Closed Bug 463306 Opened 17 years ago Closed 17 years ago

crash on loading PNG or JPEG image [@ cmsAllocMatShaper ]

Categories

(Core :: Graphics: Color Management, defect)

Product:
Core
Component:
Graphics: Color Management
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9.1b3

People

(Reporter: tar, Assigned: timeless)

References

(
URL
)

Details

(Keywords: crash, verified1.9.1)

Crash Data

Attachments

(2 files)

PNG crash with Gecko/20081105
37.48 KB, image/png
Details
null ch eck
1.12 KB, patch
joe
: review+
bholley
: review+
vlad
: superreview+
vlad
: approval1.9.1+
Details | Diff | Splinter Review
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b2pre) Gecko/20081105 Minefield/3.1b2pre Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b2pre) Gecko/20081105 Minefield/3.1b2pre crashes on loading image Reproducible: Always Steps to Reproduce: 1. http://imgs.xkcd.com/comics/going_west.png 2. crash 1. http://www.motomaania.ee/wp-content/uploads/bmw_f800r.jpg 2. crash Actual Results: crashes Expected Results: shows image SeaMonkey is affected too. Regression about month+ back sometime.
I can't reproduce this with latest nightly on either Linux or Windows XP. The two files in comment 0 show fine and attachment 346546 [details] says it has errors, but no crashes. Please post crash report ID or stack trace. http://developer.mozilla.org/En/How_to_get_a_stacktrace_for_a_bug_report
Version: unspecified → Trunk
Indeed crashes on only one machine: PNG http://crash-stats.mozilla.com/report/index/b7aefa57-ab93-11dd-b1e7-001cc45a2c28 JPEG http://crash-stats.mozilla.com/report/index/d036d37a-ab93-11dd-b779-001cc4e2bf68 Crashes with javascript.options.jit.chrome|content on/off and clean or old profile.
bp-d036d37a-ab93-11dd-b779-001cc4e2bf68 0 xul.dll cmsAllocMatShaper modules/lcms/src/cmsmatsh.c:202 1 xul.dll cmsBuildOutputMatrixShaper modules/lcms/src/cmsxform.c:1027 2 xul.dll xul.dll@0x29634c 3 xul.dll cmsCreateTransform modules/lcms/src/cmsxform.c:1927 4 xul.dll nsJPEGDecoder::ProcessData modules/libpr0n/decoders/jpeg/nsJPEGDecoder.cpp:421 5 xul.dll ReadDataOut modules/libpr0n/decoders/jpeg/nsJPEGDecoder.cpp:248 6 xul.dll nsInputStreamTee::WriteSegmentFun xpcom/io/nsInputStreamTee.cpp:102 7 xul.dll nsPipeInputStream::ReadSegments xpcom/io/nsPipe3.cpp:799 8 xul.dll nsInputStreamTee::ReadSegments xpcom/io/nsInputStreamTee.cpp:156 9 xul.dll nsJPEGDecoder::WriteFrom modules/libpr0n/decoders/jpeg/nsJPEGDecoder.cpp:266 10 xul.dll imgRequest::OnDataAvailable modules/libpr0n/src/imgRequest.cpp:893 11 xul.dll ProxyListener::OnDataAvailable modules/libpr0n/src/imgLoader.cpp:1402 12 xul.dll nsMediaDocumentStreamListener::OnDataAvailable content/html/document/src/nsMediaDocument.cpp:115 13 xul.dll nsDocumentOpenInfo::OnDataAvailable uriloader/base/nsURILoader.cpp:306 14 xul.dll nsStreamListenerTee::OnDataAvailable netwerk/base/src/nsStreamListenerTee.cpp:97 15 xul.dll nsHttpChannel::OnDataAvailable netwerk/protocol/http/src/nsHttpChannel.cpp:4886 16 xul.dll nsInputStreamPump::OnStateTransfer netwerk/base/src/nsInputStreamPump.cpp:508 17 nspr4.dll _MD_CURRENT_THREAD nsprpub/pr/src/md/windows/w95thred.c:298 18 nspr4.dll PR_Lock nsprpub/pr/src/threads/combined/prulock.c:239 19 xul.dll nsInputStreamReadyEvent::Run xpcom/io/nsStreamUtils.cpp:111 20 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:510 21 xul.dll nsBaseAppShell::Run widget/src/xpwidgets/nsBaseAppShell.cpp:170 22 nspr4.dll PR_GetEnv 23 firefox.exe wmain toolkit/xre/nsWindowsWMain.cpp:87 24 firefox.exe firefox.exe@0x2197 25 kernel32.dll kernel32.dll@0x17066
Summary: crash on loading PNG or JPEG image → crash on loading PNG or JPEG image [@ cmsAllocMatShaper ]
http://mxr.mozilla.org/mozilla-central/source/modules/lcms/src/cmsio1.c?mark=1848-1849#1830 cmsReadICCGammaReversed can return null cmsBuildOutputMatrixShaper just uses its result and calls cmsAllocMatShaper: http://mxr.mozilla.org/mozilla-central/source/modules/lcms/src/cmsxform.c?mark=1023-1025,1027#1002 which crashes: http://mxr.mozilla.org/mozilla-central/source/modules/lcms/src/cmsmatsh.c?mark=201-202#163
Component: General → GFX
Keywords: crash
Product: Firefox → Core
Attached patch null ch eckSplinter Review
Assignee: nobody → timeless
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #346686 - Flags: superreview?(pavlov)
Attachment #346686 - Flags: review?
Attachment #346686 - Flags: review? → review?(tor)
QA Contact: general → general
Attachment #346686 - Attachment description: null check → null ch eck
Attachment #346686 - Flags: superreview?(pavlov)
Attachment #346686 - Flags: review?(tor)
Attachment #346686 - Flags: review?(joe)
Comment on attachment 346686 [details] [diff] [review] null ch eck Looks alright. Vlad, thoughts?
Attachment #346686 - Flags: superreview?(vladimir)
Attachment #346686 - Flags: review?(joe) → review+
Comment on attachment 346686 [details] [diff] [review] null ch eck Looks fine, but let's let bholley take a look at it -- he knows this code best.
Attachment #346686 - Flags: superreview?(vladimir)
Attachment #346686 - Flags: superreview+
Attachment #346686 - Flags: review?(bholley)
Attachment #346686 - Flags: review?(bholley) → review+
Comment on attachment 346686 [details] [diff] [review] null ch eck Looks good. It appears that the forward gamma reads already do this. I'm mailing a link to the upstream maintainer, since presumably they'd be interested in this as well.
Does the setting of color_management.mode affect this? The file contains iCCP and valid gAMA and cHRM chunks. I don't know if the iCCP chunk is OK or not. The gAMA and cHRM chunks seem to be describing the sRGB colorspace. The image data is actually 8-bit grayscale. pngcheck -v says: File: going_west.png (38379 bytes) chunk IHDR at offset 0x0000c, length 13 740 x 238 image, 8-bit grayscale, non-interlaced chunk pHYs at offset 0x00025, length 9: 2835x2835 pixels/meter (72 dpi) chunk iCCP at offset 0x0003a, length 792 profile name = Photoshop ICC profile, compression method = 0 (deflate) compressed profile = 769 bytes chunk gAMA at offset 0x0035e, length 4: 0.45454 chunk cHRM at offset 0x0036e, length 32 White x = 0.31269 y = 0.32899, Red x = 0.63999 y = 0.33001 Green x = 0.3 y = 0.6, Blue x = 0.15 y = 0.05999 chunk IDAT at offset 0x0039a, length 37437 zlib: deflated, 32K window, maximum compression chunk IEND at offset 0x095e3, length 0 No errors detected in going_west.png (78.2% compression).
For what it's worth: when I removed the monitor color profile "driver" then it doesn't crash Gecko/20081105 anymore. GPU: nVidia GeForce4 Ti 4280 using the 93.71 WHQL drivers Monitor: Hyundai DeluxScan HL-5870B (aka 15G+) CRT.
Whoa, I almost forgot about this bug - did it ever land in MC? If not, we need to land this in 1.9.1 as well.
Blocks: 455056
I'm no longer landing things to m-c because it's absolutely impossible to find a window. i have dozens of patches that have various sets of approvals. someone should please try to land as many as possible. please use 'timeless@mozdev.org' as my complete commit name.
Comment on attachment 346686 [details] [diff] [review] null ch eck Requesting 191 approval. this is a crasher, and should obviously go in 191.
Attachment #346686 - Flags: approval1.9.1?
pushed to mc in b638481767be. I'll push to 191 once we get approval.
> Comment #10 From Glenn Randers-Pehrson > Does the setting of color_management.mode affect this? Setting the gfx.color_management.mode to 0 prevents crashing, setting it to 1 or 2 crashes. Tested with nightly rv:1.9.1b3pre Gecko/20081204 SeaMonkey/2.0a3pre.
Component: GFX → GFX: Color Management
QA Contact: general → color-management
Fixed per c#15
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Whiteboard: [needs 191 landing]
Attachment #346686 - Flags: approval1.9.1? → approval1.9.1+
pushed to releases/mozilla-1.9.1 in 18398e0350cd
Whiteboard: [needs 191 landing]
Keywords: fixed1.9.1
Target Milestone: --- → mozilla1.9.1b3
Confirming that those images doesn't crash anymore with with "rv:1.9.1b3pre Gecko/20081210 SeaMonkey/2.0a3pre" or "rv:1.9.1b3pre Gecko/20081210 Shiretoko/3.1b3pre".
verified fixed on the 1.9.1 branch using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b3pre) Gecko/20081229 Shiretoko/3.1b3pre. No crashes with either image in Comment 0.
Keywords: fixed1.9.1verified1.9.1
Keywords: verified1.9.1
sorry for the inconvenience. i meant to detect any bugs before the branch merge that were still RESO fixed, but had a verified1.9.1 keyword next to them.
Keywords: verified1.9.1
Verified fix on Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090115 Minefield/3.2a1pre
Status: RESOLVED → VERIFIED
Crash Signature: [@ cmsAllocMatShaper ]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: