Closed Bug 853536 Opened 9 years ago Closed 9 years ago

Intermittent security/ssl/mixedcontent/test_unsecurePictureDup.html | application crashed [@ msvcr100.dll + 0x1ed7 | mozilla::image::nsBMPDecoder::WriteInternal(char const *,unsigned int)]

Categories

(Core :: ImageLib, defect)

22 Branch
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla22
Tracking Status
firefox21 --- unaffected
firefox22 + fixed

People

(Reporter: emorley, Assigned: joe)

References

Details

(4 keywords)

Crash Data

Attachments

(1 file)

Guessing this might be due to bug 716140, seeing as it was last to tough the file :-)

Rev3 WINNT 6.1 mozilla-central opt test mochitest-5 on 2013-03-21 06:18:59 PDT for push a73a2b5c423b

slave: talos-r3-w7-008

https://tbpl.mozilla.org/php/getParsedLog.php?id=20927978&tree=Firefox#error0

{
06:22:34     INFO -  163810 INFO TEST-START | /tests/security/ssl/mixedcontent/test_unsecurePictureDup.html
06:22:37  WARNING -  TEST-UNEXPECTED-FAIL | /tests/security/ssl/mixedcontent/test_unsecurePictureDup.html | Exited with code -1073741819 during test run
06:22:37     INFO -  INFO | automation.py | Application ran for: 0:03:35.255000
06:22:37     INFO -  INFO | automation.py | Reading PID log: c:\users\cltbld\appdata\local\temp\tmpfar5wkpidlog
06:22:37     INFO -  Downloading symbols from: http://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-win32/1363866762/firefox-22.0a1.en-US.win32.crashreporter-symbols.zip
06:22:48     INFO -  PROCESS-CRASH | /tests/security/ssl/mixedcontent/test_unsecurePictureDup.html | application crashed [@ msvcr100.dll + 0x1ed7]
06:22:48     INFO -  Crash dump filename: c:\users\cltbld\appdata\local\temp\tmpey7na9\minidumps\824448d6-9cfd-49c7-a987-3f7f8cf41b44.dmp
06:22:48     INFO -  Operating system: Windows NT
06:22:48     INFO -                    6.1.7600
06:22:48     INFO -  CPU: x86
06:22:48     INFO -       GenuineIntel family 6 model 23 stepping 10
06:22:48     INFO -       2 CPUs
06:22:48     INFO -  Crash reason:  EXCEPTION_ACCESS_VIOLATION_WRITE
06:22:48     INFO -  Crash address: 0x0
06:22:48     INFO -  Thread 0 (crashed)
06:22:48     INFO -   0  msvcr100.dll + 0x1ed7
06:22:48     INFO -      eip = 0x6fcc1ed7   esp = 0x002decf8   ebp = 0x002ded00   ebx = 0x00000780
06:22:48     INFO -      esi = 0x18509008   edi = 0x00000000   eax = 0x18509788   ecx = 0x000001e0
06:22:48     INFO -      edx = 0x00000000   efl = 0x00210216
06:22:48     INFO -      Found by: given as instruction pointer in context
06:22:48     INFO -   1  xul.dll!mozilla::image::nsBMPDecoder::WriteInternal(char const *,unsigned int) [nsBMPDecoder.cpp:a73a2b5c423b : 408 + 0x11]
06:22:48     INFO -      eip = 0x6c16464b   esp = 0x002ded08   ebp = 0x002ded44
06:22:48     INFO -      Found by: previous frame's frame pointer
06:22:48     INFO -   2  xul.dll!mozilla::image::Decoder::Write(char const *,unsigned int) [Decoder.cpp:a73a2b5c423b : 110 + 0x8]
06:22:48     INFO -      eip = 0x6c14cc12   esp = 0x002ded4c   ebp = 0x002ded60
06:22:48     INFO -      Found by: call frame info
06:22:48     INFO -   3  xul.dll!mozilla::image::RasterImage::WriteToDecoder(char const *,unsigned int) [RasterImage.cpp:a73a2b5c423b : 2697 + 0x17]
06:22:48     INFO -      eip = 0x6c14ec04   esp = 0x002ded68   ebp = 0x002ded7c
06:22:48     INFO -      Found by: call frame info
06:22:48     INFO -   4  xul.dll!mozilla::image::RasterImage::DecodeSomeData(unsigned int) [RasterImage.cpp:a73a2b5c423b : 3262 + 0xd]
06:22:48     INFO -      eip = 0x6c14ed49   esp = 0x002ded84   ebp = 0x002ded98
06:22:48     INFO -      Found by: call frame info
06:22:48     INFO -   5  xul.dll!mozilla::image::RasterImage::DecodeWorker::DecodeSomeOfImage(mozilla::image::RasterImage *,mozilla::image::RasterImage::DecodeWorker::DecodeType,unsigned int) [RasterImage.cpp:a73a2b5c423b : 3766 + 0x7]
06:22:48     INFO -      eip = 0x6c14ee84   esp = 0x002deda0   ebp = 0x002dee08
06:22:48     INFO -      Found by: call frame info
06:22:48     INFO -   6  xul.dll!mozilla::image::RasterImage::DecodeWorker::DecodeUntilSizeAvailable(mozilla::image::RasterImage *) [RasterImage.cpp:a73a2b5c423b : 3689 + 0xd]
06:22:48     INFO -      eip = 0x6c14f7a2   esp = 0x002dee10   ebp = 0x002dee24
06:22:48     INFO -      Found by: call frame info
06:22:48     INFO -   7  xul.dll!mozilla::image::RasterImage::DoImageDataComplete() [RasterImage.cpp:a73a2b5c423b : 1797 + 0xc]
06:22:48     INFO -      eip = 0x6c150581   esp = 0x002dee2c   ebp = 0x002dee4c
06:22:48     INFO -      Found by: call frame info
06:22:48     INFO -   8  xul.dll!mozilla::image::RasterImage::OnImageDataComplete(nsIRequest *,nsISupports *,tag_nsresult,bool) [RasterImage.cpp:a73a2b5c423b : 1835 + 0x4]
06:22:48     INFO -      eip = 0x6c151cca   esp = 0x002dee54   ebp = 0x002dee5c
06:22:48     INFO -      Found by: call frame info
06:22:48     INFO -   9  xul.dll!imgRequest::OnStopRequest(nsIRequest *,nsISupports *,tag_nsresult) [imgRequest.cpp:a73a2b5c423b : 631 + 0x13]
}
It's #2 top crasher in 22.0a1/20130321090706. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=1d6fe70c79c5&tochange=a73a2b5c423b

More reports at:
https://crash-stats.mozilla.com/report/list?signature=memcpy+|+mozilla%3A%3Aimage%3A%3AnsBMPDecoder%3A%3AWriteInternal%28char+const*%2C+unsigned+int%29

(In reply to Ed Morley [:edmorley UTC+0] from comment #0)
> Guessing this might be due to bug 716140
It seems so.
Crash Signature: [@ msvcr100.dll@0x1ed7 | mozilla::image::nsBMPDecoder::WriteInternal(char const *,unsigned int)] → [@ msvcr100.dll@0x1ed7 | mozilla::image::nsBMPDecoder::WriteInternal(char const *,unsigned int)] [@ memcpy | mozilla::image::nsBMPDecoder::WriteInternal(char const*, unsigned int) ]
Keywords: regression, topcrash
Hardware: x86 → All
Version: Trunk → 22 Branch
Crash Signature: [@ msvcr100.dll@0x1ed7 | mozilla::image::nsBMPDecoder::WriteInternal(char const *,unsigned int)] [@ memcpy | mozilla::image::nsBMPDecoder::WriteInternal(char const*, unsigned int) ] → [@ msvcr100.dll@0x1ed7 | mozilla::image::nsBMPDecoder::WriteInternal(char const *,unsigned int)] [@ memcpy | mozilla::image::nsBMPDecoder::WriteInternal(char const*, unsigned int) ] [@ libsystem_c.dylib@0x1b07 ] [@ libsystem_c.dylib@0x281b7 ]
OS: Windows 7 → All
Crash Signature: [@ msvcr100.dll@0x1ed7 | mozilla::image::nsBMPDecoder::WriteInternal(char const *,unsigned int)] [@ memcpy | mozilla::image::nsBMPDecoder::WriteInternal(char const*, unsigned int) ] [@ libsystem_c.dylib@0x1b07 ] [@ libsystem_c.dylib@0x281b7 ] → [@ msvcr100.dll@0x1ed7 | mozilla::image::nsBMPDecoder::WriteInternal(char const *,unsigned int)] [@ memcpy | mozilla::image::nsBMPDecoder::WriteInternal(char const*, unsigned int) ] [@ libsystem_c.dylib@0x1b07 ] [@ libsystem_c.dylib@0x1ac7 ] [@ libsys…
Feels like a backout is in order, at least temporarily.
Assignee: nobody → joe
(Whoever gets to this review first wins)

Rather than playing whack-a-mole, let's just ignore all writes to size-only decoders after we've gotten the size. That solves an entire class of problems, in addition to solving this particular problem with the BMP decoder.
Attachment #728574 - Flags: review?(seth)
Attachment #728574 - Flags: review?(jmuizelaar)
Crash Signature: , unsigned int) ] [@ libsystem_c.dylib@0x1b07 ] [@ libsystem_c.dylib@0x1ac7 ] [@ libsystem_c.dylib@0x1a4d ] [@ libsystem_c.dylib@0x281b7 ] [@ libsystem_c.dylib@0x282d7 ] → , unsigned int) ] [@ _VEC_memcpy | mozilla::image::nsBMPDecoder::WriteInternal(char const*, unsigned int) ] [@ mozilla::image::nsBMPDecoder::WriteInternal(char const*, unsigned int) ] [@ libsystem_c.dylib@0x1b07 ] [@ libsystem_c.dylib@0x1ac7 ] [@ lib…
Comment on attachment 728574 [details] [diff] [review]
ignore writes after we get the size

Review of attachment 728574 [details] [diff] [review]:
-----------------------------------------------------------------

This seems like it makes things simpler to reason about.
Attachment #728574 - Flags: review?(jmuizelaar) → review+
https://hg.mozilla.org/mozilla-central/rev/43073653db4a
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Duplicate of this bug: 854364
Comment on attachment 728574 [details] [diff] [review]
ignore writes after we get the size

Just removing myself from the reviewers list, since Jeff already reviewed this.
Attachment #728574 - Flags: review?(seth)
You need to log in before you can comment on or make changes to this bug.