Created attachment 105069 [details] Crashing test case On Mac OS X 10.7 there is a new crash in Accelerate.framework that can be triggered by a Canvas.getImageData call. The crash occurs in Safari 5.1 (7534.48.3), the current WebKit nightly, and Chromium on Mac OS X. All share Source/WebCore/platform/graphics/cg/ImageBufferDataCG.cpp and its use of Accelerate. The reproduction case is attached. It came from the Muon Baryon demo at http://www.bitsnbites.eu/?p=98 . The unpacked JavaScript source for this demo at http://muonbaryon.bitsnbites.eu/demo-unpacked.js is first run through the Closure compiler at http://closure-compiler.appspot.com/home . Then the CrunchMe tool at http://crunchme.bitsnbites.eu/ is run over it. CrunchMe encodes the source code as a PNG which is turned back into a string by drawing it into a Canvas and then calling Canvas.getImageData(). It seems that the PNG CrunchMe produces somehow generates out-of-range pixels (alpha = 0 and r, g, or b > 0) that cause a divide by zero during the alpha unmultiplication step which is accelerated by vImageUnpremultiplyData_RGBA8888. The crash report contains the following: ===== Crashed Thread: 0 Dispatch queue: com.apple.main-thread Exception Type: EXC_ARITHMETIC (SIGFPE) Exception Codes: EXC_I386_DIV (divide by zero) Application Specific Information: objc[1790]: garbage collection is OFF Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.vImage 0x00007fff9600deac vImageUnpremultiplyData_RGBA8888 + 508 1 com.apple.WebCore 0x00007fff8e047b7f WebCore::ImageBufferData::getData(WebCore::IntRect const&, WebCore::IntSize const&, bool, bool) const + 915 2 com.apple.WebCore 0x00007fff8e0477d1 WebCore::ImageBuffer::getUnmultipliedImageData(WebCore::IntRect const&) const + 79 3 com.apple.WebCore 0x00007fff8e047610 WebCore::CanvasRenderingContext2D::getImageData(float, float, float, float, int&) const + 434 4 com.apple.WebCore 0x00007fff8e04740d WebCore::jsCanvasRenderingContext2DPrototypeFunctionGetImageData(JSC::ExecState*) + 877 5 ??? 0x000028f17be001e8 0 + 45017630507496 6 com.apple.JavaScriptCore 0x00007fff8a75f4dd JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1053 7 com.apple.JavaScriptCore 0x00007fff8a75f0ad JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 45 8 com.apple.WebCore 0x00007fff8decdf2f WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) + 941 9 com.apple.WebCore 0x00007fff8decdb04 WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul>&) + 494 10 com.apple.WebCore 0x00007fff8ddec893 WebCore::EventTarget::fireEventListeners(WebCore::Event*) + 85 11 com.apple.WebCore 0x00007fff8ddec980 WebCore::Node::handleLocalEvents(WebCore::Event*) + 180 12 com.apple.WebCore 0x00007fff8ddec004 WebCore::EventDispatcher::dispatchEvent(WTF::PassRefPtr<WebCore::Event>) + 832 13 com.apple.WebCore 0x00007fff8ddebc88 WebCore::EventDispatchMediator::dispatchEvent(WebCore::EventDispatcher*) const + 40 14 com.apple.WebCore 0x00007fff8ddebb89 WebCore::EventDispatcher::dispatchEvent(WebCore::Node*, WebCore::EventDispatchMediator const&) + 41 15 com.apple.WebCore 0x00007fff8ddebaf7 WebCore::Node::dispatchEvent(WTF::PassRefPtr<WebCore::Event>) + 55 16 com.apple.WebCore 0x00007fff8df65b90 WebCore::HTMLImageLoader::dispatchLoadEvent() + 250 ... ===== I'd appreciate it if someone at Apple could route this report to the appropriate team. I haven't had much luck getting bugs fixed through the bug reporter at developer.apple.com.