Bug 170332

Summary: [GTK+] Crash in WebCore::ImageFrame::ImageFrame()
Product: WebKit
Reporter: Miguel Gomez <magomez>
Component: WebKitGTK
Assignee: Miguel Gomez <magomez>
Status: RESOLVED FIXED
Severity: Normal
CC: bugs-noreply, cgarcia, commit-queue, sabouhallawa, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments:
  Patch (flags: cgarcia: review+)
  Patch (flags: none)

Description Miguel Gomez 2017-03-31 01:42:09 PDT
The web process is crashing when loading https://philip.html5.org/tests/apng/tests.html, which is a suite of png images and animations.

The backtrace is
#0  0x00000000012ecd93 in WebCore::ImageFrame::ImageFrame() ()
#1  0x00000000012eea14 in WebCore::ImageFrameCache::growFrames() ()
#2  0x00000000012f1087 in WebCore::ImageSource::dataChanged(WebCore::SharedBuffer*, bool) ()
#3  0x000000000113ffbc in WebCore::CachedImage::finishLoading(WebCore::SharedBuffer*) ()
#4  0x0000000001104742 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) ()
#5  0x00007f3d70309be6 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) () at /home/magomez/webkit/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#6  0x00007f3d7030994f in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) () at /home/magomez/webkit/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#7  0x00007f3d6ff9856b in IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >) () at /home/magomez/webkit/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#8  0x00007f3d6ff990d8 in IPC::Connection::dispatchOneMessage() () at /home/magomez/webkit/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#9  0x00007f3d6cdcc91d in WTF::RunLoop::performWork() () at /home/magomez/webkit/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#10 0x00007f3d6cdcb789 in WTF::RunLoop::RunLoop()::{lambda(void*)#1}::_FUN(void*) () at /home/magomez/webkit/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#11 0x00007f3d68401e52 in g_main_dispatch (context=0x1f95f00) at gmain.c:3203
#12 0x00007f3d68401e52 in g_main_context_dispatch (context=context@entry=0x1f95f00) at gmain.c:3856
#13 0x00007f3d684021d0 in g_main_context_iterate (context=0x1f95f00, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3929
#14 0x00007f3d684024f2 in g_main_loop_run (loop=0x20462d0) at gmain.c:4125
#15 0x00007f3d6cdcc050 in WTF::RunLoop::run() () at /home/magomez/webkit/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#16 0x00007f3d702c9cb9 in int WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain>(int, char**) () at /home/magomez/webkit/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#17 0x00007f3d62f46401 in __libc_start_main (main=0xa0c020 <main>, argc=2, argv=0x7fff6a2a5548, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fff6a2a5538) at ../csu/libc-start.c:289
#18 0x0000000000a0c1aa in _start ()

but I think that the problem is in the number of frames gotten from one of the animations.
Comment 1 Miguel Gomez 2017-04-10 05:14:20 PDT
The problematic image is https://philip.html5.org/tests/apng/044.png, which belongs to a test that checks for invalid images.

The test reports 2 frames in its acTL segment, but then a single fdAT segment is found, meaning that there's only data from a single frame. ImageFrameCache::frameCount() initially reports 2 frames and ImageFrameCache::growFrames() is called to accommodate those 2 frames, but at some point ImageFrameCache::frameCount() starts returning 1 (I guess the decoder realizes there's no data for the second frame), and ImageFrameCache::growFrames() gets called again using a frameCount value smaller than the value it had, which causes the crash. There's an assertion ensuring that (m_frames.size() <= frameCount()) that gets triggered in debug mode warning about this.
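Added example, not WebKit's code and not the patch attached to this bug: a small C++ model of the mismatch comment 1 describes. It walks a constructed APNG-like chunk sequence to compare the frame count the acTL chunk declares with the frames that actually carry data, and pairs that with a growFrames that refuses a count smaller than what it already holds instead of crashing. The chunk names and the m_frames.size() <= frameCount() invariant come from the comment; the function names, the sample bytes and the use of int as a stand-in for ImageFrame are assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

struct FrameCounts { uint32_t declared = 0; uint32_t present = 0; };
// Walk the chunks after the 8-byte signature: "declared" is acTL's num_frames, "present" counts
// frames that really carry data (an fcTL followed by IDAT/fdAT). CRCs are not checked here.
FrameCounts countApngFrames(const std::vector<uint8_t>& png) {
    auto be32 = [&](size_t o) { return (uint32_t(png[o]) << 24) | (uint32_t(png[o + 1]) << 16) | (uint32_t(png[o + 2]) << 8) | png[o + 3]; };
    FrameCounts c;
    bool pendingControl = false;   // fcTL seen, its image data not yet seen
    for (size_t off = 8; off + 12 <= png.size();) {   // 4 length + 4 type + 4 CRC minimum
        uint32_t len = be32(off);
        if (len > png.size() - off - 12) break;   // truncated chunk: stop instead of over-reading
        std::string type(png.begin() + off + 4, png.begin() + off + 8);
        if (type == "acTL" && len >= 4) c.declared = be32(off + 8);
        else if (type == "fcTL") pendingControl = true;
        else if ((type == "IDAT" || type == "fdAT") && pendingControl) { ++c.present; pendingControl = false; }
        off += 12 + len;
    }
    return c;
}
// The invariant from comment 1: the frame vector may grow to the decoder's count, but a smaller count is refused.
bool growFrames(std::vector<int>& frames, size_t frameCount) {   // int stands in for ImageFrame
    if (frameCount < frames.size()) return false;
    frames.resize(frameCount);
    return true;
}
// Constructed test data, not a real file: big-endian length, type, data, placeholder CRC.
static void appendChunk(std::vector<uint8_t>& out, const char* type, const std::vector<uint8_t>& data) {
    for (int s = 24; s >= 0; s -= 8) out.push_back(uint8_t(data.size() >> s));
    out.insert(out.end(), type, type + 4);
    out.insert(out.end(), data.begin(), data.end());
    out.insert(out.end(), {0, 0, 0, 0});
}
// Shaped like the case in comment 1: acTL says 2 frames, but only one frame carries data.
std::vector<uint8_t> sampleTruncatedApng() {
    std::vector<uint8_t> png{0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'};
    appendChunk(png, "acTL", {0, 0, 0, 2, 0, 0, 0, 0});   // num_frames = 2, num_plays = 0
    appendChunk(png, "fcTL", std::vector<uint8_t>(26, 0));
    appendChunk(png, "IDAT", {0});
    appendChunk(png, "fdAT", {0, 0, 0, 1, 0});   // fdAT with no fcTL of its own
    appendChunk(png, "IEND", {});
    return png;
}
// Growing to the declared count succeeds; the later, smaller present count is refused and the size is kept.
bool cacheRefusesShrink(const std::vector<uint8_t>& png) {
    FrameCounts c = countApngFrames(png);
    std::vector<int> frames;
    return growFrames(frames, c.declared) && !growFrames(frames, c.present) && frames.size() == c.declared;
}
```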
Comment 2 Miguel Gomez 2017-04-17 06:22:30 PDT
Created attachment 307267 [details]
Patch
Comment 3 Miguel Gomez 2017-04-18 02:49:00 PDT
Created attachment 307363 [details]
Patch
Comment 4 WebKit Commit Bot 2017-04-18 04:54:57 PDT
Comment on attachment 307363 [details]
Patch

Clearing flags on attachment: 307363

Committed r215458: <http://trac.webkit.org/changeset/215458>
Comment 5 WebKit Commit Bot 2017-04-18 04:56:08 PDT
All reviewed patches have been landed.  Closing bug.
Comment 6 Said Abou-Hallawa 2017-05-15 18:21:35 PDT
<rdar://problem/28905851>