Bug 142726

Summary: fast/images/animated-png.html is crashing / failing on Yosemite
Product: WebKit
Reporter: Chris Dumez <cdumez>
Component: Platform
Assignee: Nobody <webkit-unassigned>
Status: NEW
Severity: Normal
CC: ap, barraclough, cgarcia, koivisto, simon.fraser, waldyrious
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Bug Depends on:
Bug Blocks: 17022

Description Chris Dumez 2015-03-16 09:27:12 PDT
Crash trace:
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.ImageIO.framework   	0x00007fff83d7b4d7 ImageIO_ExpandIndex_1Bit_to_8Bit + 200
1   com.apple.ImageIO.framework   	0x00007fff83d93cbd copyImageBlockSetAPNG + 4908
2   com.apple.ImageIO.framework   	0x00007fff83d639c2 ImageProviderCopyImageBlockSetCallback + 581
3   com.apple.CoreGraphics        	0x00007fff8ac2490d img_blocks_create + 651
4   com.apple.CoreGraphics        	0x00007fff8ac24658 img_blocks_extent + 96
5   com.apple.CoreGraphics        	0x00007fff8abd91c4 img_data_lock + 8327
6   com.apple.CoreGraphics        	0x00007fff8abd60de CGSImageDataLock + 151
7   libRIP.A.dylib                	0x000000010de062d2 ripc_AcquireImage + 906
8   libRIP.A.dylib                	0x000000010de04df5 ripc_DrawImage + 1037
9   com.apple.CoreGraphics        	0x00007fff8abd5c97 CGContextDrawImage + 457
10  com.apple.WebCore             	0x000000010b667e40 WebCore::GraphicsContext::drawNativeImage(CGImage*, WebCore::FloatSize const&, WebCore::ColorSpace, WebCore::FloatRect const&, WebCore::FloatRect const&, WebCore::CompositeOperator, WebCore::BlendMode, WebCore::ImageOrientation) + 1872 (GraphicsContextCG.cpp:245)
11  com.apple.WebCore             	0x000000010b34034a WebCore::BitmapImage::draw(WebCore::GraphicsContext*, WebCore::FloatRect const&, WebCore::FloatRect const&, WebCore::ColorSpace, WebCore::CompositeOperator, WebCore::BlendMode, WebCore::ImageOrientationDescription) + 714 (BitmapImageCG.cpp:250)
12  com.apple.WebCore             	0x000000010b658afb WebCore::GraphicsContext::drawImage(WebCore::Image*, WebCore::ColorSpace, WebCore::FloatRect const&, WebCore::FloatRect const&, WebCore::ImagePaintingOptions const&) + 155 (GraphicsContext.cpp:390)
13  com.apple.WebCore             	0x000000010b658b82 WebCore::GraphicsContext::drawImage(WebCore::Image*, WebCore::ColorSpace, WebCore::FloatRect const&, WebCore::ImagePaintingOptions const&) + 82 (GraphicsContext.cpp:380)
14  com.apple.WebCore             	0x000000010bd67f0c WebCore::RenderImage::paintIntoRect(WebCore::GraphicsContext*, WebCore::FloatRect const&) + 572 (PassRefPtr.h:58)
15  com.apple.WebCore             	0x000000010bd67645 WebCore::RenderImage::paintReplaced(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 3829 (RenderImage.cpp:482)
16  com.apple.WebCore             	0x000000010bde6276 WebCore::RenderReplaced::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 886 (RenderReplaced.cpp:188)
17  com.apple.WebCore             	0x000000010bd67f72 WebCore::RenderImage::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 18 (RenderImage.cpp:498)
18  com.apple.WebCore             	0x000000010b79e3e8 WebCore::InlineElementBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) + 312 (InlineElementBox.cpp:89)
19  com.apple.WebCore             	0x000000010b7a2fe6 WebCore::InlineFlowBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) + 1094 (InlineFlowBox.h:86)
20  com.apple.WebCore             	0x000000010be98e66 WebCore::RootInlineBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) + 198 (RootInlineBox.cpp:187)
21  com.apple.WebCore             	0x000000010bdaaffe WebCore::RenderLineBoxList::paint(WebCore::RenderBoxModelObject*, WebCore::PaintInfo&, WebCore::LayoutPoint const&) const + 1118 (RenderLineBoxList.cpp:266)
22  com.apple.WebCore             	0x000000010bcda1b3 WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 67 (RenderBlock.cpp:1430)
23  com.apple.WebCore             	0x000000010bcdaa2e WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 590 (RenderBlock.cpp:1580)
24  com.apple.WebCore             	0x000000010bcda029 WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 425 (RenderBlock.cpp:1411)
25  com.apple.WebCore             	0x000000010bcda54e WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) + 622 (RenderObject.h:385)
26  com.apple.WebCore             	0x000000010bcda2b8 WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) + 72 (RenderBlock.cpp:1450)
27  com.apple.WebCore             	0x000000010bcda260 WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 240 (RenderBlock.cpp:1445)
28  com.apple.WebCore             	0x000000010bcdaa2e WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 590 (RenderBlock.cpp:1580)
29  com.apple.WebCore             	0x000000010bcda029 WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 425 (RenderBlock.cpp:1411)
30  com.apple.WebCore             	0x000000010bd8aad9 WebCore::RenderLayer::paintForegroundForFragmentsWithPhase(WebCore::PaintPhase, WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow> const&, WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int, WebCore::RenderObject*) + 473 (RenderLayer.cpp:4720)
31  com.apple.WebCore             	0x000000010bd8857e WebCore::RenderLayer::paintForegroundForFragments(WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow> const&, WebCore::GraphicsContext*, WebCore::GraphicsContext*, WebCore::LayoutRect const&, bool, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int, WebCore::RenderObject*, bool) + 462 (RenderLayer.cpp:4685)
32  com.apple.WebCore             	0x000000010bd852d7 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 2679 (RenderLayer.cpp:4305)
33  com.apple.WebCore             	0x000000010bd83469 WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 905 (RenderLayer.cpp:3942)
34  com.apple.WebCore             	0x000000010bd85403 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 2979 (RenderLayer.cpp:4313)
35  com.apple.WebCore             	0x000000010bd9bb52 WebCore::RenderLayerBacking::paintIntoLayer(WebCore::GraphicsLayer const*, WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, unsigned int) + 514 (RenderLayerBacking.cpp:2269)
36  com.apple.WebCore             	0x000000010bd9be62 WebCore::RenderLayerBacking::paintContents(WebCore::GraphicsLayer const*, WebCore::GraphicsContext&, unsigned int, WebCore::FloatRect const&) + 626 (RenderLayerBacking.cpp:2321)
37  com.apple.WebCore             	0x000000010b66d4f4 WebCore::GraphicsLayer::paintGraphicsLayerContents(WebCore::GraphicsContext&, WebCore::FloatRect const&) + 132 (GraphicsLayer.cpp:414)
38  com.apple.WebCore             	0x000000010bc93989 WebCore::PlatformCALayer::drawLayerContents(CGContext*, WebCore::PlatformCALayer*, WTF::Vector<WebCore::FloatRect, 5ul, WTF::CrashOnOverflow>&) + 329 (PlatformCALayerMac.mm:1061)
39  com.apple.WebCore             	0x000000010c0e3187 WebCore::TileGrid::platformCALayerPaintContents(WebCore::PlatformCALayer*, WebCore::GraphicsContext&, WebCore::FloatRect const&) + 167 (TileGrid.cpp:677)
40  com.apple.WebCore             	0x000000010c163d9c -[WebSimpleLayer drawInContext:] + 172 (WebLayer.mm:129)

Cf. https://build.webkit.org/results/Apple%20Yosemite%20Release%20WK2%20(Tests)/r181553%20(3625)/fast/images/animated-png-crash-log.txt
Comment 1 Chris Dumez 2015-03-16 09:33:19 PDT
The crash seems to occur on Yosemite only so I skipped the test for now in:
<http://trac.webkit.org/changeset/181557>
Comment 2 Carlos Garcia Campos 2015-03-16 09:35:59 PDT
Hmm, Mac EWS was green. I wouldn't say this is a regression: r181553 added a new test that crashes on Mac, but the code introduced in that revision is not used by Mac, right? So whatever causes the crash was already there before r181553, but the new test revealed it.
Comment 3 Chris Dumez 2015-03-16 09:37:17 PDT
(In reply to comment #2)
> hmm, mac EWS was green. I wouldn't say this is a regression, r181553 added a
> new test that crashes in mac, but the code introduced in that revision is
> not used by mac, right? So whatever causes the crash was already there
> before r181553, but the new test revealed it.

EWS is running Mavericks, I believe, and the crash seems to happen on Yosemite only.
Comment 4 Carlos Garcia Campos 2015-03-16 09:41:03 PDT
(In reply to comment #3)
> (In reply to comment #2)
> > hmm, mac EWS was green. I wouldn't say this is a regression, r181553 added a
> > new test that crashes in mac, but the code introduced in that revision is
> > not used by mac, right? So whatever causes the crash was already there
> > before r181553, but the new test revealed it.
> 
> EWS is running Mavericks I believe and the crash seems to happen on Yosemite
> only.

aha, that makes sense :-)
Comment 5 Alexey Proskuryakov 2015-03-16 09:42:21 PDT
This test also fails on some bots, as opposed to crashing. Perhaps we should skip it?
Comment 6 Chris Dumez 2015-03-16 09:42:44 PDT
This may be a bug in the ImageIO framework, specific to APNG, as it crashes in copyImageBlockSetAPNG().
Comment 7 Chris Dumez 2015-03-16 09:45:09 PDT
(In reply to comment #5)
> This test also fails on some bots, as opposed to crashing. Perhaps we should
> skip it?

Alexey is right; it only crashes on Yosemite WK2. On Yosemite WK1, we get the following image diff:
https://build.webkit.org/results/Apple%20Yosemite%20Debug%20WK1%20(Tests)/r181556%20(2993)/fast/images/animated-png-diffs.html

I'll update the TestExpectations accordingly.
Comment 8 Chris Dumez 2015-03-16 09:48:27 PDT
Updated Mac TestExpectations in <http://trac.webkit.org/changeset/181559>.
Comment 9 Simon Fraser (smfr) 2015-03-16 10:03:17 PDT
The crash may be rdar://problem/17490843
Comment 10 Alexey Proskuryakov 2015-03-17 22:34:55 PDT
> The crash may be rdar://problem/17490843

While that's possible, I'm not sure if that explains why crashing is WebKit2 only.

In the past, crashes of this sort were sometimes consequences of bugs in WebKit networking stack.

Also, I'm getting a somewhat different crash log on OS X 10.10.2:

Thread 6 Crashed:
0   com.apple.vImage              	0x00007fff881a526a sConvert_Planar1toPlanar8 + 122
1   com.apple.vImage              	0x00007fff8836a344 Convert1To8Bit + 212
2   com.apple.vImage              	0x00007fff883651e0 AnyToAnyBlock + 1392
3   com.apple.vImage              	0x00007fff883649a3 vImageConvert_AnyToAny + 2003
4   com.apple.ImageIO.framework   	0x00007fff8d997989 vImageExpandProc + 409
5   com.apple.ImageIO.framework   	0x00007fff8d9bbcbd copyImageBlockSetAPNG + 4908
6   com.apple.ImageIO.framework   	0x00007fff8d98b9c2 ImageProviderCopyImageBlockSetCallback + 581
7   com.apple.CoreGraphics        	0x00007fff857b590d img_blocks_create + 651
8   com.apple.CoreGraphics        	0x00007fff85768956 img_data_lock + 2073
9   com.apple.CoreGraphics        	0x00007fff857670de CGSImageDataLock + 151
10  libRIP.A.dylib                	0x00007fff8968d2d2 ripc_AcquireImage + 906
11  libRIP.A.dylib                	0x00007fff8968bdf5 ripc_DrawImage + 1037
12  com.apple.CoreGraphics        	0x00007fff85766c97 CGContextDrawImage + 457
13  com.apple.QuartzCore          	0x00007fff8d8bac0d CA::CG::ImageDelegate::draw(CGContext*) const + 375
14  com.apple.QuartzCore          	0x00007fff8d8b7adb CA::CG::MosaicBitmapDelegate::read(unsigned int, CA::Bounds const&, unsigned char*, long) const + 195
15  com.apple.QuartzCore          	0x00007fff8d8ce2ca CA::OGL::Mosaic::draw(CA::OGL::Context&, unsigned int, unsigned int, CA::OGL::Mosaic::Key const*, int, int, bool, CA::OGL::Mosaic::Delegate const&) + 1240
16  com.apple.QuartzCore          	0x00007fff8d8bb8e8 CA::CG::fill_image(CA::CG::Renderer&, CGImage*, CA::Rect const&, CA::Mat2<double> const&, bool, bool, CGInterpolationQuality, CA::Bounds const*) + 2287
17  com.apple.QuartzCore          	0x00007fff8d8bc18f CA::CG::DrawImage::draw_image(CA::CG::Renderer&, bool) const + 109
18  com.apple.QuartzCore          	0x00007fff8d8b8022 CA::CG::DrawOp::render(CA::CG::Renderer&) const + 1172
19  com.apple.QuartzCore          	0x00007fff8d8c9e8c CA::CG::Queue::render_callback(void*) + 332
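An added triage helper, not part of this bug or of WebKit: it parses the two crash traces quoted above (constructed here as abridged excerpts of the page's frame lines) in Apple's crash-report frame format and reports the frames both crashed threads pass through, so the innermost shared frame shows where the WK2 trace and the 10.10.2 trace converge before the crash is attributed to the ImageIO APNG decoder.

```python
import re
from collections import namedtuple
from typing import List, Optional
# Constructed, abridged excerpts of the two crash traces quoted in this bug
# (frame lines copied from the page, with intermediate frames dropped).
WK2_YOSEMITE = """\
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.ImageIO.framework   \t0x00007fff83d7b4d7 ImageIO_ExpandIndex_1Bit_to_8Bit + 200
1   com.apple.ImageIO.framework   \t0x00007fff83d93cbd copyImageBlockSetAPNG + 4908
2   com.apple.ImageIO.framework   \t0x00007fff83d639c2 ImageProviderCopyImageBlockSetCallback + 581
3   com.apple.CoreGraphics        \t0x00007fff8ac2490d img_blocks_create + 651
9   com.apple.CoreGraphics        \t0x00007fff8abd5c97 CGContextDrawImage + 457
"""
OSX_10_10_2 = """\
Thread 6 Crashed:
0   com.apple.vImage              \t0x00007fff881a526a sConvert_Planar1toPlanar8 + 122
4   com.apple.ImageIO.framework   \t0x00007fff8d997989 vImageExpandProc + 409
5   com.apple.ImageIO.framework   \t0x00007fff8d9bbcbd copyImageBlockSetAPNG + 4908
6   com.apple.ImageIO.framework   \t0x00007fff8d98b9c2 ImageProviderCopyImageBlockSetCallback + 581
7   com.apple.CoreGraphics        \t0x00007fff857b590d img_blocks_create + 651
12  com.apple.CoreGraphics        \t0x00007fff85766c97 CGContextDrawImage + 457
"""

Frame = namedtuple("Frame", "depth image symbol offset")
# Apple crash-report frame: "<depth> <image> <addr> <symbol> + <offset> [(file:line)]"
FRAME_RE = re.compile(r"^(\d+)\s+(\S+)\s+0x[0-9a-f]+\s+(.+?)\s+\+\s+(\d+)(?:\s+\(.*\))?$")
def crashed_thread_frames(log: str) -> List[Frame]:
    """Frames of the thread marked 'Crashed', innermost first; [] if none."""
    frames = []
    in_crashed = False
    for line in log.splitlines():
        if re.match(r"^Thread \d+ Crashed", line):
            in_crashed = True
        elif in_crashed:
            m = FRAME_RE.match(line)
            if not m:
                break  # first non-frame line ends the crashed thread's stack
            frames.append(Frame(int(m.group(1)), m.group(2), m.group(3), int(m.group(4))))
    return frames

def shared_frames(a: str, b: str) -> List[Frame]:
    """Frames (same image and symbol) that both crashed threads pass through."""
    in_b = {(f.image, f.symbol) for f in crashed_thread_frames(b)}
    return [f for f in crashed_thread_frames(a) if (f.image, f.symbol) in in_b]

def convergence_frame(a: str, b: str) -> Optional[Frame]:
    """Innermost shared frame: where the two differing crashes converge."""
    shared = shared_frames(a, b)
    return shared[0] if shared else None
```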
Comment 11 Alexey Proskuryakov 2015-03-17 22:36:47 PDT
This is not a recent regression; this test crashes in shipping Safari (8.0.3).
Comment 12 Alexey Proskuryakov 2015-03-17 22:40:05 PDT
Further tweaked test expectations in http://trac.webkit.org/r181684.