Bug 158150 - big images crash UIWebView after CA::Render::create_image_by_copying
Summary: big images crash UIWebView after CA::Render::create_image_by_copying
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: Images
Version: Other
Hardware: iPhone / iPad iOS 9.3
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-05-27 04:31 PDT by Daniel
Modified: 2016-06-20 16:22 PDT
CC: 2 users

See Also:


Attachments
A sample project to reproduce the crash. (13.11 MB, application/octet-stream)
2016-05-27 04:32 PDT, Daniel

Description Daniel 2016-05-27 04:31:50 PDT
Clicking a link to a big size (big enough) image in UIWebView leads to an OOM crash.
I didn't find a way to recover by freeing the web view from didReceiveMemoryWarning.
In some cases didReceiveMemoryWarning is not even called.

A sample project with a big image is attached.
Start it on a device with 1 GB RAM, and you'll probably get a crash.

Debugging this in Instruments (with the Allocations template) shows 2 related call stacks.

Stack 1 (inverted):
  22 libsystem_pthread.dylib  948.78 MB     start_wqthread
  21 libsystem_pthread.dylib  948.78 MB     _pthread_wqthread
  20 libdispatch.dylib  948.78 MB     _dispatch_worker_thread3
  19 libdispatch.dylib  948.78 MB     _dispatch_root_queue_drain
  18 libdispatch.dylib  948.23 MB     _dispatch_queue_invoke
  17 libdispatch.dylib  948.23 MB     _dispatch_queue_drain
  16 libdispatch.dylib  948.22 MB     _dispatch_client_callout
  15 QuartzCore  948.15 MB     CA::CG::Queue::render_callback(void*)
  14 libdispatch.dylib  948.15 MB     _dispatch_sync_f_invoke
  13 libdispatch.dylib  948.15 MB     _dispatch_client_callout
  12 QuartzCore  948.15 MB     CA::CG::Queue::parallel_render_callback(void*)
  11 QuartzCore  948.15 MB     CA::CG::DrawOp::render(CA::CG::Renderer&) const
  10 QuartzCore  948.14 MB     CA::CG::DrawImage::draw_image(CA::CG::Renderer&, bool) const
   9 QuartzCore  948.14 MB     CA::CG::fill_image(CA::CG::Renderer&, CGImage*, CA::Rect const&, CA::Mat2<double> const&, bool, bool, CGInterpolationQuality, CA::Bounds const*)
   8 QuartzCore  948.14 MB     CA::Render::copy_image(CGImage*, CGColorSpace*, unsigned int, double)
   7 QuartzCore  948.14 MB     CA::Render::create_image(CGImage*, CGColorSpace*, unsigned int)
   6 QuartzCore  948.13 MB     CA::Render::(anonymous namespace)::create_image_by_copying(unsigned int, unsigned int, CGColorSpace*, CGDataProvider*, void const*, unsigned long, unsigned int, unsigned int)
   5 CoreGraphics  475.20 MB     imageProvider_getBytes
   4 CoreGraphics  475.20 MB     CGImageProviderCopyImageBlockSet
   3 ImageIO  475.20 MB     ImageProviderCopyImageBlockSetCallback
   2 ImageIO  475.20 MB     copyImageBlockSetAppleJPEG
   1 ImageIO  473.00 MB     ImageIO_Malloc
   0 libsystem_kernel.dylib  472.95 MB     mmap

Stack 2 (inverted):
  18 libsystem_pthread.dylib  948.78 MB     start_wqthread
  17 libsystem_pthread.dylib  948.78 MB     _pthread_wqthread
  16 libdispatch.dylib  948.78 MB     _dispatch_worker_thread3
  15 libdispatch.dylib  948.78 MB     _dispatch_root_queue_drain
  14 libdispatch.dylib  948.23 MB     _dispatch_queue_invoke
  13 libdispatch.dylib  948.23 MB     _dispatch_queue_drain
  12 libdispatch.dylib  948.22 MB     _dispatch_client_callout
  11 QuartzCore  948.15 MB     CA::CG::Queue::render_callback(void*)
  10 libdispatch.dylib  948.15 MB     _dispatch_sync_f_invoke
   9 libdispatch.dylib  948.15 MB     _dispatch_client_callout
   8 QuartzCore  948.15 MB     CA::CG::Queue::parallel_render_callback(void*)
   7 QuartzCore  948.15 MB     CA::CG::DrawOp::render(CA::CG::Renderer&) const
   6 QuartzCore  948.14 MB     CA::CG::DrawImage::draw_image(CA::CG::Renderer&, bool) const
   5 QuartzCore  948.14 MB     CA::CG::fill_image(CA::CG::Renderer&, CGImage*, CA::Rect const&, CA::Mat2<double> const&, bool, bool, CGInterpolationQuality, CA::Bounds const*)
   4 QuartzCore  948.14 MB     CA::Render::copy_image(CGImage*, CGColorSpace*, unsigned int, double)
   3 QuartzCore  948.14 MB     CA::Render::create_image(CGImage*, CGColorSpace*, unsigned int)
   2 QuartzCore  948.13 MB     CA::Render::(anonymous namespace)::create_image_by_copying(unsigned int, unsigned int, CGColorSpace*, CGDataProvider*, void const*, unsigned long, unsigned int, unsigned int)
   1 QuartzCore  472.94 MB     CA::Render::aligned_malloc(unsigned long, void**)
   0 libsystem_kernel.dylib  472.94 MB     mmap
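The stacks above show the decoded bitmap (not the compressed file) being materialised in full: ImageIO's JPEG decoder allocates one copy and CA::Render::create_image_by_copying a second, so an image whose pixel count times bytes per pixel exceeds the device's memory budget is fatal before any memory warning can arrive. The check a defender wants is therefore on the decoded size, read from the image header before any decode starts. The following is an added example, not code from the bug report or from WebKit: it parses a JPEG's SOF segment to get the pixel dimensions, estimates the decoded RGBA footprint, and refuses the image when that exceeds a budget. The hypothetical `make_test_jpeg_header` builds a constructed header-only JPEG (no pixel data) purely to exercise the parser; the 1 GiB budget is an assumption standing in for the 1 GB device mentioned in the report.

```python
import struct

# JPEG start-of-frame markers carry the image dimensions. SOF0..SOF15 occupy
# 0xC0..0xCF, except that DHT (0xC4), JPG (0xC8) and DAC (0xCC) share the range.
_SOF_MARKERS = set(range(0xC0, 0xD0)) - {0xC4, 0xC8, 0xCC}


def jpeg_dimensions(data: bytes):
    """Return (width, height) from a JPEG's SOF header without decoding any pixels.
    Raises ValueError if the bytes are not a JPEG or contain no SOF segment."""
    if len(data) < 4 or data[0:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt marker structure at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                      # EOI reached before any SOF
            break
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:   # standalone markers, no length field
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (seg_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if seg_len < 2:
            raise ValueError("bad segment length")
        if marker in _SOF_MARKERS:
            if pos + 9 > len(data):
                raise ValueError("truncated SOF segment")
            # SOF payload: precision (1 byte), height (2 bytes), width (2 bytes), ...
            _precision, height, width = struct.unpack(">BHH", data[pos + 4:pos + 9])
            return width, height
        pos += 2 + seg_len                      # skip APPn, DQT, COM and other segments
    raise ValueError("no SOF segment found")


def decoded_size_bytes(width: int, height: int, bytes_per_pixel: int = 4) -> int:
    """Memory a fully decoded bitmap needs, assuming 8-bit RGBA (4 bytes/pixel).
    Note the stacks above show two such copies existing at once."""
    return width * height * bytes_per_pixel


def is_safe_to_decode(data: bytes, budget_bytes: int) -> bool:
    """Admit an image only if its decoded bitmap fits the caller's memory budget."""
    width, height = jpeg_dimensions(data)
    return decoded_size_bytes(width, height) <= budget_bytes


def make_test_jpeg_header(width: int, height: int) -> bytes:
    """Constructed test input (hypothetical helper, not a real image): SOI, a JFIF
    APP0 segment, a minimal SOF0 with three components, and EOI. No scan data."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sof = struct.pack(">BHHB", 8, height, width, 3) + bytes(
        [1, 0x22, 0, 2, 0x11, 1, 3, 0x11, 1])
    return (b"\xff\xd8"
            + b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
            + b"\xff\xc0" + struct.pack(">H", len(sof) + 2) + sof
            + b"\xff\xd9")


if __name__ == "__main__":
    ONE_GIB = 1 << 30     # assumed budget for a 1 GB device
    small = make_test_jpeg_header(640, 480)
    big = make_test_jpeg_header(20000, 15000)
    for name, img in (("small", small), ("big", big)):
        w, h = jpeg_dimensions(img)
        print(name, (w, h), decoded_size_bytes(w, h), "bytes decoded,",
              "ok" if is_safe_to_decode(img, ONE_GIB) else "REJECT")
```

On iOS the same header-only check is available without a hand-written parser: ImageIO's `CGImageSourceCopyPropertiesAtIndex` returns `kCGImagePropertyPixelWidth` and `kCGImagePropertyPixelHeight` from the container metadata, so a host app can inspect a download before handing the bytes to a web view, and `CGImageSourceCreateThumbnailAtIndex` with `kCGImageSourceThumbnailMaxPixelSize` can produce a downsampled bitmap instead of the full-size decode.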
Comment 1 Daniel 2016-05-27 04:32:39 PDT
Created attachment 279950 [details]
A sample project to reproduce the crash.
Comment 2 John Wilander 2016-06-14 15:17:00 PDT
This looks to me like a crasher that should be filed as a radar outside of WebKit's component tree.
Comment 3 Daniel 2016-06-20 01:24:05 PDT
Even if the root cause might be something else, I think that WebKit should do its checks and not allow this condition to happen.

Reported as rdar://26887676
Comment 4 John Wilander 2016-06-20 16:22:18 PDT
Thanks, Daniel!