Bug 52275 - Page causes Mozilla to crash (nsImageGTK::DrawComposited)
Status: VERIFIED FIXED
Whiteboard: [nsbeta3-][rtm++]
Keywords: crash, testcase
Product: SeaMonkey
Classification: Client Software
Component: UI Design
Version: Trunk
Platform: x86 Linux
Importance: P2 critical
Target Milestone: M18
Assigned To: Stuart Parmenter
QA Contact: sairuh (rarely reading bugmail)
URL: http://www.gnome.org/~michael
Duplicates: 52820 52946 52980 52986 53175 53232
Depends on: 37779
Reported: 2000-09-12 08:39 PDT by Christian Schaller
Modified: 2011-08-05 21:11 PDT

Attachments
PNG file for testcase (11.38 KB, image/png)
2000-09-13 09:47 PDT, Jeffrey Baker
Minimal Testcase (112 bytes, text/html)
2000-09-13 09:52 PDT, Jeffrey Baker
add some checks for error conditions (878 bytes, patch)
2000-09-22 11:46 PDT, tor
updated patch with assertion (938 bytes, patch)
2000-09-22 16:49 PDT, tor

Description Christian Schaller 2000-09-12 08:39:47 PDT
Using the latest nightly builds this page causes Mozilla Linux to crash.
The builds tested are from the 10 and the 12 of September. 

Also tested with latest windows build (12) which doesn't crash.
Comment 1 robin shaw 2000-09-12 16:52:49 PDT
i see this also linux 2000091108
Comment 2 Asa Dotzler [:asa] 2000-09-12 17:20:44 PDT
unable to reproduce with 091212 mozilla linux build.  can one of you install the
installer build with talkback and let me know if it generates a report.  I
should be able to get a stack trace if it does.
Comment 3 Jeffrey Baker 2000-09-12 18:50:16 PDT
I'm also seeing this on a debug build pulled 2000-09-11.  Stack trace:

#0  0x410265c7 in nsImageGTK::DrawComposited (this=0x87d6e60, 
    aContext=@0x863fd00, aSurface=0x858fcf0, aX=837, aY=31, aWidth=0, 
    aHeight=0) at nsImageGTK.cpp:727
#1  0x410256c8 in nsImageGTK::Draw (this=0x87d6e60, aContext=@0x863fd00, 
    aSurface=0x858fcf0, aX=837, aY=31, aWidth=0, aHeight=0)
    at nsImageGTK.cpp:905
#2  0x4102b8a6 in nsRenderingContextGTK::DrawImage (this=0x863fd00, 
    aImage=0x87d6e60, aX=0, aY=0, aWidth=1, aHeight=1)
    at nsRenderingContextGTK.cpp:1498
#3  0x4102b814 in nsRenderingContextGTK::DrawImage (this=0x863fd00, 
    aImage=0x87d6e60, aRect=@0xbfffe16c) at nsRenderingContextGTK.cpp:1467
#4  0x415aec06 in nsImageFrame::Paint (this=0x874fc18, aPresContext=0x85f3bd8, 
    aRenderingContext=@0x863fd00, aDirtyRect=@0xbfffe1bc, 
    aWhichLayer=eFramePaintLayer_Overlay) at nsImageFrame.cpp:647
#5  0x4158c387 in nsContainerFrame::PaintChild (this=0x874fbcc, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbfffe488, aFrame=0x874fc18, 
    aWhichLayer=eFramePaintLayer_Overlay) at nsContainerFrame.cpp:209
#6  0x41585f9e in nsBlockFrame::PaintChildren (this=0x874fbcc, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbfffe488, aWhichLayer=eFramePaintLayer_Overlay)
    at nsBlockFrame.cpp:6383
#7  0x41585cd9 in nsBlockFrame::Paint (this=0x874fbcc, aPresContext=0x85f3bd8, 
    aRenderingContext=@0x863fd00, aDirtyRect=@0xbfffe488, 
    aWhichLayer=eFramePaintLayer_Overlay) at nsBlockFrame.cpp:6260
#8  0x4158c387 in nsContainerFrame::PaintChild (this=0x874fb6c, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbfffe620, aFrame=0x874fbcc, 
    aWhichLayer=eFramePaintLayer_Overlay) at nsContainerFrame.cpp:209
#9  0x4158c226 in nsContainerFrame::PaintChildren (this=0x874fb6c, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbfffe620, aWhichLayer=eFramePaintLayer_Overlay)
    at nsContainerFrame.cpp:154
#10 0x417b5e39 in nsTableCellFrame::Paint (this=0x874fb6c, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbfffe620, aWhichLayer=eFramePaintLayer_Overlay)
    at nsTableCellFrame.cpp:365
#11 0x417ca5e5 in nsTableRowFrame::PaintChildren (this=0x850a518, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbfffe704, aWhichLayer=eFramePaintLayer_Overlay)
    at nsTableRowFrame.cpp:596
#12 0x417ca47e in nsTableRowFrame::Paint (this=0x850a518, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbfffe704, aWhichLayer=eFramePaintLayer_Overlay)
    at nsTableRowFrame.cpp:551
#13 0x417cd1fe in nsTableRowGroupFrame::PaintChildren (this=0x850a4d4, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbfffe7e0, aWhichLayer=eFramePaintLayer_Overlay)
    at nsTableRowGroupFrame.cpp:261
#14 0x417cd0b9 in nsTableRowGroupFrame::Paint (this=0x850a4d4, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbfffe7e0, aWhichLayer=eFramePaintLayer_Overlay)
    at nsTableRowGroupFrame.cpp:217
#15 0x4158c387 in nsContainerFrame::PaintChild (this=0x850a46c, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbfffe8fc, aFrame=0x850a4d4, 
    aWhichLayer=eFramePaintLayer_Overlay) at nsContainerFrame.cpp:209
#16 0x4158c226 in nsContainerFrame::PaintChildren (this=0x850a46c, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbfffe8fc, aWhichLayer=eFramePaintLayer_Overlay)
    at nsContainerFrame.cpp:154
#17 0x417bd675 in nsTableFrame::Paint (this=0x850a46c, aPresContext=0x85f3bd8, 
    aRenderingContext=@0x863fd00, aDirtyRect=@0xbfffe8fc, 
    aWhichLayer=eFramePaintLayer_Overlay) at nsTableFrame.cpp:1313
#18 0x4158c387 in nsContainerFrame::PaintChild (this=0x850a418, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbfffe9c0, aFrame=0x850a46c, 
    aWhichLayer=eFramePaintLayer_Overlay) at nsContainerFrame.cpp:209
#19 0x417c5fca in nsTableOuterFrame::Paint (this=0x850a418, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbfffe9c0, aWhichLayer=eFramePaintLayer_Overlay)
    at nsTableOuterFrame.cpp:351
#20 0x4158c387 in nsContainerFrame::PaintChild (this=0x850a340, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbfffec8c, aFrame=0x850a418, 
    aWhichLayer=eFramePaintLayer_Overlay) at nsContainerFrame.cpp:209
#21 0x41585f9e in nsBlockFrame::PaintChildren (this=0x850a340, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbfffec8c, aWhichLayer=eFramePaintLayer_Overlay)
    at nsBlockFrame.cpp:6383
#22 0x41585cd9 in nsBlockFrame::Paint (this=0x850a340, aPresContext=0x85f3bd8, 
    aRenderingContext=@0x863fd00, aDirtyRect=@0xbfffec8c, 
    aWhichLayer=eFramePaintLayer_Overlay) at nsBlockFrame.cpp:6260
#23 0x4158c387 in nsContainerFrame::PaintChild (this=0x850a2b8, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbfffef58, aFrame=0x850a340, 
    aWhichLayer=eFramePaintLayer_Overlay) at nsContainerFrame.cpp:209
#24 0x41585f9e in nsBlockFrame::PaintChildren (this=0x850a2b8, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbfffef58, aWhichLayer=eFramePaintLayer_Overlay)
    at nsBlockFrame.cpp:6383
#25 0x41585cd9 in nsBlockFrame::Paint (this=0x850a2b8, aPresContext=0x85f3bd8, 
    aRenderingContext=@0x863fd00, aDirtyRect=@0xbfffef58, 
    aWhichLayer=eFramePaintLayer_Overlay) at nsBlockFrame.cpp:6260
#26 0x4158c387 in nsContainerFrame::PaintChild (this=0x85095e4, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbffff14c, aFrame=0x850a2b8, 
    aWhichLayer=eFramePaintLayer_Overlay) at nsContainerFrame.cpp:209
#27 0x4158c226 in nsContainerFrame::PaintChildren (this=0x85095e4, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbffff14c, aWhichLayer=eFramePaintLayer_Overlay)
    at nsContainerFrame.cpp:154
#28 0x415a4ed9 in nsHTMLContainerFrame::Paint (this=0x85095e4, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbffff14c, aWhichLayer=eFramePaintLayer_Overlay)
    at nsHTMLContainerFrame.cpp:105
#29 0x415d0292 in PresShell::Paint (this=0x86b6208, aView=0x85e19f8, 
    aRenderingContext=@0x863fd00, aDirtyRect=@0xbffff14c)
    at nsPresShell.cpp:3928
#30 0x41bbc100 in nsView::Paint (this=0x85e19f8, rc=@0x863fd00, 
    rect=@0xbffff14c, aPaintFlags=128, aResult=@0xbffff164) at nsView.cpp:282
#31 0x41bc57d8 in nsViewManager2::RenderDisplayListElement (this=0x85e8998, 
    element=0x86896f0, aRC=@0x863fd00) at nsViewManager2.cpp:847
#32 0x41bc557a in nsViewManager2::RenderViews (this=0x85e8998, 
    aRootView=0x85e12a8, aRC=@0x863fd00, aRect=@0xbffff258, 
    aResult=@0xbffff270) at nsViewManager2.cpp:793
#33 0x41bc50cd in nsViewManager2::Refresh (this=0x85e8998, aView=0x85e12a8, 
    aContext=0x863fd00, rect=0xbffff2f0, aUpdateFlags=1)
    at nsViewManager2.cpp:674
#34 0x41bc6b7d in nsViewManager2::DispatchEvent (this=0x85e8998, 
    aEvent=0xbffff414, aStatus=0xbffff334) at nsViewManager2.cpp:1338
#35 0x41bbb9cc in HandleEvent (aEvent=0xbffff414) at nsView.cpp:67
#36 0x40c2ecfc in nsWidget::DispatchEvent (this=0x85e1338, aEvent=0xbffff414, 
    aStatus=@0xbffff3d0) at nsWidget.cpp:1475
#37 0x40c2e938 in nsWidget::DispatchWindowEvent (this=0x85e1338, 
    event=0xbffff414) at nsWidget.cpp:1366
#38 0x40c34c8e in nsWindow::DoPaint (this=0x85e1338, aX=0, aY=0, aWidth=849, 
    aHeight=826, aClipRegion=0x85e1468) at nsWindow.cpp:670
#39 0x40c34f4e in nsWindow::Update (this=0x85e1338) at nsWindow.cpp:716
#40 0x40c3515f in nsWindow::Update (this=0x8512a88) at nsWindow.cpp:740
#41 0x40c349db in nsWindow::UpdateIdle (data=0x0) at nsWindow.cpp:582
#42 0x40dd966c in g_idle_dispatch (source_data=0x40c3496c, 
    dispatch_time=0xbffff6b0, user_data=0x0) at gmain.c:1365
#43 0x40dd8717 in g_main_dispatch (dispatch_time=0xbffff6b0) at gmain.c:656
#44 0x40dd8cdb in g_main_iterate (block=1, dispatch=1) at gmain.c:877
#45 0x40dd8e59 in g_main_run (loop=0x8135658) at gmain.c:935
#46 0x40d07069 in gtk_main () at gtkmain.c:476
#47 0x40c1b829 in nsAppShell::Run (this=0x80a1ec0) at nsAppShell.cpp:335
#48 0x4069a50c in nsAppShellService::Run (this=0x80c63d8)
    at nsAppShellService.cpp:378
#49 0x80553e0 in main1 (argc=2, argv=0xbffff994, nativeApp=0x0)
    at nsAppRunner.cpp:958
#50 0x8055ab4 in main (argc=2, argv=0xbffff994) at nsAppRunner.cpp:1139
#51 0x403712e7 in __libc_start_main () from /lib/libc.so.6
Comment 4 robin shaw 2000-09-12 21:21:49 PDT
I've found that if you comment out the eleventh line that mentions image = src
"logo.png" the page will load.
Comment 5 Doron Rosenberg (IBM) 2000-09-13 09:36:10 PDT
robin shaw - could you post a small testcase which crashes mozilla? thanks!
Comment 6 Jeffrey Baker 2000-09-13 09:47:03 PDT
Created attachment 14590
PNG file for testcase
Comment 7 Jeffrey Baker 2000-09-13 09:52:21 PDT
Created attachment 14592
Minimal Testcase
Comment 8 alla 2000-09-13 10:04:48 PDT
Compositing with width==0 and/or height==0 crashes.
My patch in bug 37779 fixes this.
Comment 9 Doron Rosenberg (IBM) 2000-09-13 10:53:08 PDT
is this a dupe of bug 37779?
Comment 10 robin shaw 2000-09-13 19:25:33 PDT
page loads with 2000-09-13 
Comment 11 Asa Dotzler [:asa] 2000-09-14 15:19:16 PDT
WFM with 091408 mozilla linux build
Comment 12 tor 2000-09-14 15:37:50 PDT
From what I've heard on irc, this seems to be something of a race condition
(happens when everything is local).  It can either be fixed with a trivial
change to the existing code or by applying alex's patch for 37779, which
helps a number of other issues.
Comment 13 tor 2000-09-14 15:39:31 PDT
Assigning to myself, so I'll remember to checkin the trivial fix if 37779
is denied for some reason.
Comment 14 robin shaw 2000-09-15 18:11:38 PDT
crashes with 2000-09-15-08 linux
Comment 15 tor 2000-09-15 18:16:02 PDT
*** Bug 52820 has been marked as a duplicate of this bug. ***
Comment 16 tor 2000-09-17 14:35:58 PDT
*** Bug 52986 has been marked as a duplicate of this bug. ***
Comment 17 Decklin Foster 2000-09-17 15:09:21 PDT
*** Bug 52980 has been marked as a duplicate of this bug. ***
Comment 18 Doron Rosenberg (IBM) 2000-09-18 14:34:51 PDT
setting default qa contact (se, joy joy!)
Comment 19 sairuh (rarely reading bugmail) 2000-09-18 18:15:18 PDT
don't crash (going to the above url) when i'm using 2000.09.18.06 opt comm bits
on linux (modern theme). i feel left out. ;)

would this perchance be a mozilla-only bug? but, asa doesn't seem to repro this.
Comment 20 Decklin Foster 2000-09-19 14:07:41 PDT
*** Bug 53175 has been marked as a duplicate of this bug. ***
Comment 21 Christian Schaller 2000-09-20 14:30:10 PDT
After reading Liberman's comment about Mozilla not crashing I tested myself
with nightly build -> Mozilla/5.0 (X11; U; Linux 2.2.14-5.0 i686; en-US; m18)
Gecko/20000919

It still crashes for me. I have PSM installed if that makes a difference, and am
using RH6.2 and the Helix GNOME updates running on an Athlon.
Comment 22 tor 2000-09-20 14:30:50 PDT
*** Bug 52946 has been marked as a duplicate of this bug. ***
Comment 23 sairuh (rarely reading bugmail) 2000-09-20 15:21:57 PDT
hm, still cannot get this to crash either using comm or mozilla 2000.09.20.08
bits. however, the moz bits i have don't have psm (although the comm bits do,
which is odd)...

asa/junruh, have you tried using mozilla + psm to see if this occurs?
Comment 24 John Unruh 2000-09-20 16:03:57 PDT
This url crashes the 091921 commercial linux build. win98 and Mac are OK.
Comment 25 stuarta 2000-09-22 02:41:19 PDT
Probable cause of problem: appalling English on the page.  No other page on the 
Internet displays such a lamentable grasp of the English language, so this is 
not an important problem.
Comment 26 tor 2000-09-22 11:46:14 PDT
Created attachment 15325
add some checks for error conditions
Comment 27 Stuart Parmenter 2000-09-22 11:49:32 PDT
r=pavlov
Comment 28 Scott Collins 2000-09-22 12:05:20 PDT
r=scc for the 9/22 patch
Comment 29 buster 2000-09-22 13:32:06 PDT
are these unexpected conditions you are testing for?  If so, it would be good to 
add assertions, so that when the conditions are encountered somebody with a 
debugger can hopefully trace back and see what caused them.  I'm not against 
adding band-aid fixes like this, but I don't want to lose sight of the need to 
get to the root cause.

a=buster, if you add the assertions (or convince me they're unnecessary because 
the conditions are legal and expected.)
Comment 30 tor 2000-09-22 16:48:25 PDT
The first condition is a result of the layout engine asking
nsRenderingContextGTK to render a 1x1 portion of the image (presumably
in twips, though I'm not familiar with the layout engine's various
coordinate systems).  nsRenderingContextGTK pumps it through mTranMatrix,
at which point the width and height come out to be zero pixels.  Checking
for a zero width or height image is a valid check and avoids needless
calculations (and calling XGetImage() on a zero dimension image, which
it doesn't like).

XGetImage() failing is a more serious problem, so I added an assertion
as you suggested.

How does this sound?
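
Added example (not part of the thread and not the attached patch): a self-contained C++ sketch of the two checks comment 30 describes, a zero-size guard after the coordinate transform and a null check on the fetched background image. All names are hypothetical; `FetchBackground` stands in for `XGetImage()`, the 1/15 scale is an assumed twips-to-pixel factor, and the 837/31 offset and 849x826 drawable are taken from the stack trace in comment 3.

```cpp
// Added illustration, not the Mozilla patch. All names are hypothetical.
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <memory>
#include <vector>

struct Rect { int x, y, w, h; };

// Stand-in for the rendering context's transform: scale plus offset.
struct Transform {
  double scale; int tx, ty;
  Rect Apply(const Rect& r) const {
    return { int(std::lround(r.x * scale)) + tx, int(std::lround(r.y * scale)) + ty,
             int(std::lround(r.w * scale)), int(std::lround(r.h * scale)) };
  }
};

struct Image { int w, h; std::vector<std::uint8_t> px; };

// Stand-in for XGetImage(): yields null for an empty request or one that is
// not wholly inside the drawable, instead of a usable image.
std::unique_ptr<Image> FetchBackground(const Rect& r, int drawW, int drawH) {
  if (r.w <= 0 || r.h <= 0) return nullptr;
  if (r.x < 0 || r.y < 0 || r.x + r.w > drawW || r.y + r.h > drawH) return nullptr;
  std::vector<std::uint8_t> px(std::size_t(r.w) * std::size_t(r.h), 0xFF);
  return std::unique_ptr<Image>(new Image{r.w, r.h, px});
}

enum class DrawResult { Drawn, SkippedEmpty, FetchFailed };

// Guarded compositing: both checks run before any pixel is touched.
DrawResult DrawComposited(const Transform& t, const Rect& request, int drawW,
                          int drawH, std::uint8_t alpha, std::size_t* blended) {
  const Rect dev = t.Apply(request);
  // Check 1: a legal layout request can still map to zero device pixels.
  if (dev.w <= 0 || dev.h <= 0) return DrawResult::SkippedEmpty;
  // Check 2: the fetch itself can fail; its result is never used unchecked.
  std::unique_ptr<Image> bg = FetchBackground(dev, drawW, drawH);
  if (!bg) return DrawResult::FetchFailed;
  // Blend a black source with the given alpha over the fetched background.
  for (std::uint8_t& p : bg->px)
    p = std::uint8_t(p * (255 - alpha) / 255);
  *blended = bg->px.size();
  return DrawResult::Drawn;
}
```

A 1x1 request through this transform comes out as the same x=837, y=31, width=0, height=0 seen in frame #0 of the stack trace, and is skipped before any fetch is attempted.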
Comment 31 tor 2000-09-22 16:49:00 PDT
Created attachment 15363
updated patch with assertion
Comment 32 John Morrison 2000-09-22 17:14:59 PDT
*** Bug 53232 has been marked as a duplicate of this bug. ***
Comment 33 tor 2000-09-22 18:58:51 PDT
Checked into the trunk - adding nsbeta3 and rtm to get the attention of PDT
for the Netscape 6.0 branch.
Comment 34 John Morrison 2000-09-22 19:23:12 PDT
Thanks Tim! Perhaps it would be a good idea to assign this over to pavlov. 
[nsbeta3/rtm are more likely to not drop off the radar when assigned to 
a NS engineer. (I know, they shouldn't, but it has happened in the past).]
Comment 35 sairuh (rarely reading bugmail) 2000-09-22 19:43:36 PDT
oh, i was able to crash going to www.linuxfr.org... i no longer feel left out.
;)
Comment 36 John Morrison 2000-09-23 17:57:42 PDT
Assigning to pavlov to bring this up for consideration for checkin 
on the branch. 
Comment 37 Peter Trudelle 2000-09-26 15:58:00 PDT
nsbeta3+, crashes on popular Linux sites, fixed on trunk where it has been used 
for a few days without incident.  change restricted to gtk, no risk on 
Win32/Mac.
Comment 38 Peter Trudelle 2000-09-28 00:35:21 PDT
Marking nsbeta3-, rtm+.  No longer worth risk for nsbeta3, but need for rtm.
Comment 39 tor 2000-09-28 09:19:44 PDT
Clearing [nsbeta3-] for reconsideration - the fix has been in the trunk for
about a week now without any problem, and fixes a problem which has high
visibility on linux.

The patch itself is extremely low risk, as it only adds some argument
verification and error checking.  It doesn't even allocate/free/write memory.
Comment 40 Peter Trudelle 2000-09-28 10:02:15 PDT
All of this has been considered. If it were more commonly seen, I'd agree with
you, but it is too late to be landing this on the beta branch. The branch has to
be firmed up today, and we can't just keep adding stuff to it. nsbeta3-
Comment 41 Michael La Guardia 2000-10-02 16:25:52 PDT
marking rtm++.  Let's check this puppy into the branch.
Comment 42 Stuart Parmenter 2000-10-03 19:28:58 PDT
checked in to branch.
Comment 43 sairuh (rarely reading bugmail) 2000-10-06 15:35:15 PDT
vrfy fixed using 2000.10.06.10-n6 [opt comm branch] bits on linux. needs final
vrf'tion on trunk bits...
Comment 44 sairuh (rarely reading bugmail) 2000-10-06 15:53:35 PDT
vrfying --asa couldn't crash going to www.linuxfr.org using today's trunk bits
[2000.10.06.13-m18].
