Last Comment Bug 619048 - Crash when trying to optimize zero-sized image
: Crash when trying to optimize zero-sized image
Status: RESOLVED FIXED
[sg:dos null-deref][inbound]
: crash, regression, reproducible, testcase
Product: Core
Classification: Components
Component: Graphics (show other bugs)
: Trunk
: All All
: -- critical with 3 votes (vote)
: mozilla7
Assigned To: Joe Drew (not getting mail)
:
Mentors:
: 658295 667624 679645 (view as bug list)
Depends on:
Blocks: 514033
  Show dependency treegraph
 
Reported: 2010-12-14 05:35 PST by Wayne Mery (:wsmwk, NI for questions)
Modified: 2011-08-29 12:41 PDT (History)
18 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
-
-
-


Attachments
Crash image (161.00 KB, image/x-icon)
2011-05-19 15:17 PDT, Alice0775 White
no flags Details
handle zero-sized images in imgFrame::Optimize (958 bytes, patch)
2011-06-28 14:00 PDT, Joe Drew (not getting mail)
jmuizelaar: review-
Details | Diff | Review
zero sized image crashtest (12.61 KB, patch)
2011-06-28 14:01 PDT, Joe Drew (not getting mail)
jmuizelaar: review-
Details | Diff | Review
Correctly reject both 0-width and 0-height images (1.32 KB, patch)
2011-06-28 15:46 PDT, Joe Drew (not getting mail)
jmuizelaar: review-
Details | Diff | Review
max-sized image crashtest (12.68 KB, patch)
2011-06-28 15:48 PDT, Joe Drew (not getting mail)
jmuizelaar: review-
Details | Diff | Review
correctly reject invalid sizes (1.32 KB, patch)
2011-06-28 15:51 PDT, Joe Drew (not getting mail)
no flags Details | Diff | Review
correctly reject invalid sizes (1.32 KB, patch)
2011-06-28 15:53 PDT, Joe Drew (not getting mail)
jmuizelaar: review+
Details | Diff | Review
256 height (154 bytes, image/x-icon)
2011-06-28 15:55 PDT, Jeff Muizelaar [:jrmuizel]
no flags Details
256 width (154 bytes, image/x-icon)
2011-06-28 15:56 PDT, Jeff Muizelaar [:jrmuizel]
no flags Details
maximum-width and maximum-height icon crashtests (1.57 KB, patch)
2011-06-28 15:59 PDT, Joe Drew (not getting mail)
jmuizelaar: review+
Details | Diff | Review

Description Wayne Mery (:wsmwk, NI for questions) 2010-12-14 05:35:01 PST
crash [@ imgFrame::Optimize()]

bp-3a4443c1-0914-4bcf-9855-e90742101204

EXCEPTION_ACCESS_VIOLATION_READ
0x0
0	xul.dll	imgFrame::Optimize	modules/libpr0n/src/imgFrame.cpp:259
1	xul.dll	mozilla::imagelib::RasterImage::DecodingComplete	modules/libpr0n/src/RasterImage.cpp:1046
2	xul.dll	mozilla::imagelib::Decoder::Finish	modules/libpr0n/src/Decoder.cpp:132
3	xul.dll	mozilla::imagelib::RasterImage::ShutdownDecoder	modules/libpr0n/src/RasterImage.cpp:2138
4	xul.dll	mozilla::imagelib::imgDecodeWorker::Run	modules/libpr0n/src/RasterImage.cpp:2609
5	xul.dll	mozilla::imagelib::RasterImage::SourceDataComplete	modules/libpr0n/src/RasterImage.cpp:1269
6	xul.dll	imgRequest::OnStopRequest	modules/libpr0n/src/imgRequest.cpp:926
7	mozcrt19.dll	arena_dalloc	obj-firefox/memory/jemalloc/crtsrc/jemalloc.c:4284
8	xul.dll	nsStreamListenerTee::OnStopRequest	netwerk/base/src/nsStreamListenerTee.cpp:71
9	xul.dll	nsHttpChannel::OnStopRequest	netwerk/protocol/http/nsHttpChannel.cpp:4030
10	xul.dll	nsInputStreamPump::OnStateStop	netwerk/base/src/nsInputStreamPump.cpp:578
Comment 1 Scoobidiver (away) 2011-02-24 05:34:34 PST
It is #271 top crasher in 4.0b11.

More reports at:
https://crash-stats.mozilla.com/report/list?range_value=4&range_unit=weeks&signature=imgFrame%3A%3AOptimize%28%29
Comment 2 Marcia Knous [:marcia - use ni] 2011-05-09 09:55:14 PDT
A comment from one user that crashed: "This problem seems to confirm some Display Driver bug with Radeon Catalyst 2011.0308.2325.42017 - Repeated many times..."
Comment 3 Alice0775 White 2011-05-19 09:30:46 PDT
Reproducible url http://www.beanrunnercafe.com/


Regression window(m-c hourly)::
Works;
http://hg.mozilla.org/mozilla-central/rev/484bd866905e
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b6pre) Gecko/20100911 Firefox/4.0b6pre ID:20100912040749
Crash:
http://hg.mozilla.org/mozilla-central/rev/389e836517bc
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b6pre) Gecko/20100911 Firefox/4.0b6pre ID:20100912085645
Pushlog:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=484bd866905e&tochange=389e836517bc
Comment 4 Alice0775 White 2011-05-19 09:32:40 PDT
bp-f9961fa8-8c3e-4660-9426-7a07b2110519
Comment 5 RobertJ 2011-05-19 09:37:10 PDT
*** Bug 658295 has been marked as a duplicate of this bug. ***
Comment 6 Asa Dotzler [:asa] 2011-05-19 12:10:44 PDT
Has this spiked in the crash data or something? Why has it been nominated as a concern for Firefox 5?
Comment 7 jeffreystern 2011-05-19 12:26:50 PDT
The reproducible url listed here: http://www.beanrunnercafe.com/  is a site that I created and just put online on 5.16.11. It was created in Freeway Pro 5.5 (developer Softpress). Uses an inline box model, with some CMS (WebYep) and some javascript feeds.
Comment 8 Alice0775 White 2011-05-19 15:11:40 PDT
Open http://www.beanrunnercafe.com/Resources/favicon.ico
Crash ...
Comment 9 jeffreystern 2011-05-19 15:14:49 PDT
ARe you suggesting I should remove the favicon.ico?
Comment 10 Alice0775 White 2011-05-19 15:17:03 PDT
Created attachment 533813 [details]
Crash image
Comment 11 jeffreystern 2011-05-19 15:20:28 PDT
I removed the favicon from each page and it appears to no longer crash. Anyone know why this would cause a crash?
Comment 12 Marcia Knous [:marcia - use ni] 2011-05-23 15:01:33 PDT
https://crash-stats.mozilla.com/query/query?query_type=simple&do_query=1&query=imgFrame%3A%3AOptimize() - 236 crashes in the last week, all Windows.
Comment 13 Sheila Mooney 2011-05-23 15:06:42 PDT
We are not going to track this but if there is a fix ready it should be nominated for beta approval with a risk analysis.
Comment 14 chris hofmann 2011-05-23 15:17:57 PDT
looks like this is also seen on other sites

domains/pages:

  85 www.mafia2multiplayer.com
  66 www.sendmepc.com
   2 http://www.sendmepc.com/toshiba/191-toshiba-satellite-l650-15g.html
   2 http://www.sendmepc.com/acer/204-acer-aspire-5741-i5-ati.html
   2 http://www.sendmepc.com/208-dell-inspiron-n5010-new-shape-.html
   2 http://www.sendmepc.com/14-2500-le-to-3000-le
   1 http://www.sendmepc.com/toshiba/306-toshiba-satellite-c660-162-i3-253-ghz-320-gb-ram-2-gb.html
   1 http://www.sendmepc.com/toshiba/178-toshiba-satellite-c650-1cg.html
   1 http://www.sendmepc.com/search.php?orderby=position&orderway=desc&search_query=N5110&submit_search=Search
   1 http://www.sendmepc.com/lang-fr/308-hp-pavilion-g6-1040ee-core-i3-4g-ram-ati-5650-win7.html
   1 http://www.sendmepc.com/hp-laptop/239-hp-pavilion-dv6-3170ee-core-i7-.html
   1 http://www.sendmepc.com/hp-laptop/182-hp-pavilion-dv6-3053ee.html
   1 http://www.sendmepc.com/fujitsu-siemens/251-fujitsu-lifebook-core-i5-500gb-ati.html
   1 http://www.sendmepc.com/dell/252-dell-inspiron-n5010-i7-6mb-cache-4-gb-ram-1-year-warantee.html
   1 http://www.sendmepc.com/dell/244-dell-inspiron-n5010-i7-6mb-cache-4-gb-ram-3-years-warantee.html
   1 http://www.sendmepc.com/asus/295-laptop-asus-x42jy-i5-266ghz-3g-ram-ddr3-500g-hd-ati-hd-1gb-2-yrs-ltd-warranty.html
   1 http://www.sendmepc.com/asus/294-asus-x42jy-i3-253ghz-3g-ram-ddr3-500g-2yr-ltd-warranty.html
   1 http://www.sendmepc.com/acer/301-acer-aspire-5742g-i5-nvidia-geforce.html
   1 http://www.sendmepc.com/acer/301-acer-aspire-5740g-i5.html
   1 http://www.sendmepc.com/acer/300-acer-aspire-5740g-i5.html
   1 http://www.sendmepc.com/acer/151-acer-aspire-5741g-i5-226-ghz-up-to-253ghz-ati-hd-5470-512mb-up-2234mb-hd-500gb-4gb-ddr3-win-7.html
   1 http://www.sendmepc.com/316-inspiron-n5010-253-ghz-i5-320-gb-hd-3-gb-ram-ati-512mb-.html
   1 http://www.sendmepc.com/315-dell-inspiron-n5110-i7-win7-3years-6gb-ram.html
   1 http://www.sendmepc.com/308-hp-pavilion-g6-1040ee-core-i3-4g-ram-ati-5650-win7.html
   1 http://www.sendmepc.com/285-dell-inspiron-n5010-i5-3-gb-253-ghz-320-gb-ati-512-mb.html
   1 http://www.sendmepc.com/237-dell-inspiron-n5010-i5-266-ghz-290-ghz-ram-4gb-500-gb-hd-ati-1gb-windows-7.html
   1 http://www.sendmepc.com/236-inspiron-n5010-266-ghz-i5-500-gb-hd-4-gb-ram-ati-hd-5650-1gb-up-2775mb-.html


  35 www.facebook.com
  21 www.beanrunnercafe.com
  2 http://www.beanrunnercafe.com/test/webyep-system/program/l-save.php

  15 www.google.com.eg
  14 gobowling.com.au
  11 www.youtube.com
  10 www.heritagehumanesociety.org
   9 hurrichips.com
   9 bugzilla.mozilla.org
      9 https://bugzilla.mozilla.org/attachment.cgi?id=533813

   8 mafia2multiplayer.com
   7 www.samradford.com
   1 http://www.samradford.com/post/5583012305/is-the-anc-fit-to-lead-south-africa-anymore
   1 http://www.samradford.com/post/5417121537/the-importance-of-unwritten-plans
   1 http://www.samradford.com/post/5360994454/skype-only-makes-money-when-it-changes-hands
   1 http://www.samradford.com/post/5268435883/cameron-and-clegg-one-year-on-from-the-times
   1 http://www.samradford.com/


   7 www.leutesdorf-rhein.de
   1 http://www.leutesdorf-rhein.de/weingut-emmerich/download/weinliste.pdf
   1 http://www.leutesdorf-rhein.de/service/web-quiz-mai-2011.html
   1 http://www.leutesdorf-rhein.de/pension-will/index.html
   1 http://www.leutesdorf-rhein.de/gastronomie.html
   1 http://www.leutesdorf-rhein.de/

   7 www.google.com
Comment 15 Asa Dotzler [:asa] 2011-05-24 14:29:59 PDT
per comment 13, we're not going to be tracking this specific issue.
Comment 16 Joe Drew (not getting mail) 2011-06-28 13:59:03 PDT
*** Bug 667624 has been marked as a duplicate of this bug. ***
Comment 17 Joe Drew (not getting mail) 2011-06-28 14:00:55 PDT
Created attachment 542585 [details] [diff] [review]
handle zero-sized images in imgFrame::Optimize

Zero-sized images are special-cased in gfxImageSurface by leaving mData set to null. We should not even try to optimize zero-sized images.
Comment 18 Joe Drew (not getting mail) 2011-06-28 14:01:43 PDT
Created attachment 542587 [details] [diff] [review]
zero sized image crashtest
Comment 19 Jeff Muizelaar [:jrmuizel] 2011-06-28 14:15:20 PDT
Comment on attachment 542585 [details] [diff] [review]
handle zero-sized images in imgFrame::Optimize

Go straight to hell.
Comment 20 Jeff Muizelaar [:jrmuizel] 2011-06-28 14:16:31 PDT
(In reply to comment #19)
> Comment on attachment 542585 [details] [diff] [review] [review]
> handle zero-sized images in imgFrame::Optimize
> 
> Go straight to hell.

The reasons for which have been communicated out of band.
Comment 21 Joe Drew (not getting mail) 2011-06-28 15:45:15 PDT
The reason this came up is because our ICO decoder (potentially) incorrectly says images with a width or height of 0 actually have that width or height, but various other places disagree and say that its width/height are actually 256. I filed bug 668068 on that issue.

We already handled a 0-height image, but we didn't handle 0-width.
Comment 22 Jeff Muizelaar [:jrmuizel] 2011-06-28 15:46:44 PDT
Comment on attachment 542587 [details] [diff] [review]
zero sized image crashtest

This is a poor name for the crash test.
Comment 23 Joe Drew (not getting mail) 2011-06-28 15:46:50 PDT
Created attachment 542632 [details] [diff] [review]
Correctly reject both 0-width and 0-height images

Jeff didn't like us allowing 0-height and 0-width images. It turned out that we already rejected 0-height, so I just extended that to reject 0-width too.
Comment 24 Joe Drew (not getting mail) 2011-06-28 15:48:08 PDT
Created attachment 542634 [details] [diff] [review]
max-sized image crashtest

Due to the above revelations, I'm retitling this crashtest to be max-width, not zero-width.
Comment 25 Jeff Muizelaar [:jrmuizel] 2011-06-28 15:48:15 PDT
Comment on attachment 542632 [details] [diff] [review]
Correctly reject both 0-width and 0-height images

<= is better than ==
Comment 26 Joe Drew (not getting mail) 2011-06-28 15:51:48 PDT
Created attachment 542635 [details] [diff] [review]
correctly reject invalid sizes
Comment 27 Joe Drew (not getting mail) 2011-06-28 15:53:50 PDT
Created attachment 542638 [details] [diff] [review]
correctly reject invalid sizes

forgot to qref
Comment 28 Jeff Muizelaar [:jrmuizel] 2011-06-28 15:55:51 PDT
Created attachment 542639 [details]
256 height
Comment 29 Jeff Muizelaar [:jrmuizel] 2011-06-28 15:56:20 PDT
Created attachment 542640 [details]
256 width
Comment 30 Joe Drew (not getting mail) 2011-06-28 15:59:16 PDT
Created attachment 542643 [details] [diff] [review]
maximum-width and maximum-height icon crashtests
Comment 31 Joe Drew (not getting mail) 2011-06-30 19:02:24 PDT
http://hg.mozilla.org/integration/mozilla-inbound/rev/ff318d0e5d72
http://hg.mozilla.org/integration/mozilla-inbound/rev/098f5469308d

Accidentally labeled the second push under the wrong bug, though.
Comment 32 Marco Bonardo [::mak] 2011-07-01 03:50:44 PDT
this push, along with bug 552605, greatly increased random oranges in the followint reftest: layout/reftests/svg/as-image/img-and-image-1.html
Comment 33 Marco Bonardo [::mak] 2011-07-01 09:11:57 PDT
backed out from inbound since the reftests failures were not something I'd love to merge to central.
fixing the above one or marking as random may be enough, but I don't know what this code does and what the test is supposed to do.
Comment 34 Joe Drew (not getting mail) 2011-07-01 10:14:48 PDT
I marked that reftest as random until dholbert gets a chance to fix the bug.

http://hg.mozilla.org/integration/mozilla-inbound/rev/17f5ec50a7f1
http://hg.mozilla.org/integration/mozilla-inbound/rev/3bc48f2e9899
Comment 36 Benjamin Smedberg [:bsmedberg] 2011-08-17 08:20:03 PDT
*** Bug 679645 has been marked as a duplicate of this bug. ***
Comment 37 Mihaela Velimiroviciu (:mihaelav) 2011-08-24 02:31:11 PDT
Build identifier: Mozilla/5.0 (X11; Linux x86_64; rv:7.0) Gecko/20100101 Firefox/7.0

Verified as fixed on Ubuntu: none of the pages specified in comment 3 and comment 14 crashed.
Comment 38 Gabriela [:gaby2300] 2011-08-29 12:41:28 PDT
Build identifier: Mozilla/5.0 (Windows NT 6.1; rv:7.0) Gecko/20100101 Firefox/7.0

Verified as fixed on Windows: none of the pages specified in comment 3 and comment 14 crashed.

Note You need to log in before you can comment on or make changes to this bug.