Closed
Bug 42788
Opened 24 years ago
Closed 19 years ago
crash in il_BACat in timer callback
Categories
(Core :: Graphics: ImageLib, defect, P3)
RESOLVED
WORKSFORME
Future
People
(Reporter: warrensomebody, Assigned: saari)
Details
(Keywords: crash, Whiteboard: [imglib])
I just crashed in a timer callback with doubly freed memory:

char * il_BACat (char **destination, size_t destination_length, const char *source, size_t source_length)
{
    if (source) {
        if (*destination) {
==>         *destination = (char *) PR_REALLOC (*destination, destination_length + source_length);
            if (*destination == NULL) return(NULL);
            nsCRT::memmove(*destination + destination_length, source, source_length);

realloc_help(void * 0xdddddddd, unsigned int 0xdddddddd, int 0x00000001, const char * 0x00000000, int 0x00000000, int 0x00000001) line 614 + 3 bytes
_realloc_dbg(void * 0xdddddddd, unsigned int 0xdddddddd, int 0x00000001, const char * 0x00000000, int 0x00000000) line 806 + 27 bytes
realloc(void * 0xdddddddd, unsigned int 0xdddddddd) line 755 + 19 bytes
PR_Realloc(void * 0xdddddddd, unsigned int 0xdddddddd) line 57 + 14 bytes
il_BACat(char * * 0x0012fb14, unsigned int 0xdddddddd, const char * 0x02dc8d00, unsigned int 0x00000000) line 236 + 19 bytes
il_gif_write(il_container_struct * 0x03193420, const unsigned char * 0x02dc8d00, long 0x00000000) line 1592 + 27 bytes
process_buffered_gif_input_data(gif_struct * 0x03196250) line 669 + 16 bytes
gif_delay_time_callback(void * 0x03193420) line 725 + 9 bytes
timer_callback(nsITimer * 0x03197ec0, void * 0x031956d0) line 70 + 12 bytes
nsTimer::Fire() line 194 + 17 bytes
nsTimerManager::FireNextReadyTimer(nsTimerManager * const 0x020700c0, unsigned int 0x00000000) line 117
FireTimeout(HWND__ * 0x00000000, unsigned int 0x00000113, unsigned int 0x00001551, unsigned long 0x781d2d7d) line 89
USER32! 77e7185c()
nsAppShellService::Run(nsAppShellService * const 0x01060ef0) line 387
main1(int 0x00000001, char * * 0x00c54190, nsISupports * 0x00000000) line 906 + 32 bytes
main(int 0x00000001, char * * 0x00c54190) line 1092 + 37 bytes
mainCRTStartup() line 338 + 17 bytes
Could this be related to the crash in nsFrameLoader?? bug#42724 from yesterday. If a frame is leaking and it has an animated gif associated with the frame, this might cause this to show up. I'll certainly see what I can do to make il_BACat more robust, but I'll bet the crash will then occur somewhere else.
I don't really have a way to test this bug. No test url is given and I haven't seen the bug in over a month of viewing gifs. Please reopen if you see the bug again and ...save the url. -p
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → WORKSFORME
Comment 4•24 years ago (Reporter)
I think you're not going to see this bug unless you force the race condition. I think it's best not to close this, but perhaps push it off to Future if you can't get to it. What's needed here is some code to ensure that any timer that's started gets stopped before we shutdown services. It should be obvious from examining the code that that's not happening.
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
All pnunn bugs reassigned to Pav, who is taking over the imglib.
Assignee: pnunn → pavlov
Status: REOPENED → NEW
Comment 9•23 years ago
saari: please take a look at this and make sure it doesn't happen with the revamped gif decoder
Assignee: pavlov → saari
Updated•23 years ago
Whiteboard: [imglib]
Comment 10•22 years ago
By the definitions on <http://bugzilla.mozilla.org/bug_status.html#severity> and <http://bugzilla.mozilla.org/enter_bug.cgi?format=guided>, crashing and dataloss bugs are of critical or possibly higher severity. Only changing open bugs to minimize unnecessary spam. Keywords to trigger this would be crash, topcrash, topcrash+, zt4newcrash, dataloss.
Severity: normal → critical
Comment 11•20 years ago
I think this bug can be closed, cause it should be resolved by the landing of the new imglib.
Comment 12•19 years ago
il_BACat was removed with the fix for bug 285872; resolving as WFM.
Status: NEW → RESOLVED
Closed: 24 years ago → 19 years ago
Resolution: --- → WORKSFORME
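Comment 4 asks for code that guarantees any started timer is stopped before the state it points at goes away. A minimal C sketch of that ownership rule follows; it is an added illustration, not code from imglib or the Mozilla tree, and the timer table, the `decoder` type and every function name in it are hypothetical stand-ins.

```c
#include <stdlib.h>
/* Constructed stand-in for a timer manager: a table of one-shot timers. */
#define MAX_TIMERS 8
typedef void (*timer_fn)(void *closure);
typedef struct { timer_fn fn; void *closure; int active; } sim_timer;
static sim_timer timers[MAX_TIMERS];

int timer_start(timer_fn fn, void *closure) {
    for (int i = 0; i < MAX_TIMERS; i++)
        if (!timers[i].active) { timers[i] = (sim_timer){ fn, closure, 1 }; return i; }
    return -1;                          /* table full */
}
void timer_cancel(int id) { if (id >= 0 && id < MAX_TIMERS) timers[id].active = 0; }

/* Fire every pending timer once; returns how many callbacks ran. */
int timers_fire_all(void) {
    int fired = 0;
    for (int i = 0; i < MAX_TIMERS; i++)
        if (timers[i].active) {
            timers[i].active = 0;       /* one-shot: disarm before calling */
            timers[i].fn(timers[i].closure);
            fired++;
        }
    return fired;
}

/* Hypothetical decoder state that owns a buffer and one pending timer. */
typedef struct { char *buf; int timer_id; int frames; } decoder;

void delay_callback(void *closure) {
    decoder *d = closure;
    d->timer_id = -1;                   /* fired: nothing left to cancel */
    d->buf[0] = (char)++d->frames;      /* touches owned memory, so d must be live */
}

decoder *decoder_create(void) {
    decoder *d = calloc(1, sizeof *d);
    if (!d || !(d->buf = malloc(16))) { free(d); return NULL; }
    d->timer_id = timer_start(delay_callback, d);
    return d;
}

void decoder_destroy(decoder *d) {
    if (!d) return;
    timer_cancel(d->timer_id);          /* stop the timer BEFORE freeing its closure */
    free(d->buf);
    free(d);
}

int main(void) { decoder_destroy(decoder_create()); return timers_fire_all(); }
```

Resetting `timer_id` inside the callback keeps a later `decoder_destroy` from cancelling a slot that another object has since reused.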