Bug 170332

Summary: [GTK+] Crash in WebCore::ImageFrame::ImageFrame()
Product: WebKit Reporter: Miguel Gomez <magomez>
Component: WebKitGTKAssignee: Miguel Gomez <magomez>
Status: RESOLVED FIXED    
Severity: Normal CC: bugs-noreply, cgarcia, commit-queue, sabouhallawa, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
cgarcia: review+
Patch none

Miguel Gomez
Reported 2017-03-31 01:42:09 PDT
The web process is crashing when loading https://philip.html5.org/tests/apng/tests.html, which is a suite of png images and animations. The backtrace is #0 0x00000000012ecd93 in WebCore::ImageFrame::ImageFrame() () #1 0x00000000012eea14 in WebCore::ImageFrameCache::growFrames() () #2 0x00000000012f1087 in WebCore::ImageSource::dataChanged(WebCore::SharedBuffer*, bool) () #3 0x000000000113ffbc in WebCore::CachedImage::finishLoading(WebCore::SharedBuffer*) () #4 0x0000000001104742 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) () #5 0x00007f3d70309be6 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) () at /home/magomez/webkit/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #6 0x00007f3d7030994f in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) () at /home/magomez/webkit/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #7 0x00007f3d6ff9856b in IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >) () at /home/magomez/webkit/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #8 0x00007f3d6ff990d8 in IPC::Connection::dispatchOneMessage() () at /home/magomez/webkit/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #9 0x00007f3d6cdcc91d in WTF::RunLoop::performWork() () at /home/magomez/webkit/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18 #10 0x00007f3d6cdcb789 in WTF::RunLoop::RunLoop()::{lambda(void*)#1}::_FUN(void*) () at /home/magomez/webkit/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18 #11 0x00007f3d68401e52 in g_main_dispatch (context=0x1f95f00) at gmain.c:3203 #12 0x00007f3d68401e52 in g_main_context_dispatch (context=context@entry=0x1f95f00) at gmain.c:3856 #13 0x00007f3d684021d0 in g_main_context_iterate (context=0x1f95f00, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3929 #14 0x00007f3d684024f2 in g_main_loop_run (loop=0x20462d0) at gmain.c:4125 #15 0x00007f3d6cdcc050 in WTF::RunLoop::run() () at /home/magomez/webkit/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18 #16 0x00007f3d702c9cb9 in int WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain>(int, char**) () at /home/magomez/webkit/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #17 0x00007f3d62f46401 in __libc_start_main (main=0xa0c020 <main>, argc=2, argv=0x7fff6a2a5548, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fff6a2a5538) at ../csu/libc-start.c:289 #18 0x0000000000a0c1aa in _start () but I think that the problem is in the number of frames gotten from one of the animations.
Attachments
Patch (4.22 KB, patch)
2017-04-17 06:22 PDT, Miguel Gomez 		cgarcia: review+
DetailsFormatted DiffDiff
Patch (4.21 KB, patch)
2017-04-18 02:49 PDT, Miguel Gomez 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Miguel Gomez
Comment 1 2017-04-10 05:14:20 PDT
The problematic image is https://philip.html5.org/tests/apng/044.png, which belongs to a test that checks for invalid images. The rest reports 2 frames in its acTL segment, but then a single fdAT segment is found, meaning that there's only data from a single frame. ImageFrameCache::frameCount() initially reports 2 frames and ImageFrameCache::growFrames() is called to accomodate those 2 frames, but at some point ImageFrameCache::frameCount() starts returning 1 (I guess the decoder realizes there's no data for the second frame), and ImageFrameCache::growFrames() gets called again using a frameCount value smaller that the value it had, which causes the crash. There's an assertion ensuring that (m_frames.size() <= frameCount()) that gets triggered on debug mode warning about this.
Miguel Gomez
Comment 2 2017-04-17 06:22:30 PDT
Created attachment 307267 [details] Patch
Miguel Gomez
Comment 3 2017-04-18 02:49:00 PDT
Created attachment 307363 [details] Patch
WebKit Commit Bot
Comment 4 2017-04-18 04:54:57 PDT
Comment on attachment 307363 [details] Patch Clearing flags on attachment: 307363 Committed r215458: <http://trac.webkit.org/changeset/215458>
WebKit Commit Bot
Comment 5 2017-04-18 04:56:08 PDT
All reviewed patches have been landed. Closing bug.
Said Abou-Hallawa
Comment 6 2017-05-15 18:21:35 PDT
<rdar://problem/28905851>
Note You need to log in before you can comment on or make changes to this bug.