Closed Bug 52275 Opened 24 years ago Closed 24 years ago

Page causes Mozilla to crash (nsImageGTK::DrawComposited)

Categories

(SeaMonkey :: UI Design, defect, P2)

x86
Linux
defect

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: Uraeus, Assigned: pavlov)

Details

(Keywords: crash, testcase, Whiteboard: [nsbeta3-][rtm++])

Attachments

(4 files)

Using the latest nightly builds this page causes Mozilla Linux to crash.
The builds tested are from the 10 and the 12 of September. 

Also tested with latest windows build (12) which doesn't crash.
i see this also on linux 2000091108
unable to reproduce with 091212 mozilla linux build.  can one of you install the
installer build with talkback and let me know if it generates a report.  I
should be able to get a stack trace if it does.
I'm also seeing this on a debug build pulled 2000-09-11.  Stack trace:

#0  0x410265c7 in nsImageGTK::DrawComposited (this=0x87d6e60, 
    aContext=@0x863fd00, aSurface=0x858fcf0, aX=837, aY=31, aWidth=0, 
    aHeight=0) at nsImageGTK.cpp:727
#1  0x410256c8 in nsImageGTK::Draw (this=0x87d6e60, aContext=@0x863fd00, 
    aSurface=0x858fcf0, aX=837, aY=31, aWidth=0, aHeight=0)
    at nsImageGTK.cpp:905
#2  0x4102b8a6 in nsRenderingContextGTK::DrawImage (this=0x863fd00, 
    aImage=0x87d6e60, aX=0, aY=0, aWidth=1, aHeight=1)
    at nsRenderingContextGTK.cpp:1498
#3  0x4102b814 in nsRenderingContextGTK::DrawImage (this=0x863fd00, 
    aImage=0x87d6e60, aRect=@0xbfffe16c) at nsRenderingContextGTK.cpp:1467
#4  0x415aec06 in nsImageFrame::Paint (this=0x874fc18, aPresContext=0x85f3bd8, 
    aRenderingContext=@0x863fd00, aDirtyRect=@0xbfffe1bc, 
    aWhichLayer=eFramePaintLayer_Overlay) at nsImageFrame.cpp:647
#5  0x4158c387 in nsContainerFrame::PaintChild (this=0x874fbcc, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbfffe488, aFrame=0x874fc18, 
    aWhichLayer=eFramePaintLayer_Overlay) at nsContainerFrame.cpp:209
#6  0x41585f9e in nsBlockFrame::PaintChildren (this=0x874fbcc, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbfffe488, aWhichLayer=eFramePaintLayer_Overlay)
    at nsBlockFrame.cpp:6383
#7  0x41585cd9 in nsBlockFrame::Paint (this=0x874fbcc, aPresContext=0x85f3bd8, 
    aRenderingContext=@0x863fd00, aDirtyRect=@0xbfffe488, 
    aWhichLayer=eFramePaintLayer_Overlay) at nsBlockFrame.cpp:6260
#8  0x4158c387 in nsContainerFrame::PaintChild (this=0x874fb6c, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbfffe620, aFrame=0x874fbcc, 
    aWhichLayer=eFramePaintLayer_Overlay) at nsContainerFrame.cpp:209
#9  0x4158c226 in nsContainerFrame::PaintChildren (this=0x874fb6c, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbfffe620, aWhichLayer=eFramePaintLayer_Overlay)
    at nsContainerFrame.cpp:154
#10 0x417b5e39 in nsTableCellFrame::Paint (this=0x874fb6c, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbfffe620, aWhichLayer=eFramePaintLayer_Overlay)
    at nsTableCellFrame.cpp:365
#11 0x417ca5e5 in nsTableRowFrame::PaintChildren (this=0x850a518, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbfffe704, aWhichLayer=eFramePaintLayer_Overlay)
    at nsTableRowFrame.cpp:596
#12 0x417ca47e in nsTableRowFrame::Paint (this=0x850a518, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbfffe704, aWhichLayer=eFramePaintLayer_Overlay)
    at nsTableRowFrame.cpp:551
#13 0x417cd1fe in nsTableRowGroupFrame::PaintChildren (this=0x850a4d4, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbfffe7e0, aWhichLayer=eFramePaintLayer_Overlay)
    at nsTableRowGroupFrame.cpp:261
#14 0x417cd0b9 in nsTableRowGroupFrame::Paint (this=0x850a4d4, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbfffe7e0, aWhichLayer=eFramePaintLayer_Overlay)
    at nsTableRowGroupFrame.cpp:217
#15 0x4158c387 in nsContainerFrame::PaintChild (this=0x850a46c, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbfffe8fc, aFrame=0x850a4d4, 
    aWhichLayer=eFramePaintLayer_Overlay) at nsContainerFrame.cpp:209
#16 0x4158c226 in nsContainerFrame::PaintChildren (this=0x850a46c, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbfffe8fc, aWhichLayer=eFramePaintLayer_Overlay)
    at nsContainerFrame.cpp:154
#17 0x417bd675 in nsTableFrame::Paint (this=0x850a46c, aPresContext=0x85f3bd8, 
    aRenderingContext=@0x863fd00, aDirtyRect=@0xbfffe8fc, 
    aWhichLayer=eFramePaintLayer_Overlay) at nsTableFrame.cpp:1313
#18 0x4158c387 in nsContainerFrame::PaintChild (this=0x850a418, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbfffe9c0, aFrame=0x850a46c, 
    aWhichLayer=eFramePaintLayer_Overlay) at nsContainerFrame.cpp:209
#19 0x417c5fca in nsTableOuterFrame::Paint (this=0x850a418, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbfffe9c0, aWhichLayer=eFramePaintLayer_Overlay)
    at nsTableOuterFrame.cpp:351
#20 0x4158c387 in nsContainerFrame::PaintChild (this=0x850a340, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbfffec8c, aFrame=0x850a418, 
    aWhichLayer=eFramePaintLayer_Overlay) at nsContainerFrame.cpp:209
#21 0x41585f9e in nsBlockFrame::PaintChildren (this=0x850a340, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbfffec8c, aWhichLayer=eFramePaintLayer_Overlay)
    at nsBlockFrame.cpp:6383
#22 0x41585cd9 in nsBlockFrame::Paint (this=0x850a340, aPresContext=0x85f3bd8, 
    aRenderingContext=@0x863fd00, aDirtyRect=@0xbfffec8c, 
    aWhichLayer=eFramePaintLayer_Overlay) at nsBlockFrame.cpp:6260
#23 0x4158c387 in nsContainerFrame::PaintChild (this=0x850a2b8, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbfffef58, aFrame=0x850a340, 
    aWhichLayer=eFramePaintLayer_Overlay) at nsContainerFrame.cpp:209
#24 0x41585f9e in nsBlockFrame::PaintChildren (this=0x850a2b8, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbfffef58, aWhichLayer=eFramePaintLayer_Overlay)
    at nsBlockFrame.cpp:6383
#25 0x41585cd9 in nsBlockFrame::Paint (this=0x850a2b8, aPresContext=0x85f3bd8, 
    aRenderingContext=@0x863fd00, aDirtyRect=@0xbfffef58, 
    aWhichLayer=eFramePaintLayer_Overlay) at nsBlockFrame.cpp:6260
#26 0x4158c387 in nsContainerFrame::PaintChild (this=0x85095e4, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbffff14c, aFrame=0x850a2b8, 
    aWhichLayer=eFramePaintLayer_Overlay) at nsContainerFrame.cpp:209
#27 0x4158c226 in nsContainerFrame::PaintChildren (this=0x85095e4, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbffff14c, aWhichLayer=eFramePaintLayer_Overlay)
    at nsContainerFrame.cpp:154
#28 0x415a4ed9 in nsHTMLContainerFrame::Paint (this=0x85095e4, 
    aPresContext=0x85f3bd8, aRenderingContext=@0x863fd00, 
    aDirtyRect=@0xbffff14c, aWhichLayer=eFramePaintLayer_Overlay)
    at nsHTMLContainerFrame.cpp:105
#29 0x415d0292 in PresShell::Paint (this=0x86b6208, aView=0x85e19f8, 
    aRenderingContext=@0x863fd00, aDirtyRect=@0xbffff14c)
    at nsPresShell.cpp:3928
#30 0x41bbc100 in nsView::Paint (this=0x85e19f8, rc=@0x863fd00, 
    rect=@0xbffff14c, aPaintFlags=128, aResult=@0xbffff164) at nsView.cpp:282
#31 0x41bc57d8 in nsViewManager2::RenderDisplayListElement (this=0x85e8998, 
    element=0x86896f0, aRC=@0x863fd00) at nsViewManager2.cpp:847
#32 0x41bc557a in nsViewManager2::RenderViews (this=0x85e8998, 
    aRootView=0x85e12a8, aRC=@0x863fd00, aRect=@0xbffff258, 
    aResult=@0xbffff270) at nsViewManager2.cpp:793
#33 0x41bc50cd in nsViewManager2::Refresh (this=0x85e8998, aView=0x85e12a8, 
    aContext=0x863fd00, rect=0xbffff2f0, aUpdateFlags=1)
    at nsViewManager2.cpp:674
#34 0x41bc6b7d in nsViewManager2::DispatchEvent (this=0x85e8998, 
    aEvent=0xbffff414, aStatus=0xbffff334) at nsViewManager2.cpp:1338
#35 0x41bbb9cc in HandleEvent (aEvent=0xbffff414) at nsView.cpp:67
#36 0x40c2ecfc in nsWidget::DispatchEvent (this=0x85e1338, aEvent=0xbffff414, 
    aStatus=@0xbffff3d0) at nsWidget.cpp:1475
#37 0x40c2e938 in nsWidget::DispatchWindowEvent (this=0x85e1338, 
    event=0xbffff414) at nsWidget.cpp:1366
#38 0x40c34c8e in nsWindow::DoPaint (this=0x85e1338, aX=0, aY=0, aWidth=849, 
    aHeight=826, aClipRegion=0x85e1468) at nsWindow.cpp:670
#39 0x40c34f4e in nsWindow::Update (this=0x85e1338) at nsWindow.cpp:716
#40 0x40c3515f in nsWindow::Update (this=0x8512a88) at nsWindow.cpp:740
#41 0x40c349db in nsWindow::UpdateIdle (data=0x0) at nsWindow.cpp:582
#42 0x40dd966c in g_idle_dispatch (source_data=0x40c3496c, 
    dispatch_time=0xbffff6b0, user_data=0x0) at gmain.c:1365
#43 0x40dd8717 in g_main_dispatch (dispatch_time=0xbffff6b0) at gmain.c:656
#44 0x40dd8cdb in g_main_iterate (block=1, dispatch=1) at gmain.c:877
#45 0x40dd8e59 in g_main_run (loop=0x8135658) at gmain.c:935
#46 0x40d07069 in gtk_main () at gtkmain.c:476
#47 0x40c1b829 in nsAppShell::Run (this=0x80a1ec0) at nsAppShell.cpp:335
#48 0x4069a50c in nsAppShellService::Run (this=0x80c63d8)
    at nsAppShellService.cpp:378
#49 0x80553e0 in main1 (argc=2, argv=0xbffff994, nativeApp=0x0)
    at nsAppRunner.cpp:958
#50 0x8055ab4 in main (argc=2, argv=0xbffff994) at nsAppRunner.cpp:1139
#51 0x403712e7 in __libc_start_main () from /lib/libc.so.6
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash
I've found that if you comment out the eleventh line that mentions  image = src
"logo.png" the page will load.
robin shaw - could you post a small testcase which crashes mozilla? thanks!
Attached image PNG file for testcase
Attached file Minimal Testcase
Keywords: testcase
Compositing with width==0 and/or height==0 crashes.
My patch in bug 37779 fixes this.
is this a dupe of bug 37779?
page loads with 2000-09-13 
WFM with 091408 mozilla linux build
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → WORKSFORME
From what I've heard on irc, this seems to be something of a race condition
(happens when everything is local).  It can either be fixed with a trivial
change to the existing code or by applying alex's patch for 37779, which
helps a number of other issues.
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Assigning to myself, so I'll remember to checkin the trivial fix if 37779
is denied for some reason.
Assignee: asa → tor
Status: REOPENED → NEW
Component: Browser-General → XP Apps
crashes with 2000-09-15-08 linux
*** Bug 52820 has been marked as a duplicate of this bug. ***
*** Bug 52986 has been marked as a duplicate of this bug. ***
*** Bug 52980 has been marked as a duplicate of this bug. ***
Depends on: 37779
setting default qa contact (se, joy joy!)
QA Contact: doronr → sairuh
don't crash (going to the above url) when i'm using 2000.09.18.06 opt comm bits
on linux (modern theme). i feel left out. ;)

would this perchance be a mozilla-only bug? but, asa doesn't seem to repro this.
*** Bug 53175 has been marked as a duplicate of this bug. ***
After reading Liberman's comment about Mozilla not crashing I tested myself
with nightly build -> Mozilla/5.0 (X11; U; Linux 2.2.14-5.0 i686; en-US; m18)
Gecko/20000919

It still crashes for me. I have PSM installed if that makes a difference, and am
using RH6.2 and the Helix GNOME updates running on an Athlon.
*** Bug 52946 has been marked as a duplicate of this bug. ***
hm, still cannot get this to crash either using comm or mozilla 2000.09.20.08
bits. however, the moz bits i have don't have psm (although the comm bits do,
which is odd)...

asa/junruh, have you tried using mozilla + psm to see if this occurs?
This url crashes the 091921 commercial linux build. win98 and Mac are OK.
Probable cause of problem: appalling English on the page.  No other page on the 
Internet displays such a lamentable grasp of the English language, so this is 
not an important problem.
r=pavlov
r=scc for the 9/22 patch
are these unexpected conditions you are testing for?  If so, it would be good to 
add assertions, so that when the conditions are encountered somebody with a 
debugger can hopefully trace back and see what caused them.  I'm not against 
adding band-aid fixes like this, but I don't want to lose sight of the need to 
get to the root cause.

a=buster, if you add the assertions (or convince me they're unnecessary because 
the conditions are legal and expected.)
The first condition is a result of the layout engine asking
nsRenderingContextGTK to render a 1x1 portion of the image (presumably
in twips, though I'm not familiar with the layout engine's various
coordinate systems).  nsRenderingContextGTK pumps it through mTranMatrix,
at which point the width and height come out to be zero pixels.  Checking
for a zero width or height image is a valid check and avoids needless
calculations (and calling XGetImage() on a zero dimension image, which
it doesn't like).

XGetImage() failing is a more serious problem, so I added an assertion
as you suggested.

How does this sound?
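
The two checks described in the comment above, as an added example (not the checked-in patch, which this page does not show, and not Mozilla code). All type and function names, the 0.0625 scale and the 100x100 surface are constructed assumptions; fetch_pixels is a stub standing in for a call such as XGetImage().

```cpp
#include <cstdint>
#include <cstdio>
#include <cstdlib>

// All names below are hypothetical stand-ins, not Mozilla or Xlib symbols.
struct Rect { int x, y, width, height; };

// Scale-only transform that truncates to whole pixels, standing in for the
// app-unit-to-pixel conversion done by the rendering context's matrix.
struct Transform {
    float scale;  // constructed value: pixels per app unit
    Rect apply(const Rect& r) const {
        return { int(r.x * scale), int(r.y * scale),
                 int(r.width * scale), int(r.height * scale) };
    }
};

const int kSurfaceW = 100, kSurfaceH = 100;  // constructed drawable size

// Stub for a pixel fetch such as XGetImage(): this stand-in returns nullptr
// for an empty region or one that is not fully inside the drawable.
uint8_t* fetch_pixels(const Rect& r) {
    if (r.width <= 0 || r.height <= 0) return nullptr;
    if (r.x < 0 || r.y < 0 || r.x + r.width > kSurfaceW ||
        r.y + r.height > kSurfaceH) return nullptr;
    return static_cast<uint8_t*>(std::calloc(size_t(r.width) * r.height, 4));
}

enum DrawResult { DRAWN, SKIPPED_EMPTY, FETCH_FAILED };

DrawResult draw_composited(const Transform& t, const Rect& src) {
    Rect dst = t.apply(src);
    // Check 1: a zero-pixel result is legal input, so return quietly
    // before any buffer math or fetch is attempted.
    if (dst.width <= 0 || dst.height <= 0) return SKIPPED_EMPTY;
    uint8_t* px = fetch_pixels(dst);
    // Check 2: a failed fetch is unexpected; report it and bail out
    // instead of dereferencing a null pointer.
    if (!px) {
        std::fprintf(stderr, "fetch_pixels failed for %dx%d at (%d,%d)\n",
                     dst.width, dst.height, dst.x, dst.y);
        return FETCH_FAILED;
    }
    px[0] = 0xff;  // placeholder for the real compositing loop
    std::free(px);
    return DRAWN;
}

int main() {
    Transform t{0.0625f};  // a 1x1 request truncates to 0x0 pixels
    std::printf("%d\n", draw_composited(t, Rect{0, 0, 1, 1}));
    return 0;
}
```

The 1x1 request mirrors frames #2 and #1 of the stack trace, where DrawImage receives aWidth=1, aHeight=1 and Draw receives aWidth=0, aHeight=0.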
*** Bug 53232 has been marked as a duplicate of this bug. ***
Checked into the trunk - adding nsbeta3 and rtm to get the attention of PDT
for the Netscape 6.0 branch.
Keywords: nsbeta3, rtm
Thanks Tim! Perhaps it would be a good idea to assign this over to pavlov. 
[nsbeta3/rtm are more likely to not drop off the radar when assigned to 
a NS engineer. (I know, they shouldn't, but it has happened in the past).]
Summary: Page causes Mozilla to crash → Page causes Mozilla to crash (nsImageGTK::DrawComposited)
oh, i was able to crash going to www.linuxfr.org... i no longer feel left out.
;)
Assigning to pavlov to bring this up for consideration for checkin 
on the branch. 
Assignee: tor → pavlov
nsbeta3+, crashes on popular Linux sites, fixed on trunk where it has been used 
for a few days without incident.  change restricted to gtk, no risk on 
Win32/Mac.
Whiteboard: [nsbeta3+] PDT: please consider for nsbeta3
Target Milestone: --- → M18
Marking nsbeta3-, rtm+.  No longer worth risk for nsbeta3, but need for rtm.
Whiteboard: [nsbeta3+] PDT: please consider for nsbeta3 → [nsbeta3-] [rtm+] TRUNK-TESTED FIX READY TO LAND
Clearing [nsbeta3-] for reconsideration - the fix has been in the trunk for
about a week now without any problem, and fixes a problem which has high
visibility on linux.

The patch itself is extremely low risk, as it only adds some argument
verification and error checking.  It doesn't even allocate/free/write memory.
Whiteboard: [nsbeta3-] [rtm+] TRUNK-TESTED FIX READY TO LAND → [rtm+] TRUNK-TESTED FIX READY TO LAND
All of this has been considered. If it were more commonly seen, I'd agree with
you, but it is too late to be landing this on the beta branch. The branch has to
be firmed up today, and we can't just keep adding stuff to it. nsbeta3-
Whiteboard: [rtm+] TRUNK-TESTED FIX READY TO LAND → [nsbeta3-][rtm+] TRUNK-TESTED FIX READY TO LAND
marking rtm++.  Let's check this puppy into the branch.
Whiteboard: [nsbeta3-][rtm+] TRUNK-TESTED FIX READY TO LAND → [nsbeta3-][rtm++] TRUNK-TESTED FIX READY TO LAND
Priority: P3 → P2
checked in to branch.
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
vrfy fixed using 2000.10.06.10-n6 [opt comm branch] bits on linux. needs final
vrf'tion on trunk bits...
Keywords: vtrunk
Whiteboard: [nsbeta3-][rtm++] TRUNK-TESTED FIX READY TO LAND → [nsbeta3-][rtm++]
vrfying --asa couldn't crash going to www.linuxfr.org using today's trunk bits
[2000.10.06.13-m18].
Status: RESOLVED → VERIFIED
Keywords: vtrunk
Product: Core → Mozilla Application Suite