Bug 66892 - SIGFPE (divide by zero) in Accelerate.framework during Canvas.getImageData
Summary: SIGFPE (divide by zero) in Accelerate.framework during Canvas.getImageData
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: Canvas
Version: 528+ (Nightly build)
Hardware: Mac OS X 10.7
Importance: P2 Major
Assignee: Matthew Delaney
URL:
Keywords: InRadar
Duplicates: 68273
Depends on:
Blocks:
 
Reported: 2011-08-24 14:35 PDT by Kenneth Russell
Modified: 2011-09-16 13:32 PDT
CC List: 6 users

See Also:


Attachments
Crashing test case (7.28 KB, text/html)
2011-08-24 14:35 PDT, Kenneth Russell
System Profiler report from affected machine (3.09 MB, text/plain)
2011-08-24 16:49 PDT, Kenneth Russell

Description Kenneth Russell 2011-08-24 14:35:47 PDT
Created attachment 105069
Crashing test case

On Mac OS X 10.7 there is a new crash in Accelerate.framework that can be triggered by a Canvas.getImageData call. The crash occurs in Safari 5.1 (7534.48.3), the current WebKit nightly, and Chromium on Mac OS X. All share Source/WebCore/platform/graphics/cg/ImageBufferDataCG.cpp and its use of Accelerate.

The reproduction case is attached. It came from the Muon Baryon demo at http://www.bitsnbites.eu/?p=98 .

The unpacked JavaScript source for this demo at http://muonbaryon.bitsnbites.eu/demo-unpacked.js is first run through the Closure compiler at http://closure-compiler.appspot.com/home . Then the CrunchMe tool at http://crunchme.bitsnbites.eu/ is run over it. CrunchMe encodes the source code as a PNG which is turned back into a string by drawing it into a Canvas and then calling Canvas.getImageData(). It seems that the PNG CrunchMe produces somehow generates out-of-range pixels (alpha = 0 and r, g, or b > 0) that cause a divide by zero during the alpha unmultiplication step which is accelerated by vImageUnpremultiplyData_RGBA8888.

The crash report contains the following:

=====

Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Exception Type:  EXC_ARITHMETIC (SIGFPE)
Exception Codes: EXC_I386_DIV (divide by zero)

Application Specific Information:
objc[1790]: garbage collection is OFF

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.vImage              	0x00007fff9600deac vImageUnpremultiplyData_RGBA8888 + 508
1   com.apple.WebCore             	0x00007fff8e047b7f WebCore::ImageBufferData::getData(WebCore::IntRect const&, WebCore::IntSize const&, bool, bool) const + 915
2   com.apple.WebCore             	0x00007fff8e0477d1 WebCore::ImageBuffer::getUnmultipliedImageData(WebCore::IntRect const&) const + 79
3   com.apple.WebCore             	0x00007fff8e047610 WebCore::CanvasRenderingContext2D::getImageData(float, float, float, float, int&) const + 434
4   com.apple.WebCore             	0x00007fff8e04740d WebCore::jsCanvasRenderingContext2DPrototypeFunctionGetImageData(JSC::ExecState*) + 877
5   ???                           	0x000028f17be001e8 0 + 45017630507496
6   com.apple.JavaScriptCore      	0x00007fff8a75f4dd JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1053
7   com.apple.JavaScriptCore      	0x00007fff8a75f0ad JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 45
8   com.apple.WebCore             	0x00007fff8decdf2f WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) + 941
9   com.apple.WebCore             	0x00007fff8decdb04 WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul>&) + 494
10  com.apple.WebCore             	0x00007fff8ddec893 WebCore::EventTarget::fireEventListeners(WebCore::Event*) + 85
11  com.apple.WebCore             	0x00007fff8ddec980 WebCore::Node::handleLocalEvents(WebCore::Event*) + 180
12  com.apple.WebCore             	0x00007fff8ddec004 WebCore::EventDispatcher::dispatchEvent(WTF::PassRefPtr<WebCore::Event>) + 832
13  com.apple.WebCore             	0x00007fff8ddebc88 WebCore::EventDispatchMediator::dispatchEvent(WebCore::EventDispatcher*) const + 40
14  com.apple.WebCore             	0x00007fff8ddebb89 WebCore::EventDispatcher::dispatchEvent(WebCore::Node*, WebCore::EventDispatchMediator const&) + 41
15  com.apple.WebCore             	0x00007fff8ddebaf7 WebCore::Node::dispatchEvent(WTF::PassRefPtr<WebCore::Event>) + 55
16  com.apple.WebCore             	0x00007fff8df65b90 WebCore::HTMLImageLoader::dispatchLoadEvent() + 250
...
=====

I'd appreciate it if someone at Apple could route this report to the appropriate team. I haven't had much luck getting bugs fixed through the bug reporter at developer.apple.com.
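The failure mode the report describes is a divide by zero in the alpha-unmultiply step when a premultiplied pixel carries alpha = 0 together with a non-zero colour channel. The following C program is an added illustration and is not code from WebKit, vImage, or the reporter; it assumes the usual RGBA8888 byte layout and the standard straight = premultiplied * 255 / alpha formula, and every function name in it is made up for this example. It shows a buffer check that flags the out-of-range pixels, and a guarded unpremultiply that treats alpha = 0 as transparent black instead of dividing by it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One RGBA8888 pixel as held in a premultiplied-alpha backing store.
 * Hypothetical layout for this example only. */
typedef struct { uint8_t r, g, b, a; } rgba8;

/* Count pixels that break the premultiplied invariant (every colour channel
 * <= alpha). Alpha == 0 with any colour > 0 is the case the report blames for
 * the SIGFPE; a caller can use this to reject or sanitise data before handing
 * it to a fast path that divides by alpha. */
size_t count_out_of_range(const rgba8 *px, size_t n) {
    size_t bad = 0;
    for (size_t i = 0; i < n; i++) {
        if (px[i].r > px[i].a || px[i].g > px[i].a || px[i].b > px[i].a)
            bad++;
    }
    return bad;
}

/* Unpremultiply one channel: round(c * 255 / a), clamped to 255 so that an
 * out-of-range channel (c > a) cannot wrap. Caller guarantees a != 0. */
static uint8_t unpremul_channel(uint8_t c, uint8_t a) {
    unsigned v = ((unsigned)c * 255u + a / 2u) / a;  /* rounded integer divide */
    return v > 255u ? 255u : (uint8_t)v;
}

/* Guarded in-place unpremultiply. Pixels with alpha == 0 are written as
 * transparent black and never divided; all others are converted and clamped.
 * Returns how many alpha == 0 pixels were rewritten. */
size_t unpremultiply_guarded(rgba8 *px, size_t n) {
    size_t zeroed = 0;
    for (size_t i = 0; i < n; i++) {
        if (px[i].a == 0) {                 /* the divide-by-zero case */
            px[i].r = px[i].g = px[i].b = 0;
            zeroed++;
            continue;
        }
        px[i].r = unpremul_channel(px[i].r, px[i].a);
        px[i].g = unpremul_channel(px[i].g, px[i].a);
        px[i].b = unpremul_channel(px[i].b, px[i].a);
    }
    return zeroed;
}

/* Constructed sample: a valid 50%-alpha pixel, transparent black, and the
 * malformed alpha == 0 / red == 255 pixel from the report's description. */
const rgba8 sample_input[3] = {
    {128, 64, 0, 128},
    {0, 0, 0, 0},
    {255, 0, 0, 0},
};
rgba8 sample_output[3];

/* Run the guarded routine over a private copy of the sample, leaving the
 * result in sample_output, and return the number of alpha == 0 pixels. */
size_t run_sample(void) {
    memcpy(sample_output, sample_input, sizeof sample_output);
    return unpremultiply_guarded(sample_output, 3);
}

int main(void) {
    printf("out-of-range pixels in sample: %zu\n",
           count_out_of_range(sample_input, 3));
    size_t zeroed = run_sample();
    printf("alpha==0 pixels rewritten: %zu\n", zeroed);
    for (size_t i = 0; i < 3; i++)
        printf("pixel %zu -> r=%u g=%u b=%u a=%u\n", i,
               sample_output[i].r, sample_output[i].g,
               sample_output[i].b, sample_output[i].a);
    return 0;
}
```

For the valid pixel the conversion gives r = 255, g = 128 (128 * 255 / 128 and 64 * 255 / 128, rounded); the malformed pixel comes out as transparent black rather than trapping. Whether a browser should zero such pixels or leave the colour channels alone is a rendering-policy choice; the point here is only that the alpha == 0 branch must exist before any division by alpha.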
Comment 1 Radar WebKit Bug Importer 2011-08-24 14:42:12 PDT
<rdar://problem/10017969>
Comment 2 Matthew Delaney 2011-08-24 16:28:44 PDT
On OSX 10.7, neither Safari, Chrome, nor a ToT build of WebKit crash for me...
Comment 3 Kenneth Russell 2011-08-24 16:49:52 PDT
Created attachment 105095
System Profiler report from affected machine
Comment 4 Kenneth Russell 2011-08-24 16:50:58 PDT
(In reply to comment #2)
> On OSX 10.7, neither Safari, Chrome, nor a ToT build of WebKit crash for me...

It crashes 100% of the time on the Lion laptop I have in the office running 10.7.1. Attached the System Profiler report from this machine. I'm sure it isn't machine specific because Gregg Tavares reported the same problem on his laptop. See http://crbug.com/92590 .
Comment 5 Matthew Delaney 2011-09-15 14:06:30 PDT
Thanks Ken, the system profile helped. It appears only certain configs of physical cores vs. virtual cores hit the bug, so it's unlikely that it affects many machines.

We may just have to avoid using this fast path until the bug is fixed, or perhaps just leave it. I'm not sure how to easily work around the issue at the moment.
Comment 6 Tim Horton 2011-09-16 13:32:22 PDT
*** Bug 68273 has been marked as a duplicate of this bug. ***