Bug 140416 - firefox crashes on streaming jpeg image
Summary: firefox crashes on streaming jpeg image
Status: RESOLVED FIXED
Alias: None
Product: SUSE LINUX 10.0
Classification: openSUSE
Component: Firefox
Version: Final
Hardware: Other Other
Priority: P5 - None  Severity: Normal
Target Milestone: ---
Assignee: E-mail List
QA Contact: E-mail List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2005-12-20 21:25 UTC by Marcus Meissner
Modified: 2006-03-02 05:06 UTC
CC List: 2 users

See Also:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
debug.log (9.11 KB, text/plain)
2005-12-21 13:05 UTC, Marcus Meissner
simple testcase (135 bytes, text/html)
2005-12-22 10:22 UTC, Wolfgang Rosenauer

Description Marcus Meissner 2005-12-20 21:25:33 UTC
Hi,

The following code snippet (in an HTML file) crashes Firefox.

<img src="http://www.airport-nuernberg.de/_/tools/webcam.html?_FRAME=64&refresh=0&datei=webcam-0-0.jpg">


Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1445741824 (LWP 11363)]
0x55a27800 in gdk_rgb_init () from /opt/gnome/lib/libgdk-x11-2.0.so.0
(gdb) bt
#0  0x55a27800 in gdk_rgb_init () from /opt/gnome/lib/libgdk-x11-2.0.so.0
#1  0x55a29fd8 in gdk_rgb_find_color () from /opt/gnome/lib/libgdk-x11-2.0.so.0
#2  0x081acf0f in operator!=<char> ()
#3  0x081ada8f in operator!=<char> ()
#4  0x086d9b58 in nsCOMTypeInfo<nsIBinaryInputStream>::GetIID ()
#5  0x0820eaf5 in nsCOMPtr<nsIBidirectionalEnumerator>::nsCOMPtr ()
#6  0x083e37bc in nsCOMPtr<nsIObjectInputStream>::nsCOMPtr ()
#7  0x083d8ad3 in nsCOMPtr<nsIObjectInputStream>::nsCOMPtr ()
#8  0x083da5f3 in nsCOMPtr<nsIObjectInputStream>::nsCOMPtr ()
#9  0x083e6f3a in nsCOMPtr<nsIObjectInputStream>::nsCOMPtr ()
#10 0x083d8d9d in nsCOMPtr<nsIObjectInputStream>::nsCOMPtr ()
#11 0x083e37bc in nsCOMPtr<nsIObjectInputStream>::nsCOMPtr ()
#12 0x083d8ad3 in nsCOMPtr<nsIObjectInputStream>::nsCOMPtr ()
#13 0x083da5f3 in nsCOMPtr<nsIObjectInputStream>::nsCOMPtr ()
#14 0x083e6f3a in nsCOMPtr<nsIObjectInputStream>::nsCOMPtr ()
#15 0x083d8d9d in nsCOMPtr<nsIObjectInputStream>::nsCOMPtr ()
#16 0x083e37bc in nsCOMPtr<nsIObjectInputStream>::nsCOMPtr ()
#17 0x083e2e42 in nsCOMPtr<nsIObjectInputStream>::nsCOMPtr ()
#18 0x083e67d9 in nsCOMPtr<nsIObjectInputStream>::nsCOMPtr ()
#19 0x083e765c in nsCOMPtr<nsIObjectInputStream>::nsCOMPtr ()
#20 0x0821559b in nsCOMPtr<nsIBidirectionalEnumerator>::nsCOMPtr ()
#21 0x08368f61 in nsCOMTypeInfo<nsICollection>::GetIID ()
#22 0x0836b89e in nsCOMTypeInfo<nsICollection>::GetIID ()
#23 0x0836eedf in nsCOMTypeInfo<nsICollection>::GetIID ()
#24 0x0836f8b5 in nsCOMTypeInfo<nsICollection>::GetIID ()
#25 0x0836fc5f in nsCOMTypeInfo<nsICollection>::GetIID ()
#26 0x08369002 in nsCOMTypeInfo<nsICollection>::GetIID ()
#27 0x081fe29b in nsCOMPtr<nsISupports>::nsCOMPtr ()
#28 0x081fa4a8 in nsCOMPtr<nsISupports>::nsCOMPtr ()
#29 0x081fa4e3 in nsCOMPtr<nsISupports>::nsCOMPtr ()
#30 0x5583fe60 in gtk_marshal_VOID__UINT_STRING () from /opt/gnome/lib/libgtk-x11-2.0.so.0
#31 0x55b49d19 in g_closure_invoke () from /opt/gnome/lib/libgobject-2.0.so.0
#32 0x55b59816 in g_signal_stop_emission () from /opt/gnome/lib/libgobject-2.0.so.0
#33 0x55b5abee in g_signal_emit_valist () from /opt/gnome/lib/libgobject-2.0.so.0
#34 0x55b5b1f5 in g_signal_emit () from /opt/gnome/lib/libgobject-2.0.so.0
#35 0x559323b4 in gtk_widget_activate () from /opt/gnome/lib/libgtk-x11-2.0.so.0
#36 0x5583e845 in gtk_main_do_event () from /opt/gnome/lib/libgtk-x11-2.0.so.0
#37 0x55a313fd in gdk_window_clear_area_e () from /opt/gnome/lib/libgdk-x11-2.0.so.0
#38 0x55a314df in gdk_window_process_all_updates () from /opt/gnome/lib/libgdk-x11-2.0.so.0
#39 0x55a31565 in gdk_window_process_all_updates () from /opt/gnome/lib/libgdk-x11-2.0.so.0
#40 0x55ba7941 in g_child_watch_add () from /opt/gnome/lib/libglib-2.0.so.0
#41 0x55ba535c in g_main_context_dispatch () from /opt/gnome/lib/libglib-2.0.so.0
#42 0x55ba87cb in g_main_context_check () from /opt/gnome/lib/libglib-2.0.so.0
#43 0x55ba8ae7 in g_main_loop_run () from /opt/gnome/lib/libglib-2.0.so.0
#44 0x5583d861 in gtk_main () from /opt/gnome/lib/libgtk-x11-2.0.so.0
#45 0x081fdb1a in nsCOMPtr<nsISupports>::nsCOMPtr ()
#46 0x086f0180 in nsCOMTypeInfo<nsIBinaryInputStream>::GetIID ()
#47 0x080810db in ?? ()
#48 0x00000002 in ?? ()
#49 0xffffb834 in ?? ()
#50 0x086f88d0 in _IO_stdin_used ()
#51 0xffffb808 in ?? ()
#52 0x5611fea0 in __libc_start_main () from /lib/tls/libc.so.6
#53 0x5611fea0 in __libc_start_main () from /lib/tls/libc.so.6
#54 0x08081031 in ?? ()
(gdb) x /i $eip
0x55a27800 <gdk_rgb_init+5120>: movzbl 0x2(%edx),%eax
(gdb) print $edx
$1 = 0
(gdb) 

(sorry, debuginfo on amd64 does not really work)

Also happened with the 10.1 Alpha3Plus snapshot.
Comment 1 Marcus Meissner 2005-12-21 13:05:08 UTC
Created attachment 61545
debug.log

debugging session on current autobuild state
with debuginfo and line numbers.
Comment 2 Wolfgang Rosenauer 2005-12-22 09:30:40 UTC
Do you have an public URL where this is done?
Comment 3 Wolfgang Rosenauer 2005-12-22 09:32:43 UTC
So it happens for you with 1.0.7 on 10.0 and 1.5 on 10.1alpha?
Comment 4 Wolfgang Rosenauer 2005-12-22 10:20:14 UTC
hmm, upstream Firefox 1.5 doesn't crash. I don't think that our patches are to blame but maybe some gtk issue.
Comment 5 Wolfgang Rosenauer 2005-12-22 10:22:57 UTC
Created attachment 61686
simple testcase
Comment 6 Federico Mena Quintero 2005-12-22 16:11:45 UTC
It's a Mozilla bug.  See the bottom of the log in comment #1; mImageBits is 0.  It ends up passing "buf = 0" to gdkrgb.
Comment 7 Wolfgang Rosenauer 2005-12-22 18:23:27 UTC
OK, do you have an idea why the upstream binary doesn't show this behaviour? Could it be because it's linked against older versions of gtk etc.?
Comment 8 Federico Mena Quintero 2005-12-22 18:59:43 UTC
No idea.  But GTK+ is not the problem here - it is getting passed a null pointer instead of a valid buffer.

If you are testing that particular image, you could set a conditional breakpoint in gdk_draw_rgb_image_core() when rowstride==1032.  Compare the stack traces for our version and the upstream version, and see what changed.
Comment 9 Marcus Meissner 2006-02-20 15:13:01 UTC
Looks like the nsImageGTK destructor was called, but UpdateCachedImage() was called after that.
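The sequence described in comments 6 and 9, as an added example that is not part of the bug report and is not Mozilla or GTK+ code: a reduced C model in which the image's pixel buffer is released by the destructor, a queued cached-image update still fires afterwards, and the drawing sink is handed a NULL buffer and reads buf[2] unconditionally, which is the `movzbl 0x2(%edx)` with `%edx == 0` in the backtrace. All type, field and function names are hypothetical stand-ins (`bits` for mImageBits, `draw_rgb_image_core` for the GDK entry point); the struct is deliberately kept alive after its "destructor" so the replay can run without faulting, whereas in the real crash the object itself was already gone.

```c
/* Added example (not Mozilla or GTK+ code): a reduced model of the
 * destructor-then-UpdateCachedImage sequence in comment 9. Names and
 * layout are hypothetical; the struct is kept alive after "destruction"
 * so the replay runs safely. */
#include <stdio.h>
#include <stdlib.h>

#define WIDTH 344   /* 344 px * 3 bytes = rowstride 1032, the value in comment 8 */
#define BPP   3

struct image {
    unsigned char *bits;  /* stands in for mImageBits */
    int rowstride;
    int pending_update;   /* a queued cached-image update for this object */
};

static const unsigned char *last_buf_seen;  /* what the sink was handed */
static int sink_calls;

/* Stand-in for the GDK sink. The real gdk_rgb path has no NULL check and
 * reads buf[2] straight away; this model records the pointer and bails. */
static int draw_rgb_image_core(const unsigned char *buf, int rowstride)
{
    (void)rowstride;
    last_buf_seen = buf;
    sink_calls++;
    if (buf == NULL)
        return -1;
    return buf[2];
}

static struct image *image_new(void)
{
    struct image *img = calloc(1, sizeof *img);
    img->rowstride = WIDTH * BPP;
    img->bits = calloc(4, (size_t)img->rowstride);  /* 4 constructed rows */
    img->bits[2] = 0x7f;  /* constructed pixel byte so the sink returns it */
    img->pending_update = 1;
    return img;
}

/* Unfixed destructor: frees the bits but leaves the update queued. */
static void image_destroy_unfixed(struct image *img)
{
    free(img->bits);
    img->bits = NULL;
}

/* Unfixed update: draws whatever the object holds, NULL included. */
static int update_cached_image_unfixed(struct image *img)
{
    return draw_rgb_image_core(img->bits, img->rowstride);
}

/* Fixed destructor: cancel the queued update before tearing down. */
static void image_destroy_fixed(struct image *img)
{
    img->pending_update = 0;
    free(img->bits);
    img->bits = NULL;
}

/* Fixed update: nothing to draw once the update was cancelled or the
 * buffer is gone, so the sink never sees a NULL buffer. */
static int update_cached_image_fixed(struct image *img)
{
    if (!img->pending_update || img->bits == NULL)
        return 0;
    img->pending_update = 0;
    return draw_rgb_image_core(img->bits, img->rowstride);
}

/* Replays destructor-then-update with the unfixed code; returns 1 if the
 * sink was handed NULL, i.e. the point where the real code segfaults. */
int replay_unfixed(void)
{
    struct image *img = image_new();
    image_destroy_unfixed(img);
    sink_calls = 0;
    int rc = update_cached_image_unfixed(img);
    int handed_null = (sink_calls == 1 && last_buf_seen == NULL && rc == -1);
    free(img);
    return handed_null;
}

/* Same sequence with the fixed code; returns 1 if the sink was never called. */
int replay_fixed(void)
{
    struct image *img = image_new();
    image_destroy_fixed(img);
    sink_calls = 0;
    int rc = update_cached_image_fixed(img);
    int skipped = (sink_calls == 0 && rc == 0);
    free(img);
    return skipped;
}

int main(void)
{
    printf("unfixed: sink handed NULL = %d\n", replay_unfixed());
    printf("fixed:   update skipped   = %d\n", replay_fixed());
    return 0;
}
```

Build with `cc -Wall -o replay replay.c && ./replay`. Two points the model makes explicit: a NULL check added inside GTK+ would only hide the problem, because the update is running against an object whose destructor has already finished, so the durable fix belongs on the Mozilla side (cancel the pending update, or keep the image referenced until it has run), which is where comment 6 places the bug. And when chasing the real thing rather than the model, the conditional breakpoint suggested in comment 8 is `break gdk_draw_rgb_image_core if rowstride == 1032`, which stops only on this image's rows and lets the SUSE and upstream stacks be compared at the same call.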
Comment 10 Robert O'Callahan 2006-02-27 02:18:59 UTC
I've filed upstream bug 328684:
https://bugzilla.mozilla.org/show_bug.cgi?id=328684
with a possible patch. I need some upstream feedback to be sure it's the right patch.
Comment 11 Robert O'Callahan 2006-03-02 03:29:13 UTC
My patch was accepted upstream. We can take it for our FF1.5 releases if we want to. Whether we do or not, this is fixed.
Comment 12 Wolfgang Rosenauer 2006-03-02 05:06:28 UTC
I have it already in my local tree, thanks ;-)
It will be submitted with next checkin for beta7