Closed
Bug 368427
Opened 18 years ago
Closed 18 years ago
Crash [@nsThebesImage::AllowedImageSize, nsThebesImage::Draw] due to "Integer divide by zero"
Categories
(Core :: Graphics, defect, P1)
Tracking
()
VERIFIED
FIXED
People
(Reporter: sciguyryan, Assigned: MatsPalmgren_bugz)
References
Details
(4 keywords)
Crash Data
Attachments
(3 files)
1.38 KB,
patch
|
pavlov
:
review+
pavlov
:
superreview+
|
Details | Diff | Splinter Review |
2.63 KB,
patch
|
pavlov
:
review+
pavlov
:
superreview+
|
Details | Diff | Splinter Review |
1.50 KB,
patch
|
pavlov
:
review+
pavlov
:
superreview+
|
Details | Diff | Splinter Review |
I've reproduced this bug a new times (see talkbacks). http://lxr.mozilla.org/mozilla/source/gfx/src/thebes/nsThebesImage.h#128 is reported in the talkback's as being the source of the "Integer divide by zero" error. TB28759235W, TB28759210Z, TB28759062M, TB28759048K, TB28759016E
Reporter | ||
Comment 1•18 years ago
|
||
My guess is that: NS_ASSERTION(aWidth > 0, "invalid image width"); NS_ASSERTION(aHeight > 0, "invalid image height"); Should be: NS_ENSURE_SUCCESS(aWidth > 0, PR_FALSE); NS_ENSURE_SUCCESS(aHeight > 0, PR_FALSE); Unless its possible to have a 0 width and or a 0 height image.
Reporter | ||
Comment 2•18 years ago
|
||
(In reply to comment #1) > My guess is that: > > NS_ENSURE_SUCCESS(aWidth > 0, PR_FALSE); > NS_ENSURE_SUCCESS(aHeight > 0, PR_FALSE); > > Unless its possible to have a 0 width and or a 0 height image. > Meant to use NS_ENSURE_TRUE sorry :)
Comment 3•18 years ago
|
||
This should be marked dependent on bug 367740 by someone who has rights to do so. Also, it's been reproduced on Linux as well.
Severity: critical → blocker
Flags: blocking1.9?
Keywords: regression
OS: Windows XP → All
Priority: -- → P1
Comment 4•18 years ago
|
||
I'm seeing this on linux too. Both aDWidth and aDHeight are zero in the Draw call: 0xb59efbc0 in nsThebesImage::Draw (this=0x8e44d48, aContext=@0x8e44be4, aSurface=0x8e44c48, aSX=<value optimized out>, aSY=<value optimized out>, aSWidth=165, aSHeight=119, aDX=601, aDY=417, aDWidth=0, aDHeight=0) at /home/chb/mozilla/gfx/src/thebes/nsThebesImage.h:128
Comment 5•18 years ago
|
||
must be because of the aDWidth/aDHeight assignment here in nsThebesImage.cpp: 370 // use '+ 1 - *scale' to get rid of rounding errors 371 aDWidth = (PRInt32)((srcRect.width)*xscale + 1 - xscale); 372 aDHeight = (PRInt32)((srcRect.height)*yscale + 1 - yscale);
Assignee | ||
Comment 8•18 years ago
|
||
(gdb) p mDecoded $1 = {x = 0, y = 0, width = 0, height = 0} when we IntersectRect() with that we end up with aDHeight=0 which causes the division by zero in AllowedImageSize().
Attachment #253029 -
Flags: superreview?(pavlov)
Attachment #253029 -
Flags: review?(pavlov)
Comment 10•18 years ago
|
||
Patch v1 fixes the crashing for me it appears
Updated•18 years ago
|
Attachment #253029 -
Flags: superreview?(pavlov)
Attachment #253029 -
Flags: superreview+
Attachment #253029 -
Flags: review?(pavlov)
Attachment #253029 -
Flags: review+
Assignee | ||
Comment 11•18 years ago
|
||
Checked in to trunk at 2007-01-27 15:35 PST -> FIXED
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Comment 13•18 years ago
|
||
Adding nsThebesImage::AllowedImageSize to summary to prevent more dupes.
Flags: blocking1.9?
Summary: Crash [@nsThebesImage::Draw] due to "Integer divide by zero" → Crash [@nsThebesImage::AllowedImageSize, nsThebesImage::Draw] due to "Integer divide by zero"
Comment 14•18 years ago
|
||
Was seeing this (TB28799332), disappeared with the latest nightly. -> VERIFIED
Status: RESOLVED → VERIFIED
Updated•18 years ago
|
Flags: in-testsuite?
Comment 16•18 years ago
|
||
There is at least one crash in TB after this fix: http://talkback-public.mozilla.org/search/start.jsp?search=2&type=iid&id=28833178 Note the build id 2007012904 nsThebesImage::AllowedImageSize [mozilla\gfx\src\thebes\nsthebesimage.h, line 128] nsThebesImage::Draw [mozilla\gfx\src\thebes\nsthebesimage.cpp, line 383] (Before the fix, it was line 379, not 383)
Assignee | ||
Comment 17•18 years ago
|
||
(In reply to comment #16) > (Before the fix, it was line 379, not 383) Good catch Olli, thanks. Apparently there is a nsThebesImage::Draw() call with aDHeight == 0. As far as I understand this code, that shouldn't be allowed and the caller is to blame. I haven't been able to reproduce the bug yet though so I don't where the call came from...
Assignee | ||
Comment 18•18 years ago
|
||
This should take care of it for now...
Attachment #253344 -
Flags: superreview?(pavlov)
Attachment #253344 -
Flags: review?(pavlov)
Updated•18 years ago
|
Attachment #253344 -
Flags: superreview?(pavlov)
Attachment #253344 -
Flags: superreview+
Attachment #253344 -
Flags: review?(pavlov)
Attachment #253344 -
Flags: review+
Assignee | ||
Comment 19•18 years ago
|
||
Comment on attachment 253344 [details] [diff] [review] Additional patch Checked in to trunk at 2007-01-30 14:52 PST
Comment 20•18 years ago
|
||
There is still something wrong :( http://talkback-public.mozilla.org/search/start.jsp?search=2&type=iid&id=28930489 BuildID 2007020104 nsThebesImage::AllowedImageSize [mozilla\gfx\src\thebes\nsthebesimage.h, line 128] nsThebesImage::Draw [mozilla\gfx\src\thebes\nsthebesimage.cpp, line 388]
Assignee | ||
Comment 21•18 years ago
|
||
Let's wallpaper the issue once and for all. Hopefully someone will spot the assertions in a debug build someday and file a bug on it...
Attachment #253765 -
Flags: superreview?(pavlov)
Attachment #253765 -
Flags: review?(pavlov)
Updated•18 years ago
|
Attachment #253765 -
Flags: superreview?(pavlov)
Attachment #253765 -
Flags: superreview+
Attachment #253765 -
Flags: review?(pavlov)
Attachment #253765 -
Flags: review+
Assignee | ||
Comment 22•17 years ago
|
||
Comment on attachment 253765 [details] [diff] [review] Third patch Checked in to trunk at 2007-02-08 05:52 PST
Updated•13 years ago
|
Crash Signature: [@nsThebesImage::AllowedImageSize, nsThebesImage::Draw]
You need to log in
before you can comment on or make changes to this bug.
Description
•