Closed
Bug 1183105
Opened 9 years ago
Closed 8 years ago
PNG: crash [@ Lock]
Categories
(Core :: Graphics: ImageLib, defect)
Tracking
RESOLVED
WORKSFORME
| Tracking | Status |
---|---|---|
firefox42 | --- | affected |
People
(Reporter: posidron, Unassigned)
Details
(Keywords: crash, testcase, Whiteboard: [gfx-noted])
Crash Data
Attachments
(2 files)
The following testcase crashes on mozilla-inbound-linux64-asan revision dc9d58b43abf (build with (buildFlags not available), run with ): See attachment.

Backtrace:

```
==2037==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7fb97804d602 sp 0x7fb959d56e20 bp 0x7fb959d56ee0 T25)
ASAN:SIGSEGV
==2037==AddressSanitizer: while reporting a bug found another one.Ignoring.
ASAN:SIGSEGV
==2037==AddressSanitizer: while reporting a bug found another one.Ignoring.
ASAN:SIGSEGV
==2037==AddressSanitizer: while reporting a bug found another one.Ignoring.
    #0 0x7fb97804d601 in Lock /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/image/../dist/include/mozilla/Mutex.h:69
    #1 0x7fb97804d601 in Lock /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/image/../dist/include/mozilla/Monitor.h:35
    #2 0x7fb97804d601 in MonitorAutoLock /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/image/../dist/include/mozilla/Monitor.h:78
    #3 0x7fb97804d601 in mozilla::image::imgFrame::Finish(mozilla::image::Opacity, mozilla::image::DisposalMethod, int, mozilla::image::BlendMethod) /builds/slave/m-in-l64-asan-0000000000000000/build/src/image/imgFrame.cpp:643
    #4 0x7fb978012978 in mozilla::image::Decoder::PostFrameStop(mozilla::image::Opacity, mozilla::image::DisposalMethod, int, mozilla::image::BlendMethod) /builds/slave/m-in-l64-asan-0000000000000000/build/src/image/Decoder.cpp:488
    #5 0x7fb97807bfed in EndImageFrame /builds/slave/m-in-l64-asan-0000000000000000/build/src/image/decoders/nsPNGDecoder.cpp:222
    #6 0x7fb97807bfed in mozilla::image::nsPNGDecoder::end_callback(png_struct_def*, png_info_def*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/image/decoders/nsPNGDecoder.cpp:878
    #7 0x7fb97da56077 in MOZ_PNG_push_have_end /builds/slave/m-in-l64-asan-0000000000000000/build/src/media/libpng/pngpread.c:1277
    #8 0x7fb97da56077 in MOZ_PNG_push_read_chunk /builds/slave/m-in-l64-asan-0000000000000000/build/src/media/libpng/pngpread.c:344
    #9 0x7fb97da547b3 in MOZ_PNG_proc_some_data /builds/slave/m-in-l64-asan-0000000000000000/build/src/media/libpng/pngpread.c:128
    #10 0x7fb97da547b3 in MOZ_PNG_process_data /builds/slave/m-in-l64-asan-0000000000000000/build/src/media/libpng/pngpread.c:47
    #11 0x7fb97807c527 in mozilla::image::nsPNGDecoder::WriteInternal(char const*, unsigned int) /builds/slave/m-in-l64-asan-0000000000000000/build/src/image/decoders/nsPNGDecoder.cpp:388
    #12 0x7fb97801278f in mozilla::image::Decoder::Write(char const*, unsigned int) /builds/slave/m-in-l64-asan-0000000000000000/build/src/image/Decoder.cpp:178
    #13 0x7fb97800fdde in mozilla::image::Decoder::Decode() /builds/slave/m-in-l64-asan-0000000000000000/build/src/image/Decoder.cpp:123
    #14 0x7fb97800f49a in mozilla::image::DecodePool::Decode(mozilla::image::Decoder*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/image/DecodePool.cpp:452
    #15 0x7fb9780318cc in mozilla::image::DecodePoolWorker::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/image/DecodePool.cpp:281
    #16 0x7fb9761580e7 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:867
    #17 0x7fb9761c679a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:277
    #18 0x7fb976a2a16f in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/glue/MessagePump.cpp:326
    #19 0x7fb9769b690c in RunInternal /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #20 0x7fb9769b690c in RunHandler /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #21 0x7fb9769b690c in MessageLoop::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #22 0x7fb976154571 in nsThread::ThreadFunc(void*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:360
    #23 0x7fb982ee3135 in _pt_root /builds/slave/m-in-l64-asan-0000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:212
    #24 0x7fb983521181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/image/../dist/include/mozilla/Mutex.h:69 Lock
Thread T25 (ImgDecoder #7) created by T0 (Web Content) here:
    #0 0x461815 in pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:175
    #1 0x7fb982edfabd in _PR_CreateThread /builds/slave/m-in-l64-asan-0000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:453
    #2 0x7fb982edf63a in PR_CreateThread /builds/slave/m-in-l64-asan-0000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:544
    #3 0x7fb976155b3d in nsThread::Init() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:470
    #4 0x7fb97615ba3e in nsThreadManager::NewThread(unsigned int, unsigned int, nsIThread**) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadManager.cpp:249
    #5 0x7fb9761c5a18 in NS_NewThread(nsIThread**, nsIRunnable*, unsigned int) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:68
    #6 0x7fb97800df91 in mozilla::image::DecodePool::DecodePool() /builds/slave/m-in-l64-asan-0000000000000000/build/src/image/DecodePool.cpp:354
    #7 0x7fb97800d79b in mozilla::image::DecodePool::Singleton() /builds/slave/m-in-l64-asan-0000000000000000/build/src/image/DecodePool.cpp:314
    #8 0x7fb97805e228 in mozilla::image::InitModule() /builds/slave/m-in-l64-asan-0000000000000000/build/src/image/build/nsImageModule.cpp:95
    #9 0x7fb97612f7ad in Load /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/components/nsComponentManager.cpp:886
    #10 0x7fb97612f7ad in nsFactoryEntry::GetFactory() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/components/nsComponentManager.cpp:1927
    #11 0x7fb976130a01 in nsComponentManagerImpl::CreateInstanceByContractID(char const*, nsISupports*, nsID const&, void**) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/components/nsComponentManager.cpp:1220
    #12 0x7fb97612807a in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/components/nsComponentManager.cpp:1579
    #13 0x7fb9761b5aa1 in CallGetService /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/glue/nsComponentManagerUtils.cpp:67
    #14 0x7fb9761b5aa1 in nsGetServiceByContractID::operator()(nsID const&, void**) const /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/glue/nsComponentManagerUtils.cpp:280
    #15 0x7fb9761aad66 in nsCOMPtr_base::assign_from_gs_contractid(nsGetServiceByContractID, nsID const&) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/glue/nsCOMPtr.cpp:103
    #16 0x7fb977ea9bf8 in nsCOMPtr /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/gfx/thebes/../../dist/include/nsCOMPtr.h:514
    #17 0x7fb977ea9bf8 in gfxPlatform::Init() /builds/slave/m-in-l64-asan-0000000000000000/build/src/gfx/thebes/gfxPlatform.cpp:560
    #18 0x7fb977ea7cf4 in gfxPlatform::GetPlatform() /builds/slave/m-in-l64-asan-0000000000000000/build/src/gfx/thebes/gfxPlatform.cpp:407
    #19 0x7fb977db07d5 in mozilla::layers::CompositorChild::Create(IPC::Channel*, int) /builds/slave/m-in-l64-asan-0000000000000000/build/src/gfx/layers/ipc/CompositorChild.cpp:143
    #20 0x7fb97713f93b in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/ipc/ipdl/./PContentChild.cpp:7219
    #21 0x7fb976a22652 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/glue/MessageChannel.cpp:1376
    #22 0x7fb976a200d2 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message const&) /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/glue/MessageChannel.cpp:1291
    #23 0x7fb976a13a22 in mozilla::ipc::MessageChannel::OnMaybeDequeueOne() /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/glue/MessageChannel.cpp:1262
    #24 0x7fb9769b7d84 in RunTask /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:364
    #25 0x7fb9769b7d84 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:372
    #26 0x7fb9769b8e37 in MessageLoop::DoWork() /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:459
    #27 0x7fb976a29ef5 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/glue/MessagePump.cpp:284
    #28 0x7fb9769b690c in RunInternal /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #29 0x7fb9769b690c in RunHandler /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #30 0x7fb9769b690c in MessageLoop::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #31 0x7fb97b691227 in nsBaseAppShell::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/widget/nsBaseAppShell.cpp:165
    #32 0x7fb97d4f4ca2 in XRE_RunAppShell /builds/slave/m-in-l64-asan-0000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:778
    #33 0x7fb9769b690c in RunInternal /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #34 0x7fb9769b690c in RunHandler /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #35 0x7fb9769b690c in MessageLoop::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #36 0x7fb97d4f4399 in XRE_InitChildProcess /builds/slave/m-in-l64-asan-0000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:614
    #37 0x48d632 in content_process_main(int, char**) /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/app/../contentproc/plugin-container.cpp:236
    #38 0x7fb973bd7ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
```
Comment 1 (Reporter) • 9 years ago
Updated (Reporter) • 9 years ago

Summary: Crash [@ Lock] → PNG: crash [@ Lock]
Comment 2 • 9 years ago

Looks like mCurrentFrame in the decoder is null.
Comment 3 (Glenn Randers-Pehrson) • 9 years ago

I'm puzzled about how the decoder has gotten past the bad chunk name [E0][81][80][FC] that follows the length word, and how it got past the bad CRC for that chunk. We should not be reaching png_push_have_end().

"od -c data_1_output_Output.txt" reports

```
0000000 211   P   N   G  \r  \n 032  \n  \0  \0  \0  \r 340 201 200 374
0000020 200 200 200 201 246   +   F 370 200 200 201 262 360 200 201 201
0000040 301 236 376 200 200 200 200 201 231 300 240 370 200 200 200 271
0000060   % 370 200 200 201 243 360 200 201 273 360 200 201 275 376 200
...
0016020 370 200 200 201 267   M 374 200 200 200 200 270 300 246  \0  \0
0016040 003  \0  \0 003 350  \b 006  \0  \0  \0   - 027 264   K  \0
0016060  \0  \0 004   s   B   I   T  \b  \b  \b  \b   |  \b   d 210  \0
```

which is

```
211   P   N   G  \r  \n 032  \n     # PNG signature
 \0  \0  \0  \r                     # length 13
340 201 200 374                     # invalid chunk name [E0][81][80][FC]
200 200 200 201 246   +   F 370     # chunk data (garbage,
200 200 201 262 360                 # 13 bytes)
200 201 201 301                     # CRC (invalid) for first chunk
236 376 200 200                     # length of next chunk, less than 377 777 777 777
                                    # but greater than the available data.
200 200 201 231                     # invalid chunk name
```

then about 16k of garbage followed by IHDR chunk data and the remainder of a valid PNG.

The file does end with an IEND chunk but it's a mystery to me how the decoder found it. The decoder should have issued a png_error when it found the invalid chunk name, and again when it found the bad CRC. Has png_error() been disabled somehow in the ASAN build?
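Comment 3 lays out the chunk framing a PNG parser checks before it can reach the end-of-image callback: the 4-byte length, the 4-byte chunk name, the data, and the CRC over name plus data. The C program below is an added example, not code from this bug, from Firefox or from libpng: it runs those checks (the 2^31-1 length limit from the PNG specification, alphabetic chunk-name bytes, CRC-32 over name and data) over the bytes comment 3 decodes, embedded inline as a constructed array, and over a valid and a tampered IEND chunk. The type, enum and function names (`chunk_status`, `validate_chunk`, `has_png_signature`, the `testcase_*` helpers) are the example's own; the check order follows what the comment expects of the decoder, not any libpng API.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of validating one chunk (example's own enum, not a libpng type). */
typedef enum {
    CHUNK_OK = 0,
    CHUNK_TRUNCATED,   /* fewer bytes available than the chunk needs */
    CHUNK_BAD_LENGTH,  /* length exceeds the PNG limit of 2^31 - 1 */
    CHUNK_BAD_NAME,    /* a chunk-name byte outside A-Z / a-z */
    CHUNK_BAD_CRC      /* CRC over name + data differs from the stored one */
} chunk_status;

/* Constructed input: the PNG signature and the first chunk exactly as comment 3
 * decodes it (length 13, name E0 81 80 FC, 13 data bytes, CRC), followed by the
 * next chunk's length word and name. Octal values from the od dump converted to hex. */
static const uint8_t TESTCASE_HEAD[] = {
    0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A,   /* signature */
    0x00, 0x00, 0x00, 0x0D,                        /* length 13 */
    0xE0, 0x81, 0x80, 0xFC,                        /* invalid chunk name */
    0x80, 0x80, 0x80, 0x81, 0xA6, '+', 'F', 0xF8,  /* 13 bytes of data */
    0x80, 0x80, 0x81, 0xB2, 0xF0,
    0x80, 0x81, 0x81, 0xC1,                        /* CRC (invalid) */
    0x9E, 0xFE, 0x80, 0x80,                        /* next length word: 0x9EFE8080 */
    0x80, 0x80, 0x81, 0x99                         /* next chunk name, also invalid */
};

/* A well-formed IEND chunk (its CRC is the standard constant 0xAE426082) ... */
static const uint8_t VALID_IEND[]    = { 0,0,0,0, 'I','E','N','D', 0xAE,0x42,0x60,0x82 };
/* ... and the same chunk with the last CRC byte flipped. */
static const uint8_t TAMPERED_IEND[] = { 0,0,0,0, 'I','E','N','D', 0xAE,0x42,0x60,0x83 };

/* Standard CRC-32 (reflected polynomial 0xEDB88320) as PNG and zlib define it. */
static uint32_t png_crc32(const uint8_t *buf, size_t len) {
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        c ^= buf[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return c ^ 0xFFFFFFFFu;
}

static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Returns 1 if buf starts with the 8-byte PNG signature, else 0. */
int has_png_signature(const uint8_t *buf, size_t avail) {
    static const uint8_t sig[8] = { 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A };
    if (avail < 8) return 0;
    for (int i = 0; i < 8; i++) if (buf[i] != sig[i]) return 0;
    return 1;
}

/* Validate the chunk whose length word starts at buf[0]. Checks run in the
 * order a streaming parser can apply them: length, name, then CRC once the
 * data is in hand. On CHUNK_OK, *consumed receives the chunk's total size. */
chunk_status validate_chunk(const uint8_t *buf, size_t avail, size_t *consumed) {
    if (avail < 8) return CHUNK_TRUNCATED;            /* need length + name */
    uint32_t length = read_be32(buf);
    if (length > 0x7FFFFFFFu) return CHUNK_BAD_LENGTH;
    const uint8_t *name = buf + 4;
    for (int i = 0; i < 4; i++) {
        uint8_t ch = name[i];
        if (!((ch >= 'A' && ch <= 'Z') || (ch >= 'a' && ch <= 'z')))
            return CHUNK_BAD_NAME;                    /* decoding must stop here */
    }
    if ((size_t)length + 12 > avail) return CHUNK_TRUNCATED;
    uint32_t stored = read_be32(buf + 8 + length);
    if (png_crc32(name, 4 + (size_t)length) != stored) return CHUNK_BAD_CRC;
    if (consumed) *consumed = (size_t)length + 12;
    return CHUNK_OK;
}

/* Named checks over the constructed inputs. Offsets: signature is 8 bytes,
 * first chunk is 4 + 4 + 13 + 4 = 25 bytes, so the second chunk starts at 33. */
chunk_status testcase_first_chunk(void)  { return validate_chunk(TESTCASE_HEAD + 8,  sizeof TESTCASE_HEAD - 8,  NULL); }
chunk_status testcase_second_chunk(void) { return validate_chunk(TESTCASE_HEAD + 33, sizeof TESTCASE_HEAD - 33, NULL); }
chunk_status valid_iend(void)            { return validate_chunk(VALID_IEND,    sizeof VALID_IEND,    NULL); }
chunk_status tampered_iend(void)         { return validate_chunk(TAMPERED_IEND, sizeof TAMPERED_IEND, NULL); }

int main(void) {
    static const char *label[] = { "ok", "truncated", "bad length", "bad name", "bad crc" };
    printf("signature: %d\n", has_png_signature(TESTCASE_HEAD, sizeof TESTCASE_HEAD));
    printf("testcase first chunk:  %s\n", label[testcase_first_chunk()]);
    printf("testcase second chunk: %s\n", label[testcase_second_chunk()]);
    printf("valid IEND:            %s\n", label[valid_iend()]);
    printf("tampered IEND:         %s\n", label[tampered_iend()]);
    return 0;
}
```

The first chunk fails on its name before any data is examined, which is the point at which comment 3 expects png_error(); the IEND pair shows the CRC check catching a single flipped byte. The second length word, 0x9EFE8080, is above 2^31-1, so a parser enforcing the specification's limit rejects it on the length check alone. In a decoder built on callbacks, as nsPNGDecoder is, the defensive counterpart is that the end-of-image callback cannot assume a frame was ever created (comment 2 notes mCurrentFrame being null).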
Comment 4 (Reporter) • 9 years ago

(In reply to Glenn Randers-Pehrson from comment #3)
> Has png_error() been disabled somehow in the ASAN build?

No, not that I know of.
Comment 5 • 9 years ago

Here is an uncorrupted copy of the input PNG file, found on the web. It's not clear from the "testcase" files how to recreate the bug.
Updated • 9 years ago

Attachment #8633823 - Attachment description: stasi20-schablone.png (uncorrupted copy)H → stasi20-schablone.png (uncorrupted copy)
Comment 6 • 9 years ago

FWIW Mihai attempted to reproduce this and could not. Perhaps this only happens on ASAN?
Comment 7 • 9 years ago

I tried with an ASAN-x86-64 build that I downloaded from mozilla.org in January 2015. It behaves properly: it displays the uncorrupted image as expected, and it shows the message "image <name> could not be displayed because it contains errors", as expected, when I attempted to display the file contained in data_1_output_Output.txt (after renaming to file.png).
Whiteboard: [gfx-noted]
Mass resolving WFM: signature(s) hasn't(/haven't) reported in past 28 days.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME