Closed Bug 619048 Opened 14 years ago Closed 14 years ago

Crash when trying to optimize zero-sized image

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla7

Tracking Flags:

Tracking

Status

firefox5

---

firefox6

---

blocking2.0

---

People

(Reporter: wsmwk, Assigned: joe)

References

Details

(4 keywords, Whiteboard: [sg:dos null-deref][inbound])

Crash Data

Attachments

(3 files, 7 obsolete files)

Crash image 14 years ago Alice0775 White 161.00 KB, image/x-icon		Details
handle zero-sized images in imgFrame::Optimize 14 years ago Joe Drew (not getting mail) 958 bytes, patch	jrmuizel : review-	Details \| Diff \| Splinter Review
zero sized image crashtest 14 years ago Joe Drew (not getting mail) 12.61 KB, patch	jrmuizel : review-	Details \| Diff \| Splinter Review
Correctly reject both 0-width and 0-height images 14 years ago Joe Drew (not getting mail) 1.32 KB, patch	jrmuizel : review-	Details \| Diff \| Splinter Review
max-sized image crashtest 14 years ago Joe Drew (not getting mail) 12.68 KB, patch	jrmuizel : review-	Details \| Diff \| Splinter Review
correctly reject invalid sizes 14 years ago Joe Drew (not getting mail) 1.32 KB, patch		Details \| Diff \| Splinter Review
correctly reject invalid sizes 14 years ago Joe Drew (not getting mail) 1.32 KB, patch	jrmuizel : review+	Details \| Diff \| Splinter Review
256 height 14 years ago Jeff Muizelaar [:jrmuizel] 154 bytes, image/x-icon		Details
256 width 14 years ago Jeff Muizelaar [:jrmuizel] 154 bytes, image/x-icon		Details
maximum-width and maximum-height icon crashtests 14 years ago Joe Drew (not getting mail) 1.57 KB, patch	jrmuizel : review+	Details \| Diff \| Splinter Review

Wayne Mery (:wsmwk)

Reporter

Description

•

14 years ago

crash [@ imgFrame::Optimize()] bp-3a4443c1-0914-4bcf-9855-e90742101204 EXCEPTION_ACCESS_VIOLATION_READ 0x0 0 xul.dll imgFrame::Optimize modules/libpr0n/src/imgFrame.cpp:259 1 xul.dll mozilla::imagelib::RasterImage::DecodingComplete modules/libpr0n/src/RasterImage.cpp:1046 2 xul.dll mozilla::imagelib::Decoder::Finish modules/libpr0n/src/Decoder.cpp:132 3 xul.dll mozilla::imagelib::RasterImage::ShutdownDecoder modules/libpr0n/src/RasterImage.cpp:2138 4 xul.dll mozilla::imagelib::imgDecodeWorker::Run modules/libpr0n/src/RasterImage.cpp:2609 5 xul.dll mozilla::imagelib::RasterImage::SourceDataComplete modules/libpr0n/src/RasterImage.cpp:1269 6 xul.dll imgRequest::OnStopRequest modules/libpr0n/src/imgRequest.cpp:926 7 mozcrt19.dll arena_dalloc obj-firefox/memory/jemalloc/crtsrc/jemalloc.c:4284 8 xul.dll nsStreamListenerTee::OnStopRequest netwerk/base/src/nsStreamListenerTee.cpp:71 9 xul.dll nsHttpChannel::OnStopRequest netwerk/protocol/http/nsHttpChannel.cpp:4030 10 xul.dll nsInputStreamPump::OnStateStop netwerk/base/src/nsInputStreamPump.cpp:578

Scoobidiver (away)

Comment 1

•

14 years ago

It is #271 top crasher in 4.0b11. More reports at: https://crash-stats.mozilla.com/report/list?range_value=4&range_unit=weeks&signature=imgFrame%3A%3AOptimize%28%29

Marcia Knous [:marcia]

Comment 2

•

14 years ago

A comment from one user that crashed: "This problem seems to confirm some Display Driver bug with Radeon Catalyst 2011.0308.2325.42017 - Repeated many times..."

Alice0775 White

Comment 3

•

14 years ago

Reproducible url http://www.beanrunnercafe.com/ Regression window(m-c hourly):: Works; http://hg.mozilla.org/mozilla-central/rev/484bd866905e Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b6pre) Gecko/20100911 Firefox/4.0b6pre ID:20100912040749 Crash: http://hg.mozilla.org/mozilla-central/rev/389e836517bc Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b6pre) Gecko/20100911 Firefox/4.0b6pre ID:20100912085645 Pushlog: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=484bd866905e&tochange=389e836517bc

Alice0775 White

Comment 4

•

14 years ago

bp-f9961fa8-8c3e-4660-9426-7a07b2110519

Alice0775 White

Updated

•

14 years ago

OS: Windows Vista → All

Hardware: x86 → All

Alice0775 White

Updated

•

14 years ago

blocking2.0: --- → ?

tracking-firefox5: --- → ?

tracking-firefox6: --- → ?

Keywords: regression

Scoobidiver (away)

Updated

•

14 years ago

Keywords: reproducible

Asa Dotzler [:asa]

Comment 6

•

14 years ago

Has this spiked in the crash data or something? Why has it been nominated as a concern for Firefox 5?

jeffreystern

Comment 7

•

14 years ago

The reproducible url listed here: http://www.beanrunnercafe.com/ is a site that I created and just put online on 5.16.11. It was created in Freeway Pro 5.5 (developer Softpress). Uses an inline box model, with some CMS (WebYep) and some javascript feeds.

Alice0775 White

Updated

•

14 years ago

Blocks: 514033

Alice0775 White

Comment 8

•

14 years ago

Open http://www.beanrunnercafe.com/Resources/favicon.ico Crash ...

jeffreystern

Comment 9

•

14 years ago

ARe you suggesting I should remove the favicon.ico?

Alice0775 White

Comment 10

•

14 years ago

Attached image Crash image — Details

jeffreystern

Comment 11

•

14 years ago

I removed the favicon from each page and it appears to no longer crash. Anyone know why this would cause a crash?

Marcia Knous [:marcia]

Comment 12

•

14 years ago

https://crash-stats.mozilla.com/query/query?query_type=simple&do_query=1&query=imgFrame%3A%3AOptimize() - 236 crashes in the last week, all Windows.

Sheila Mooney

Comment 13

•

14 years ago

We are not going to track this but if there is a fix ready it should be nominated for beta approval with a risk analysis.

tracking-firefox5: ? → -

Daniel Veditz [:dveditz]

Updated

•

14 years ago

blocking2.0: ? → -

Keywords: testcase

Whiteboard: [sg:dos null-deref]

chris hofmann

Comment 14

•

14 years ago

Asa Dotzler [:asa]

Comment 15

•

14 years ago

per comment 13, we're not going to be tracking this specific issue.

tracking-firefox6: ? → -

Nobody; OK to take it and work on it

Updated

•

14 years ago

Crash Signature: [@ imgFrame::Optimize()]

Joe Drew (not getting mail)

Assignee

Updated

•

14 years ago

Assignee: nobody → joe

Summary: crash [@ imgFrame::Optimize()] → Crash when trying to optimize zero-sized image

Joe Drew (not getting mail)

Assignee

Comment 17

•

14 years ago

Attached patch handle zero-sized images in imgFrame::Optimize (obsolete) — Details — Splinter Review

Zero-sized images are special-cased in gfxImageSurface by leaving mData set to null. We should not even try to optimize zero-sized images.

Attachment #542585 - Flags: review?(jmuizelaar)

Joe Drew (not getting mail)

Assignee

Comment 18

•

14 years ago

Attached patch zero sized image crashtest (obsolete) — Details — Splinter Review

Attachment #542587 - Flags: review?(jmuizelaar)

Jeff Muizelaar [:jrmuizel]

Comment 19

•

14 years ago

Comment on attachment 542585 [details] [diff] [review] handle zero-sized images in imgFrame::Optimize Go straight to hell.

Attachment #542585 - Flags: review?(jmuizelaar) → review-

Jeff Muizelaar [:jrmuizel]

Comment 20

•

14 years ago

(In reply to comment #19) > Comment on attachment 542585 [details] [diff] [review] [review] > handle zero-sized images in imgFrame::Optimize > > Go straight to hell. The reasons for which have been communicated out of band.

Joe Drew (not getting mail)

Assignee

Comment 21

•

14 years ago

The reason this came up is because our ICO decoder (potentially) incorrectly says images with a width or height of 0 actually have that width or height, but various other places disagree and say that its width/height are actually 256. I filed bug 668068 on that issue. We already handled a 0-height image, but we didn't handle 0-width.

Jeff Muizelaar [:jrmuizel]

Comment 22

•

14 years ago

Comment on attachment 542587 [details] [diff] [review] zero sized image crashtest This is a poor name for the crash test.

Attachment #542587 - Flags: review?(jmuizelaar) → review-

Joe Drew (not getting mail)

Assignee

Comment 23

•

14 years ago

Attached patch Correctly reject both 0-width and 0-height images (obsolete) — Details — Splinter Review

Jeff didn't like us allowing 0-height and 0-width images. It turned out that we already rejected 0-height, so I just extended that to reject 0-width too.

Attachment #542585 - Attachment is obsolete: true

Attachment #542632 - Flags: review?(jmuizelaar)

Joe Drew (not getting mail)

Assignee

Comment 24

•

14 years ago

Attached patch max-sized image crashtest (obsolete) — Details — Splinter Review

Due to the above revelations, I'm retitling this crashtest to be max-width, not zero-width.

Attachment #542587 - Attachment is obsolete: true

Jeff Muizelaar [:jrmuizel]

Comment 25

•

14 years ago

Comment on attachment 542632 [details] [diff] [review] Correctly reject both 0-width and 0-height images <= is better than ==

Attachment #542632 - Flags: review?(jmuizelaar) → review-

Joe Drew (not getting mail)

Assignee

Updated

•

14 years ago

Attachment #542634 - Flags: review?(jmuizelaar)

Joe Drew (not getting mail)

Assignee

Comment 26

•

14 years ago

Attached patch correctly reject invalid sizes (obsolete) — Details — Splinter Review

Attachment #542632 - Attachment is obsolete: true

Attachment #542635 - Flags: review?(jmuizelaar)

Joe Drew (not getting mail)

Assignee

Comment 27

•

14 years ago

Attached patch correctly reject invalid sizes — Details — Splinter Review

forgot to qref

Attachment #542635 - Attachment is obsolete: true

Attachment #542638 - Flags: review?(jmuizelaar)

Attachment #542635 - Flags: review?(jmuizelaar)

Jeff Muizelaar [:jrmuizel]

Comment 28

•

14 years ago

Attached image 256 height (obsolete) — Details

Jeff Muizelaar [:jrmuizel]

Comment 29

•

14 years ago

Attached image 256 width (obsolete) — Details

Jeff Muizelaar [:jrmuizel]

Updated

•

14 years ago

Attachment #542634 - Flags: review?(jmuizelaar) → review-

Jeff Muizelaar [:jrmuizel]

Updated

•

14 years ago

Attachment #542638 - Flags: review?(jmuizelaar) → review+

Joe Drew (not getting mail)

Assignee

Comment 30

•

14 years ago

Attached patch maximum-width and maximum-height icon crashtests — Details — Splinter Review

Attachment #542634 - Attachment is obsolete: true

Attachment #542639 - Attachment is obsolete: true

Attachment #542640 - Attachment is obsolete: true

Attachment #542643 - Flags: review?(jmuizelaar)

Jeff Muizelaar [:jrmuizel]

Updated

•

14 years ago

Attachment #542643 - Flags: review?(jmuizelaar) → review+

Joe Drew (not getting mail)

Assignee

Updated

•

14 years ago

Crash Signature: [@ imgFrame::Optimize()] → [@ imgFrame::Optimize() ]

Joe Drew (not getting mail)

Assignee

Comment 31

•

14 years ago

http://hg.mozilla.org/integration/mozilla-inbound/rev/ff318d0e5d72 http://hg.mozilla.org/integration/mozilla-inbound/rev/098f5469308d Accidentally labeled the second push under the wrong bug, though.

Whiteboard: [sg:dos null-deref] → [sg:dos null-deref][inbound]

Marco Bonardo [:mak]

Comment 32

•

14 years ago

this push, along with bug 552605, greatly increased random oranges in the followint reftest: layout/reftests/svg/as-image/img-and-image-1.html

Marco Bonardo [:mak]

Comment 33

•

14 years ago

backed out from inbound since the reftests failures were not something I'd love to merge to central. fixing the above one or marking as random may be enough, but I don't know what this code does and what the test is supposed to do.

Marco Bonardo [:mak]

Updated

•

14 years ago

Whiteboard: [sg:dos null-deref][inbound] → [sg:dos null-deref]

Joe Drew (not getting mail)

Assignee

Comment 34

•

14 years ago

I marked that reftest as random until dholbert gets a chance to fix the bug. http://hg.mozilla.org/integration/mozilla-inbound/rev/17f5ec50a7f1 http://hg.mozilla.org/integration/mozilla-inbound/rev/3bc48f2e9899

Whiteboard: [sg:dos null-deref] → [sg:dos null-deref][inbound]

Marco Bonardo [:mak]

Comment 35

•

14 years ago

http://hg.mozilla.org/mozilla-central/rev/17f5ec50a7f1 http://hg.mozilla.org/mozilla-central/rev/3bc48f2e9899

Status: NEW → RESOLVED

Closed: 14 years ago

Resolution: --- → FIXED

Target Milestone: --- → mozilla7

Mihaela Velimiroviciu (:mihaelav)

Comment 37

•

14 years ago

Build identifier: Mozilla/5.0 (X11; Linux x86_64; rv:7.0) Gecko/20100101 Firefox/7.0 Verified as fixed on Ubuntu: none of the pages specified in comment 3 and comment 14 crashed.

Gabriela [:gaby2300]

Comment 38

•

14 years ago

Build identifier: Mozilla/5.0 (Windows NT 6.1; rv:7.0) Gecko/20100101 Firefox/7.0 Verified as fixed on Windows: none of the pages specified in comment 3 and comment 14 crashed.

Gaurav

Comment 39

•

4 years ago

(In reply to chris hofmann from comment #14)

looks like this is also seen on other sites

domains/pages:

85 www.mafia2multiplayer.com
66 www.sendmepc.com
2 http://www.sendmepc.com/toshiba/191-toshiba-satellite-l650-15g.html
2 http://www.sendmepc.com/acer/204-acer-aspire-5741-i5-ati.html
2 http://www.sendmepc.com/208-dell-inspiron-n5010-new-shape-.html
2 http://www.sendmepc.com/14-2500-le-to-3000-le
1
http://www.sendmepc.com/toshiba/306-toshiba-satellite-c660-162-i3-253-ghz-
320-gb-ram-2-gb.html
1 http://www.sendmepc.com/toshiba/178-toshiba-satellite-c650-1cg.html
1
http://www.sendmepc.com/search.
php?orderby=position&orderway=desc&search_query=N5110&submit_search=Search
1
http://www.sendmepc.com/lang-fr/308-hp-pavilion-g6-1040ee-core-i3-4g-ram-ati-
5650-win7.html
1
http://www.sendmepc.com/hp-laptop/239-hp-pavilion-dv6-3170ee-core-i7-.html
1 http://www.sendmepc.com/hp-laptop/182-hp-pavilion-dv6-3053ee.html
1
http://www.sendmepc.com/fujitsu-siemens/251-fujitsu-lifebook-core-i5-500gb-
ati.html
1
http://www.sendmepc.com/dell/252-dell-inspiron-n5010-i7-6mb-cache-4-gb-ram-1-
year-warantee.html
1
http://www.sendmepc.com/dell/244-dell-inspiron-n5010-i7-6mb-cache-4-gb-ram-3-
years-warantee.html
1
http://www.sendmepc.com/asus/295-laptop-asus-x42jy-i5-266ghz-3g-ram-ddr3-
500g-hd-ati-hd-1gb-2-yrs-ltd-warranty.html
1
http://www.sendmepc.com/asus/294-asus-x42jy-i3-253ghz-3g-ram-ddr3-500g-2yr-
ltd-warranty.html
1
http://www.sendmepc.com/acer/301-acer-aspire-5742g-i5-nvidia-geforce.html
1 http://www.sendmepc.com/acer/301-acer-aspire-5740g-i5.html
1 http://www.sendmepc.com/acer/300-acer-aspire-5740g-i5.html
1
http://www.sendmepc.com/acer/151-acer-aspire-5741g-i5-226-ghz-up-to-253ghz-
ati-hd-5470-512mb-up-2234mb-hd-500gb-4gb-ddr3-win-7.html
1
http://www.sendmepc.com/316-inspiron-n5010-253-ghz-i5-320-gb-hd-3-gb-ram-ati-
512mb-.html
1
http://www.sendmepc.com/315-dell-inspiron-n5110-i7-win7-3years-6gb-ram.html
1
http://www.sendmepc.com/308-hp-pavilion-g6-1040ee-core-i3-4g-ram-ati-5650-
win7.html
1
http://www.sendmepc.com/285-dell-inspiron-n5010-i5-3-gb-253-ghz-320-gb-ati-
512-mb.html
1
http://www.sendmepc.com/237-dell-inspiron-n5010-i5-266-ghz-290-ghz-ram-4gb-
500-gb-hd-ati-1gb-windows-7.html
1
http://www.sendmepc.com/236-inspiron-n5010-266-ghz-i5-500-gb-hd-4-gb-ram-ati-
hd-5650-1gb-up-2775mb-.html

35 www.facebook.com
21 www.beanrunnercafe.com
2 http://www.beanrunnercafe.com/test/webyep-system/program/l-save.php

15 www.google.com.eg
14 gobowling.com.au
11 www.youtube.com
10 www.heritagehumanesociety.org
9 hurrichips.com
9 bugzilla.mozilla.org
9 https://bugzilla.mozilla.org/attachment.cgi?id=533813

8 mafia2multiplayer.com
7 www.samradford.com
1
http://www.samradford.com/post/5583012305/is-the-anc-fit-to-lead-south-
africa-anymore
1
http://www.samradford.com/post/5417121537/the-importance-of-unwritten-plans
1
http://www.samradford.com/post/5360994454/skype-only-makes-money-when-it-
changes-hands
1
http://www.samradford.com/post/5268435883/cameron-and-clegg-one-year-on-from-
the-times
1 http://www.samradford.com/

7 www.leutesdorf-rhein.de
1 http://www.leutesdorf-rhein.de/weingut-emmerich/download/weinliste.pdf
1 http://www.leutesdorf-rhein.de/service/web-quiz-mai-2011.html
1 http://www.leutesdorf-rhein.de/pension-will/index.html
1 http://www.leutesdorf-rhein.de/gastronomie.html
1 http://www.leutesdorf-rhein.de/

7 www.google.com

(In reply to Gabriela [:gaby2300] from comment #38)

Build identifier: Mozilla/5.0 (Windows NT 6.1; rv:7.0) Gecko/20100101
Firefox/7.0

Verified as fixed on Windows: none of the pages specified in comment 3 and
comment 14 crashed.

(In reply to chris hofmann from comment #14)

looks like this is also seen on other sites

domains/pages:

85 www.mafia2multiplayer.com
66 www.sendmepc.com
2 http://www.sendmepc.com/toshiba/191-toshiba-satellite-l650-15g.html
2 http://www.sendmepc.com/acer/204-acer-aspire-5741-i5-ati.html
2 http://www.sendmepc.com/208-dell-inspiron-n5010-new-shape-.html
2 http://www.sendmepc.com/14-2500-le-to-3000-le
1
http://www.sendmepc.com/toshiba/306-toshiba-satellite-c660-162-i3-253-ghz-
320-gb-ram-2-gb.html
1 http://www.sendmepc.com/toshiba/178-toshiba-satellite-c650-1cg.html
1
http://www.sendmepc.com/search.
php?orderby=position&orderway=desc&search_query=N5110&submit_search=Search
1
http://www.sendmepc.com/lang-fr/308-hp-pavilion-g6-1040ee-core-i3-4g-ram-ati-
5650-win7.html
1
http://www.sendmepc.com/hp-laptop/239-hp-pavilion-dv6-3170ee-core-i7-.html
1 http://www.sendmepc.com/hp-laptop/182-hp-pavilion-dv6-3053ee.html
1
http://www.sendmepc.com/fujitsu-siemens/251-fujitsu-lifebook-core-i5-500gb-
ati.html
1
http://www.sendmepc.com/dell/252-dell-inspiron-n5010-i7-6mb-cache-4-gb-ram-1-
year-warantee.html
1
http://www.sendmepc.com/dell/244-dell-inspiron-n5010-i7-6mb-cache-4-gb-ram-3-
years-warantee.html
1
http://www.sendmepc.com/asus/295-laptop-asus-x42jy-i5-266ghz-3g-ram-ddr3-
500g-hd-ati-hd-1gb-2-yrs-ltd-warranty.html
1
http://www.sendmepc.com/asus/294-asus-x42jy-i3-253ghz-3g-ram-ddr3-500g-2yr-
ltd-warranty.html
1
http://www.sendmepc.com/acer/301-acer-aspire-5742g-i5-nvidia-geforce.html
1 http://www.sendmepc.com/acer/301-acer-aspire-5740g-i5.html
1 http://www.sendmepc.com/acer/300-acer-aspire-5740g-i5.html
1
http://www.sendmepc.com/acer/151-acer-aspire-5741g-i5-226-ghz-up-to-253ghz-
ati-hd-5470-512mb-up-2234mb-hd-500gb-4gb-ddr3-win-7.html
1
http://www.sendmepc.com/316-inspiron-n5010-253-ghz-i5-320-gb-hd-3-gb-ram-ati-
512mb-.html
1
http://www.sendmepc.com/315-dell-inspiron-n5110-i7-win7-3years-6gb-ram.html
1
http://www.sendmepc.com/308-hp-pavilion-g6-1040ee-core-i3-4g-ram-ati-5650-
win7.html
1
http://www.sendmepc.com/285-dell-inspiron-n5010-i5-3-gb-253-ghz-320-gb-ati-
512-mb.html
1
http://www.sendmepc.com/237-dell-inspiron-n5010-i5-266-ghz-290-ghz-ram-4gb-
500-gb-hd-ati-1gb-windows-7.html
1
http://www.sendmepc.com/236-inspiron-n5010-266-ghz-i5-500-gb-hd-4-gb-ram-ati-
hd-5650-1gb-up-2775mb-.html

35 www.facebook.com
21 www.beanrunnercafe.com
2 http://www.beanrunnercafe.com/test/webyep-system/program/l-save.php

15 www.google.com.eg
14 gobowling.com.au
11 www.youtube.com
10 www.heritagehumanesociety.org
9 hurrichips.com
9 bugzilla.mozilla.org
9 https://bugzilla.mozilla.org/attachment.cgi?id=533813

8 mafia2multiplayer.com
7 www.samradford.com
1
http://www.samradford.com/post/5583012305/is-the-anc-fit-to-lead-south-
africa-anymore
1
http://www.samradford.com/post/5417121537/the-importance-of-unwritten-plans
1
http://www.samradford.com/post/5360994454/skype-only-makes-money-when-it-
changes-hands
1
http://www.samradford.com/post/5268435883/cameron-and-clegg-one-year-on-from-
the-times
1 http://www.samradford.com/

7 www.leutesdorf-rhein.de
1 http://www.leutesdorf-rhein.de/weingut-emmerich/download/weinliste.pdf
1 http://www.leutesdorf-rhein.de/service/web-quiz-mai-2011.html
1 http://www.leutesdorf-rhein.de/pension-will/index.html
1 http://www.leutesdorf-rhein.de/gastronomie.html
1 http://www.leutesdorf-rhein.de/

7 www.google.com

https://www.digitalstudyhindi.com