RESOLVED FIXED223843
Fix a crash caused by AVIF decoding failure 
https://bugs.webkit.org/show_bug.cgi?id=223843
Summary Fix a crash caused by AVIF decoding failure
ChangSeok Oh
Reported 2021-03-27 14:19:46 PDT
https://gif2avif.com/browser-test/ crashes where AVIF support is enabled. #0 0x00007fa33d834cf0 in WebCore::AVIFImageReader::imageCount() const () from target:/app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #1 0x00007fa33d834441 in WebCore::AVIFImageDecoder::tryDecodeSize(bool) () from target:/app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #2 0x00007fa33d813ef3 in WebCore::ScalableImageDecoder::setData(WebCore::SharedBuffer&, bool) () from target:/app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #3 0x00007fa33cfa765c in WebCore::ImageSource::dataChanged(WebCore::SharedBuffer*, bool) () from target:/app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #4 0x00007fa33cd07363 in WebCore::CachedImage::updateImageData(bool) () from target:/app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #5 0x00007fa33cd0d0e0 in WebCore::CachedImage::updateBufferInternal(WebCore::SharedBuffer&) () from target:/app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #6 0x00007fa33cd0d332 in WebCore::CachedImage::updateBuffer(WebCore::SharedBuffer&) () from target:/app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #7 0x00007fa33c9dfcad in WebCore::ImageDocumentParser::appendBytes(WebCore::DocumentWriter&, char const*, unsigned long) () from target:/app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #8 0x00007fa33b550696 in WebKit::WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader*, char const*, int) () from target:/app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #9 0x00007fa33cc527aa in WebCore::DocumentLoader::commitLoad(char const*, int) () from target:/app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #10 0x00007fa33cd1b6d8 in WebCore::CachedRawResource::notifyClientsDataWasReceived(char const*, unsigned int) [clone .part.0] () from target:/app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #11 0x00007fa33cd1bd5a in WebCore::CachedRawResource::updateBuffer(WebCore::SharedBuffer&) [clone .part.0] () from target:/app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #12 0x00007fa33ccd6c22 in WebCore::SubresourceLoader::didReceiveDataOrBuffer(char const*, int, WTF::RefPtr<WebCore::SharedBuffer, WTF::RawPtrTraits<WebCore::SharedBuffer>, WTF::DefaultRefDerefTraits<WebCore::Shar--Type <RET> for more, q to quit, c to continue without paging-- edBuffer> >&&, long long, WebCore::DataPayloadType) () from target:/app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #13 0x00007fa33ccd6dc5 in WebCore::SubresourceLoader::didReceiveData(char const*, unsigned int, long long, WebCore::DataPayloadType) () from target:/app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 Backtrace stopped: Cannot access memory at address 0x7fff96d4b698
Attachments
Patch (4.48 KB, patch)
2021-03-27 14:45 PDT, ChangSeok Oh 		no flags
DetailsFormatted DiffDiff
Patch (8.82 KB, patch)
2021-04-24 12:45 PDT, ChangSeok Oh 		no flags
DetailsFormatted DiffDiff
Patch (7.98 KB, patch)
2021-04-24 13:25 PDT, ChangSeok Oh 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
ChangSeok Oh
Comment 1 2021-03-27 14:45:30 PDT
Created attachment 424467 [details] Patch
Philippe Normand
Comment 2 2021-03-29 13:59:03 PDT
Comment on attachment 424467 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=424467&action=review > Source/WebCore/ChangeLog:14 > + No new tests since no functionality changed. I think a test ensuring we no longer crash when loading a specific file could still make sense. There's a few already for the video-as-img-tag scenario.
ChangSeok Oh
Comment 3 2021-03-30 07:37:48 PDT
Comment on attachment 424467 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=424467&action=review >> Source/WebCore/ChangeLog:14 >> + No new tests since no functionality changed. > > I think a test ensuring we no longer crash when loading a specific file could still make sense. There's a few already for the video-as-img-tag scenario. O.K. Let me look into if we can create a reliable test.
ChangSeok Oh
Comment 4 2021-04-02 13:32:26 PDT
The minimal test case that reproduces the crash is <iframe src='https://gif2avif.com/sample.avif'></iframe> However, the crash does not happen when the sample.avif is loaded from the local. <iframe src='sample.avif'></iframe> Is there a way to mimic a network delay in webkit test infrastructure?
ChangSeok Oh
Comment 5 2021-04-02 14:02:05 PDT
I found bug 194506. There was testRunner.setDefersLoading but it isn't for wk2 anymore.
ChangSeok Oh
Comment 6 2021-04-02 15:54:47 PDT
I could make a simplified test here. https://shivamidow.github.io/avif-crash.html But I don't know how to mimic it in the webkit test environment. It is hard to reproduce the crash because there is no way to reliably simulate the necessary network delay of the avif image transfer.
Philippe Normand
Comment 7 2021-04-03 10:22:10 PDT
One option could be to throttle the HTTP request? There´s a CGI script for videos: LayoutTests/http/tests/media/video-throttled-load.cgi Maybe a similar approach could be used?
Radar WebKit Bug Importer
Comment 8 2021-04-04 21:23:16 PDT
<rdar://problem/76205084>
Said Abou-Hallawa
Comment 9 2021-04-05 16:47:00 PDT
You may use LayoutTests/http/tests/images/resources/load-and-stall.php. It is used to mimic the network delay in many http layout tests.
ChangSeok Oh
Comment 10 2021-04-06 08:12:24 PDT
(In reply to Said Abou-Hallawa from comment #9) > You may use LayoutTests/http/tests/images/resources/load-and-stall.php. It > is used to mimic the network delay in many http layout tests. @Philippe and @Said, Thanks. Let me give a shot.
ChangSeok Oh
Comment 11 2021-04-24 12:45:45 PDT
Created attachment 426989 [details] Patch
ChangSeok Oh
Comment 12 2021-04-24 13:25:26 PDT
Created attachment 426990 [details] Patch
Philippe Normand
Comment 13 2021-04-25 08:28:38 PDT
Comment on attachment 426990 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=426990&action=review > LayoutTests/TestExpectations:125 > fast/images/avif-image-decoding.html [ Skip ] > fast/images/avif-as-image.html [ Skip ] > fast/images/animated-avif.html [ Skip ] > +http/tests/images/avif-partial-load-crash.html [ Skip ] Oh, I realize now I forgot to unskip these in the glib TestExpections! They should pass now that the avif decoder is enabled on the bots. Can you check it please? Either in this patch or a new one :)
ChangSeok Oh
Comment 14 2021-04-25 17:31:20 PDT
Comment on attachment 426990 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=426990&action=review Thanks! >> LayoutTests/TestExpectations:125 >> +http/tests/images/avif-partial-load-crash.html [ Skip ] > > Oh, I realize now I forgot to unskip these in the glib TestExpections! They should pass now that the avif decoder is enabled on the bots. Can you check it please? Either in this patch or a new one :) I will upload a separate patch to handle this.
EWS
Comment 15 2021-04-25 18:03:29 PDT
Committed r276578 (237014@main): <https://commits.webkit.org/237014@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 426990 [details].
Note You need to log in before you can comment on or make changes to this bug.