Page causes Mozilla to crash (nsImageGTK::DrawComposited)

VERIFIED FIXED in M18

Status

SeaMonkey
UI Design
P2
critical
VERIFIED FIXED
17 years ago
6 years ago

People

(Reporter: Christian Schaller, Assigned: Stuart Parmenter)

Tracking

({crash, testcase})

Trunk
x86
Linux
crash, testcase

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [nsbeta3-][rtm++], URL)

Attachments

(4 attachments)

(Reporter)

Description

17 years ago
Using the latest nightly builds this page causes Mozilla Linux to crash.
The builds tested are from the 10 and the 12 of September. 

Also tested with latest windows build (12) which doesn't crash.

Comment 1

17 years ago
i see this also linux 2000091108

Comment 2

17 years ago
unable to reproduce with 091212 mozilla linux build.  can one of you install the
installer build with talkback and let me know if it generates a report.  I
should be able to get a stack trace if it does.

Comment 3

17 years ago
I'm also seeing this on a debug build pulled 2000-09-11.  Stack trace:

#0  0x410265c7 in nsImageGTK::DrawComposited (this=0x87d6e60, 
    aContext=@0x863fd00, aSurface=0x858fcf0, aX=837, aY=31, aWidth=0, 
    aHeight=0) at nsImageGTK.cpp:727
#1  0x410256c8 in nsImageGTK::Draw (this=0x87d6e60, aContext=@0x863fd00, 
    aSurface=0x858fcf0, aX=837, aY=31, aWidth=0, aHeight=0)
    at nsImageGTK.cpp:905
#2  0x4102b8a6 in nsRenderingContextGTK::DrawImage (this=0x863fd00, 
    aImage=0x87d6e60, aX=0, aY=0, aWidth=1, aHeight=1)
    at nsRenderingContextGTK.cpp:1498
#3  0x4102b814 in nsRenderingContextGTK::DrawImage (this=0x863fd00, 
    aImage=0x87d6e60, aRect=@0xbfffe16c) at nsRenderingContextGTK.cpp:1467
#4  0x415aec06 in nsImageFrame::Paint (this=0x874fc18, aPresContext=0x85f3bd8, 
    aRenderingContext=@0x863fd00, aDirtyRect=@0xbfffe1bc, 
    aWhichLayer=eFramePaintLayer_Overlay) at nsImageFrame.cpp:647
#5  0x4158c387 in nsContainerFrame::PaintChild (this=0x874fbcc, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbfffe488, aFrame=0x874fc18, 
    aWhichLayer=eFramePaintLayer_Overlay) at nsContainerFrame.cpp:209
#6  0x41585f9e in nsBlockFrame::PaintChildren (this=0x874fbcc, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbfffe488, aWhichLayer=eFramePaintLayer_Overlay)
    at nsBlockFrame.cpp:6383
#7  0x41585cd9 in nsBlockFrame::Paint (this=0x874fbcc, aPresContext=0x85f3bd8, 
    aRenderingContext=@0x863fd00, aDirtyRect=@0xbfffe488, 
    aWhichLayer=eFramePaintLayer_Overlay) at nsBlockFrame.cpp:6260
#8  0x4158c387 in nsContainerFrame::PaintChild (this=0x874fb6c, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbfffe620, aFrame=0x874fbcc, 
    aWhichLayer=eFramePaintLayer_Overlay) at nsContainerFrame.cpp:209
#9  0x4158c226 in nsContainerFrame::PaintChildren (this=0x874fb6c, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbfffe620, aWhichLayer=eFramePaintLayer_Overlay)
    at nsContainerFrame.cpp:154
#10 0x417b5e39 in nsTableCellFrame::Paint (this=0x874fb6c, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbfffe620, aWhichLayer=eFramePaintLayer_Overlay)
    at nsTableCellFrame.cpp:365
#11 0x417ca5e5 in nsTableRowFrame::PaintChildren (this=0x850a518, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbfffe704, aWhichLayer=eFramePaintLayer_Overlay)
    at nsTableRowFrame.cpp:596
#12 0x417ca47e in nsTableRowFrame::Paint (this=0x850a518, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbfffe704, aWhichLayer=eFramePaintLayer_Overlay)
    at nsTableRowFrame.cpp:551
#13 0x417cd1fe in nsTableRowGroupFrame::PaintChildren (this=0x850a4d4, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbfffe7e0, aWhichLayer=eFramePaintLayer_Overlay)
    at nsTableRowGroupFrame.cpp:261
#14 0x417cd0b9 in nsTableRowGroupFrame::Paint (this=0x850a4d4, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbfffe7e0, aWhichLayer=eFramePaintLayer_Overlay)
    at nsTableRowGroupFrame.cpp:217
#15 0x4158c387 in nsContainerFrame::PaintChild (this=0x850a46c, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbfffe8fc, aFrame=0x850a4d4, 
    aWhichLayer=eFramePaintLayer_Overlay) at nsContainerFrame.cpp:209
#16 0x4158c226 in nsContainerFrame::PaintChildren (this=0x850a46c, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbfffe8fc, aWhichLayer=eFramePaintLayer_Overlay)
    at nsContainerFrame.cpp:154
#17 0x417bd675 in nsTableFrame::Paint (this=0x850a46c, aPresContext=0x85f3bd8, 
    aRenderingContext=@0x863fd00, aDirtyRect=@0xbfffe8fc, 
    aWhichLayer=eFramePaintLayer_Overlay) at nsTableFrame.cpp:1313
#18 0x4158c387 in nsContainerFrame::PaintChild (this=0x850a418, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbfffe9c0, aFrame=0x850a46c, 
    aWhichLayer=eFramePaintLayer_Overlay) at nsContainerFrame.cpp:209
#19 0x417c5fca in nsTableOuterFrame::Paint (this=0x850a418, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbfffe9c0, aWhichLayer=eFramePaintLayer_Overlay)
    at nsTableOuterFrame.cpp:351
#20 0x4158c387 in nsContainerFrame::PaintChild (this=0x850a340, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbfffec8c, aFrame=0x850a418, 
    aWhichLayer=eFramePaintLayer_Overlay) at nsContainerFrame.cpp:209
#21 0x41585f9e in nsBlockFrame::PaintChildren (this=0x850a340, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbfffec8c, aWhichLayer=eFramePaintLayer_Overlay)
    at nsBlockFrame.cpp:6383
#22 0x41585cd9 in nsBlockFrame::Paint (this=0x850a340, aPresContext=0x85f3bd8, 
    aRenderingContext=@0x863fd00, aDirtyRect=@0xbfffec8c, 
    aWhichLayer=eFramePaintLayer_Overlay) at nsBlockFrame.cpp:6260
#23 0x4158c387 in nsContainerFrame::PaintChild (this=0x850a2b8, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbfffef58, aFrame=0x850a340, 
    aWhichLayer=eFramePaintLayer_Overlay) at nsContainerFrame.cpp:209
#24 0x41585f9e in nsBlockFrame::PaintChildren (this=0x850a2b8, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbfffef58, aWhichLayer=eFramePaintLayer_Overlay)
    at nsBlockFrame.cpp:6383
#25 0x41585cd9 in nsBlockFrame::Paint (this=0x850a2b8, aPresContext=0x85f3bd8, 
    aRenderingContext=@0x863fd00, aDirtyRect=@0xbfffef58, 
    aWhichLayer=eFramePaintLayer_Overlay) at nsBlockFrame.cpp:6260
#26 0x4158c387 in nsContainerFrame::PaintChild (this=0x85095e4, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbffff14c, aFrame=0x850a2b8, 
    aWhichLayer=eFramePaintLayer_Overlay) at nsContainerFrame.cpp:209
#27 0x4158c226 in nsContainerFrame::PaintChildren (this=0x85095e4, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbffff14c, aWhichLayer=eFramePaintLayer_Overlay)
    at nsContainerFrame.cpp:154
#28 0x415a4ed9 in nsHTMLContainerFrame::Paint (this=0x85095e4, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbffff14c, aWhichLayer=eFramePaintLayer_Overlay)
    at nsHTMLContainerFrame.cpp:105
#29 0x415d0292 in PresShell::Paint (this=0x86b6208, aView=0x85e19f8, 
    aRenderingContext=@0x863fd00, aDirtyRect=@0xbffff14c)
    at nsPresShell.cpp:3928
#30 0x41bbc100 in nsView::Paint (this=0x85e19f8, rc=@0x863fd00, 
    rect=@0xbffff14c, aPaintFlags=128, aResult=@0xbffff164) at nsView.cpp:282
#31 0x41bc57d8 in nsViewManager2::RenderDisplayListElement (this=0x85e8998, 
    element=0x86896f0, aRC=@0x863fd00) at nsViewManager2.cpp:847
#32 0x41bc557a in nsViewManager2::RenderViews (this=0x85e8998, 
    aRootView=0x85e12a8, aRC=@0x863fd00, aRect=@0xbffff258, 
    aResult=@0xbffff270) at nsViewManager2.cpp:793
#33 0x41bc50cd in nsViewManager2::Refresh (this=0x85e8998, aView=0x85e12a8, 
    aContext=0x863fd00, rect=0xbffff2f0, aUpdateFlags=1)
    at nsViewManager2.cpp:674
#34 0x41bc6b7d in nsViewManager2::DispatchEvent (this=0x85e8998, 
    aEvent=0xbffff414, aStatus=0xbffff334) at nsViewManager2.cpp:1338
#35 0x41bbb9cc in HandleEvent (aEvent=0xbffff414) at nsView.cpp:67
#36 0x40c2ecfc in nsWidget::DispatchEvent (this=0x85e1338, aEvent=0xbffff414, 
    aStatus=@0xbffff3d0) at nsWidget.cpp:1475
#37 0x40c2e938 in nsWidget::DispatchWindowEvent (this=0x85e1338, 
    event=0xbffff414) at nsWidget.cpp:1366
#38 0x40c34c8e in nsWindow::DoPaint (this=0x85e1338, aX=0, aY=0, aWidth=849, 
    aHeight=826, aClipRegion=0x85e1468) at nsWindow.cpp:670
#39 0x40c34f4e in nsWindow::Update (this=0x85e1338) at nsWindow.cpp:716
#40 0x40c3515f in nsWindow::Update (this=0x8512a88) at nsWindow.cpp:740
#41 0x40c349db in nsWindow::UpdateIdle (data=0x0) at nsWindow.cpp:582
#42 0x40dd966c in g_idle_dispatch (source_data=0x40c3496c, 
    dispatch_time=0xbffff6b0, user_data=0x0) at gmain.c:1365
#43 0x40dd8717 in g_main_dispatch (dispatch_time=0xbffff6b0) at gmain.c:656
#44 0x40dd8cdb in g_main_iterate (block=1, dispatch=1) at gmain.c:877
#45 0x40dd8e59 in g_main_run (loop=0x8135658) at gmain.c:935
#46 0x40d07069 in gtk_main () at gtkmain.c:476
#47 0x40c1b829 in nsAppShell::Run (this=0x80a1ec0) at nsAppShell.cpp:335
#48 0x4069a50c in nsAppShellService::Run (this=0x80c63d8)
    at nsAppShellService.cpp:378
#49 0x80553e0 in main1 (argc=2, argv=0xbffff994, nativeApp=0x0)
    at nsAppRunner.cpp:958
#50 0x8055ab4 in main (argc=2, argv=0xbffff994) at nsAppRunner.cpp:1139
#51 0x403712e7 in __libc_start_main () from /lib/libc.so.6
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash

Comment 4

17 years ago
I've found that if you comment out the eleventh line that mentions  image = src
"logo.png" the page will load.

Comment 5

17 years ago
robin shaw - could you post a small testcase which crashes mozilla? thanks!

Comment 6

17 years ago
Created attachment 14590 [details]
PNG file for testcase

Comment 7

17 years ago
Created attachment 14592 [details]
Minimal Testcase

Updated

17 years ago
Keywords: testcase

Comment 8

17 years ago
Compositing with width==0 and/or height==0 crashes.
My patch in bug 37779 fixes this.

Comment 9

17 years ago
is this a dupe of bug 37779?

Comment 10

17 years ago
page loads with 2000-09-13 

Comment 11

17 years ago
WFM with 091408 mozilla linux build
Status: NEW → RESOLVED
Last Resolved: 17 years ago
Resolution: --- → WORKSFORME

Comment 12

17 years ago
From what I've heard on irc, this seems to be something of a race condition
(happens when everything is local).  It can either be fixed with a trivial
change to the existing code or by applying alex's patch for 37779, which
helps a number of other issues.
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---

Comment 13

17 years ago
Assigning to myself, so I'll remember to checkin the trivial fix if 37779
is denied for some reason.
Assignee: asa → tor
Status: REOPENED → NEW
Component: Browser-General → XP Apps

Comment 14

17 years ago
crashes with 2000-09-15-08 linux

Comment 15

17 years ago
*** Bug 52820 has been marked as a duplicate of this bug. ***

Comment 16

17 years ago
*** Bug 52986 has been marked as a duplicate of this bug. ***

Comment 17

17 years ago
*** Bug 52980 has been marked as a duplicate of this bug. ***

Updated

17 years ago
Depends on: 37779
setting default qa contact (se, joy joy!)
QA Contact: doronr → sairuh
don't crash (going to the above url) when i'm using 2000.09.18.06 opt comm bits
on linux (modern theme). i feel left out. ;)

would this perchance be a mozilla-only bug? but, asa doesn't seem to repro this.

Comment 20

17 years ago
*** Bug 53175 has been marked as a duplicate of this bug. ***
(Reporter)

Comment 21

17 years ago
After reading Liberman's comment about Mozilla not crashing I tested myself
with nightly build -> Mozilla/5.0 (X11; U; Linux 2.2.14-5.0 i686; en-US; m18)
Gecko/20000919

It still crashes for me. I have PSM installed if that makes a difference, and am
using RH6.2 and the Helix GNOME updates running on an Athlon.

Comment 22

17 years ago
*** Bug 52946 has been marked as a duplicate of this bug. ***
hm, still cannot get this to crash either using comm or mozilla 2000.09.20.08
bits. however, the moz bits i have don't have psm (although the comm bits do,
which is odd)...

asa/junruh, have you tried using mozilla + psm to see if this occurs?

Comment 24

17 years ago
This url crashes the 091921 commercial linux build. win98 and Mac are OK.

Comment 25

17 years ago
Probable cause of problem: appalling English on the page.  No other page on the 
Internet displays such a lamentable grasp of the English language, so this is 
not an important problem.

Comment 26

17 years ago
Created attachment 15325 [details] [diff] [review]
add some checks for error conditions
(Assignee)

Comment 27

17 years ago
r=pavlov

Comment 28

17 years ago
r=scc for the 9/22 patch

Comment 29

17 years ago
are these unexpected conditions you are testing for?  If so, it would be good to 
add assertions, so that when the conditions are encountered somebody with a 
debugger can hopefully trace back and see what caused them.  I'm not against 
adding band-aid fixes like this, but I don't want to lose sight of the need to 
get to the root cause.

a=buster, if you add the assertions (or convince me they're unnecessary because 
the conditions are legal and expected.)

Comment 30

17 years ago
The first condition is a result of the layout engine asking
nsRenderingContextGTK to render a 1x1 portion of the image (presumably
in twips, though I'm not familiar with the layout engine's various
coordinate systems).  nsRenderingContextGTK pumps it through mTranMatrix,
at which point the width and height come out to be zero pixels.  Checking
for a zero width or height image is a valid check and avoids needless
calculations (and calling XGetImage() on a zero dimension image, which
it doesn't like).

XGetImage() failing is a more serious problem, so I added an assertion
as you suggested.

How does this sound?
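
The two checks described in comment 30, sketched as an added example; this is not the attached patch or Mozilla code. fetch_region(), to_pixels() and draw_composited() are hypothetical stand-ins, the 15-units-per-pixel factor is a constructed value, and the window size and offset are taken from the stack trace in comment 3.

```cpp
// Added illustration: hypothetical names, not Mozilla's nsImageGTK code.
#include <cstddef>
#include <cstdio>
#include <vector>

struct Image { int w, h; std::vector<unsigned char> rgb; };
enum DrawResult { DRAW_OK, DRAW_SKIPPED_EMPTY, DRAW_FETCH_FAILED };
static int g_fetch_calls = 0;  // shows whether a fetch was attempted

// Stand-in for XGetImage(), modelled (assumption) as returning nullptr for a
// zero-area region or one that is not fully inside the drawable.
static Image* fetch_region(int dw, int dh, int x, int y, int w, int h) {
    ++g_fetch_calls;
    if (w <= 0 || h <= 0 || x < 0 || y < 0 || x + w > dw || y + h > dh)
        return nullptr;
    return new Image{w, h, std::vector<unsigned char>(std::size_t(w) * h * 3, 0)};
}

// Layout units -> device pixels; truncating division is an assumption.
static int to_pixels(int units, int units_per_pixel) { return units / units_per_pixel; }

DrawResult draw_composited(int dw, int dh, int tx, int ty,
                           int x, int y, int w, int h, int units_per_pixel) {
    int px = tx + to_pixels(x, units_per_pixel), py = ty + to_pixels(y, units_per_pixel);
    int pw = to_pixels(w, units_per_pixel), ph = to_pixels(h, units_per_pixel);
    // Check 1: a zero-pixel result is legal and expected; nothing to draw.
    if (pw == 0 || ph == 0)
        return DRAW_SKIPPED_EMPTY;
    // Check 2: a failed fetch is unexpected; report it (in place of an
    // assertion) and bail out instead of dereferencing a null image.
    Image* img = fetch_region(dw, dh, px, py, pw, ph);
    if (!img) {
        std::fprintf(stderr, "ASSERTION: fetch_region failed at %d,%d %dx%d\n",
                     px, py, pw, ph);
        return DRAW_FETCH_FAILED;
    }
    for (unsigned char& c : img->rgb) c = 0xFF;  // placeholder for compositing
    delete img;
    return DRAW_OK;
}

int main() {
    // 849x826 window, image origin at 837,31 (values from the stack trace).
    std::printf("%d\n", draw_composited(849, 826, 837, 31, 0, 0, 1, 1, 15));
    std::printf("%d\n", draw_composited(849, 826, 837, 31, 0, 0, 150, 150, 15));
    std::printf("%d\n", draw_composited(849, 826, 837, 31, 0, 0, 300, 150, 15));
    return 0;
}
```

The 1x1 request collapses to 0x0 pixels and returns before any fetch is attempted; the third call exceeds the window width and takes the reported-failure path.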

Comment 31

17 years ago
Created attachment 15363 [details] [diff] [review]
updated patch with assertion

Comment 32

17 years ago
*** Bug 53232 has been marked as a duplicate of this bug. ***

Comment 33

17 years ago
Checked into the trunk - adding nsbeta3 and rtm to get the attention of PDT
for the Netscape 6.0 branch.
Keywords: nsbeta3, rtm

Comment 34

17 years ago
Thanks Tim! Perhaps it would be a good idea to assign this over to pavlov. 
[nsbeta3/rtm are more likely to not drop off the radar when assigned to 
a NS engineer. (I know, they shouldn't, but it has happened in the past).]
Summary: Page causes Mozilla to crash → Page causes Mozilla to crash (nsImageGTK::DrawComposited)
oh, i was able to crash going to www.linuxfr.org... i no longer feel left out.
;)

Comment 36

17 years ago
Assigning to pavlov to bring this up for consideration for checkin 
on the branch. 
Assignee: tor → pavlov

Comment 37

17 years ago
nsbeta3+, crashes on popular Linux sites, fixed on trunk where it has been used 
for a few days without incident.  change restricted to gtk, no risk on 
Win32/Mac.
Whiteboard: [nsbeta3+] PDT: please consider for nsbeta3
Target Milestone: --- → M18

Comment 38

17 years ago
Marking nsbeta3-, rtm+.  No longer worth risk for nsbeta3, but need for rtm.
Whiteboard: [nsbeta3+] PDT: please consider for nsbeta3 → [nsbeta3-] [rtm+] TRUNK-TESTED FIX READY TO LAND

Comment 39

17 years ago
Clearing [nsbeta3-] for reconsideration - the fix has been in the trunk for
about a week now without any problem, and fixes a problem which has high
visibility on linux.

The patch itself is extremely low risk, as it only adds some argument
verification and error checking.  It doesn't even allocate/free/write memory.
Whiteboard: [nsbeta3-] [rtm+] TRUNK-TESTED FIX READY TO LAND → [rtm+] TRUNK-TESTED FIX READY TO LAND

Comment 40

17 years ago
All of this has been considered. If it were more commonly seen, I'd agree with
you, but it is too late to be landing this on the beta branch. The branch has to
be firmed up today, and we can't just keep adding stuff to it. nsbeta3-
Whiteboard: [rtm+] TRUNK-TESTED FIX READY TO LAND → [nsbeta3-][rtm+] TRUNK-TESTED FIX READY TO LAND

Comment 41

17 years ago
marking rtm++.  Let's check this puppy into the branch.
Whiteboard: [nsbeta3-][rtm+] TRUNK-TESTED FIX READY TO LAND → [nsbeta3-][rtm++] TRUNK-TESTED FIX READY TO LAND

Updated

17 years ago
Priority: P3 → P2
(Assignee)

Comment 42

17 years ago
checked in to branch.
Status: NEW → RESOLVED
Last Resolved: 17 years ago
Resolution: --- → FIXED
vrfy fixed using 2000.10.06.10-n6 [opt comm branch] bits on linux. needs final
vrf'tion on trunk bits...
Keywords: vtrunk
Whiteboard: [nsbeta3-][rtm++] TRUNK-TESTED FIX READY TO LAND → [nsbeta3-][rtm++]
vrfying --asa couldn't crash going to www.linuxfr.org using today's trunk bits
[2000.10.06.13-m18].
Status: RESOLVED → VERIFIED
Keywords: vtrunk
Product: Core → Mozilla Application Suite