Bug 74053 - [Chromium] Chrome: Crash Report - Stack Signature: `anonymous namespace'::do_free_with_callbac...
Summary: [Chromium] Chrome: Crash Report - Stack Signature: `anonymous namespace'::do_...
Status: RESOLVED WONTFIX
Alias: None
Product: WebKit
Classification: Unclassified
Component: Images
Version: 528+ (Nightly build)
Hardware: PC Windows 7
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-12-07 20:47 PST by Hironori Bono
Modified: 2013-04-12 07:33 PDT
CC List: 7 users

See Also:


Attachments
Speculative fix 1 (1.51 KB, patch)
2011-12-08 01:18 PST, Hironori Bono
no flags
Description Hironori Bono 2011-12-07 20:47:13 PST
(copied from http://crbug.com/99936)

Reported by project member dharani@google.com, Oct 11, 2011
http://crash/reportdetail?reportid=011703797f83a705

Product, Version	 Chrome ,  16.0.904.0
Stack Signature	 `anonymous namespace'::do_free_with_callback(void *,void (*)(void *))-396A05B
New Stack Signature	 `anonymous namespace'::do_free_with_callback(void *,void (*)(void *)) 5eca60fc_d8890956_0ff67efc_82ad85b9_9701dbd3
Report Time (UTC)	 2011/10/11 18:45:09, Tue
Uptime	 724538 ms
OS Name, Version	 Windows NT ,  6.1.7600
CPU Architecture, Info	 x86 ,  GenuineIntel family 6 model 23 stepping 10
channel	 canary
num-extensions	 0
num-switches	 6
plat	 Win32
ptype	 renderer
switch-1	 --lang=pt-BR
switch-2	 --enable-print-preview



Thread 0 *CRASHED* ( EXCEPTION_ACCESS_VIOLATION_READ @ 0x00e30c00 )

0x641c68fa	 [chrome.dll	 - tcmalloc.cc:1205	`anonymous namespace'::do_free_with_callback(void *,void (*)(void *))
0x65050181	 [chrome.dll	 - jmemmgr.c:1008	free_pool
0x6504f84d	 [chrome.dll	 - jcomapi.c:41	chromium_jpeg_abort
0x6504cb88	 [chrome.dll	 - jdapimin.c:393	chromium_jpeg_finish_decompress
0x64f7720b	 [chrome.dll	 - jpegimagedecoder.cpp:356	WebCore::JPEGImageReader::decode(WebCore::SharedBuffer const &,bool)
0x64f77586	 [chrome.dll	 - jpegimagedecoder.cpp:544	WebCore::JPEGImageDecoder::decode(bool)
0x64f77323	 [chrome.dll	 - jpegimagedecoder.cpp:455	WebCore::JPEGImageDecoder::frameBufferAtIndex(unsigned int)
0x64f42f0d	 [chrome.dll	 - imagesource.cpp:138	WebCore::ImageSource::createFrameAtIndex(unsigned int)
0x64f4c414	 [chrome.dll	 - bitmapimage.cpp:127	WebCore::BitmapImage::cacheFrame(unsigned int)
0x64f4c65e	 [chrome.dll	 - bitmapimage.cpp:248	WebCore::BitmapImage::frameAtIndex(unsigned int)
0x64f4c1b3	 [chrome.dll	 - bitmapimage.h:156	WebCore::BitmapImage::nativeImageForCurrentFrame()
0x64f6964f	 [chrome.dll	 - imageskia.cpp:415	WebCore::BitmapImage::draw(WebCore::GraphicsContext *,WebCore::FloatRect const &,WebCore::FloatRect const &,WebCore::ColorSpace,WebCore::CompositeOperator)
0x64f377c0	 [chrome.dll	 - graphicscontext.cpp:487	WebCore::GraphicsContext::drawImage(WebCore::Image *,WebCore::ColorSpace,WebCore::FloatRect const &,WebCore::FloatRect const &,WebCore::CompositeOperator,bool)
0x64f3762b	 [chrome.dll	 - graphicscontext.cpp:457	WebCore::GraphicsContext::drawImage(WebCore::Image *,WebCore::ColorSpace,WebCore::IntRect const &,WebCore::IntRect const &,WebCore::CompositeOperator,bool)
0x64f375ed	 [chrome.dll	 - graphicscontext.cpp:447	WebCore::GraphicsContext::drawImage(WebCore::Image *,WebCore::ColorSpace,WebCore::IntRect const &,WebCore::CompositeOperator,bool)
0x64dd0d2c	 [chrome.dll	 - renderimage.cpp:403	WebCore::RenderImage::paintIntoRect(WebCore::GraphicsContext *,WebCore::IntRect const &)
0x64dd0798	 [chrome.dll	 - renderimage.cpp:331	WebCore::RenderImage::paintReplaced(WebCore::PaintInfo &,WebCore::IntPoint const &)
0x64de3b22	 [chrome.dll	 - renderreplaced.cpp:152	WebCore::RenderReplaced::paint(WebCore::PaintInfo &,WebCore::IntPoint const &)
0x64dd0b46	 [chrome.dll	 - renderimage.cpp:337	WebCore::RenderImage::paint(WebCore::PaintInfo &,WebCore::IntPoint const &)
0x64dd3194	 [chrome.dll	 - inlinebox.cpp:231	WebCore::InlineBox::paint(WebCore::PaintInfo &,WebCore::IntPoint const &,int,int)
0x64dd58d6	 [chrome.dll	 - inlineflowbox.cpp:1061	WebCore::InlineFlowBox::paint(WebCore::PaintInfo &,WebCore::IntPoint const &,int,int)
0x64dd73b3	 [chrome.dll	 - rootinlinebox.cpp:197	WebCore::RootInlineBox::paint(WebCore::PaintInfo &,WebCore::IntPoint const &,int,int)
0x64db7691	 [chrome.dll	 - renderlineboxlist.cpp:262	WebCore::RenderLineBoxList::paint(WebCore::RenderBoxModelObject *,WebCore::PaintInfo &,WebCore::IntPoint const &)
0x64dac2fb	 [chrome.dll	 - renderblock.cpp:2460	WebCore::RenderBlock::paintContents(WebCore::PaintInfo &,WebCore::IntPoint const &)
0x64dac736	 [chrome.dll	 - renderblock.cpp:2575	WebCore::RenderBlock::paintObject(WebCore::PaintInfo &,WebCore::IntPoint const &)
0x64dabe7a	 [chrome.dll	 - renderblock.cpp:2347	WebCore::RenderBlock::paint(WebCore::PaintInfo &,WebCore::IntPoint const &)
0x64d7465d	 [chrome.dll	 - renderlayer.cpp:2795	WebCore::RenderLayer::paintLayer(WebCore::RenderLayer *,WebCore::GraphicsContext *,WebCore::IntRect const &,unsigned int,WebCore::RenderObject *,WebCore::RenderRegion *,WTF::HashMap<WebCore::OverlapTestRequestClient *,WebCore::IntRect,WTF::PtrHash<WebCore::OverlapTestRequestClient *>,WTF::HashTraits<WebCore::OverlapTestRequestClient *>,WTF::HashTraits<WebCore::IntRect> > *,unsigned int)
0x64d748ac	 [chrome.dll	 - renderlayer.cpp:2854	WebCore::RenderLayer::paintList(WTF::Vector<WebCore::RenderLayer *,0> *,WebCore::RenderLayer *,WebCore::GraphicsContext *,WebCore::IntRect const &,unsigned int,WebCore::RenderObject *,WebCore::RenderRegion *,WTF::HashMap<WebCore::OverlapTestRequestClient *,WebCore::IntRect,WTF::PtrHash<WebCore::OverlapTestRequestClient *>,WTF::HashTraits<WebCore::OverlapTestRequestClient *>,WTF::HashTraits<WebCore::IntRect> > *,unsigned int)
0x64d7475c	 [chrome.dll	 - renderlayer.cpp:2816	WebCore::RenderLayer::paintLayer(WebCore::RenderLayer *,WebCore::GraphicsContext *,WebCore::IntRect const &,unsigned int,WebCore::RenderObject *,WebCore::RenderRegion *,WTF::HashMap<WebCore::OverlapTestRequestClient *,WebCore::IntRect,WTF::PtrHash<WebCore::OverlapTestRequestClient *>,WTF::HashTraits<WebCore::OverlapTestRequestClient *>,WTF::HashTraits<WebCore::IntRect> > *,unsigned int)
0x64d748ac	 [chrome.dll	 - renderlayer.cpp:2854	WebCore::RenderLayer::paintList(WTF::Vector<WebCore::RenderLayer *,0> *,WebCore::RenderLayer *,WebCore::GraphicsContext *,WebCore::IntRect const &,unsigned int,WebCore::RenderObject *,WebCore::RenderRegion *,WTF::HashMap<WebCore::OverlapTestRequestClient *,WebCore::IntRect,WTF::PtrHash<WebCore::OverlapTestRequestClient *>,WTF::HashTraits<WebCore::OverlapTestRequestClient *>,WTF::HashTraits<WebCore::IntRect> > *,unsigned int)
...... (10 stack frames dropped.)
0x6474e4c0	 [chrome.dll	 - render_widget.cc:675	RenderWidget::InvalidationCallback()
0x647502c6	 [chrome.dll	 - task.h:349	RunnableMethod<RenderWidget,void ( RenderWidget::*)(void),Tuple0>::Run()
0x642ec5e6	 [chrome.dll	 - task.cc:71	base::subtle::TaskClosureAdapter::Run()
0x642e5545	 [chrome.dll	 - message_loop.cc:481	MessageLoop::RunTask(MessageLoop::PendingTask const &)
0x642e55b1	 [chrome.dll	 - message_loop.cc:497	MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const &)
0x642e5937	 [chrome.dll	 - message_loop.cc:687	MessageLoop::DoWork()
0x642fe0fc	 [chrome.dll	 - message_pump_default.cc:50	base::MessagePumpDefault::Run(base::MessagePump::Delegate *)
0x642e546e	 [chrome.dll	 - message_loop.cc:444	MessageLoop::RunInternal()
0x642e53f3	 [chrome.dll	 - message_loop.cc:417	MessageLoop::RunHandler()
0x642e5385	 [chrome.dll	 - message_loop.cc:341	MessageLoop::Run()
0x64731521	 [chrome.dll	 - renderer_main.cc:228	RendererMain(MainFunctionParams const &)
0x64306d0c	 [chrome.dll	 - content_main.cc:252	`anonymous namespace'::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,MainFunctionParams const &,content::ContentMainDelegate *)
0x643070a2	 [chrome.dll	 - content_main.cc:442	content::ContentMain(HINSTANCE__ *,sandbox::SandboxInterfaceInfo *,content::ContentMainDelegate *)
0x641c2955	 [chrome.dll	 - chrome_main.cc:28	ChromeMain
0x00d21dea	 [chrome.exe	 - client_util.cc:346	MainDllLoader::Launch(HINSTANCE__ *,sandbox::SandboxInterfaceInfo *)
0x00d210c8	 [chrome.exe	 - chrome_exe_main_win.cc:36	wWinMain
0x00d7a1c7	 [chrome.exe	 - crt0.c:263	__tmainCRTStartup
0x76ee1113	 [kernel32.dll	 + 0x00051113]	BaseThreadInitThunk
0x7763b428	 [ntdll.dll	 + 0x0005b428]	__RtlUserThreadStart
0x7763b3fb	 [ntdll.dll	 + 0x0005b3fb]	_RtlUserThreadStart

Even though I cannot reproduce this crash on my PC, it seems Chrome crashes while freeing memory not allocated by tcmalloc. Since WebKit r96970 <http://trac.webkit.org/changeset/96970> attached an empty color profile when USE_ICCJPEG is not defined, does it cause this crash?

Regards,

Hironori Bono
Comment 1 Hironori Bono 2011-12-08 01:18:10 PST
Created attachment 118346 [details]
Speculative fix 1

Greetings,

Even though I cannot reproduce this issue, I have created a change that emulates the behavior before r96970. (This is the only change in the blame list.)

Regards,

Hironori Bono
Comment 2 Cary Clark 2011-12-08 04:55:33 PST
LGTM
Comment 3 Eric Seidel (no email) 2011-12-13 15:56:28 PST
Can we also catch this crash with some sort of ASSERT?
Comment 4 noel gordon 2012-01-02 06:37:48 PST
Fixed by http://trac.webkit.org/changeset/103648 ?
Comment 5 Hironori Bono 2012-01-05 02:20:46 PST
Greetings,

Thanks for your comments.
In brief, minidumps for this issue do not provide much information about possible reasons for this crash. Libjpeg uses its own memory manager to encapsulate malloc(), and this crash happens when libjpeg deletes memory allocated by its memory manager. I have uploaded my change just because WebKit r96970 is the most recent change before this issue started. I would like to see whether this crash still occurs in the next dev builds. (Fortunately, WebKit r103648 seems to cover my change.)

Regards,

Hironori Bono
E-mail: hbono@google.com
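The ownership check that comment 3 asks about and the memory-manager teardown that comment 5 describes, shown as an added example rather than code from this bug, from the attached patch, or from libjpeg's jmemmgr: a constructed pool allocator that wraps malloc(), tags every block it hands out, and refuses to release a pointer it does not own instead of passing it to the process allocator (the condition the crash report shows). All names here (pool_alloc, pool_free_one, pool_free_all, POOL_MAGIC) are assumptions for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Constructed tag stored in front of every block so the pool can tell
   its own allocations from foreign pointers before calling free(). */
#define POOL_MAGIC ((size_t)0x4A504547u)
#define MAX_BLOCKS 64

typedef struct {
    size_t magic;               /* POOL_MAGIC while the block is live */
} block_header;

typedef struct {
    void *blocks[MAX_BLOCKS];   /* user pointers this pool handed out */
    size_t count;
} pool;

/* Allocate from the underlying malloc, prefix a header, and record the
   user pointer so teardown can verify ownership of what it frees. */
void *pool_alloc(pool *p, size_t size)
{
    if (p->count >= MAX_BLOCKS)
        return NULL;
    block_header *h = malloc(sizeof *h + size);
    if (h == NULL)
        return NULL;
    h->magic = POOL_MAGIC;
    void *user = h + 1;
    p->blocks[p->count++] = user;
    return user;
}

/* True if ptr is a live block that this pool handed out. */
bool pool_owns(const pool *p, const void *ptr)
{
    for (size_t i = 0; i < p->count; i++)
        if (p->blocks[i] == ptr)
            return true;
    return false;
}

/* Returns 0 after freeing ptr, or -1 without touching it when ptr is
   not a live block of this pool. In a debug build the -1 path is where
   an ASSERT would fire instead of the pointer reaching the process
   allocator. */
int pool_free_one(pool *p, void *ptr)
{
    if (!pool_owns(p, ptr))
        return -1;
    block_header *h = (block_header *)ptr - 1;
    if (h->magic != POOL_MAGIC)
        return -1;              /* header overwritten */
    h->magic = 0;               /* poison before release */
    for (size_t i = 0; i < p->count; i++) {
        if (p->blocks[i] == ptr) {
            p->blocks[i] = p->blocks[--p->count];
            break;
        }
    }
    free(h);
    return 0;
}

/* Free every live block (the free_pool step); returns how many were
   released. */
size_t pool_free_all(pool *p)
{
    size_t released = 0;
    while (p->count > 0) {
        if (pool_free_one(p, p->blocks[p->count - 1]) == 0)
            released++;
        else
            p->count--;         /* drop a block with a damaged header */
    }
    return released;
}

/* Scenario: two pool blocks plus one from plain malloc, then a double
   free of a pool block. Returns 1 when the foreign pointer and the
   second free are both rejected and the remaining pool block is
   released by pool_free_all. */
int demo_mismatch_detected(void)
{
    pool p = {{0}, 0};
    void *a = pool_alloc(&p, 32);
    void *b = pool_alloc(&p, 64);
    void *foreign = malloc(16);     /* allocated outside the pool */
    if (a == NULL || b == NULL || foreign == NULL)
        return 0;
    int foreign_rejected = pool_free_one(&p, foreign) == -1;
    int first = pool_free_one(&p, a);
    int second = pool_free_one(&p, a);  /* no longer registered: -1 */
    size_t released = pool_free_all(&p);
    free(foreign);                  /* released by its own allocator */
    return foreign_rejected && first == 0 && second == -1 && released == 1;
}
```

The registry lookup is linear and the header carries only a magic value; a production memory manager would use a faster structure and also record the block size, but the point the thread raises survives either way: checking ownership before release turns a wild free inside the process allocator into a deterministic assertion at the memory manager boundary.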
Comment 6 Tony Chang 2012-03-01 13:18:27 PST
Do you still want this patch reviewed or is it obsolete now?
Comment 7 Hironori Bono 2012-03-01 18:18:59 PST
Greetings Tony,

Thanks for your interest.
Unfortunately, we still see this crash on our crash server. Even though I have cancelled this review request, I am investigating recent crashes and will upload a fix when I figure out possible solutions.

Regards,

Hironori Bono

(In reply to comment #6)
> Do you still want this patch reviewed or is it obsolete now?