WebKit Bugzilla, Bug 158150: big images crash UIWebView after CA::Render::create_image_by_copying
Status: NEW
https://bugs.webkit.org/show_bug.cgi?id=158150
Reported by Daniel, 2016-05-27 04:31:50 PDT
Clicking a link to a big size (big enough) image in UIWebView leads to an OOM crash. I didn't find a way to recover by freeing the web view from didReceiveMemoryWarning. In some cases didReceiveMemoryWarning is not even called. A sample project with a big image is attached. Start it on a device with 1 GB RAM, and you'll probably get a crash.

Debugging this in Instruments (with Allocations template) shows 2 related call stacks.

Stack 1 (inverted):
22 libsystem_pthread.dylib 948.78 MB start_wqthread
21 libsystem_pthread.dylib 948.78 MB _pthread_wqthread
20 libdispatch.dylib 948.78 MB _dispatch_worker_thread3
19 libdispatch.dylib 948.78 MB _dispatch_root_queue_drain
18 libdispatch.dylib 948.23 MB _dispatch_queue_invoke
17 libdispatch.dylib 948.23 MB _dispatch_queue_drain
16 libdispatch.dylib 948.22 MB _dispatch_client_callout
15 QuartzCore 948.15 MB CA::CG::Queue::render_callback(void*)
14 libdispatch.dylib 948.15 MB _dispatch_sync_f_invoke
13 libdispatch.dylib 948.15 MB _dispatch_client_callout
12 QuartzCore 948.15 MB CA::CG::Queue::parallel_render_callback(void*)
11 QuartzCore 948.15 MB CA::CG::DrawOp::render(CA::CG::Renderer&) const
10 QuartzCore 948.14 MB CA::CG::DrawImage::draw_image(CA::CG::Renderer&, bool) const
9 QuartzCore 948.14 MB CA::CG::fill_image(CA::CG::Renderer&, CGImage*, CA::Rect const&, CA::Mat2<double> const&, bool, bool, CGInterpolationQuality, CA::Bounds const*)
8 QuartzCore 948.14 MB CA::Render::copy_image(CGImage*, CGColorSpace*, unsigned int, double)
7 QuartzCore 948.14 MB CA::Render::create_image(CGImage*, CGColorSpace*, unsigned int)
6 QuartzCore 948.13 MB CA::Render::(anonymous namespace)::create_image_by_copying(unsigned int, unsigned int, CGColorSpace*, CGDataProvider*, void const*, unsigned long, unsigned int, unsigned int)
5 CoreGraphics 475.20 MB imageProvider_getBytes
4 CoreGraphics 475.20 MB CGImageProviderCopyImageBlockSet
3 ImageIO 475.20 MB ImageProviderCopyImageBlockSetCallback
2 ImageIO 475.20 MB copyImageBlockSetAppleJPEG
1 ImageIO 473.00 MB ImageIO_Malloc
0 libsystem_kernel.dylib 472.95 MB mmap

Stack 2 (inverted):
18 libsystem_pthread.dylib 948.78 MB start_wqthread
17 libsystem_pthread.dylib 948.78 MB _pthread_wqthread
16 libdispatch.dylib 948.78 MB _dispatch_worker_thread3
15 libdispatch.dylib 948.78 MB _dispatch_root_queue_drain
14 libdispatch.dylib 948.23 MB _dispatch_queue_invoke
13 libdispatch.dylib 948.23 MB _dispatch_queue_drain
12 libdispatch.dylib 948.22 MB _dispatch_client_callout
11 QuartzCore 948.15 MB CA::CG::Queue::render_callback(void*)
10 libdispatch.dylib 948.15 MB _dispatch_sync_f_invoke
9 libdispatch.dylib 948.15 MB _dispatch_client_callout
8 QuartzCore 948.15 MB CA::CG::Queue::parallel_render_callback(void*)
7 QuartzCore 948.15 MB CA::CG::DrawOp::render(CA::CG::Renderer&) const
6 QuartzCore 948.14 MB CA::CG::DrawImage::draw_image(CA::CG::Renderer&, bool) const
5 QuartzCore 948.14 MB CA::CG::fill_image(CA::CG::Renderer&, CGImage*, CA::Rect const&, CA::Mat2<double> const&, bool, bool, CGInterpolationQuality, CA::Bounds const*)
4 QuartzCore 948.14 MB CA::Render::copy_image(CGImage*, CGColorSpace*, unsigned int, double)
3 QuartzCore 948.14 MB CA::Render::create_image(CGImage*, CGColorSpace*, unsigned int)
2 QuartzCore 948.13 MB CA::Render::(anonymous namespace)::create_image_by_copying(unsigned int, unsigned int, CGColorSpace*, CGDataProvider*, void const*, unsigned long, unsigned int, unsigned int)
1 QuartzCore 472.94 MB CA::Render::aligned_malloc(unsigned long, void**)
0 libsystem_kernel.dylib 472.94 MB mmap
Attachments
A sample project to reproduce the crash. (13.11 MB, application/octet-stream), 2016-05-27 04:32 PDT, Daniel, no flags
Comment 1, Daniel, 2016-05-27 04:32:39 PDT
Created attachment 279950: A sample project to reproduce the crash.
Comment 2, John Wilander, 2016-06-14 15:17:00 PDT
This looks to me like a crasher that should be filed as a radar outside of WebKit's component tree.
Comment 3, Daniel, 2016-06-20 01:24:05 PDT
Even if the root cause might be something else, I think that WebKit should do its checks and not allow this condition to happen. Reported as rdar://26887676.
Comment 4, John Wilander, 2016-06-20 16:22:18 PDT
Thanks, Daniel!
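The report gives an app developer no recovery path once the web view starts decoding (didReceiveMemoryWarning may not fire), and Comment 3 asks for a size check. Until such a check exists in the engine, the practical mitigation is app-side: inspect the image header with ImageIO before handing the file to the web view and refuse (or downsample) anything whose decoded bitmap would blow the memory budget. The following is an added example written for this page; it is not code from the bug report, the attached sample project, or WebKit. The function name ImageFitsDecodeBudget, the 64 MB budget, the assumption of 4 bytes per decoded pixel, and the 2x safety factor (drawn from the two ~475 MB allocations visible in the Instruments stacks above) are all assumptions.

```objectivec
// Added example, not from the bug report or from WebKit.
// Reads only the image header via ImageIO (no pixel data is decoded) and
// reports whether the decoded bitmap is expected to fit a memory budget.
#import <Foundation/Foundation.h>
#import <ImageIO/ImageIO.h>
#include <limits.h>

// Assumed budget for the decoded image; tune per device class.
static const unsigned long long kMaxDecodedImageBytes = 64ULL * 1024 * 1024;

// Returns YES when the image at fileURL should decode within maxBytes,
// NO when it is too large or its header cannot be read (fail closed).
BOOL ImageFitsDecodeBudget(NSURL *fileURL, unsigned long long maxBytes) {
    CGImageSourceRef source = CGImageSourceCreateWithURL((__bridge CFURLRef)fileURL, NULL);
    if (source == NULL) {
        return NO;
    }
    // Copies metadata for image 0 only; this does not decode the bitmap.
    CFDictionaryRef cfProps = CGImageSourceCopyPropertiesAtIndex(source, 0, NULL);
    CFRelease(source);
    if (cfProps == NULL) {
        return NO;
    }
    NSDictionary *props = (__bridge_transfer NSDictionary *)cfProps;
    NSNumber *width = props[(__bridge NSString *)kCGImagePropertyPixelWidth];
    NSNumber *height = props[(__bridge NSString *)kCGImagePropertyPixelHeight];
    if (width == nil || height == nil) {
        return NO;
    }
    unsigned long long w = width.unsignedLongLongValue;
    unsigned long long h = height.unsignedLongLongValue;
    if (w == 0 || h == 0) {
        return NO;
    }
    // Assume 4 bytes per pixel for the decoded RGBA bitmap. The header is
    // untrusted input, so guard the multiplication against overflow rather
    // than letting a huge declared size wrap around to a small number.
    if (w > ULLONG_MAX / 4 || h > ULLONG_MAX / (w * 4)) {
        return NO;
    }
    unsigned long long decodedBytes = w * h * 4;
    // The Instruments stacks in the report show ~475 MB held by ImageIO and
    // ~948 MB total once CA::Render copies the image, i.e. roughly two full
    // copies alive at once. Budget for both (assumed 2x factor); dividing
    // maxBytes instead of doubling decodedBytes avoids another overflow.
    return decodedBytes <= maxBytes / 2;
}

// Hypothetical call site: check before the web view ever sees the file.
// if (ImageFitsDecodeBudget(imageURL, kMaxDecodedImageBytes)) {
//     [webView loadRequest:[NSURLRequest requestWithURL:imageURL]];
// } else {
//     // Show a downsampled preview or an error instead of loading the original.
// }
```

Because CGImageSourceCopyPropertiesAtIndex reads only the header, the check itself costs a few kilobytes regardless of how large the file is, which is the whole point: the decision is made before any allocation the app cannot recover from. Treat the declared dimensions as attacker-controlled input (hence the overflow guard and fail-closed defaults), and note that the 4 bytes-per-pixel and 2x factors are estimates taken from this report, not guarantees about how the engine will render a given format.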