Closed
Bug 974825
Opened 10 years ago
Closed 10 years ago
Firefox hangs on a specific PNG image
Categories
(Core :: Graphics: ImageLib, defect)
Tracking
()
RESOLVED
FIXED
mozilla30
People
(Reporter: gerken, Assigned: glennrp+bmo)
References
()
Details
(Keywords: crashreportid, hang, regression, Whiteboard: [qa-])
Crash Data
Attachments
(2 files, 2 obsolete files)
570 bytes,
image/png
|
Details | |
2.39 KB,
patch
|
jrmuizel
:
review+
Sylvestre
:
approval-mozilla-aurora+
lsblakk
:
approval-mozilla-beta+
lsblakk
:
approval-mozilla-release-
|
Details | Diff | Splinter Review |
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/32.0.1700.102 Chrome/32.0.1700.102 Safari/537.36 Steps to reproduce: Open a website. Log in to the extranet. --- To Debug the issue, I tried to load the page in safe mode and with a nightly browser. The problem exists in 27 and in nightly. It does not appear in 26. It happens on 27 on other peopls computer too. I created a crash report which is here: https://crash-stats.mozilla.com/report/index/f757b297-7961-4866-9f20-e6a982140220 I installed the debugging symbols and tried to run a backtrace in gdb. This is the output of the backtrace: Program received signal SIGABRT, Aborted. __lll_lock_wait () at ../nptl/sysdeps/unix/sysv/linux/x86_64/lowlevellock.S:135 135 ../nptl/sysdeps/unix/sysv/linux/x86_64/lowlevellock.S: No such file or directory. (gdb) (gdb) backtrace #0 __lll_lock_wait () at ../nptl/sysdeps/unix/sysv/linux/x86_64/lowlevellock.S:135 #1 0x00007ffff7bc7192 in _L_lock_1142 () from /lib/x86_64-linux-gnu/libpthread.so.0 #2 0x00007ffff7bc7110 in __GI___pthread_mutex_lock (mutex=0x7fffb3e527e8) at pthread_mutex_lock.c:104 #3 0x00007ffff69e3b19 in PR_Lock (lock=lock@entry=0x7fffb3e527e8) at /build/buildd/firefox-27.0+build1/./nsprpub/pr/src/pthreads/ptsynch.c:174 #4 0x00007ffff69e40cd in PR_EnterMonitor (mon=0x7fffb3e527e0) at /build/buildd/firefox-27.0+build1/./nsprpub/pr/src/pthreads/ptsynch.c:529 #5 0x00007ffff3182d53 in ReentrantMonitorAutoEnter (aReentrantMonitor=..., this=0x7fffffffc7c8) at ../../dist/include/mozilla/ReentrantMonitor.h:182 #6 mozilla::image::RasterImage::DecodeDoneWorker::Run (this=0x7fffb4ca65c0) at /build/buildd/firefox-27.0+build1/image/src/RasterImage.cpp:3456 #7 0x00007ffff3dc94a1 in nsThread::ProcessNextEvent (this=0x7ffff6c26ca0, mayWait=<optimized out>, result=0x7fffffffc87f) at /build/buildd/firefox-27.0+build1/xpcom/threads/nsThread.cpp:617 #8 0x00007ffff3d9cc29 in NS_ProcessNextEvent (thread=<optimized out>, mayWait=mayWait@entry=false) at /build/buildd/firefox-27.0+build1/xpcom/glue/nsThreadUtils.cpp:251 #9 0x00007ffff39dde4c in mozilla::ipc::MessagePump::Run (this=0x7fffe967bf40, aDelegate=0x7fffe9667240) at /build/buildd/firefox-27.0+build1/ipc/glue/MessagePump.cpp:85 #10 0x00007ffff3e03891 in RunHandler (this=0x7fffe9667240) at /build/buildd/firefox-27.0+build1/ipc/chromium/src/base/message_loop.cc:213 #11 MessageLoop::Run (this=0x7fffe9667240) at /build/buildd/firefox-27.0+build1/ipc/chromium/src/base/message_loop.cc:187 #12 0x00007ffff3962041 in nsBaseAppShell::Run (this=0x7fffe0b14be0) at /build/buildd/firefox-27.0+build1/widget/xpwidgets/nsBaseAppShell.cpp:161 #13 0x00007ffff38231a5 in nsAppStartup::Run (this=0x7fffe0b16d30) at /build/buildd/firefox-27.0+build1/toolkit/components/startup/nsAppStartup.cpp:268 #14 0x00007ffff2f72fb5 in XREMain::XRE_mainRun (this=this@entry=0x7fffffffcaf0) at /build/buildd/firefox-27.0+build1/toolkit/xre/nsAppRunner.cpp:3976 #15 0x00007ffff2f73235 in XREMain::XRE_main (this=this@entry=0x7fffffffcaf0, argc=argc@entry=1, argv=argv@entry=0x7fffffffdfe8, aAppData=aAppData@entry=0x7fffffffccf0) at /build/buildd/firefox-27.0+build1/toolkit/xre/nsAppRunner.cpp:4044 #16 0x00007ffff2f73491 in XRE_main (argc=1, argv=0x7fffffffdfe8, aAppData=0x7fffffffccf0, aFlags=<optimized out>) at /build/buildd/firefox-27.0+build1/toolkit/xre/nsAppRunner.cpp:4246 #17 0x00005555555582f3 in do_main (argc=argc@entry=1, argv=argv@entry=0x7fffffffdfe8, xreDirectory=0x7ffff6c2f780) at /build/buildd/firefox-27.0+build1/browser/app/nsBrowserApp.cpp:280 #18 0x0000555555557ccc in main (argc=1, argv=0x7fffffffdfe8) at /build/buildd/firefox-27.0+build1/browser/app/nsBrowserApp.cpp:640 (gdb) run I downloaded the page and gradually removed javascript and css includes. The result was that indpendent on which includes I removed, the page loaded, but not reliable. Removing something like 5 resources the page loaded half of the time. More or less independent on which resources I removed. My js and css resources are concatenated but there are still 20-30 resources. I'd love to provide more debug information but I am not sure, what else I could provide. Actual results: Firefox reports in the bottom left that it is loading resources. After a while, it just darkens and does not react to user input any more. Expected results: The page should have loaded.
Reporter | ||
Comment 1•10 years ago
|
||
I removed the linux flag, as it happens on windows too.
OS: Linux → All
Reporter | ||
Updated•10 years ago
|
Crash Signature: https://crash-stats.mozilla.com/report/index/f757b297-7961-4866-9f20-e6a982140220
Reporter | ||
Comment 2•10 years ago
|
||
We were finally able to track it down to actually a single image that seems to break the page loading. I added the image to the URL field. Its a white png image. It seems to be good when opening it with gimp. It breaks firefox 27 on windows and linux, it does not break firefox 26 and earlier.
Summary: Firefox hangs on a specific page and claims to be waiting for a resource → Firefox hangs on a specific image
Updated•10 years ago
|
Keywords: crashreportid
Summary: Firefox hangs on a specific image → Firefox hangs on a specific PNG image
Comment 3•10 years ago
|
||
i can confirm that the png file hangs the browser, didbt crash though.
Comment 4•10 years ago
|
||
Stack on hang: bp-90afe792-0f2c-4e2f-a77a-b66c62140220 Regression window Not Crash: http://hg.mozilla.org/integration/mozilla-inbound/rev/3e359c0a0d7a Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0 ID:20130926092245 Crash: http://hg.mozilla.org/integration/mozilla-inbound/rev/8b84e9b8e24d Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0 ID:20130926115747 Pushlog: http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=3e359c0a0d7a&tochange=8b84e9b8e24d Regressed by: 8b84e9b8e24d Glenn Randers-Pehrson — Bug 841734 - Update libpng to version 1.6.6. r=jmuizelaar
Blocks: 841734
Severity: normal → critical
status-firefox27:
--- → affected
status-firefox28:
--- → affected
status-firefox29:
--- → affected
status-firefox30:
--- → affected
status-firefox-esr24:
--- → unaffected
Keywords: crash,
regression
Updated•10 years ago
|
Updated•10 years ago
|
Status: UNCONFIRMED → NEW
Ever confirmed: true
Assignee | ||
Comment 5•10 years ago
|
||
glenn.rp> pngcheck -v news*png File: newsportlet_background.png (272 bytes) chunk IHDR at offset 0x0000c, length 13 1 x 93 image, 8-bit palette, non-interlaced chunk tEXt at offset 0x00025, length 25, keyword: Software chunk PLTE at offset 0x0004a, length 81: 27 palette entries chunk tRNS at offset 0x000a7, length 1: 1 transparency entry chunk IDAT at offset 0x000b4, length 0 CRC error in chunk IDAT (computed 35af061e, expected 78da6c87) ERRORS DETECTED in newsportlet_background.png
Assignee: nobody → glennrp+bmo
Assignee | ||
Comment 6•10 years ago
|
||
It seems that libpng16 is not detecting end-of-file, and not bailing out on the bad CRC in the IDAT chunk.
Comment 7•10 years ago
|
||
I'm seeing Firefox 27.0.1 lock up when it tries to open a certain png (encountered as a favicon on the site http://www.burghvivant.com originally). Windows 8.1, Firefox's hardware accelerator disabled, all plugins disabled, in Firefox's safe mode. I suspect it's the same bug. Firefox hangs even if I just use File Open to view the png. Various image editors (Paint.net, Irfanview) report it's an invalid png, but don't crash. I'll attach the png to this bug report.
Comment 8•10 years ago
|
||
An invalid png that makes Firefox 27 hang. See #7 for details.
Comment 9•10 years ago
|
||
Confirmed on Linux with Aurora by just viewing this bug because I have the BugzillaJS addon installed which shows previews of attachments inline. :/
Hardware: x86_64 → All
Updated•10 years ago
|
Component: General → ImageLib
Assignee | ||
Comment 10•10 years ago
|
||
Confirmed that the problem is in libpng's progressive reader. The "rpng2-x" program, in libpng/contrib/gregbook, exhibits the behavior as well. rpng2-x built with libpng-1.6.0beta17 exits with an error message quickly while rpng2-x built with libpng-1.6.0beta18 hangs.
Assignee | ||
Comment 11•10 years ago
|
||
I had the regression range in libpng-1.6 wrong. It's libpng-1.6.0beta27 that works and libpng-1.6.0beta28 that hangs. There is a tight loop that happens when a file is truncated. I'm not sure how to fix it, though, because I don't know how to tell the difference (within libpng) between a truncated file and a file that's coming in slowly, such that the loop should spin for a while and then resume when more data arrives.
Assignee | ||
Comment 12•10 years ago
|
||
Testing a one-line fix to the libpng progressive reader now. It was failing to update the process_mode when it recognizes the first IDAT chunk.
Assignee | ||
Comment 13•10 years ago
|
||
Tested locally, needs try server. Bug has been reported to CERT VRF#HRZ9LFD9
Flags: needinfo?(ryanvm)
Assignee | ||
Comment 14•10 years ago
|
||
Don't revise the MOZCHANGES file, to avoid conflicts when applying the patch to prior mozilla releases. The v00 patch can and should be applied to the head instead.
Assignee | ||
Comment 15•10 years ago
|
||
This bug is CERT VU#684412 and CVE-2014-0333.
Assignee | ||
Comment 17•10 years ago
|
||
(In reply to Ryan VanderMeulen [:RyanVM UTC-5] from comment #16) > Can we add a crashtest for this too? :) I'll make one.
Assignee | ||
Comment 18•10 years ago
|
||
Fixes bit rot due to libpng-1.6.9 checkin. This patch should work against earlier versions as well as against the tip. Includes a crash test. Needs a try server run.
Attachment #8380223 -
Attachment is obsolete: true
Attachment #8380345 -
Attachment is obsolete: true
Flags: needinfo?(ryanvm)
Comment 19•10 years ago
|
||
Thanks, Glenn :) https://tbpl.mozilla.org/?tree=Try&rev=45b7de81b959
Assignee | ||
Comment 20•10 years ago
|
||
Comment on attachment 8382508 [details] [diff] [review] v02 fix libpng16 hang with zero-length IDAT Try run is almost all green (two IOS builds failed for some other reason). The new crash tests show up as expected in the "C" logs.
Attachment #8382508 -
Flags: review?(jmuizelaar)
Assignee | ||
Comment 21•10 years ago
|
||
"IOS builds" -> "OS X builds"
Comment 22•10 years ago
|
||
Yes, those all look fine. The G orange is a known-bad test that was disabled.
Updated•10 years ago
|
Attachment #8382508 -
Flags: review?(jmuizelaar) → review+
Assignee | ||
Updated•10 years ago
|
Keywords: checkin-needed
Comment 23•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/ad3b57404218
Flags: in-testsuite+
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/ad3b57404218
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla30
Assignee | ||
Comment 25•10 years ago
|
||
Comment on attachment 8382508 [details] [diff] [review] v02 fix libpng16 hang with zero-length IDAT [Approval Request Comment] Regression caused by (bug #): 886499 User impact if declined: Browser can be caused to hang by a malformed PNG Testing completed (on m-c, etc.): yes on m-c, using the included crash test Risk to taking this patch (and alternatives if risky):DoS String or IDL/UUID changes made by this patch: none
Attachment #8382508 -
Flags: approval-mozilla-release?
Attachment #8382508 -
Flags: approval-mozilla-beta?
Attachment #8382508 -
Flags: approval-mozilla-aurora?
Assignee | ||
Comment 26•10 years ago
|
||
Filled out the form wrong: I don't know of a risk to taking the patch. The DoS is the risk of *not* taking the patch.
Comment 27•10 years ago
|
||
Comment on attachment 8382508 [details] [diff] [review] v02 fix libpng16 hang with zero-length IDAT I am approving the patch for aurora. I will leave Lukas decide for 28.
Attachment #8382508 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Updated•10 years ago
|
tracking-firefox28:
--- → +
Comment 29•10 years ago
|
||
Comment on attachment 8382508 [details] [diff] [review] v02 fix libpng16 hang with zero-length IDAT We can take this to 28 (and tracking as such) since it's a regression from 27 and there's enough risk to *not* taking it.
Attachment #8382508 -
Flags: approval-mozilla-release?
Attachment #8382508 -
Flags: approval-mozilla-release-
Attachment #8382508 -
Flags: approval-mozilla-beta?
Attachment #8382508 -
Flags: approval-mozilla-beta+
Updated•10 years ago
|
Updated•10 years ago
|
status-b2g-v1.3T:
--- → fixed
Updated•9 years ago
|
Crash Signature: https://crash-stats.mozilla.com/report/index/f757b297-7961-4866-9f20-e6a982140220 → [@ libpthread-2.17.so@0xe80c ]
You need to log in
before you can comment on or make changes to this bug.
Description
•