box:

GeForce 256 DDR graphics card with recent driver revision (6.14.10.6177)
Display resolution is 1280 x 1024 x 32bits and configured to use Large Fonts.

Comment 3

14 years ago
Not able to reproduce with Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US;
rv:1.8a5) Gecko/20041125. TNT2, tried in 16 and 32 bit modes.
(Assignee)

Updated

14 years ago
Assignee: win32 → emaijala
(Assignee)

Comment 4

14 years ago
Created attachment 167175 [details] [diff] [review]
Blender fortification patch

I couldn't reproduce it either, but I suspect blender is called with aWidth ==
0 in some situation. This patch adds a check that nothing shall be done if
width or height is 0.
(Assignee)

Updated

14 years ago
Attachment #167175 - Flags: superreview?(roc)
(Assignee)

Updated

14 years ago
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
(Reporter)

Comment 5

14 years ago
I can reproduce it on Windows XP using an ATI 9700Pro graphics card with a
resolution of 1280 x 1024 x 32 bits (large fonts - 120dpi) using 1.8a5. 

I also just installed the latest nightly:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a6) Gecko/20041126

It still crashes.

I will see about applying the patch in comment #4 and trying to reproduce... I
don't have recent source set up on this computer, so it might take a bit. 
(Reporter)

Comment 6

14 years ago
I applied the patch from comment #4 to the 1.8a5 sources and rebuilt (using VC
7.1) and it did not seem to fix the problem for me?
(Assignee)

Updated

14 years ago
Attachment #167175 - Attachment is obsolete: true
Attachment #167175 - Flags: superreview?(roc)
(Assignee)

Comment 7

14 years ago
This doesn't make sense to me. The stack of TB2199534Q points to line 
if (NS_SUCCEEDED(result)) {
and there's no division on that line. 

Could someone give another talkback ID?
(Reporter)

Comment 8

14 years ago
I just generated another crash with talkback ID of TB2276508Q

Unfortunately, it points to the same line of code (no surprise).

By the way, is the Talkback ID handler smart enough to know which source file
revision to display the line numbers from?

I am able to do this using the release of 1.8 Alpha5.

Should I try it with a more recent nightly?
(Reporter)

Comment 10

14 years ago
hmmm... if the crash is at the line posted in the URL, then Ere's fix from
comment #4 should have stopped the crash from happening??? 

Maybe I screwed up doing my test build? Things have changed since I last built
from source... sigh. I'll try again when I get a chance. Alternatively, if you
provide me with a release build of the affected dll (gkgfx?) that has this fix
in, I can drop it onto my computer's 1.8 alpha5 (or whatever nightly you
suggest) and test it that way. 
(Assignee)

Comment 11

14 years ago
Created attachment 167654 [details] [diff] [review]
Patch v1.1

A new fortification patch. rangeCheck might change the width or height, so the
values must be checked after rangeCheck.
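The check-ordering point made in comments 4 and 11, as an added C example that is not the bug's own patch or Mozilla's nsBlender code: rangeCheck, doBlend, blendV1 and blendV1_1 are hypothetical stand-ins, and since the page does not say what nsBlender::Blend divides by, the horizontal opacity ramp here (step = 256 / width) is a constructed placeholder for that division. The example contrasts the comment 4 placement of the zero check (before rangeCheck, so a rect that rangeCheck clips to zero width still reaches the division) with the comment 11 placement (after rangeCheck), and reports the would-be divide by zero as a return code rather than letting it happen.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum blend_result {
    BLEND_OK = 0,
    BLEND_NOTHING_TO_DO = 1,
    BLEND_WOULD_DIVIDE_BY_ZERO = 2   /* where the real code took the CPU exception */
};

/* Hypothetical rangeCheck: clip the rect (x, y, w, h) to a surfW x surfH surface.
 * As comment 11 says of the real one, it can shrink w or h, possibly to 0. */
static void rangeCheck(int surfW, int surfH, int *x, int *y, int *w, int *h)
{
    if (*x < 0) { *w += *x; *x = 0; }
    if (*y < 0) { *h += *y; *y = 0; }
    if (*x + *w > surfW) *w = surfW - *x;
    if (*y + *h > surfH) *h = surfH - *y;
    if (*w < 0) *w = 0;
    if (*h < 0) *h = 0;
}

/* Constructed stand-in for the blend arithmetic: blend src over dst inside the
 * rect with a horizontal opacity ramp whose step is 256 / w. Both surfaces are
 * 8-bit gray with the same stride. A zero w reaches the division here. */
static enum blend_result doBlend(unsigned char *dst, const unsigned char *src,
                                 int stride, int x, int y, int w, int h)
{
    if (w == 0)
        return BLEND_WOULD_DIVIDE_BY_ZERO;   /* modelled instead of dividing */
    int step = 256 / w;
    for (int row = 0; row < h; row++) {
        for (int col = 0; col < w; col++) {
            int alpha = step * col;
            if (alpha > 255) alpha = 255;
            size_t i = (size_t)(y + row) * (size_t)stride + (size_t)(x + col);
            dst[i] = (unsigned char)((dst[i] * (256 - alpha) + src[i] * alpha) >> 8);
        }
    }
    return BLEND_OK;
}

/* Patch v1 (comment 4): check the caller's width/height, then clip.
 * Misses the case where rangeCheck itself clips them to 0. */
enum blend_result blendV1(unsigned char *dst, const unsigned char *src,
                          int surfW, int surfH, int x, int y, int w, int h)
{
    if (w == 0 || h == 0)
        return BLEND_NOTHING_TO_DO;
    rangeCheck(surfW, surfH, &x, &y, &w, &h);
    return doBlend(dst, src, surfW, x, y, w, h);
}

/* Patch v1.1 (comment 11): clip first, then check the values rangeCheck left. */
enum blend_result blendV1_1(unsigned char *dst, const unsigned char *src,
                            int surfW, int surfH, int x, int y, int w, int h)
{
    rangeCheck(surfW, surfH, &x, &y, &w, &h);
    if (w == 0 || h == 0)
        return BLEND_NOTHING_TO_DO;
    return doBlend(dst, src, surfW, x, y, w, h);
}

#define SURF 8   /* constructed: both surfaces are 8x8, 8-bit gray */

/* Run one variant (1 = patch v1, 2 = patch v1.1) on constructed surfaces
 * (destination all 0, source all 255) and return its result code. */
int runVariant(int variant, int x, int y, int w, int h)
{
    unsigned char dst[SURF * SURF], src[SURF * SURF];
    memset(dst, 0, sizeof dst);
    memset(src, 255, sizeof src);
    return variant == 1 ? blendV1(dst, src, SURF, SURF, x, y, w, h)
                        : blendV1_1(dst, src, SURF, SURF, x, y, w, h);
}

/* Blend a 4x2 rect at the origin with patch v1.1 and return dst row 0, column col. */
int blendedPixel(int col)
{
    unsigned char dst[SURF * SURF], src[SURF * SURF];
    memset(dst, 0, sizeof dst);
    memset(src, 255, sizeof src);
    blendV1_1(dst, src, SURF, SURF, 0, 0, 4, 2);
    return dst[col];
}

int main(void)
{
    /* A 4x4 rect starting at x = 8 lies entirely off an 8-wide surface:
     * rangeCheck clips its width to 0 after v1's check has already passed. */
    printf("v1   off-surface rect: %d\n", runVariant(1, 8, 0, 4, 4));
    printf("v1.1 off-surface rect: %d\n", runVariant(2, 8, 0, 4, 4));
    printf("v1.1 in-range rect:    %d\n", runVariant(2, 0, 0, 4, 2));
    return 0;
}
```

The off-surface rect is the case the first patch could not catch: the caller passes non-zero dimensions, so the comment 4 check passes, and only the clipping inside rangeCheck produces the zero width that reaches the division. Any guard that depends on a value must sit after the last function that can modify it.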
(Assignee)

Comment 12

14 years ago
Please try the new patch and report back the results.
(Reporter)

Comment 13

14 years ago
I can confirm that the new patch works. It prevents the crash!

Updated

14 years ago
Attachment #167654 - Flags: superreview?(roc)
Attachment #167654 - Flags: review?(roc)

Comment 14

14 years ago
Comment on attachment 167654 [details] [diff] [review]
Patch v1.1

rs=me
Attachment #167654 - Flags: superreview?(roc)
Attachment #167654 - Flags: superreview+
Attachment #167654 - Flags: review?(roc)
Attachment #167654 - Flags: review+
(Assignee)

Comment 15

14 years ago
Fix checked in to trunk.
Status: ASSIGNED → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → FIXED
(Reporter)

Comment 16

14 years ago
I can confirm that the bug is fixed in the following nightly build:

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a6) Gecko/20041207

Updated

14 years ago
Status: RESOLVED → VERIFIED
Product: Core → Core Graveyard
Crash Signature: [@ nsBlender::Blend]