Closed Bug 1183105 Opened 9 years ago Closed 8 years ago

PNG: crash [@ Lock]

Categories

(Core :: Graphics: ImageLib, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED WORKSFORME
Tracking Status
firefox42 --- affected

People

(Reporter: posidron, Unassigned)

Details

(Keywords: crash, testcase, Whiteboard: [gfx-noted])

Crash Data

Attachments

(2 files)

The following testcase crashes on mozilla-inbound-linux64-asan revision dc9d58b43abf (build with (buildFlags not available), run with ):

See attachment.


Backtrace:

==2037==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7fb97804d602 sp 0x7fb959d56e20 bp 0x7fb959d56ee0 T25)
ASAN:SIGSEGV
==2037==AddressSanitizer: while reporting a bug found another one.Ignoring.
ASAN:SIGSEGV
==2037==AddressSanitizer: while reporting a bug found another one.Ignoring.
ASAN:SIGSEGV
==2037==AddressSanitizer: while reporting a bug found another one.Ignoring.
    #0 0x7fb97804d601 in Lock /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/image/../dist/include/mozilla/Mutex.h:69
    #1 0x7fb97804d601 in Lock /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/image/../dist/include/mozilla/Monitor.h:35
    #2 0x7fb97804d601 in MonitorAutoLock /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/image/../dist/include/mozilla/Monitor.h:78
    #3 0x7fb97804d601 in mozilla::image::imgFrame::Finish(mozilla::image::Opacity, mozilla::image::DisposalMethod, int, mozilla::image::BlendMethod) /builds/slave/m-in-l64-asan-0000000000000000/build/src/image/imgFrame.cpp:643
    #4 0x7fb978012978 in mozilla::image::Decoder::PostFrameStop(mozilla::image::Opacity, mozilla::image::DisposalMethod, int, mozilla::image::BlendMethod) /builds/slave/m-in-l64-asan-0000000000000000/build/src/image/Decoder.cpp:488
    #5 0x7fb97807bfed in EndImageFrame /builds/slave/m-in-l64-asan-0000000000000000/build/src/image/decoders/nsPNGDecoder.cpp:222
    #6 0x7fb97807bfed in mozilla::image::nsPNGDecoder::end_callback(png_struct_def*, png_info_def*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/image/decoders/nsPNGDecoder.cpp:878
    #7 0x7fb97da56077 in MOZ_PNG_push_have_end /builds/slave/m-in-l64-asan-0000000000000000/build/src/media/libpng/pngpread.c:1277
    #8 0x7fb97da56077 in MOZ_PNG_push_read_chunk /builds/slave/m-in-l64-asan-0000000000000000/build/src/media/libpng/pngpread.c:344
    #9 0x7fb97da547b3 in MOZ_PNG_proc_some_data /builds/slave/m-in-l64-asan-0000000000000000/build/src/media/libpng/pngpread.c:128
    #10 0x7fb97da547b3 in MOZ_PNG_process_data /builds/slave/m-in-l64-asan-0000000000000000/build/src/media/libpng/pngpread.c:47
    #11 0x7fb97807c527 in mozilla::image::nsPNGDecoder::WriteInternal(char const*, unsigned int) /builds/slave/m-in-l64-asan-0000000000000000/build/src/image/decoders/nsPNGDecoder.cpp:388
    #12 0x7fb97801278f in mozilla::image::Decoder::Write(char const*, unsigned int) /builds/slave/m-in-l64-asan-0000000000000000/build/src/image/Decoder.cpp:178
    #13 0x7fb97800fdde in mozilla::image::Decoder::Decode() /builds/slave/m-in-l64-asan-0000000000000000/build/src/image/Decoder.cpp:123
    #14 0x7fb97800f49a in mozilla::image::DecodePool::Decode(mozilla::image::Decoder*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/image/DecodePool.cpp:452
    #15 0x7fb9780318cc in mozilla::image::DecodePoolWorker::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/image/DecodePool.cpp:281
    #16 0x7fb9761580e7 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:867
    #17 0x7fb9761c679a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:277
    #18 0x7fb976a2a16f in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/glue/MessagePump.cpp:326
    #19 0x7fb9769b690c in RunInternal /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #20 0x7fb9769b690c in RunHandler /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #21 0x7fb9769b690c in MessageLoop::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #22 0x7fb976154571 in nsThread::ThreadFunc(void*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:360
    #23 0x7fb982ee3135 in _pt_root /builds/slave/m-in-l64-asan-0000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:212
    #24 0x7fb983521181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/image/../dist/include/mozilla/Mutex.h:69 Lock
Thread T25 (ImgDecoder #7) created by T0 (Web Content) here:
    #0 0x461815 in pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:175
    #1 0x7fb982edfabd in _PR_CreateThread /builds/slave/m-in-l64-asan-0000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:453
    #2 0x7fb982edf63a in PR_CreateThread /builds/slave/m-in-l64-asan-0000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:544
    #3 0x7fb976155b3d in nsThread::Init() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:470
    #4 0x7fb97615ba3e in nsThreadManager::NewThread(unsigned int, unsigned int, nsIThread**) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadManager.cpp:249
    #5 0x7fb9761c5a18 in NS_NewThread(nsIThread**, nsIRunnable*, unsigned int) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:68
    #6 0x7fb97800df91 in mozilla::image::DecodePool::DecodePool() /builds/slave/m-in-l64-asan-0000000000000000/build/src/image/DecodePool.cpp:354
    #7 0x7fb97800d79b in mozilla::image::DecodePool::Singleton() /builds/slave/m-in-l64-asan-0000000000000000/build/src/image/DecodePool.cpp:314
    #8 0x7fb97805e228 in mozilla::image::InitModule() /builds/slave/m-in-l64-asan-0000000000000000/build/src/image/build/nsImageModule.cpp:95
    #9 0x7fb97612f7ad in Load /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/components/nsComponentManager.cpp:886
    #10 0x7fb97612f7ad in nsFactoryEntry::GetFactory() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/components/nsComponentManager.cpp:1927
    #11 0x7fb976130a01 in nsComponentManagerImpl::CreateInstanceByContractID(char const*, nsISupports*, nsID const&, void**) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/components/nsComponentManager.cpp:1220
    #12 0x7fb97612807a in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/components/nsComponentManager.cpp:1579
    #13 0x7fb9761b5aa1 in CallGetService /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/glue/nsComponentManagerUtils.cpp:67
    #14 0x7fb9761b5aa1 in nsGetServiceByContractID::operator()(nsID const&, void**) const /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/glue/nsComponentManagerUtils.cpp:280
    #15 0x7fb9761aad66 in nsCOMPtr_base::assign_from_gs_contractid(nsGetServiceByContractID, nsID const&) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/glue/nsCOMPtr.cpp:103
    #16 0x7fb977ea9bf8 in nsCOMPtr /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/gfx/thebes/../../dist/include/nsCOMPtr.h:514
    #17 0x7fb977ea9bf8 in gfxPlatform::Init() /builds/slave/m-in-l64-asan-0000000000000000/build/src/gfx/thebes/gfxPlatform.cpp:560
    #18 0x7fb977ea7cf4 in gfxPlatform::GetPlatform() /builds/slave/m-in-l64-asan-0000000000000000/build/src/gfx/thebes/gfxPlatform.cpp:407
    #19 0x7fb977db07d5 in mozilla::layers::CompositorChild::Create(IPC::Channel*, int) /builds/slave/m-in-l64-asan-0000000000000000/build/src/gfx/layers/ipc/CompositorChild.cpp:143
    #20 0x7fb97713f93b in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/ipc/ipdl/./PContentChild.cpp:7219
    #21 0x7fb976a22652 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/glue/MessageChannel.cpp:1376
    #22 0x7fb976a200d2 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message const&) /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/glue/MessageChannel.cpp:1291
    #23 0x7fb976a13a22 in mozilla::ipc::MessageChannel::OnMaybeDequeueOne() /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/glue/MessageChannel.cpp:1262
    #24 0x7fb9769b7d84 in RunTask /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:364
    #25 0x7fb9769b7d84 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:372
    #26 0x7fb9769b8e37 in MessageLoop::DoWork() /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:459
    #27 0x7fb976a29ef5 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/glue/MessagePump.cpp:284
    #28 0x7fb9769b690c in RunInternal /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #29 0x7fb9769b690c in RunHandler /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #30 0x7fb9769b690c in MessageLoop::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #31 0x7fb97b691227 in nsBaseAppShell::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/widget/nsBaseAppShell.cpp:165
    #32 0x7fb97d4f4ca2 in XRE_RunAppShell /builds/slave/m-in-l64-asan-0000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:778
    #33 0x7fb9769b690c in RunInternal /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #34 0x7fb9769b690c in RunHandler /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #35 0x7fb9769b690c in MessageLoop::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #36 0x7fb97d4f4399 in XRE_InitChildProcess /builds/slave/m-in-l64-asan-0000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:614
    #37 0x48d632 in content_process_main(int, char**) /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/app/../contentproc/plugin-container.cpp:236
    #38 0x7fb973bd7ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
Attached file Testcase
Summary: Crash [@ Lock] → PNG: crash [@ Lock]
Looks like mCurrentFrame in the decoder is null.
I'm puzzled about how the decoder has gotten past the bad chunk name [E0][81][80][FC] that follows the length word, and how it got past the bad CRC for that chunk. We should not be reaching png_push_have_end().

"od -c data_1_output_Output.txt" reports
0000000 211   P   N   G  \r  \n 032  \n  \0  \0  \0  \r 340 201 200 374
0000020 200 200 200 201 246   +   F 370 200 200 201 262 360 200 201 201
0000040 301 236 376 200 200 200 200 201 231 300 240 370 200 200 200 271
0000060   % 370 200 200 201 243 360 200 201 273 360 200 201 275 376 200
...
0016020 370 200 200 201 267   M 374 200 200 200 200 270 300 246  \0  \0
0016040 003      \0  \0 003 350  \b 006  \0  \0  \0   - 027 264   K  \0
0016060  \0  \0 004   s   B   I   T  \b  \b  \b  \b   |  \b   d 210  \0

which is
211   P   N   G  \r  \n 032  \n    # PNG signature
 \0  \0  \0  \r                    # length 13
340 201 200 374                    # invalid chunk name [E0][81][80][FC]
200 200 200 201 246   +   F 370    # chunk data (garbage,
200 200 201 262 360                #            13 bytes)
200 201 201 301                    # CRC (invalid) for first chunk
236 376 200 200                    # length of next chunk, less than 377 777 777 777
                                   # but greater than the available data.
200 200 201 231                    # invalid chunk name
then about 16k of garbage followed by IHDR chunk data and the remainder of a valid PNG

The file does end with an IEND chunk but it's a mystery to me how the
decoder found it.  The decoder should have issued a png_error when it found the
invalid chunk name, and again when it found the bad CRC.  Has png_error() been
disabled somehow in the ASAN build?
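A chunk walker that flags the three defects described above (non-letter chunk type bytes, a length beyond the data, a CRC that does not match type + data), as an added example rather than code from this bug or from libpng; the 48-byte sample is transcribed from the od listing in the comment, and a constructed 1x1 PNG serves as the clean control.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# First 48 bytes of the fuzzed file, transcribed from the "od -c" listing (constructed sample, not the attachment).
TESTCASE_HEAD = bytes([
    0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A,  # PNG signature
    0x00, 0x00, 0x00, 0x0D, 0xE0, 0x81, 0x80, 0xFC,  # length 13, chunk name E0 81 80 FC
    0x80, 0x80, 0x80, 0x81, 0xA6, 0x2B, 0x46, 0xF8,  # 13 bytes of chunk data ...
    0x80, 0x80, 0x81, 0xB2, 0xF0, 0x80, 0x81, 0x81,  # ... then CRC 80 81 81 C1
    0xC1, 0x9E, 0xFE, 0x80, 0x80, 0x80, 0x80, 0x81,  # next length 9E FE 80 80, name 80 80 81 99
    0x99, 0xC0, 0xA0, 0xF8, 0x80, 0x80, 0x80, 0xB9,
])

def chunk_name_ok(name: bytes) -> bool:
    # Each type byte must be an ASCII letter; libpng's png_check_chunk_name rejects anything else.
    return len(name) == 4 and all(65 <= b <= 90 or 97 <= b <= 122 for b in name)

def walk_chunks(data: bytes) -> list:
    """Return (offset, name, length, problems) per chunk; stop once the stream cannot be followed."""
    if not data.startswith(PNG_SIGNATURE):
        return [(0, b"", 0, ["bad signature"])]
    out, off = [], len(PNG_SIGNATURE)
    while off + 8 <= len(data):
        (length,) = struct.unpack(">I", data[off:off + 4])
        name, problems = data[off + 4:off + 8], []
        if not chunk_name_ok(name):
            problems.append("invalid chunk name")
        if length > 0x7FFFFFFF:               # PNG spec: a chunk length must not exceed 2^31-1
            problems.append("length exceeds 2^31-1")
        end = off + 12 + length               # length word + type + data + CRC
        if end > len(data):
            problems.append("length exceeds available data")
            out.append((off, name, length, problems))
            break                             # cannot resync: the next chunk cannot be located
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if crc != zlib.crc32(name + data[off + 8:end - 4]):
            problems.append("bad CRC")        # the CRC covers type + data, not the length word
        out.append((off, name, length, problems))
        off = end
    return out

def minimal_png() -> bytes:
    """Constructed 1x1 greyscale PNG with correct CRCs, a clean control for walk_chunks."""
    def chunk(name, body):
        return struct.pack(">I", len(body)) + name + body + struct.pack(">I", zlib.crc32(name + body))
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width 1, height 1, 8-bit greyscale
    return PNG_SIGNATURE + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(b"\x00\x00")) + chunk(b"IEND", b"")
```

On the sample, the first chunk is reported with both a bad name and a bad CRC, and the walk stops at the second chunk whose length cannot be satisfied, which is the point at which a conforming decoder should already have raised png_error.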
(In reply to Glenn Randers-Pehrson from comment #3)
> Has png_error() been disabled somehow in the ASAN build?

No, not that I know of.
Here is an uncorrupted copy of the input PNG file, found on the web.  It's not clear from the "testcase" files how to recreate the bug.
Attachment #8633823 - Attachment description: stasi20-schablone.png (uncorrupted copy)H → stasi20-schablone.png (uncorrupted copy)
FWIW Mihai attempted to reproduce this and could not. Perhaps this only happens on ASAN?
I tried with an ASAN-x86-64 build that I downloaded from mozilla.org in January 2015.  It behaves properly: it displays the uncorrupted image as expected, and it shows the message "image <name> could not be displayed because it contains errors", as expected, when I attempted to display the file contained in data_1_output_Output.txt (after renaming to file.png).
Mass resolving WFM: signature(s) hasn't(/haven't) reported in past 28 days.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME