[xlib] Memory corruption in nsRegionXlib::GetRects()

RESOLVED WORKSFORME

Status

()

Core
XUL
P2
blocker
RESOLVED WORKSFORME
17 years ago
16 years ago

People

(Reporter: Roland Mainz, Assigned: Roland Mainz)

Tracking

Trunk
mozilla1.0
Sun
Solaris
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

(URL)

(Assignee)

Description

17 years ago
Mozilla 2001-07-16-08-trunk Xlib-toolkit build on Solaris 7 SPARC.
Build started with export LD_PRELOAD=watchmalloc.so.1 to catch memory corruption
issues _early_ (see watchmalloc(3x)):

Browsing the example URL and moving the pointer during loading results in a
SIGBUS error:
-- snip --
Disabling Quirk StyleSheet
Enabling Quirk StyleSheet
xmlencoding detect- iso-8859-1
###!!! ASSERTION: new cache entry for READ-ONLY request: '*accessGranted', file
../../../../../../src/2001-07-16-08-trunk/mozilla/netwerk/cache/src/nsCacheEntry.cpp,
line 233
###!!! ASSERTION: new cache entry for READ-ONLY request: '*accessGranted', file
../../../../../../src/2001-07-16-08-trunk/mozilla/netwerk/cache/src/nsCacheEntry.cpp,
line 233
/
Reading libimgjpeg.so
t@1 (l@1) signal BUS (invalid address alignment) in BURIGHT2 at 0xff381f2c
0xff381f2c: BURIGHT2+0x0054:    st      %i1, [%o0 + 0x8]
Current function is nsRegionXlib::GetRects
  227       void *buf = PR_Realloc(rects, sizeof(nsRegionRectSet) +
(sizeof(nsRegionRect
(/opt/SUNWspro/bin/../WS6U2/bin/sparcv9/dbx) where
current thread: t@1
  [1] BURIGHT2(0x743f78, 0xb2ef88, 0x4b22e0, 0xffbeec2c, 0x0, 0x9), at
0xff381f2c
  [2] t_splay(0x4b22e0, 0x10a88, 0xb2ef88, 0x743f78, 0xfd97acf0, 0x1835f8), at
0xff38232c
  [3] t_delete(0x4b22e0, 0xff392b6c, 0x0, 0xffffff60, 0x0, 0x0), at 0xff38214c
  [4] malloc_unlocked(0x30, 0x30, 0x76fda8, 0xff392b6c, 0x4b22e0, 0x0), at
0xff3810ac
  [5] realloc(0x0, 0x2c, 0xff392b6c, 0x4, 0xff392e6c, 0x0), at 0xff38127c
  [6] PR_Realloc(0x0, 0x2c, 0xfe29c000, 0x0, 0x6e72d88, 0x1b9cb620), at
0xfef97928
=>[7] nsRegionXlib::GetRects(this = 0x3b44e0, aRects = 0xffbeef14), line 227 in
"nsRegionXlib.cpp"
  [8] nsWindow::Update(this = ???) (optimized), at 0xfd93b670 (line ~577) in
"nsWindow.cpp"
  [9] nsWindow::UpdateIdle(data = ???) (optimized), at 0xfd93a940 (line ~150) in
"nsWindow.cpp"
  [10] nsAppShell::Run(this = ???) (optimized), at 0xfd9210e0 (line ~497) in
"nsAppShell.cpp"
  [11] nsAppShellService::Run(this = ???) (optimized), at 0xfdea76c4 (line ~423)
in "nsAppShellService.cpp"
  [12] main1(argc = ???, argv = ???, nativeApp = ???) (optimized), at 0x17b20
(line ~1184) in "nsAppRunner.cpp"
  [13] main(argc = ???, argv = ???) (optimized), at 0x18510 (line ~1490) in
"nsAppRunner.cpp"
-- snip --
(Assignee)

Comment 1

17 years ago
More fun... ;-(
Assignee: trudelle → Roland.Mainz
Blocks: 79119
(Assignee)

Comment 2

17 years ago
This kills http://www.cnn.com/ , http://www.netscape.com/ and many other pages.
Setting milestone/severty/priority...

... unfortunately I do not have any clue yet why it crashes there...
Severity: normal → blocker
Priority: -- → P2
Target Milestone: --- → mozilla0.9.3

Comment 3

17 years ago
There is a clone of GTK nsRegion code waiting for review at bug #89918.
This will probably fix whatever problems happen here.
Check it out.

pocemit
Depends on: 89918
(Assignee)

Comment 4

17 years ago
pocemit:
Nope, patch in bug 89918 does not help... ;-(

Or this is a general memory corruption issue... maybe none tested the Zilla with
the watchmalloc.so.1 stuff... ;-((

Comment 5

17 years ago
looks like in GetRects() we access internal xlib structures (= Regions) to get
the  total number of rectangles in a given region... this is achieved by copying
xregion.h from somewhere in X11 sources and using it to directly access private
members of region structure.  I am sure this improves speed but might not be too
portable. perhaps this is the reason.

The thing is, X provides no way to get the current list of rectangles from the
Region structure, so we are screwed to doing something like this anyway.
(Assignee)

Comment 6

17 years ago
richb: Wanna forward this to the X11_gurus@sun, please ? GTK+ toolkit is doing
the same stuff...

----

pocemit: Maybe there is no other way... but there should be a comment in the bug
that this piece of code is an _evil_ hack... ;-((
(Assignee)

Comment 7

17 years ago
Retargeting to milestone 0.9.4... ;-(
Target Milestone: mozilla0.9.3 → mozilla0.9.4
(Assignee)

Comment 8

17 years ago
Another weired region crasher:
-- snip --
t@1 (l@1) signal BUS (invalid address alignment) in t_splay at 0xfedc6374
0xfedc6374: t_splay+0x0014:     ld      [%o7 + 0x10], %o1
Current function is nsRegionXlib::Subtract (optimized)
  214         ::XSubtractRegion(mRegion, pRegion->mRegion, nRegion);
(/opt/SUNWspro/bin/../WS6U2/bin/sparcv9/dbx) where
current thread: t@1
  [1] t_splay(0xb9a548, 0x6f944, 0xfee3c450, 0xfee35ad4, 0xbe7180, 0x9), at
0xfedc6374
  [2] t_delete(0xb9a548, 0xfee35ad4, 0xfee3c3c4, 0xfee3c444, 0xfee3c440, 0x2),
at 0xfedc61dc
  [3] _malloc_unlocked(0x0, 0x90, 0xb9a548, 0xb9a548, 0x0, 0xfee35ad4), at
0xfedc58cc
  [4] malloc(0x90, 0x90, 0x0, 0x0, 0x0, 0xfee35ad4), at 0xfedc572c
  [5] miRegionOp(0xc99b08, 0xfda4b89c, 0xbd8a20, 0xfda4b89c, 0xfda4b7c0, 0x0),
at 0xfda4ad8c
  [6] XSubtractRegion(0xb7b508, 0xbd8a20, 0xc99b08, 0x1ef2, 0x44, 0xc99b08), at
0xfda1d4b0
=>[7] nsRegionXlib::Subtract(this = ???, aRegion = CLASS) (optimized), at
0xfcfbed5c (line ~214) in "nsRegionXlib.cpp"
  [8] nsViewManager::OptimizeDisplayList(this = ???, aDamageRect = STRUCT,
aFinalTransparentRect = STRUCT) (optimized), at 0xfc9ef1f4 (line ~3478) in
"nsViewManager.cpp"
  [9] nsViewManager::RenderViews(this = ???, aRootView = ???, aRC = CLASS, aRect
= STRUCT, aResult = ???) (optimized), at 0xfc9ea748 (line ~1296) in
"nsViewManager.cpp"
  [10] nsViewManager::Refresh(this = ???, aView = ???, aContext = ???, rect =
???, aUpdateFlags = ???) (optimized), at 0xfc9e9730 (line ~901) in
"nsViewManager.cpp"
  [11] nsViewManager::DispatchEvent(this = ???, aEvent = ???, aStatus = ???)
(optimized), at 0xfc9ebdbc (line ~1958) in "nsViewManager.cpp"
  [12] HandleEvent(aEvent = ???) (optimized), at 0xfc9ddfc4 (line ~67) in
"nsView.cpp"
  [13] nsWidget::DispatchEvent(this = 0x8bfbc0, aEvent = 0xffbeede0, aStatus =
nsEventStatus_eIgnore), line 1227 in "nsWidget.cpp"
  [14] nsWidget::DispatchWindowEvent(this = 0x8bfbc0, aEvent = STRUCT), line
1134 in "nsWidget.cpp"
  [15] nsWidget::OnPaint(this = 0x8bfbc0, event = STRUCT), line 885 in
"nsWidget.cpp"
  [16] nsWindow::Update(this = 0x8bfbc0), line 609 in "nsWindow.cpp"
  [17] nsWindow::UpdateIdle(data = (nil)), line 150 in "nsWindow.cpp"
  [18] CallProcessTimeoutsXtProc(dummy1 = 0xffbef0c8, dummy2 = 0xffbeef88), line
402 in "nsAppShell.cpp"
  [19] DoOtherSources(0x11df58, 0xfdb72000, 0x1, 0xf4240, 0x0, 0x1), at
0xfdb3ad9c
  [20] XtAppNextEvent(0x11df58, 0x0, 0x1, 0x0, 0xffbef068, 0x1), at 0xfdb3aa14
  [21] nsAppShell::Run(this = 0x18fd60), line 454 in "nsAppShell.cpp"
  [22] nsAppShellService::Run(this = ???) (optimized), at 0xfe127994 (line ~424)
in "nsAppShellService.cpp"
  [23] main1(argc = ???, argv = ???, nativeApp = ???) (optimized), at 0x188ac
(line ~1306) in "nsAppRunner.cpp"
  [24] main(argc = ???, argv = ???) (optimized), at 0x19298 (line ~1622) in
"nsAppRunner.cpp"
-- snip --

Any ideas ?
(Assignee)

Comment 9

17 years ago
Retargeting to 1.0 to get this off my 0.9.4/0.9.5 radar for now... ;-(
Target Milestone: mozilla0.9.4 → mozilla1.0

Comment 10

17 years ago
May God have mercy on us all. The 212 bug spam-o-rama is Now!
QA Contact: aegis → jrgm
(Assignee)

Comment 11

16 years ago
I cannot reproduce this issue anymore, nor does Rational Purify show up any
issues while purifying the Xprint module (which makes use of this part of XLlib
toolkit).

Marking WorksForMe ...
Status: NEW → RESOLVED
Last Resolved: 16 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.