Closed Bug 65821 Opened 24 years ago Closed 24 years ago

http://www.sipaz.org/ site crashes mozilla

Categories

(Core :: Graphics: ImageLib, defect)

Product:
Core
Component:
Graphics: ImageLib
Platform:
x86
Windows 98
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED DUPLICATE of bug 61756

People

(Reporter: twheeler, Assigned: pnunn)

References

(
URL
)

Details

(Keywords: crash, testcase)

Attachments

(2 files)

Testcase with only an image in body
154 bytes, text/html
Details
Original page without <img> tag at the end of the file.
4.33 KB, text/html
Details
From Bugzilla Helper: User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; m18) Gecko/20010117 BuildID: 2001011704 when mozilla is refreshed or a link is clicked mozilla crashes. Reproducible: Always Steps to Reproduce: 1.load http://www.sipaz.org/ 2.reload 3.crash Actual Results: invalid page fault Expected Results: continue retreiving information MOZILLA caused an invalid page fault in module IMG3250.DLL at 016f:60af4a32. Registers: EAX=01566040 CS=016f EIP=60af4a32 EFLGS=00010246 EBX=00000011 SS=0177 ESP=0068f1e8 EBP=00000000 ECX=00000000 DS=0177 ESI=01527da0 FS=6367 EDX=00000002 ES=0177 EDI=01566040 GS=0000 Bytes at CS:EIP: 8b 49 0c ff b0 90 00 00 00 0f b6 49 0a 51 ff b0 Stack dump: 00000000 60af4a03 01527da0 01566040 011411d4 01493500 0068f250 01553874 60aa4066 014b02e0 01493500 60aa4026 01553870 60aa4348 00000001 601f4069
Crashes here too. Mozilla 2001011720 on Windows 2000 SP1. It freezes almost always the page loads (high CPU usage). It crashes always when I click on amy link or try to reload the page. Changed Component from Buil Config to Browser-General.
Component: Build Config → Browser-General
Summary: http://www.sipaz.org/ site crashes mozilla → http://www.sipaz.org/ site crashes mozilla
I see no problems at all with the above site using build 2001011308 (Win98). I also see no probs at said site when using build 2001011720 (Win98). Asking Tim (reporter) to attempt with this more recent build. If problems still occur, recommend deletion of profile details and creating a new one. Reccomend same to JLP ..
updated to build 2001011720. removed mozilla directory (and profile data) from application data directory. found no site. started to fill out this comment....decided to check one more time. site crashed mozilla :(
I freshly reinstalled Mozilla and the problem is still here.
on linux I got: 0x40036866 in il_delete_client () from /home/mike/package/libgkgfx.so after several reloads. looks like dupe of bug 61756
I created a testcase with only an image in body. That's the smallest HTML document that crashes my Mozilla.
Keywords: testcase
And another one with original page html from where I deleted <img> tag and it doesn't crash.
Confirming based on the above comments. I got a crash, too, on the first attached testcase (Talkback TB24838938Z, build 2001011720 on NT4), but somewhat different: I loaded the test case, pressed Ctrl-U (view source), closed the source window again, selected "view ... page info", played around a bit, closed the page info window, crash. Adding crash keyword and increasing severity.
Severity: normal → critical
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash
I confirm this, too (mid-air collision) build 1011308 / win2k I loaded testcase #1. If I hit the back button or open page source, mozilla crash. changing component browser general -=> Imagelib
Component: Browser-General → ImageLib
Talkback : TB24839850Q
Can anyone provide the begining of the stack trace please. This is a dup of bug 61756 but I need another strack trace than the one from kmike (thanks kmike) to confirm that it is. If the strack trace begins by il_delete_client or il_delete_container it's a dup. A fix has been reviewed in bug 61756 and will be checked in soon.
FWIW, the link http://www.serve.com/sipaz1/logger.cgi?src=index.htm returns a corrupt GIF. 0000 47 49 46 38 39 61 01 00 01 00 80 00 00 00 00 00 GIF89a.. ........ 0010 00 00 00 21 f9 04 01 00 00 00 00 2c 00 00 00 00 ...!.... ...,.... 0020 01 00 01 00 00 02 02 44 01 00 0a .......D ... Replacing the last byte with the correct trailer makes it work. 0000 47 49 46 38 39 61 01 00 01 00 80 00 00 00 00 00 GIF89a.. ........ 0010 00 00 00 21 f9 04 01 00 00 00 00 2c 00 00 00 00 ...!.... ...,.... 0020 01 00 01 00 00 02 02 44 01 00 3b .......D ..;
It looks like the trailing LF is an artifact I added, in which case this is the case of a GIF missing a trailer byte. I think there's some old bug on this.
Attaching stack trace from linux CVS build from 2001-01-16. The page loads the image from a different server, so you may have to change your image preferences to allow loading of all images to reproduce this crash. Looks like a dup based on the trace. #0 0x40378d21 in __kill () from /lib/libc.so.6 #1 0x402eb1f7 in raise (sig=6) at signals.c:65 #2 0x4037a0b8 in abort () at ../sysdeps/generic/abort.c:88 #3 0x402a5814 in PR_Assert (s=0x4006714e "ic->clients == NULL", file=0x40066fa1 "ilclient.cpp", ln=647) at prlog.c:477 #4 0x4004cedc in il_delete_container (ic=0x83f8500) at ilclient.cpp:647 #5 0x400498ae in IL_NetRequestDone (ic=0x83f8500, url=0x83f8718, status=0) at if.cpp:1179 #6 0x40044ecb in NetReaderImpl::NetRequestDone (this=0x84d2f08, urls=0x83f8718, status=0) at ilNetReader.cpp:139 #7 0x4003a3fe in ImageConsumer::OnStopRequest (this=0x83f8738, channel=0x83fafa0, aContext=0x0, status=0, aMsg=0x40187330) at nsImageNetContextAsync.cpp:550 #8 0x41058e83 in nsDocumentOpenInfo::OnStopRequest (this=0x84d2f20, aChannel=0x83fafa0, aCtxt=0x0, aStatus=0, errorMsg=0x40187330) at nsURILoader.cpp:274 #9 0x40e96636 in nsHTTPFinalListener::OnStopRequest (this=0x84d2f60, aChannel=0x83fafa0, aContext=0x0, aStatus=0, aStatusArg=0x40187330) at nsHTTPResponseListener.cpp:1167 #10 0x40e61caa in InterceptStreamListener::OnStopRequest (this=0x8600a80, channel=0x83fafa0, ctxt=0x0, aStatus=0, aStatusArg=0x40187330) at nsCachedNetData.cpp:1211 #11 0x40e581f1 in nsHTTPChunkConv::OnStopRequest (this=0x83f39f8, aChannel=0x83fafa0, aContext=0x0, aStatus=0, aStatusArg=0x40187330) at nsHTTPChunkConv.cpp:108 #12 0x40e8a104 in nsHTTPChannel::ResponseCompleted (this=0x83fafa0, aListener=0x83f39f8, aStatus=0, aStatusArg=0x40187330) at nsHTTPChannel.cpp:1923 #13 0x40e954f1 in nsHTTPServerListener::OnStopRequest (this=0x83e0fe0, channel=0x860d71c, i_pContext=0x83fafa0, i_Status=0, aStatusArg=0x40187330) at nsHTTPResponseListener.cpp:729 #14 0x40e276a9 in nsOnStopRequestEvent::HandleEvent (this=0x85fdd50) at nsAsyncStreamListener.cpp:300 #15 0x40e26c42 in nsStreamListenerEvent::HandlePLEvent (aEvent=0x85fdd5c) at nsAsyncStreamListener.cpp:92 #16 0x4012d83e in PL_HandleEvent (self=0x85fdd5c) at plevent.c:576 #17 0x4012d65c in PL_ProcessPendingEvents (self=0x80af9b8) at plevent.c:509 #18 0x4012f4f9 in nsEventQueueImpl::ProcessPendingEvents (this=0x80af990) at nsEventQueue.cpp:356 #19 0x40a50c44 in event_processor_callback (data=0x80af990, source=8, condition=GDK_INPUT_READ) at nsAppShell.cpp:158 #20 0x40a5087f in our_gdk_io_invoke (source=0x81e4648, condition=G_IO_IN, data=0x81fab38) at nsAppShell.cpp:58 #21 0x408c4aca in g_io_unix_dispatch () at ../../../dist/include/nsIPageSequenceFrame.h:112 #22 0x408c6186 in g_main_dispatch () at ../../../dist/include/nsIPageSequenceFrame.h:112 #23 0x408c6751 in g_main_iterate () at ../../../dist/include/nsIPageSequenceFrame.h:112 #24 0x408c68f1 in g_main_run () at ../../../dist/include/nsIPageSequenceFrame.h:112 #25 0x40822c69 in gtk_main () at ../../../dist/include/nsIPageSequenceFrame.h:112 #26 0x40a5133a in nsAppShell::Run (this=0x80af340) at nsAppShell.cpp:350 #27 0x40758b74 in nsAppShellService::Run (this=0x80ba448) at nsAppShellService.cpp:407 #28 0x8056615 in main1 (argc=1, argv=0xbffff8c4, nativeApp=0x0) at nsAppRunner.cpp:1030 #29 0x805718a in main (argc=1, argv=0xbffff8c4) at nsAppRunner.cpp:1298 #30 0x403729cb in __libc_start_main (main=0x8056f9c <main>, argc=1, argv=0xbffff8c4, init=0x8051224 <_init>, fini=0x8065538 <_fini>, rtld_fini=0x4000ae60 <_dl_fini>, stack_end=0xbffff8bc) at ../sysdeps/generic/libc-start.c:92
reassigning to default component owner.
Assignee: cls → pnunn
QA Contact: granrose → tpreston
Dup of bug 61756, thanks for the confirmation with the stack trace, boris. *** This bug has been marked as a duplicate of 61756 ***
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → DUPLICATE
Verified dupe of bug 61756: "crash stack: il_delete_container" Same stack trace.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: