Closed Bug 619048 Opened 14 years ago Closed 13 years ago

Crash when trying to optimize zero-sized image

Categories

(Core :: Graphics, defect)

Product:
Core
Component:
Graphics
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla7
Tracking Flags:
Tracking Status
firefox5 - ---
firefox6 - ---
blocking2.0 --- -

People

(Reporter: wsmwk, Assigned: joe)

References

Details

(4 keywords, Whiteboard: [sg:dos null-deref][inbound])

Crash Data

Attachments

(3 files, 7 obsolete files)

Crash image
(deleted), image/x-icon
Details
correctly reject invalid sizes
(deleted), patch
jrmuizel
: review+
Details | Diff | Splinter Review
maximum-width and maximum-height icon crashtests
(deleted), patch
jrmuizel
: review+
Details | Diff | Splinter Review
crash [@ imgFrame::Optimize()] bp-3a4443c1-0914-4bcf-9855-e90742101204 EXCEPTION_ACCESS_VIOLATION_READ 0x0 0 xul.dll imgFrame::Optimize modules/libpr0n/src/imgFrame.cpp:259 1 xul.dll mozilla::imagelib::RasterImage::DecodingComplete modules/libpr0n/src/RasterImage.cpp:1046 2 xul.dll mozilla::imagelib::Decoder::Finish modules/libpr0n/src/Decoder.cpp:132 3 xul.dll mozilla::imagelib::RasterImage::ShutdownDecoder modules/libpr0n/src/RasterImage.cpp:2138 4 xul.dll mozilla::imagelib::imgDecodeWorker::Run modules/libpr0n/src/RasterImage.cpp:2609 5 xul.dll mozilla::imagelib::RasterImage::SourceDataComplete modules/libpr0n/src/RasterImage.cpp:1269 6 xul.dll imgRequest::OnStopRequest modules/libpr0n/src/imgRequest.cpp:926 7 mozcrt19.dll arena_dalloc obj-firefox/memory/jemalloc/crtsrc/jemalloc.c:4284 8 xul.dll nsStreamListenerTee::OnStopRequest netwerk/base/src/nsStreamListenerTee.cpp:71 9 xul.dll nsHttpChannel::OnStopRequest netwerk/protocol/http/nsHttpChannel.cpp:4030 10 xul.dll nsInputStreamPump::OnStateStop netwerk/base/src/nsInputStreamPump.cpp:578
A comment from one user that crashed: "This problem seems to confirm some Display Driver bug with Radeon Catalyst 2011.0308.2325.42017 - Repeated many times..."
Reproducible url http://www.beanrunnercafe.com/ Regression window(m-c hourly):: Works; http://hg.mozilla.org/mozilla-central/rev/484bd866905e Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b6pre) Gecko/20100911 Firefox/4.0b6pre ID:20100912040749 Crash: http://hg.mozilla.org/mozilla-central/rev/389e836517bc Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b6pre) Gecko/20100911 Firefox/4.0b6pre ID:20100912085645 Pushlog: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=484bd866905e&tochange=389e836517bc
OS: Windows Vista → All
Hardware: x86 → All
blocking2.0: --- → ?
tracking-firefox5: --- → ?
tracking-firefox6: --- → ?
Keywords: regression
Keywords: reproducible
Has this spiked in the crash data or something? Why has it been nominated as a concern for Firefox 5?
The reproducible url listed here: http://www.beanrunnercafe.com/ is a site that I created and just put online on 5.16.11. It was created in Freeway Pro 5.5 (developer Softpress). Uses an inline box model, with some CMS (WebYep) and some javascript feeds.
Blocks: 514033
ARe you suggesting I should remove the favicon.ico?
Attached image Crash image (deleted) —
I removed the favicon from each page and it appears to no longer crash. Anyone know why this would cause a crash?
We are not going to track this but if there is a fix ready it should be nominated for beta approval with a risk analysis.
tracking-firefox5: ?-
blocking2.0: ? → -
Keywords: testcase
Whiteboard: [sg:dos null-deref]
looks like this is also seen on other sites domains/pages: 85 www.mafia2multiplayer.com 66 www.sendmepc.com 2 http://www.sendmepc.com/toshiba/191-toshiba-satellite-l650-15g.html 2 http://www.sendmepc.com/acer/204-acer-aspire-5741-i5-ati.html 2 http://www.sendmepc.com/208-dell-inspiron-n5010-new-shape-.html 2 http://www.sendmepc.com/14-2500-le-to-3000-le 1 http://www.sendmepc.com/toshiba/306-toshiba-satellite-c660-162-i3-253-ghz-320-gb-ram-2-gb.html 1 http://www.sendmepc.com/toshiba/178-toshiba-satellite-c650-1cg.html 1 http://www.sendmepc.com/search.php?orderby=position&orderway=desc&search_query=N5110&submit_search=Search 1 http://www.sendmepc.com/lang-fr/308-hp-pavilion-g6-1040ee-core-i3-4g-ram-ati-5650-win7.html 1 http://www.sendmepc.com/hp-laptop/239-hp-pavilion-dv6-3170ee-core-i7-.html 1 http://www.sendmepc.com/hp-laptop/182-hp-pavilion-dv6-3053ee.html 1 http://www.sendmepc.com/fujitsu-siemens/251-fujitsu-lifebook-core-i5-500gb-ati.html 1 http://www.sendmepc.com/dell/252-dell-inspiron-n5010-i7-6mb-cache-4-gb-ram-1-year-warantee.html 1 http://www.sendmepc.com/dell/244-dell-inspiron-n5010-i7-6mb-cache-4-gb-ram-3-years-warantee.html 1 http://www.sendmepc.com/asus/295-laptop-asus-x42jy-i5-266ghz-3g-ram-ddr3-500g-hd-ati-hd-1gb-2-yrs-ltd-warranty.html 1 http://www.sendmepc.com/asus/294-asus-x42jy-i3-253ghz-3g-ram-ddr3-500g-2yr-ltd-warranty.html 1 http://www.sendmepc.com/acer/301-acer-aspire-5742g-i5-nvidia-geforce.html 1 http://www.sendmepc.com/acer/301-acer-aspire-5740g-i5.html 1 http://www.sendmepc.com/acer/300-acer-aspire-5740g-i5.html 1 http://www.sendmepc.com/acer/151-acer-aspire-5741g-i5-226-ghz-up-to-253ghz-ati-hd-5470-512mb-up-2234mb-hd-500gb-4gb-ddr3-win-7.html 1 http://www.sendmepc.com/316-inspiron-n5010-253-ghz-i5-320-gb-hd-3-gb-ram-ati-512mb-.html 1 http://www.sendmepc.com/315-dell-inspiron-n5110-i7-win7-3years-6gb-ram.html 1 http://www.sendmepc.com/308-hp-pavilion-g6-1040ee-core-i3-4g-ram-ati-5650-win7.html 1 http://www.sendmepc.com/285-dell-inspiron-n5010-i5-3-gb-253-ghz-320-gb-ati-512-mb.html 1 http://www.sendmepc.com/237-dell-inspiron-n5010-i5-266-ghz-290-ghz-ram-4gb-500-gb-hd-ati-1gb-windows-7.html 1 http://www.sendmepc.com/236-inspiron-n5010-266-ghz-i5-500-gb-hd-4-gb-ram-ati-hd-5650-1gb-up-2775mb-.html 35 www.facebook.com 21 www.beanrunnercafe.com 2 http://www.beanrunnercafe.com/test/webyep-system/program/l-save.php 15 www.google.com.eg 14 gobowling.com.au 11 www.youtube.com 10 www.heritagehumanesociety.org 9 hurrichips.com 9 bugzilla.mozilla.org 9 https://bugzilla.mozilla.org/attachment.cgi?id=533813 8 mafia2multiplayer.com 7 www.samradford.com 1 http://www.samradford.com/post/5583012305/is-the-anc-fit-to-lead-south-africa-anymore 1 http://www.samradford.com/post/5417121537/the-importance-of-unwritten-plans 1 http://www.samradford.com/post/5360994454/skype-only-makes-money-when-it-changes-hands 1 http://www.samradford.com/post/5268435883/cameron-and-clegg-one-year-on-from-the-times 1 http://www.samradford.com/ 7 www.leutesdorf-rhein.de 1 http://www.leutesdorf-rhein.de/weingut-emmerich/download/weinliste.pdf 1 http://www.leutesdorf-rhein.de/service/web-quiz-mai-2011.html 1 http://www.leutesdorf-rhein.de/pension-will/index.html 1 http://www.leutesdorf-rhein.de/gastronomie.html 1 http://www.leutesdorf-rhein.de/ 7 www.google.com
per comment 13, we're not going to be tracking this specific issue.
tracking-firefox6: ?-
Crash Signature: [@ imgFrame::Optimize()]
Assignee: nobody → joe
Summary: crash [@ imgFrame::Optimize()] → Crash when trying to optimize zero-sized image
Attached patch handle zero-sized images in imgFrame::Optimize (obsolete) (deleted) — Splinter Review
Zero-sized images are special-cased in gfxImageSurface by leaving mData set to null. We should not even try to optimize zero-sized images.
Attachment #542585 - Flags: review?(jmuizelaar)
Attached patch zero sized image crashtest (obsolete) (deleted) — Splinter Review
Attachment #542587 - Flags: review?(jmuizelaar)
Comment on attachment 542585 [details] [diff] [review] handle zero-sized images in imgFrame::Optimize Go straight to hell.
Attachment #542585 - Flags: review?(jmuizelaar) → review-
(In reply to comment #19) > Comment on attachment 542585 [details] [diff] [review] [review] > handle zero-sized images in imgFrame::Optimize > > Go straight to hell. The reasons for which have been communicated out of band.
The reason this came up is because our ICO decoder (potentially) incorrectly says images with a width or height of 0 actually have that width or height, but various other places disagree and say that its width/height are actually 256. I filed bug 668068 on that issue. We already handled a 0-height image, but we didn't handle 0-width.
Comment on attachment 542587 [details] [diff] [review] zero sized image crashtest This is a poor name for the crash test.
Attachment #542587 - Flags: review?(jmuizelaar) → review-
Jeff didn't like us allowing 0-height and 0-width images. It turned out that we already rejected 0-height, so I just extended that to reject 0-width too.
Attachment #542585 - Attachment is obsolete: true
Attachment #542632 - Flags: review?(jmuizelaar)
Attached patch max-sized image crashtest (obsolete) (deleted) — Splinter Review
Due to the above revelations, I'm retitling this crashtest to be max-width, not zero-width.
Attachment #542587 - Attachment is obsolete: true
Comment on attachment 542632 [details] [diff] [review] Correctly reject both 0-width and 0-height images <= is better than ==
Attachment #542632 - Flags: review?(jmuizelaar) → review-
Attachment #542634 - Flags: review?(jmuizelaar)
Attached patch correctly reject invalid sizes (obsolete) (deleted) — Splinter Review
Attachment #542632 - Attachment is obsolete: true
Attachment #542635 - Flags: review?(jmuizelaar)
Attached patch correctly reject invalid sizes (deleted) — Splinter Review
forgot to qref
Attachment #542635 - Attachment is obsolete: true
Attachment #542638 - Flags: review?(jmuizelaar)
Attachment #542635 - Flags: review?(jmuizelaar)
Attached image 256 height (obsolete) (deleted) —
Attached image 256 width (obsolete) (deleted) —
Attachment #542634 - Flags: review?(jmuizelaar) → review-
Attachment #542638 - Flags: review?(jmuizelaar) → review+
Attachment #542634 - Attachment is obsolete: true
Attachment #542639 - Attachment is obsolete: true
Attachment #542640 - Attachment is obsolete: true
Attachment #542643 - Flags: review?(jmuizelaar)
Attachment #542643 - Flags: review?(jmuizelaar) → review+
Crash Signature: [@ imgFrame::Optimize()] → [@ imgFrame::Optimize() ]
http://hg.mozilla.org/integration/mozilla-inbound/rev/ff318d0e5d72 http://hg.mozilla.org/integration/mozilla-inbound/rev/098f5469308d Accidentally labeled the second push under the wrong bug, though.
Whiteboard: [sg:dos null-deref] → [sg:dos null-deref][inbound]
this push, along with bug 552605, greatly increased random oranges in the followint reftest: layout/reftests/svg/as-image/img-and-image-1.html
backed out from inbound since the reftests failures were not something I'd love to merge to central. fixing the above one or marking as random may be enough, but I don't know what this code does and what the test is supposed to do.
Whiteboard: [sg:dos null-deref][inbound] → [sg:dos null-deref]
I marked that reftest as random until dholbert gets a chance to fix the bug. http://hg.mozilla.org/integration/mozilla-inbound/rev/17f5ec50a7f1 http://hg.mozilla.org/integration/mozilla-inbound/rev/3bc48f2e9899
Whiteboard: [sg:dos null-deref] → [sg:dos null-deref][inbound]
http://hg.mozilla.org/mozilla-central/rev/17f5ec50a7f1 http://hg.mozilla.org/mozilla-central/rev/3bc48f2e9899
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla7
Build identifier: Mozilla/5.0 (X11; Linux x86_64; rv:7.0) Gecko/20100101 Firefox/7.0 Verified as fixed on Ubuntu: none of the pages specified in comment 3 and comment 14 crashed.
Build identifier: Mozilla/5.0 (Windows NT 6.1; rv:7.0) Gecko/20100101 Firefox/7.0 Verified as fixed on Windows: none of the pages specified in comment 3 and comment 14 crashed.

(In reply to chris hofmann from comment #14)

looks like this is also seen on other sites

domains/pages:

85 www.mafia2multiplayer.com
66 www.sendmepc.com
2 http://www.sendmepc.com/toshiba/191-toshiba-satellite-l650-15g.html
2 http://www.sendmepc.com/acer/204-acer-aspire-5741-i5-ati.html
2 http://www.sendmepc.com/208-dell-inspiron-n5010-new-shape-.html
2 http://www.sendmepc.com/14-2500-le-to-3000-le
1
http://www.sendmepc.com/toshiba/306-toshiba-satellite-c660-162-i3-253-ghz-
320-gb-ram-2-gb.html
1 http://www.sendmepc.com/toshiba/178-toshiba-satellite-c650-1cg.html
1
http://www.sendmepc.com/search.
php?orderby=position&orderway=desc&search_query=N5110&submit_search=Search
1
http://www.sendmepc.com/lang-fr/308-hp-pavilion-g6-1040ee-core-i3-4g-ram-ati-
5650-win7.html
1
http://www.sendmepc.com/hp-laptop/239-hp-pavilion-dv6-3170ee-core-i7-.html
1 http://www.sendmepc.com/hp-laptop/182-hp-pavilion-dv6-3053ee.html
1
http://www.sendmepc.com/fujitsu-siemens/251-fujitsu-lifebook-core-i5-500gb-
ati.html
1
http://www.sendmepc.com/dell/252-dell-inspiron-n5010-i7-6mb-cache-4-gb-ram-1-
year-warantee.html
1
http://www.sendmepc.com/dell/244-dell-inspiron-n5010-i7-6mb-cache-4-gb-ram-3-
years-warantee.html
1
http://www.sendmepc.com/asus/295-laptop-asus-x42jy-i5-266ghz-3g-ram-ddr3-
500g-hd-ati-hd-1gb-2-yrs-ltd-warranty.html
1
http://www.sendmepc.com/asus/294-asus-x42jy-i3-253ghz-3g-ram-ddr3-500g-2yr-
ltd-warranty.html
1
http://www.sendmepc.com/acer/301-acer-aspire-5742g-i5-nvidia-geforce.html
1 http://www.sendmepc.com/acer/301-acer-aspire-5740g-i5.html
1 http://www.sendmepc.com/acer/300-acer-aspire-5740g-i5.html
1
http://www.sendmepc.com/acer/151-acer-aspire-5741g-i5-226-ghz-up-to-253ghz-
ati-hd-5470-512mb-up-2234mb-hd-500gb-4gb-ddr3-win-7.html
1
http://www.sendmepc.com/316-inspiron-n5010-253-ghz-i5-320-gb-hd-3-gb-ram-ati-
512mb-.html
1
http://www.sendmepc.com/315-dell-inspiron-n5110-i7-win7-3years-6gb-ram.html
1
http://www.sendmepc.com/308-hp-pavilion-g6-1040ee-core-i3-4g-ram-ati-5650-
win7.html
1
http://www.sendmepc.com/285-dell-inspiron-n5010-i5-3-gb-253-ghz-320-gb-ati-
512-mb.html
1
http://www.sendmepc.com/237-dell-inspiron-n5010-i5-266-ghz-290-ghz-ram-4gb-
500-gb-hd-ati-1gb-windows-7.html
1
http://www.sendmepc.com/236-inspiron-n5010-266-ghz-i5-500-gb-hd-4-gb-ram-ati-
hd-5650-1gb-up-2775mb-.html

35 www.facebook.com
21 www.beanrunnercafe.com
2 http://www.beanrunnercafe.com/test/webyep-system/program/l-save.php

15 www.google.com.eg
14 gobowling.com.au
11 www.youtube.com
10 www.heritagehumanesociety.org
9 hurrichips.com
9 bugzilla.mozilla.org
9 https://bugzilla.mozilla.org/attachment.cgi?id=533813

8 mafia2multiplayer.com
7 www.samradford.com
1
http://www.samradford.com/post/5583012305/is-the-anc-fit-to-lead-south-
africa-anymore
1
http://www.samradford.com/post/5417121537/the-importance-of-unwritten-plans
1
http://www.samradford.com/post/5360994454/skype-only-makes-money-when-it-
changes-hands
1
http://www.samradford.com/post/5268435883/cameron-and-clegg-one-year-on-from-
the-times
1 http://www.samradford.com/

7 www.leutesdorf-rhein.de
1 http://www.leutesdorf-rhein.de/weingut-emmerich/download/weinliste.pdf
1 http://www.leutesdorf-rhein.de/service/web-quiz-mai-2011.html
1 http://www.leutesdorf-rhein.de/pension-will/index.html
1 http://www.leutesdorf-rhein.de/gastronomie.html
1 http://www.leutesdorf-rhein.de/

7 www.google.com

(In reply to Gabriela [:gaby2300] from comment #38)

Build identifier: Mozilla/5.0 (Windows NT 6.1; rv:7.0) Gecko/20100101
Firefox/7.0

Verified as fixed on Windows: none of the pages specified in comment 3 and
comment 14 crashed.

(In reply to chris hofmann from comment #14)

looks like this is also seen on other sites

domains/pages:

85 www.mafia2multiplayer.com
66 www.sendmepc.com
2 http://www.sendmepc.com/toshiba/191-toshiba-satellite-l650-15g.html
2 http://www.sendmepc.com/acer/204-acer-aspire-5741-i5-ati.html
2 http://www.sendmepc.com/208-dell-inspiron-n5010-new-shape-.html
2 http://www.sendmepc.com/14-2500-le-to-3000-le
1
http://www.sendmepc.com/toshiba/306-toshiba-satellite-c660-162-i3-253-ghz-
320-gb-ram-2-gb.html
1 http://www.sendmepc.com/toshiba/178-toshiba-satellite-c650-1cg.html
1
http://www.sendmepc.com/search.
php?orderby=position&orderway=desc&search_query=N5110&submit_search=Search
1
http://www.sendmepc.com/lang-fr/308-hp-pavilion-g6-1040ee-core-i3-4g-ram-ati-
5650-win7.html
1
http://www.sendmepc.com/hp-laptop/239-hp-pavilion-dv6-3170ee-core-i7-.html
1 http://www.sendmepc.com/hp-laptop/182-hp-pavilion-dv6-3053ee.html
1
http://www.sendmepc.com/fujitsu-siemens/251-fujitsu-lifebook-core-i5-500gb-
ati.html
1
http://www.sendmepc.com/dell/252-dell-inspiron-n5010-i7-6mb-cache-4-gb-ram-1-
year-warantee.html
1
http://www.sendmepc.com/dell/244-dell-inspiron-n5010-i7-6mb-cache-4-gb-ram-3-
years-warantee.html
1
http://www.sendmepc.com/asus/295-laptop-asus-x42jy-i5-266ghz-3g-ram-ddr3-
500g-hd-ati-hd-1gb-2-yrs-ltd-warranty.html
1
http://www.sendmepc.com/asus/294-asus-x42jy-i3-253ghz-3g-ram-ddr3-500g-2yr-
ltd-warranty.html
1
http://www.sendmepc.com/acer/301-acer-aspire-5742g-i5-nvidia-geforce.html
1 http://www.sendmepc.com/acer/301-acer-aspire-5740g-i5.html
1 http://www.sendmepc.com/acer/300-acer-aspire-5740g-i5.html
1
http://www.sendmepc.com/acer/151-acer-aspire-5741g-i5-226-ghz-up-to-253ghz-
ati-hd-5470-512mb-up-2234mb-hd-500gb-4gb-ddr3-win-7.html
1
http://www.sendmepc.com/316-inspiron-n5010-253-ghz-i5-320-gb-hd-3-gb-ram-ati-
512mb-.html
1
http://www.sendmepc.com/315-dell-inspiron-n5110-i7-win7-3years-6gb-ram.html
1
http://www.sendmepc.com/308-hp-pavilion-g6-1040ee-core-i3-4g-ram-ati-5650-
win7.html
1
http://www.sendmepc.com/285-dell-inspiron-n5010-i5-3-gb-253-ghz-320-gb-ati-
512-mb.html
1
http://www.sendmepc.com/237-dell-inspiron-n5010-i5-266-ghz-290-ghz-ram-4gb-
500-gb-hd-ati-1gb-windows-7.html
1
http://www.sendmepc.com/236-inspiron-n5010-266-ghz-i5-500-gb-hd-4-gb-ram-ati-
hd-5650-1gb-up-2775mb-.html

35 www.facebook.com
21 www.beanrunnercafe.com
2 http://www.beanrunnercafe.com/test/webyep-system/program/l-save.php

15 www.google.com.eg
14 gobowling.com.au
11 www.youtube.com
10 www.heritagehumanesociety.org
9 hurrichips.com
9 bugzilla.mozilla.org
9 https://bugzilla.mozilla.org/attachment.cgi?id=533813

8 mafia2multiplayer.com
7 www.samradford.com
1
http://www.samradford.com/post/5583012305/is-the-anc-fit-to-lead-south-
africa-anymore
1
http://www.samradford.com/post/5417121537/the-importance-of-unwritten-plans
1
http://www.samradford.com/post/5360994454/skype-only-makes-money-when-it-
changes-hands
1
http://www.samradford.com/post/5268435883/cameron-and-clegg-one-year-on-from-
the-times
1 http://www.samradford.com/

7 www.leutesdorf-rhein.de
1 http://www.leutesdorf-rhein.de/weingut-emmerich/download/weinliste.pdf
1 http://www.leutesdorf-rhein.de/service/web-quiz-mai-2011.html
1 http://www.leutesdorf-rhein.de/pension-will/index.html
1 http://www.leutesdorf-rhein.de/gastronomie.html
1 http://www.leutesdorf-rhein.de/

7 www.google.com

https://www.digitalstudyhindi.com

looks like this is also seen on other sites
www.shabdshiksha.com

You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: