Crash in mozilla::image::nsIconDecoder::ReadRowOfPixels

RESOLVED FIXED in Firefox -esr52



a year ago
10 months ago


(Reporter: Martin Husemann, Assigned: Martin Husemann, Mentored)


50 Branch

Firefox Tracking Flags

(firefox-esr52 fixed, firefox53 fixed)



(1 attachment)



a year ago
When starting firefox 50.0.2 on sparc64 I get an immediate crash like this:

Thread 2 received signal SIGBUS, Bus error.
[Switching to LWP 23]
mozilla::image::nsIconDecoder::ReadRowOfPixels (this=0xffffffffd288ac00, 
    aData=aData@entry=0xffffffffcf65d002 "", aLength=aLength@entry=80)
    at /usr/pkgobj/www/firefox/work/firefox-50.0.2/image/decoders/nsIconDecoder.cpp:105
105       });
(gdb) bt
#0  mozilla::image::nsIconDecoder::ReadRowOfPixels (this=0xffffffffd288ac00, 
    aData=aData@entry=0xffffffffcf65d002 "", aLength=aLength@entry=80)
    at /usr/pkgobj/www/firefox/work/firefox-50.0.2/image/decoders/nsIconDecoder.cpp:105
#1  0xffffffffe31ffa4c in mozilla::image::nsIconDecoder::<lambda(mozilla::image::nsIconDecoder::State, char const*, size_t)>::operator()(mozilla::image::nsIconDecoder::State, const char *, size_t) const (__closure=0xffffffffd01ff5c8, 
    aState=<optimized out>, aData=0xffffffffcf65d002 "", aLength=80)
    at /usr/pkgobj/www/firefox/work/firefox-50.0.2/image/decoders/nsIconDecoder.cpp:41
#2  0xffffffffe3205d30 in mozilla::image::StreamingLexer<mozilla::image::nsIconDecoder::State, 16ul>::BufferedRead<mozilla::image::nsIconDecoder::DoDecode(mozilla::image::SourceBufferIterator&, mozilla::image::IResumable*)::<lambda(mozilla::image::nsIconDecoder::State, char const*, size_t)> > (aFunc=..., 
    aIterator=..., this=0xffffffffd288ad50)
    at /usr/pkgobj/www/firefox/work/firefox-50.0.2/image/StreamingLexer.h:615
#3  mozilla::image::StreamingLexer<mozilla::image::nsIconDecoder::State, 16ul>::Lex<mozilla::image::nsIconDecoder::DoDecode(mozilla::image::SourceBufferIterator&, mozilla::image::IResumable*)::<lambda(mozilla::image::nsIconDecoder::State, char const*, size_t)> >(mozilla::image::SourceBufferIterator &, mozilla::image::IResumable *, mozilla::image::nsIconDecoder::<lambda(mozilla::image::nsIconDecoder::State, char const*, size_t)>) (this=this@entry=0xffffffffd288ad50, 
    aIterator=..., aOnResume=aOnResume@entry=0xffffffffd2847b00, aFunc=...)

Note the aData pointer is not 4-byte aligned, but the code does:

    uint32_t pixel = *reinterpret_cast<const uint32_t*>(aData);
    aData += 4;
    aLength -= 4;

I don't fully understand how aData is initialized in the closure below this call and whether this is a situation that is allowed to happen (in which case the obvious fix is memcpy() instead of *reinterpret_cast<>()) or should never happen, in which case the bug is hiding somewhere else.
memcpy looks like the correct to do here; can you test that patch?
Flags: needinfo?(martin)

Comment 2

a year ago
Created attachment 8817015 [details] [diff] [review]

Use memcpy() instead of dereferencing a casted pointer where the cast would increase alignement requirements on some architectures
Flags: needinfo?(martin)

Comment 3

a year ago
I have been running with that patch for two days and FF 50.0.2 is happy on my sparc64 desktop machine.
Comment on attachment 8817015 [details] [diff] [review]

Yeah, this is the right fix.

This icon format (that is internal to gecko) uses one byte each for the width and height at the start of the data. This is probably silly because it limits icons to 256x256 and means that every following row is not 4 byte aligned (if the start of the data is 4 byte aligned).

Andrew mentioned a possible endian-ness issue, which I looked into. The platform specific code that gets the icon image data from the OS handles this and puts it into the expected order. Ex
Attachment #8817015 - Flags: review+
Assignee: nobody → martin

Comment 6

a year ago
Pushed by
Use memcpy() instead of dereferencing a casted pointer where the cast would increase alignement requirements on some architectures in nsIconDecoder.  r=tnikkel

Comment 7

a year ago
Last Resolved: a year ago
status-firefox53: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla53


a year ago
Duplicate of this bug: 1324416

Comment 9

11 months ago
Comment on attachment 8817015 [details] [diff] [review]

[Approval Request Comment]
ESR consideration: Improve stability on architectures with strict alignment requirement
User impact if declined: Startup crash on sparc64
Fix Landed on Version: 53.0
Risk to taking this patch (and alternatives if risky): None
String or UUID changes made by this patch: None
Attachment #8817015 - Flags: approval-mozilla-esr52?
Comment on attachment 8817015 [details] [diff] [review]

alignment fix, for esr52.1.0
Attachment #8817015 - Flags: approval-mozilla-esr52? → approval-mozilla-esr52+

Comment 11

11 months ago
status-firefox-esr52: --- → fixed
You need to log in before you can comment on or make changes to this bug.