Closed
Bug 527587
Opened 15 years ago
Closed 15 years ago
Crash [@ qcms_transform_data]
Categories
(Core :: Graphics: Color Management, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 521549
People
(Reporter: bc, Assigned: jrmuizel)
Details
(Keywords: crash, Whiteboard: [sg:critical?])
Crash Data
http://espn.go.com/
UNKNOWN 0x870420
qcms_transform_data (/work/mozilla/builds/1.9.3/mozilla/gfx/qcms/transform.c:1323)
row_callback (/work/mozilla/builds/1.9.3/mozilla/modules/libpr0n/decoders/png/nsPNGDecoder.cpp:773)
MOZ_PNG_push_have_row (/work/mozilla/builds/1.9.3/mozilla/modules/libimg/png/pngpread.c:1744)
MOZ_PNG_push_proc_row (/work/mozilla/builds/1.9.3/mozilla/modules/libimg/png/pngpread.c:1168)
MOZ_PNG_proc_IDAT_data (/work/mozilla/builds/1.9.3/mozilla/modules/libimg/png/pngpread.c:985)
MOZ_PNG_push_read_IDAT (/work/mozilla/builds/1.9.3/mozilla/modules/libimg/png/pngpread.c:917)
MOZ_PNG_proc_some_data (/work/mozilla/builds/1.9.3/mozilla/modules/libimg/png/pngpread.c:61)
MOZ_PNG_process_data (/work/mozilla/builds/1.9.3/mozilla/modules/libimg/png/pngpread.c:33)
nsPNGDecoder::Write(char const*, unsigned int) (/work/mozilla/builds/1.9.3/mozilla/modules/libpr0n/decoders/png/nsPNGDecoder.cpp:388)
http://www.surfthechannel.com/
Stack:
UNKNOWN 0x946420
qcms_transform_data (/work/mozilla/builds/1.9.3/mozilla/gfx/qcms/transform.c:1323)
row_callback (/work/mozilla/builds/1.9.3/mozilla/modules/libpr0n/decoders/png/nsPNGDecoder.cpp:773)
MOZ_PNG_push_have_row (/work/mozilla/builds/1.9.3/mozilla/modules/libimg/png/pngpread.c:1744)
MOZ_PNG_push_proc_row (/work/mozilla/builds/1.9.3/mozilla/modules/libimg/png/pngpread.c:1168)
MOZ_PNG_proc_IDAT_data (/work/mozilla/builds/1.9.3/mozilla/modules/libimg/png/pngpread.c:985)
MOZ_PNG_push_read_IDAT (/work/mozilla/builds/1.9.3/mozilla/modules/libimg/png/pngpread.c:917)
MOZ_PNG_proc_some_data (/work/mozilla/builds/1.9.3/mozilla/modules/libimg/png/pngpread.c:61)
MOZ_PNG_process_data (/work/mozilla/builds/1.9.3/mozilla/modules/libimg/png/pngpread.c:33)
nsPNGDecoder::Write(char const*, unsigned int) (/work/mozilla/builds/1.9.3/mozilla/modules/libpr0n/decoders/png/nsPNGDecoder.cpp:388)
imgContainer::WriteToDecoder(char const*, unsigned int) (/work/mozilla/builds/1.9.3/mozilla/modules/libpr0n/src/imgContainer.cpp:2165)
imgContainer::AddSourceData(char const*, unsigned int) (/work/mozilla/builds/1.9.3/mozilla/modules/libpr0n/src/imgContainer.cpp:1183)
imgContainer::WriteToContainer(nsIInputStream*, void*, char const*, unsigned int, unsigned int, unsigned int*) (/work/mozilla/builds/1.9.3/mozilla/modules/libpr0n/src/imgContainer.cpp:2603)
http://www.vancouversun.com/
UNKNOWN 0xd0c420
qcms_transform_data (/work/mozilla/builds/1.9.3/mozilla/gfx/qcms/transform.c:1323)
nsJPEGDecoder::OutputScanlines(int*) (/work/mozilla/builds/1.9.3/mozilla/modules/libpr0n/decoders/jpeg/nsJPEGDecoder.cpp:649)
.L176 (/work/mozilla/builds/1.9.3/mozilla/modules/libpr0n/decoders/jpeg/nsJPEGDecoder.cpp:465)
imgContainer::WriteToDecoder(char const*, unsigned int) (/work/mozilla/builds/1.9.3/mozilla/modules/libpr0n/src/imgContainer.cpp:2165)
imgContainer::AddSourceData(char const*, unsigned int) (/work/mozilla/builds/1.9.3/mozilla/modules/libpr0n/src/imgContainer.cpp:1183)
imgContainer::WriteToContainer(nsIInputStream*, void*, char const*, unsigned int, unsigned int, unsigned int*) (/work/mozilla/builds/1.9.3/mozilla/modules/libpr0n/src/imgContainer.cpp:2603)
lots more. this is seriously affecting crash testing linux trunk.
sensitive because of the random address.
|
||
Comment 1•15 years ago
|
||
Are you getting these from crash-stats, or in your own test runs? If the latter have you tried with a debug build? Any informative asserts or other clues?
Keywords: testcase-wanted
Whiteboard: [sg:needinfo]
|
Reporter | |
Comment 2•15 years ago
|
||
The original urls were from a list of flash crashes unrelated to this crash. These were with a debug builds. Nothing cluefull that I can see. I'll try to reduce a test case later today.
|
|
Reporter | |
Comment 3•15 years ago
|
||
This is either a dupe or closely related to bug 521549. When trying to reproduce/reduce I get a start up crash on centos5 at qcms_transform_data_rgb_out_lut_sse2
|
Assignee | |
Updated•15 years ago
|
Component: ImageLib → GFX: Color Management
QA Contact: imagelib → color-management
|
|
||
Comment 4•15 years ago
|
||
I don't know, with the crash in bug 521549 you're at least in one of the expected transform functions. qcms_transform_data consists of the single line
transform->transform_fn(transform, src, dest, length);
If the next thing on the stack is "unknown" then we've got corrupted, potentially exploitable, memory.
Whiteboard: [sg:needinfo] → [sg:critical?]
|
|
Reporter | |
Comment 5•15 years ago
|
||
On 1.9.2, 1.9.3 linux x86, each url now crashes in flash 10.1.53.21 without a minidump but the browser stays alive. The original crash appears to be works for me. 1.9.1 just crashes in flash.
Anyone have an idea of what *might* have fixed this?
|
|
Assignee | |
Updated•15 years ago
|
Assignee: nobody → jmuizelaar
|
|
Assignee | |
Comment 6•15 years ago
|
||
This still seems like bug 521549 to me. Are there any crashes that have happened on a release build?
|
||
Comment 7•15 years ago
|
||
only 1 crash matching anything with qcms_transform_data in the singature and that doesn't appear to be related.
http://crash-stats.mozilla.com/query/query?product=Firefox&version=ALL%3AALL&range_value=1&range_unit=weeks&date=05%2F10%2F2010+13%3A29%3A07&query_search=signature&query_type=contains&query=qcms_transform_data&build_id=&process_type=plugin&plugin_field=filename&plugin_query_type=exact&plugin_query=&do_query=1
|
||
Comment 8•15 years ago
|
||
Please reopen if this is wrong!
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
|
||
Updated•13 years ago
|
Crash Signature: [@ qcms_transform_data]
|
|
||
Updated•13 years ago
|
Group: core-security
|
||
Updated•9 years ago
|
Keywords: testcase-wanted
You need to log in
before you can comment on or make changes to this bug.
Description
•