Closed Bug 368427 Opened 18 years ago Closed 18 years ago

Crash [@nsThebesImage::AllowedImageSize, nsThebesImage::Draw] due to "Integer divide by zero"

Categories

(Core :: Graphics, defect, P1)

Product:
Core
Component:
Graphics
Platform:
x86
All
Type:
defect

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: sciguyryan, Assigned: MatsPalmgren_bugz)

References

Details

(4 keywords)

Crash Data

Attachments

(3 files)

Patch rev. 1
1.38 KB, patch
pavlov
: review+
pavlov
: superreview+
Details | Diff | Splinter Review
Additional patch
2.63 KB, patch
pavlov
: review+
pavlov
: superreview+
Details | Diff | Splinter Review
Third patch
1.50 KB, patch
pavlov
: review+
pavlov
: superreview+
Details | Diff | Splinter Review 
I've reproduced this bug a new times (see talkbacks).

http://lxr.mozilla.org/mozilla/source/gfx/src/thebes/nsThebesImage.h#128 is reported in the talkback's as being the source of the "Integer divide by zero" error.

TB28759235W, TB28759210Z, TB28759062M, TB28759048K, TB28759016E
My guess is that:

NS_ASSERTION(aWidth > 0, "invalid image width");
NS_ASSERTION(aHeight > 0, "invalid image height");

Should be:

NS_ENSURE_SUCCESS(aWidth > 0, PR_FALSE);
NS_ENSURE_SUCCESS(aHeight > 0, PR_FALSE);

Unless its possible to have a 0 width and or a 0 height image.
(In reply to comment #1)
> My guess is that:
> 
> NS_ENSURE_SUCCESS(aWidth > 0, PR_FALSE);
> NS_ENSURE_SUCCESS(aHeight > 0, PR_FALSE);
> 
> Unless its possible to have a 0 width and or a 0 height image.
> 

Meant to use NS_ENSURE_TRUE sorry :)

This should be marked dependent on bug 367740 by someone who has rights to do so. Also, it's been reproduced on Linux as well.
Severity: critical → blocker
Flags: blocking1.9?
Keywords: regression
OS: Windows XP → All
Priority: -- → P1
I'm seeing this on linux too. Both aDWidth and aDHeight are zero in the Draw
call:

0xb59efbc0 in nsThebesImage::Draw (this=0x8e44d48, aContext=@0x8e44be4,
aSurface=0x8e44c48, aSX=<value optimized out>, 
    aSY=<value optimized out>, aSWidth=165, aSHeight=119, aDX=601, aDY=417,
aDWidth=0, aDHeight=0)
    at /home/chb/mozilla/gfx/src/thebes/nsThebesImage.h:128
Blocks: 367740
must be because of the aDWidth/aDHeight assignment here in nsThebesImage.cpp:

370       // use '+ 1 - *scale' to get rid of rounding errors
371       aDWidth  = (PRInt32)((srcRect.width)*xscale + 1 - xscale);
372       aDHeight = (PRInt32)((srcRect.height)*yscale + 1 - yscale);
Keywords: topcrash
Patch coming up...
Assignee: nobody → mats.palmgren
Attached patch Patch rev. 1Splinter Review 
(gdb) p mDecoded
$1 = {x = 0, y = 0, width = 0, height = 0}

when we IntersectRect() with that we end up with aDHeight=0 which causes the
division by zero in AllowedImageSize().
Attachment #253029 - Flags: superreview?(pavlov)
Attachment #253029 - Flags: review?(pavlov)
Patch v1 fixes the crashing for me it appears
Attachment #253029 - Flags: superreview?(pavlov)
Attachment #253029 - Flags: superreview+
Attachment #253029 - Flags: review?(pavlov)
Attachment #253029 - Flags: review+
Checked in to trunk at 2007-01-27 15:35 PST

-> FIXED
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Adding nsThebesImage::AllowedImageSize to summary to prevent more dupes.
Flags: blocking1.9?
Summary: Crash [@nsThebesImage::Draw] due to "Integer divide by zero" → Crash [@nsThebesImage::AllowedImageSize, nsThebesImage::Draw] due to "Integer divide by zero"
Blocks: 368390
Was seeing this (TB28799332), disappeared with the latest nightly. -> VERIFIED
Status: RESOLVED → VERIFIED
Flags: in-testsuite?
There is at least one crash in TB after this fix:
http://talkback-public.mozilla.org/search/start.jsp?search=2&type=iid&id=28833178
Note the build id 2007012904

nsThebesImage::AllowedImageSize  [mozilla\gfx\src\thebes\nsthebesimage.h, line 128]
nsThebesImage::Draw  [mozilla\gfx\src\thebes\nsthebesimage.cpp, line 383]

(Before the fix, it was line 379, not 383)
(In reply to comment #16)
> (Before the fix, it was line 379, not 383)

Good catch Olli, thanks.  Apparently there is a nsThebesImage::Draw() call
with aDHeight == 0.  As far as I understand this code, that shouldn't be
allowed and the caller is to blame.  I haven't been able to reproduce the
bug yet though so I don't where the call came from...
Attached patch Additional patchSplinter Review 
This should take care of it for now...
Attachment #253344 - Flags: superreview?(pavlov)
Attachment #253344 - Flags: review?(pavlov)
Attachment #253344 - Flags: superreview?(pavlov)
Attachment #253344 - Flags: superreview+
Attachment #253344 - Flags: review?(pavlov)
Attachment #253344 - Flags: review+
Comment on attachment 253344 [details] [diff] [review]
Additional patch

Checked in to trunk at 2007-01-30 14:52 PST
There is still something wrong :(
http://talkback-public.mozilla.org/search/start.jsp?search=2&type=iid&id=28930489
BuildID 2007020104

nsThebesImage::AllowedImageSize  [mozilla\gfx\src\thebes\nsthebesimage.h, line 128]
nsThebesImage::Draw  [mozilla\gfx\src\thebes\nsthebesimage.cpp, line 388]
Attached patch Third patchSplinter Review 
Let's wallpaper the issue once and for all.
Hopefully someone will spot the assertions in a debug build someday and
file a bug on it...
Attachment #253765 - Flags: superreview?(pavlov)
Attachment #253765 - Flags: review?(pavlov)
Attachment #253765 - Flags: superreview?(pavlov)
Attachment #253765 - Flags: superreview+
Attachment #253765 - Flags: review?(pavlov)
Attachment #253765 - Flags: review+
Comment on attachment 253765 [details] [diff] [review]
Third patch

Checked in to trunk at 2007-02-08 05:52 PST
Crash Signature: [@nsThebesImage::AllowedImageSize, nsThebesImage::Draw]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: