RESOLVED WONTFIX 74053
[Chromium] Chrome: Crash Report - Stack Signature: `anonymous namespace'::do_free_with_callbac... 
https://bugs.webkit.org/show_bug.cgi?id=74053
Summary [Chromium] Chrome: Crash Report - Stack Signature: `anonymous namespace'::do_...
Hironori Bono
Reported 2011-12-07 20:47:13 PST
(copied from http://crbug.com/99936>) Reported by project member dharani@google.com, Oct 11, 2011 http://crash/reportdetail?reportid=011703797f83a705 Product, Version Chrome , 16.0.904.0 Stack Signature `anonymous namespace'::do_free_with_callback(void *,void (*)(void *))-396A05B New Stack Signature `anonymous namespace'::do_free_with_callback(void *,void (*)(void *)) 5eca60fc_d8890956_0ff67efc_82ad85b9_9701dbd3 Report Time (UTC) 2011/10/11 18:45:09, Tue Uptime 724538 ms OS Name, Version Windows NT , 6.1.7600 CPU Architecture, Info x86 , GenuineIntel family 6 model 23 stepping 10 channel canary num-extensions 0 num-switches 6 plat Win32 ptype renderer switch-1 --lang=pt-BR switch-2 --enable-print-preview Thread 0 *CRASHED* ( EXCEPTION_ACCESS_VIOLATION_READ @ 0x00e30c00 ) 0x641c68fa [chrome.dll - tcmalloc.cc:1205 `anonymous namespace'::do_free_with_callback(void *,void (*)(void *)) 0x65050181 [chrome.dll - jmemmgr.c:1008 free_pool 0x6504f84d [chrome.dll - jcomapi.c:41 chromium_jpeg_abort 0x6504cb88 [chrome.dll - jdapimin.c:393 chromium_jpeg_finish_decompress 0x64f7720b [chrome.dll - jpegimagedecoder.cpp:356 WebCore::JPEGImageReader::decode(WebCore::SharedBuffer const &,bool) 0x64f77586 [chrome.dll - jpegimagedecoder.cpp:544 WebCore::JPEGImageDecoder::decode(bool) 0x64f77323 [chrome.dll - jpegimagedecoder.cpp:455 WebCore::JPEGImageDecoder::frameBufferAtIndex(unsigned int) 0x64f42f0d [chrome.dll - imagesource.cpp:138 WebCore::ImageSource::createFrameAtIndex(unsigned int) 0x64f4c414 [chrome.dll - bitmapimage.cpp:127 WebCore::BitmapImage::cacheFrame(unsigned int) 0x64f4c65e [chrome.dll - bitmapimage.cpp:248 WebCore::BitmapImage::frameAtIndex(unsigned int) 0x64f4c1b3 [chrome.dll - bitmapimage.h:156 WebCore::BitmapImage::nativeImageForCurrentFrame() 0x64f6964f [chrome.dll - imageskia.cpp:415 WebCore::BitmapImage::draw(WebCore::GraphicsContext *,WebCore::FloatRect const &,WebCore::FloatRect const &,WebCore::ColorSpace,WebCore::CompositeOperator) 0x64f377c0 [chrome.dll - graphicscontext.cpp:487 WebCore::GraphicsContext::drawImage(WebCore::Image *,WebCore::ColorSpace,WebCore::FloatRect const &,WebCore::FloatRect const &,WebCore::CompositeOperator,bool) 0x64f3762b [chrome.dll - graphicscontext.cpp:457 WebCore::GraphicsContext::drawImage(WebCore::Image *,WebCore::ColorSpace,WebCore::IntRect const &,WebCore::IntRect const &,WebCore::CompositeOperator,bool) 0x64f375ed [chrome.dll - graphicscontext.cpp:447 WebCore::GraphicsContext::drawImage(WebCore::Image *,WebCore::ColorSpace,WebCore::IntRect const &,WebCore::CompositeOperator,bool) 0x64dd0d2c [chrome.dll - renderimage.cpp:403 WebCore::RenderImage::paintIntoRect(WebCore::GraphicsContext *,WebCore::IntRect const &) 0x64dd0798 [chrome.dll - renderimage.cpp:331 WebCore::RenderImage::paintReplaced(WebCore::PaintInfo &,WebCore::IntPoint const &) 0x64de3b22 [chrome.dll - renderreplaced.cpp:152 WebCore::RenderReplaced::paint(WebCore::PaintInfo &,WebCore::IntPoint const &) 0x64dd0b46 [chrome.dll - renderimage.cpp:337 WebCore::RenderImage::paint(WebCore::PaintInfo &,WebCore::IntPoint const &) 0x64dd3194 [chrome.dll - inlinebox.cpp:231 WebCore::InlineBox::paint(WebCore::PaintInfo &,WebCore::IntPoint const &,int,int) 0x64dd58d6 [chrome.dll - inlineflowbox.cpp:1061 WebCore::InlineFlowBox::paint(WebCore::PaintInfo &,WebCore::IntPoint const &,int,int) 0x64dd73b3 [chrome.dll - rootinlinebox.cpp:197 WebCore::RootInlineBox::paint(WebCore::PaintInfo &,WebCore::IntPoint const &,int,int) 0x64db7691 [chrome.dll - renderlineboxlist.cpp:262 WebCore::RenderLineBoxList::paint(WebCore::RenderBoxModelObject *,WebCore::PaintInfo &,WebCore::IntPoint const &) 0x64dac2fb [chrome.dll - renderblock.cpp:2460 WebCore::RenderBlock::paintContents(WebCore::PaintInfo &,WebCore::IntPoint const &) 0x64dac736 [chrome.dll - renderblock.cpp:2575 WebCore::RenderBlock::paintObject(WebCore::PaintInfo &,WebCore::IntPoint const &) 0x64dabe7a [chrome.dll - renderblock.cpp:2347 WebCore::RenderBlock::paint(WebCore::PaintInfo &,WebCore::IntPoint const &) 0x64d7465d [chrome.dll - renderlayer.cpp:2795 WebCore::RenderLayer::paintLayer(WebCore::RenderLayer *,WebCore::GraphicsContext *,WebCore::IntRect const &,unsigned int,WebCore::RenderObject *,WebCore::RenderRegion *,WTF::HashMap<WebCore::OverlapTestRequestClient *,WebCore::IntRect,WTF::PtrHash<WebCore::OverlapTestRequestClient *>,WTF::HashTraits<WebCore::OverlapTestRequestClient *>,WTF::HashTraits<WebCore::IntRect> > *,unsigned int) 0x64d748ac [chrome.dll - renderlayer.cpp:2854 WebCore::RenderLayer::paintList(WTF::Vector<WebCore::RenderLayer *,0> *,WebCore::RenderLayer *,WebCore::GraphicsContext *,WebCore::IntRect const &,unsigned int,WebCore::RenderObject *,WebCore::RenderRegion *,WTF::HashMap<WebCore::OverlapTestRequestClient *,WebCore::IntRect,WTF::PtrHash<WebCore::OverlapTestRequestClient *>,WTF::HashTraits<WebCore::OverlapTestRequestClient *>,WTF::HashTraits<WebCore::IntRect> > *,unsigned int) 0x64d7475c [chrome.dll - renderlayer.cpp:2816 WebCore::RenderLayer::paintLayer(WebCore::RenderLayer *,WebCore::GraphicsContext *,WebCore::IntRect const &,unsigned int,WebCore::RenderObject *,WebCore::RenderRegion *,WTF::HashMap<WebCore::OverlapTestRequestClient *,WebCore::IntRect,WTF::PtrHash<WebCore::OverlapTestRequestClient *>,WTF::HashTraits<WebCore::OverlapTestRequestClient *>,WTF::HashTraits<WebCore::IntRect> > *,unsigned int) 0x64d748ac [chrome.dll - renderlayer.cpp:2854 WebCore::RenderLayer::paintList(WTF::Vector<WebCore::RenderLayer *,0> *,WebCore::RenderLayer *,WebCore::GraphicsContext *,WebCore::IntRect const &,unsigned int,WebCore::RenderObject *,WebCore::RenderRegion *,WTF::HashMap<WebCore::OverlapTestRequestClient *,WebCore::IntRect,WTF::PtrHash<WebCore::OverlapTestRequestClient *>,WTF::HashTraits<WebCore::OverlapTestRequestClient *>,WTF::HashTraits<WebCore::IntRect> > *,unsigned int) ...... (10 stack frames dropped.) 0x6474e4c0 [chrome.dll - render_widget.cc:675 RenderWidget::InvalidationCallback() 0x647502c6 [chrome.dll - task.h:349 RunnableMethod<RenderWidget,void ( RenderWidget::*)(void),Tuple0>::Run() 0x642ec5e6 [chrome.dll - task.cc:71 base::subtle::TaskClosureAdapter::Run() 0x642e5545 [chrome.dll - message_loop.cc:481 MessageLoop::RunTask(MessageLoop::PendingTask const &) 0x642e55b1 [chrome.dll - message_loop.cc:497 MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const &) 0x642e5937 [chrome.dll - message_loop.cc:687 MessageLoop::DoWork() 0x642fe0fc [chrome.dll - message_pump_default.cc:50 base::MessagePumpDefault::Run(base::MessagePump::Delegate *) 0x642e546e [chrome.dll - message_loop.cc:444 MessageLoop::RunInternal() 0x642e53f3 [chrome.dll - message_loop.cc:417 MessageLoop::RunHandler() 0x642e5385 [chrome.dll - message_loop.cc:341 MessageLoop::Run() 0x64731521 [chrome.dll - renderer_main.cc:228 RendererMain(MainFunctionParams const &) 0x64306d0c [chrome.dll - content_main.cc:252 `anonymous namespace'::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,MainFunctionParams const &,content::ContentMainDelegate *) 0x643070a2 [chrome.dll - content_main.cc:442 content::ContentMain(HINSTANCE__ *,sandbox::SandboxInterfaceInfo *,content::ContentMainDelegate *) 0x641c2955 [chrome.dll - chrome_main.cc:28 ChromeMain 0x00d21dea [chrome.exe - client_util.cc:346 MainDllLoader::Launch(HINSTANCE__ *,sandbox::SandboxInterfaceInfo *) 0x00d210c8 [chrome.exe - chrome_exe_main_win.cc:36 wWinMain 0x00d7a1c7 [chrome.exe - crt0.c:263 __tmainCRTStartup 0x76ee1113 [kernel32.dll + 0x00051113] BaseThreadInitThunk 0x7763b428 [ntdll.dll + 0x0005b428] __RtlUserThreadStart 0x7763b3fb [ntdll.dll + 0x0005b3fb] _RtlUserThreadStart Even though I cannot reproduce this crash on my PC, it seems Chrome crashes in freeing memory not allocated by tcmalloc. Since WebKit r96970 <http://trac.webkit.org/changeset/96970> attached an empty color profile when USE_ICCJPEG is not defined, it causes this crash? Regards, Hironori Bono
Attachments
Speculative fix 1 (1.51 KB, patch)
2011-12-08 01:18 PST, Hironori Bono 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Hironori Bono
Comment 1 2011-12-08 01:18:10 PST
Created attachment 118346 [details] Speculative fix 1 Greetings, Even though I cannot reproduce this issue, I have created a change that emulates the behavior before r96970. (This is the only change in the blame list.) Regards, Hironori Bono
Cary Clark
Comment 2 2011-12-08 04:55:33 PST
LGTM
Eric Seidel (no email)
Comment 3 2011-12-13 15:56:28 PST
Can we also catch this crash with some sort of ASSERT?
noel gordon
Comment 4 2012-01-02 06:37:48 PST
Fixed by http://trac.webkit.org/changeset/103648 ?
Hironori Bono
Comment 5 2012-01-05 02:20:46 PST
Greetings, Thanks for your comments. In brief, minidumps for this issue do not provide much information about possible reasons of this crash. Libjpeg uses its own memory manager to encapsulate malloc() and this crash happens when libjpeg deletes memory allocated by its memory manager. I have uploaded my change just because WebKit r96970 is the most recent change before this issue started. I would like to see this crash still occurs in next dev builds. (Fortunately, WebKit r103648 seems to cover my change.) Regards, Hironori Bono E-mail: hbono@google.com
Tony Chang
Comment 6 2012-03-01 13:18:27 PST
Do you still want this patch reviewed or is it obsolete now?
Hironori Bono
Comment 7 2012-03-01 18:18:59 PST
Greetings Tony, Thanks for your interest. Unfortunately, we still see this crash on our crash server. Even though I have cancelled this review request, I investigate recent crashes and will upload a fix when I figure out possible solutions. Regards, Hironori Bono (In reply to comment #6) > Do you still want this patch reviewed or is it obsolete now?
Note You need to log in before you can comment on or make changes to this bug.