Bug 6286

Summary: Very large (~500MB) images cause reproducible Safari crash
Product: WebKit
Reporter: Brad Jones <odbug>
Component: Images
Assignee: Chris Brichford <chrisb>
Status: RESOLVED FIXED
Severity: Major
CC: alice.barraclough, ddkilzer, ian
Priority: P1
Keywords: HasReduction, InRadar
Version: 420+
Hardware: Mac
OS: OS X 10.4
URL: http://themis.asu.edu/featuresimg/vallesmosaic.png

Brad Jones
Reported 2005-12-29 09:43:58 PST
Attempting to load the above image causes Safari to crash every time. (I have some smaller (in bytes, not pixels) images which cause the same effect, and an image that is the same number of pixels but greyscale which does _not_ cause a crash, but they're unreleased at this time so I can't make them available. I will update the bug when they've been released.) Machine tested on: dual G4 1.42GHz, 2GB RAM, OSX 10.4.3, Safari 2.0.2.
Attachments
Sample (30.57 KB, text/plain) - 2005-12-29 09:59 PST, Geoffrey Garen - no flags
Proposed fix. (2.23 KB, patch) - 2007-02-07 16:10 PST, Chris Brichford - mjs: review-
Proposed fix. (2.44 KB, patch) - 2007-02-07 17:49 PST, Chris Brichford - no flags
Proposed fix. (2.23 KB, patch) - 2007-02-07 17:52 PST, Chris Brichford - sam: review-
Proposed fix. (2.32 KB, patch) - 2007-02-07 19:34 PST, Chris Brichford - no flags
Proposed fix. (2.33 KB, patch) - 2007-02-07 19:48 PST, Chris Brichford - no flags
Proposed fix. (2.33 KB, patch) - 2007-02-07 19:50 PST, Chris Brichford - no flags
Proposed fix. (2.31 KB, patch) - 2007-02-07 19:53 PST, Chris Brichford - no flags
Proposed fix. (2.29 KB, patch) - 2007-02-07 19:58 PST, Chris Brichford - beidson: review+
Geoffrey Garen
Comment 1 2005-12-29 09:58:43 PST
Does Safari actually crash, or just hang? I got a hang when I tested, but didn't wait around to see if it would crash. Sample attached.
Geoffrey Garen
Comment 2 2005-12-29 09:59:52 PST
Created attachment 5355 [details] Sample
Brad Jones
Comment 3 2005-12-29 11:09:27 PST
I get a crash (dump follows) on the dual G4. On my PowerBook (10.4.3, Safari 2.0.2, 1.33GHz G4, 768MB memory) I get a hang on attempting to load the image.

---- crash dump ----
Date/Time: 2005-12-29 12:04:35.226 -0700
OS Version: 10.4.3 (Build 8F46)
Report Version: 3

Command: Safari
Path: /Applications/Safari.app/Contents/MacOS/Safari
Parent: WindowServer [76]

Version: 2.0.2 (416.13)
Build Version: 1
Project Name: WebBrowser
Source Version: 4161300

PID: 2050
Thread: 0

Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_INVALID_ADDRESS (0x0001) at 0x074defff

Thread 0 Crashed:
0 <<00000000>> 0xffff8c5c __memcpy + 1212 (cpu_capabilities.h:189)
1 com.apple.WebKit 0x95981648 -[WebMainResourceClient addData:] + 64
2 com.apple.WebKit 0x95981588 -[WebBaseResourceHandleDelegate didReceiveData:lengthReceived:] + 68
3 com.apple.WebKit 0x959db930 -[WebMainResourceClient didReceiveData:lengthReceived:] + 136
4 com.apple.WebKit 0x95981524 -[WebBaseResourceHandleDelegate connection:didReceiveData:lengthReceived:] + 60
5 com.apple.Foundation 0x92910a64 -[NSURLConnection(NSURLConnectionInternal) _sendDidReceiveDataCallback] + 564
6 com.apple.Foundation 0x9290ef04 -[NSURLConnection(NSURLConnectionInternal) _sendCallbacks] + 488
7 com.apple.Foundation 0x9290eca0 _sendCallbacks + 156
8 com.apple.CoreFoundation 0x9075da68 __CFRunLoopDoSources0 + 384
9 com.apple.CoreFoundation 0x9075cf98 __CFRunLoopRun + 452
10 com.apple.CoreFoundation 0x9075ca18 CFRunLoopRunSpecific + 268
11 com.apple.HIToolbox 0x931861e0 RunCurrentEventLoopInMode + 264
12 com.apple.HIToolbox 0x93185874 ReceiveNextEventCommon + 380
13 com.apple.HIToolbox 0x931856e0 BlockUntilNextEventMatchingListInMode + 96
14 com.apple.AppKit 0x93683904 _DPSNextEvent + 384
15 com.apple.AppKit 0x936835c8 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 116
16 com.apple.Safari 0x00007910 0x1000 + 26896
17 com.apple.AppKit 0x9367fb0c -[NSApplication run] + 472
18 com.apple.AppKit 0x93770618 NSApplicationMain + 452
19 com.apple.Safari 0x0000307c 0x1000 + 8316
20 com.apple.Safari 0x00057758 0x1000 + 354136
Eric Seidel (no email)
Comment 4 2005-12-29 11:14:55 PST
I wonder if a malloc() could be failing, thus returning NULL. That NULL when passed to memcpy could cause such a crash.
Brad Jones
Comment 5 2006-03-30 10:34:19 PST
http://themis.asu.edu/featuresimg/vallesmosaic.png also displays the same problem, but is only ~500MB. (test.png, above, is an altered version of this image; I couldn't release the original image until it went public.) http://themis.asu.edu/featuresimg/valles_100m_9_v4.png is the same image, only greyscale instead of color and only 168MB; it does not cause the crash. I've reduced the size stated in the summary line based on the smaller image.
David Kilzer (:ddkilzer)
Comment 6 2006-03-30 14:10:14 PST
I tried opening both of these images with Firefox 1.5.0.1 on Win XP SP2, and received the following error message:
The image "http://URL/to/image.png" cannot be displayed, because it contains errors.
Could this be a problem with the images themselves?
http://www.mars.asu.edu/~bjones/test.png
http://themis.asu.edu/featuresimg/valles_100m_9_v4.png
David Kilzer (:ddkilzer)
Comment 7 2006-03-30 14:11:32 PST
(In reply to comment #6)
> I tried opening both of these images with Firefox 1.5.0.1 on Win XP SP2, [...]
In MSIE 6 on the same laptop, I simply get broken images for both URLs.
David Kilzer (:ddkilzer)
Comment 8 2006-03-30 14:15:13 PST
(In reply to comment #7)
> (In reply to comment #6)
> > I tried opening both of these images with Firefox 1.5.0.1 on Win XP SP2, [...]
> In MSIE 6 on the same laptop, I simply get broken images for both URLs.
Or perhaps these browsers are being realistic since the 168MB image will take over 1 hour to download at 20-25Kb/s, and the 1.1GB image will take over 6 hours at the same rate!
Brad Jones
Comment 9 2006-03-30 14:20:57 PST
Interesting. I'm also getting the 'contains errors' message for test.png and the greyscale image. However, the vallesmosaic.png file does load properly in Firefox 1.5.0.1/OSX. (I can't test on IE/Win at the moment, because I suspect trying to load this thing under VirtualPC would cause my machine to die screaming.) I'll see if I can get corrected versions of the other two; for now, I've updated the URL listed to point to the one image that does seem to be correct.
Brad Jones
Comment 10 2006-03-30 14:38:54 PST
Also worth noting: valles_100m_9_v4.png _works_ in Safari, but not Firefox. (Trying to get a version that Firefox can cope with now. Resaving the file from Photoshop doesn't appear to do it. Trying netpbm now.)
David Kilzer (:ddkilzer)
Comment 11 2006-03-30 15:25:09 PST
When I try to open valles_100m_9_v4.png in MSIE 6, Microsoft Photo Editor opens instead and prints this error message: Illegal image width. Is it possible that the width of the image is overflowing the width byte(s) for the PNG format? Or is something else going on?
Eric Seidel (no email)
Comment 12 2006-04-25 01:49:32 PDT
reproducible crashers are p1s
Alice Liu
Comment 13 2006-05-16 09:39:06 PDT
Chris Brichford
Comment 14 2007-02-07 11:58:43 PST
I'm working on this bug.
Chris Brichford
Comment 15 2007-02-07 12:15:02 PST
When I load the file off of local disk, it crashes in CachedImage::bufferData at memcpy(buffer.data() + oldSize, bytes, addedSize); buffer.data() is null. I suspect malloc failed, as someone theorized in a previous comment.
Chris Brichford
Comment 16 2007-02-07 14:02:35 PST
Malloc is returning null when asked to allocate 528970655 bytes. I'm using a local copy of vallesmosaic.png. Partial trace below:
#0 0x0054008f in WTF::fastMalloc at FastMalloc.cpp:88
#1 0x014d517c in WTF::VectorBuffer<char, 0ul>::allocateBuffer at Vector.h:248
#2 0x014d5220 in WTF::Vector<char, 0ul>::reserveCapacity at Vector.h:574
#3 0x014d52b4 in WTF::Vector<char, 0ul>::expandCapacity at Vector.h:531
#4 0x014d5322 in WTF::Vector<char, 0ul>::resize at Vector.h:560
#5 0x01106ef8 in WebCore::CachedImage::bufferData at CachedImage.cpp:173
#6 0x0128a5ad in WebCore::ImageTokenizer::writeRawData at ImageDocument.cpp:96
#7 0x013bb968 in WebCore::FrameLoader::write at FrameLoader.cpp:870
Chris Brichford
Comment 17 2007-02-07 16:10:36 PST
Created attachment 13019 [details] Proposed fix.
Attaching patch with proposed fix. In WebCore::CachedImage::bufferData (WebCore/loader/CachedImage.cpp), instead of just calling Vector<>::resize on the Vector<> in an Image:
1. Create a temporary Vector<> on the stack big enough for the new size.
2. Check that the new Vector<> successfully allocated its buffer.
3. Copy the old data into the temporary buffer.
4. Copy the new data into the temporary buffer.
5. Call Vector<>::swap to swap the temporary buffer with the buffer in the Image.
If we are unable to create the temporary Vector<>, call error() on the CachedImage, which results in a broken image icon being rendered. All the tests passed, release and debug builds. Seems to fix the bug in question.
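The failure path from comment 16 (the allocator returning NULL, then memcpy writing through it) and the five-step fix from comment 17, modelled as an added example that is not WebKit's code. CachedImageModel and loadInChunks are hypothetical names; the allocation limit stands in for fastMalloc giving up, so the error path can be exercised without a 500MB file.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <limits>
#include <new>
#include <string>
#include <utility>

// Hypothetical stand-in for WebCore::CachedImage (added example, not WebKit code).
// It owns the bytes received so far; error() plays the role of the real
// CachedImage::error(), which makes the page render a broken image icon.
class CachedImageModel {
public:
    // allocLimit simulates the allocator refusing a request, the way
    // WTF::fastMalloc returned NULL for the 528970655-byte request on the page.
    explicit CachedImageModel(std::size_t allocLimit) : m_allocLimit(allocLimit) {}
    ~CachedImageModel() { delete[] m_data; }
    CachedImageModel(const CachedImageModel&) = delete;
    CachedImageModel& operator=(const CachedImageModel&) = delete;

    // The unfixed pattern, for contrast (never executed here): grow in place and
    // memcpy without checking that the growth succeeded, so a failed allocation
    // hands memcpy a null destination, the __memcpy crash in the bug's backtrace.
    //
    //   buffer.resize(oldSize + addedSize);
    //   memcpy(buffer.data() + oldSize, bytes, addedSize);

    // Fixed bufferData, following the five steps listed in comment 17.
    bool bufferData(const char* bytes, std::size_t addedSize) {
        if (m_errored)
            return false;                // once broken, ignore further data
        if (addedSize == 0)
            return true;
        std::size_t oldSize = m_size;
        std::size_t newSize = oldSize + addedSize;
        // Check for overflow: a wrapped newSize would pass the allocation
        // and let the memcpy below run past the end of a tiny buffer.
        if (newSize < oldSize) {
            error();
            return false;
        }
        // 1. temporary buffer big enough for the new size
        // 2. check that the allocation actually succeeded
        char* temp = allocate(newSize);
        if (!temp) {
            error();
            return false;                // old data is left untouched
        }
        // 3. copy the old data, 4. append the new data
        if (oldSize)
            std::memcpy(temp, m_data, oldSize);
        std::memcpy(temp + oldSize, bytes, addedSize);
        // 5. swap the temporary in; the previous buffer is released afterwards
        std::swap(m_data, temp);
        m_size = newSize;
        delete[] temp;
        return true;
    }

    std::size_t size() const { return m_size; }
    bool errored() const { return m_errored; }
    std::string contents() const { return m_size ? std::string(m_data, m_size) : std::string(); }

private:
    char* allocate(std::size_t n) {
        if (n > m_allocLimit)
            return nullptr;              // simulated allocator failure
        return new (std::nothrow) char[n];
    }
    void error() { m_errored = true; }

    std::size_t m_allocLimit;
    char* m_data = nullptr;
    std::size_t m_size = 0;
    bool m_errored = false;
};

// Hypothetical driver standing in for FrameLoader::write -> ImageTokenizer::writeRawData
// from the trace in comment 16: the loader hands the image over in chunks, and each
// chunk grows the buffer again. Returns false as soon as the image is marked broken.
bool loadInChunks(CachedImageModel& image, const std::string& payload, std::size_t chunkSize) {
    for (std::size_t offset = 0; offset < payload.size(); offset += chunkSize) {
        std::size_t n = std::min(chunkSize, payload.size() - offset);
        if (!image.bufferData(payload.data() + offset, n))
            return false;
    }
    return true;
}

int main() {
    // Constructed payload: 25 bytes delivered 4 at a time to an image whose
    // "allocator" gives up above 10 bytes. The third growth (to 12 bytes) fails.
    CachedImageModel image(10);
    bool ok = loadInChunks(image, std::string(25, 'p'), 4);
    std::printf("loaded=%d bytes=%zu broken=%d\n", ok, image.size(), image.errored());
    return 0;
}
```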
Chris Brichford
Comment 18 2007-02-07 16:13:56 PST
Comment on attachment 13019 [details] Proposed fix. Flagging patch for review.
Maciej Stachowiak
Comment 19 2007-02-07 17:25:05 PST
Comment on attachment 13019 [details] Proposed fix.
The basic code change looks great! However, I suggest fixing the following technicalities:
1) This needs a ChangeLog entry.
2) There are some misplaced spaces; per our coding style, we don't use spaces inside the parens for if statements and function calls.
3) The comments seem longer than necessary; we usually just stick to brief comments explaining why something possibly mysterious is being done, rather than focusing on what the code is doing. Ideally the "what" part should be self-evident.
4) Single-line if conditions don't take braces, so for instance this:
+ if ( ! success )
+ {
+ error();
+ }
Should just be:
if (!success)
    error();
Chris Brichford
Comment 20 2007-02-07 17:49:41 PST
Created attachment 13029 [details] Proposed fix. Revised patch to conform with webkit.org style guidelines
Chris Brichford
Comment 21 2007-02-07 17:52:48 PST
Created attachment 13030 [details] Proposed fix. Fixing another style issue.
Chris Brichford
Comment 22 2007-02-07 17:53:33 PST
Comment on attachment 13029 [details] Proposed fix. Obsoleting previous patch.
Maciej Stachowiak
Comment 23 2007-02-07 18:12:40 PST
Looks great, but still has a few style issues:
+ if ( addedSize > 0 )
+ if ( newSize > oldSize )
+ if ( tempBufferBytes )
These shouldn't have spaces inside the parentheses. r- for the style technicality.
Sam Weinig
Comment 24 2007-02-07 18:15:48 PST
Comment on attachment 13030 [details] Proposed fix.
Hi, still a bunch of style issues. First, we do not use tabs at all, so please remove all the tabs you added to both the Changelog and CachedImage.cpp. Please add your email address to the Changelog:
+2007-02-07 Christopher Brichford <set EMAIL_ADDRESS environment variable>
We don't put spaces inside the parenthesis and we put the brace on the same line, so
+ if ( addedSize > 0 )
+ {
should be
+ if (addedSize > 0) {
same here
+ if ( newSize > oldSize )
+ {
and here
+ if ( tempBufferBytes )
+ {
Please put a space before the comment.
+ //Check for overflow
Sam Weinig
Comment 25 2007-02-07 18:17:10 PST
Oops, looks like Maciej got to it first.
Chris Brichford
Comment 26 2007-02-07 19:34:13 PST
Created attachment 13033 [details] Proposed fix. Removing more whitespace from patch converting tabs to 4 spaces.
Chris Brichford
Comment 27 2007-02-07 19:48:12 PST
Created attachment 13034 [details] Proposed fix. Removing tabs from ChangeLog.
Chris Brichford
Comment 28 2007-02-07 19:50:21 PST
Created attachment 13036 [details] Proposed fix. Fixing whitespace in ChangeLog.
Chris Brichford
Comment 29 2007-02-07 19:53:55 PST
Created attachment 13037 [details] Proposed fix. Adding my email address to the ChangeLog.
Chris Brichford
Comment 30 2007-02-07 19:58:59 PST
Created attachment 13038 [details] Proposed fix. Fixing braces on if statements.
Brady Eidson
Comment 31 2007-02-07 21:04:50 PST
Comment on attachment 13038 [details] Proposed fix. I think this one looks good! r=me For future reference, http://webkit.org/coding/coding-style.html is a pretty great resource in learning our style guidelines. And if we ever recc. a style that isn't mentioned, please submit a patch against it!
Brady Eidson
Comment 32 2007-02-07 21:05:43 PST
I don't have ToT available right now otherwise I'd submit this - any other committers are welcome to jump on it ;)
Mark Rowe (bdash)
Comment 33 2007-02-07 21:17:36 PST
Landed in r19491. I'm not sure what happened when creating the patch, but 'patch' claimed it was malformed on line 47. I applied the change manually and checked it against your diff and couldn't see the issue. Also note that your patch still had tabs used for indentation on two lines. Thanks for the patch!