Bug 74053

Summary: [Chromium] Chrome: Crash Report - Stack Signature: `anonymous namespace'::do_free_with_callbac...
Product: WebKit
Reporter: Hironori Bono <hbono>
Component: Images
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED WONTFIX
Severity: Normal
CC: abarth, caryclark, eric, noel.gordon, pkasting, schenney, tony
Priority: P2
Version: 528+ (Nightly build)
Hardware: PC
OS: Windows 7
Attachments:
Description Flags
Speculative fix 1 none

Hironori Bono
Reported 2011-12-07 20:47:13 PST
(copied from http://crbug.com/99936) Reported by project member dharani@google.com, Oct 11, 2011

http://crash/reportdetail?reportid=011703797f83a705
Product, Version: Chrome , 16.0.904.0
Stack Signature: `anonymous namespace'::do_free_with_callback(void *,void (*)(void *))-396A05B
New Stack Signature: `anonymous namespace'::do_free_with_callback(void *,void (*)(void *)) 5eca60fc_d8890956_0ff67efc_82ad85b9_9701dbd3
Report Time (UTC): 2011/10/11 18:45:09, Tue
Uptime: 724538 ms
OS Name, Version: Windows NT , 6.1.7600
CPU Architecture, Info: x86 , GenuineIntel family 6 model 23 stepping 10
channel: canary
num-extensions: 0
num-switches: 6
plat: Win32
ptype: renderer
switch-1: --lang=pt-BR
switch-2: --enable-print-preview

Thread 0 *CRASHED* ( EXCEPTION_ACCESS_VIOLATION_READ @ 0x00e30c00 )

0x641c68fa [chrome.dll - tcmalloc.cc:1205 `anonymous namespace'::do_free_with_callback(void *,void (*)(void *))
0x65050181 [chrome.dll - jmemmgr.c:1008 free_pool
0x6504f84d [chrome.dll - jcomapi.c:41 chromium_jpeg_abort
0x6504cb88 [chrome.dll - jdapimin.c:393 chromium_jpeg_finish_decompress
0x64f7720b [chrome.dll - jpegimagedecoder.cpp:356 WebCore::JPEGImageReader::decode(WebCore::SharedBuffer const &,bool)
0x64f77586 [chrome.dll - jpegimagedecoder.cpp:544 WebCore::JPEGImageDecoder::decode(bool)
0x64f77323 [chrome.dll - jpegimagedecoder.cpp:455 WebCore::JPEGImageDecoder::frameBufferAtIndex(unsigned int)
0x64f42f0d [chrome.dll - imagesource.cpp:138 WebCore::ImageSource::createFrameAtIndex(unsigned int)
0x64f4c414 [chrome.dll - bitmapimage.cpp:127 WebCore::BitmapImage::cacheFrame(unsigned int)
0x64f4c65e [chrome.dll - bitmapimage.cpp:248 WebCore::BitmapImage::frameAtIndex(unsigned int)
0x64f4c1b3 [chrome.dll - bitmapimage.h:156 WebCore::BitmapImage::nativeImageForCurrentFrame()
0x64f6964f [chrome.dll - imageskia.cpp:415 WebCore::BitmapImage::draw(WebCore::GraphicsContext *,WebCore::FloatRect const &,WebCore::FloatRect const &,WebCore::ColorSpace,WebCore::CompositeOperator)
0x64f377c0 [chrome.dll - graphicscontext.cpp:487 WebCore::GraphicsContext::drawImage(WebCore::Image *,WebCore::ColorSpace,WebCore::FloatRect const &,WebCore::FloatRect const &,WebCore::CompositeOperator,bool)
0x64f3762b [chrome.dll - graphicscontext.cpp:457 WebCore::GraphicsContext::drawImage(WebCore::Image *,WebCore::ColorSpace,WebCore::IntRect const &,WebCore::IntRect const &,WebCore::CompositeOperator,bool)
0x64f375ed [chrome.dll - graphicscontext.cpp:447 WebCore::GraphicsContext::drawImage(WebCore::Image *,WebCore::ColorSpace,WebCore::IntRect const &,WebCore::CompositeOperator,bool)
0x64dd0d2c [chrome.dll - renderimage.cpp:403 WebCore::RenderImage::paintIntoRect(WebCore::GraphicsContext *,WebCore::IntRect const &)
0x64dd0798 [chrome.dll - renderimage.cpp:331 WebCore::RenderImage::paintReplaced(WebCore::PaintInfo &,WebCore::IntPoint const &)
0x64de3b22 [chrome.dll - renderreplaced.cpp:152 WebCore::RenderReplaced::paint(WebCore::PaintInfo &,WebCore::IntPoint const &)
0x64dd0b46 [chrome.dll - renderimage.cpp:337 WebCore::RenderImage::paint(WebCore::PaintInfo &,WebCore::IntPoint const &)
0x64dd3194 [chrome.dll - inlinebox.cpp:231 WebCore::InlineBox::paint(WebCore::PaintInfo &,WebCore::IntPoint const &,int,int)
0x64dd58d6 [chrome.dll - inlineflowbox.cpp:1061 WebCore::InlineFlowBox::paint(WebCore::PaintInfo &,WebCore::IntPoint const &,int,int)
0x64dd73b3 [chrome.dll - rootinlinebox.cpp:197 WebCore::RootInlineBox::paint(WebCore::PaintInfo &,WebCore::IntPoint const &,int,int)
0x64db7691 [chrome.dll - renderlineboxlist.cpp:262 WebCore::RenderLineBoxList::paint(WebCore::RenderBoxModelObject *,WebCore::PaintInfo &,WebCore::IntPoint const &)
0x64dac2fb [chrome.dll - renderblock.cpp:2460 WebCore::RenderBlock::paintContents(WebCore::PaintInfo &,WebCore::IntPoint const &)
0x64dac736 [chrome.dll - renderblock.cpp:2575 WebCore::RenderBlock::paintObject(WebCore::PaintInfo &,WebCore::IntPoint const &)
0x64dabe7a [chrome.dll - renderblock.cpp:2347 WebCore::RenderBlock::paint(WebCore::PaintInfo &,WebCore::IntPoint const &)
0x64d7465d [chrome.dll - renderlayer.cpp:2795 WebCore::RenderLayer::paintLayer(WebCore::RenderLayer *,WebCore::GraphicsContext *,WebCore::IntRect const &,unsigned int,WebCore::RenderObject *,WebCore::RenderRegion *,WTF::HashMap<WebCore::OverlapTestRequestClient *,WebCore::IntRect,WTF::PtrHash<WebCore::OverlapTestRequestClient *>,WTF::HashTraits<WebCore::OverlapTestRequestClient *>,WTF::HashTraits<WebCore::IntRect> > *,unsigned int)
0x64d748ac [chrome.dll - renderlayer.cpp:2854 WebCore::RenderLayer::paintList(WTF::Vector<WebCore::RenderLayer *,0> *,WebCore::RenderLayer *,WebCore::GraphicsContext *,WebCore::IntRect const &,unsigned int,WebCore::RenderObject *,WebCore::RenderRegion *,WTF::HashMap<WebCore::OverlapTestRequestClient *,WebCore::IntRect,WTF::PtrHash<WebCore::OverlapTestRequestClient *>,WTF::HashTraits<WebCore::OverlapTestRequestClient *>,WTF::HashTraits<WebCore::IntRect> > *,unsigned int)
0x64d7475c [chrome.dll - renderlayer.cpp:2816 WebCore::RenderLayer::paintLayer(WebCore::RenderLayer *,WebCore::GraphicsContext *,WebCore::IntRect const &,unsigned int,WebCore::RenderObject *,WebCore::RenderRegion *,WTF::HashMap<WebCore::OverlapTestRequestClient *,WebCore::IntRect,WTF::PtrHash<WebCore::OverlapTestRequestClient *>,WTF::HashTraits<WebCore::OverlapTestRequestClient *>,WTF::HashTraits<WebCore::IntRect> > *,unsigned int)
0x64d748ac [chrome.dll - renderlayer.cpp:2854 WebCore::RenderLayer::paintList(WTF::Vector<WebCore::RenderLayer *,0> *,WebCore::RenderLayer *,WebCore::GraphicsContext *,WebCore::IntRect const &,unsigned int,WebCore::RenderObject *,WebCore::RenderRegion *,WTF::HashMap<WebCore::OverlapTestRequestClient *,WebCore::IntRect,WTF::PtrHash<WebCore::OverlapTestRequestClient *>,WTF::HashTraits<WebCore::OverlapTestRequestClient *>,WTF::HashTraits<WebCore::IntRect> > *,unsigned int)
...... (10 stack frames dropped.)
0x6474e4c0 [chrome.dll - render_widget.cc:675 RenderWidget::InvalidationCallback()
0x647502c6 [chrome.dll - task.h:349 RunnableMethod<RenderWidget,void ( RenderWidget::*)(void),Tuple0>::Run()
0x642ec5e6 [chrome.dll - task.cc:71 base::subtle::TaskClosureAdapter::Run()
0x642e5545 [chrome.dll - message_loop.cc:481 MessageLoop::RunTask(MessageLoop::PendingTask const &)
0x642e55b1 [chrome.dll - message_loop.cc:497 MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const &)
0x642e5937 [chrome.dll - message_loop.cc:687 MessageLoop::DoWork()
0x642fe0fc [chrome.dll - message_pump_default.cc:50 base::MessagePumpDefault::Run(base::MessagePump::Delegate *)
0x642e546e [chrome.dll - message_loop.cc:444 MessageLoop::RunInternal()
0x642e53f3 [chrome.dll - message_loop.cc:417 MessageLoop::RunHandler()
0x642e5385 [chrome.dll - message_loop.cc:341 MessageLoop::Run()
0x64731521 [chrome.dll - renderer_main.cc:228 RendererMain(MainFunctionParams const &)
0x64306d0c [chrome.dll - content_main.cc:252 `anonymous namespace'::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,MainFunctionParams const &,content::ContentMainDelegate *)
0x643070a2 [chrome.dll - content_main.cc:442 content::ContentMain(HINSTANCE__ *,sandbox::SandboxInterfaceInfo *,content::ContentMainDelegate *)
0x641c2955 [chrome.dll - chrome_main.cc:28 ChromeMain
0x00d21dea [chrome.exe - client_util.cc:346 MainDllLoader::Launch(HINSTANCE__ *,sandbox::SandboxInterfaceInfo *)
0x00d210c8 [chrome.exe - chrome_exe_main_win.cc:36 wWinMain
0x00d7a1c7 [chrome.exe - crt0.c:263 __tmainCRTStartup
0x76ee1113 [kernel32.dll + 0x00051113] BaseThreadInitThunk
0x7763b428 [ntdll.dll + 0x0005b428] __RtlUserThreadStart
0x7763b3fb [ntdll.dll + 0x0005b3fb] _RtlUserThreadStart

Even though I cannot reproduce this crash on my PC, it seems Chrome crashes in freeing memory not allocated by tcmalloc. Since WebKit r96970 <http://trac.webkit.org/changeset/96970> attached an empty color profile when USE_ICCJPEG is not defined, could it be causing this crash?

Regards,
Hironori Bono
Attachments
Speculative fix 1 (1.51 KB, patch)
2011-12-08 01:18 PST, Hironori Bono
no flags
Hironori Bono
Comment 1 2011-12-08 01:18:10 PST
Created attachment 118346
Speculative fix 1

Greetings,

Even though I cannot reproduce this issue, I have created a change that emulates the behavior before r96970. (This is the only change in the blame list.)

Regards,
Hironori Bono
Cary Clark
Comment 2 2011-12-08 04:55:33 PST
LGTM
Eric Seidel (no email)
Comment 3 2011-12-13 15:56:28 PST
Can we also catch this crash with some sort of ASSERT?
noel gordon
Comment 4 2012-01-02 06:37:48 PST
Hironori Bono
Comment 5 2012-01-05 02:20:46 PST
Greetings,

Thanks for your comments. In brief, minidumps for this issue do not provide much information about possible reasons for this crash. Libjpeg uses its own memory manager to encapsulate malloc(), and this crash happens when libjpeg deletes memory allocated by its memory manager. I have uploaded my change just because WebKit r96970 is the most recent change before this issue started. I would like to see whether this crash still occurs in the next dev builds. (Fortunately, WebKit r103648 seems to cover my change.)

Regards,
Hironori Bono
E-mail: hbono@google.com
Tony Chang
Comment 6 2012-03-01 13:18:27 PST
Do you still want this patch reviewed or is it obsolete now?
Hironori Bono
Comment 7 2012-03-01 18:18:59 PST
(In reply to comment #6)
> Do you still want this patch reviewed or is it obsolete now?

Greetings Tony,

Thanks for your interest. Unfortunately, we still see this crash on our crash server. Even though I have cancelled this review request, I am investigating recent crashes and will upload a fix when I figure out possible solutions.

Regards,
Hironori Bono