Closed Bug 1322112 Opened 6 years ago Closed 6 years ago

Crash in mozilla::image::nsIconDecoder::ReadRowOfPixels

Categories

(Core :: Graphics: ImageLib, defect)

50 Branch
Other
NetBSD
defect
Not set
normal

Tracking

()

RESOLVED FIXED
mozilla53
Tracking Status
firefox-esr52 --- fixed
firefox53 --- fixed

People

(Reporter: martin, Assigned: martin, Mentored)

References

Details

Attachments

(1 file)

When starting firefox 50.0.2 on sparc64 I get an immediate crash like this:

Thread 2 received signal SIGBUS, Bus error.
[Switching to LWP 23]
mozilla::image::nsIconDecoder::ReadRowOfPixels (this=0xffffffffd288ac00, 
    aData=aData@entry=0xffffffffcf65d002 "", aLength=aLength@entry=80)
    at /usr/pkgobj/www/firefox/work/firefox-50.0.2/image/decoders/nsIconDecoder.cpp:105
105       });
(gdb) bt
#0  mozilla::image::nsIconDecoder::ReadRowOfPixels (this=0xffffffffd288ac00, 
    aData=aData@entry=0xffffffffcf65d002 "", aLength=aLength@entry=80)
    at /usr/pkgobj/www/firefox/work/firefox-50.0.2/image/decoders/nsIconDecoder.cpp:105
#1  0xffffffffe31ffa4c in mozilla::image::nsIconDecoder::<lambda(mozilla::image::nsIconDecoder::State, char const*, size_t)>::operator()(mozilla::image::nsIconDecoder::State, const char *, size_t) const (__closure=0xffffffffd01ff5c8, 
    aState=<optimized out>, aData=0xffffffffcf65d002 "", aLength=80)
    at /usr/pkgobj/www/firefox/work/firefox-50.0.2/image/decoders/nsIconDecoder.cpp:41
#2  0xffffffffe3205d30 in mozilla::image::StreamingLexer<mozilla::image::nsIconDecoder::State, 16ul>::BufferedRead<mozilla::image::nsIconDecoder::DoDecode(mozilla::image::SourceBufferIterator&, mozilla::image::IResumable*)::<lambda(mozilla::image::nsIconDecoder::State, char const*, size_t)> > (aFunc=..., 
    aIterator=..., this=0xffffffffd288ad50)
    at /usr/pkgobj/www/firefox/work/firefox-50.0.2/image/StreamingLexer.h:615
#3  mozilla::image::StreamingLexer<mozilla::image::nsIconDecoder::State, 16ul>::Lex<mozilla::image::nsIconDecoder::DoDecode(mozilla::image::SourceBufferIterator&, mozilla::image::IResumable*)::<lambda(mozilla::image::nsIconDecoder::State, char const*, size_t)> >(mozilla::image::SourceBufferIterator &, mozilla::image::IResumable *, mozilla::image::nsIconDecoder::<lambda(mozilla::image::nsIconDecoder::State, char const*, size_t)>) (this=this@entry=0xffffffffd288ad50, 
    aIterator=..., aOnResume=aOnResume@entry=0xffffffffd2847b00, aFunc=...)

Note the aData pointer is not 4-byte aligned, but the code does:

    uint32_t pixel = *reinterpret_cast<const uint32_t*>(aData);
    aData += 4;
    aLength -= 4;


I don't fully understand how aData is initialized in the closure below this call and whether this is a situation that is allowed to happen (in which case the obvious fix is memcpy() instead of *reinterpret_cast<>()) or should never happen, in which case the bug is hiding somewhere else.
memcpy looks like the correct to do here; can you test that patch?
Flags: needinfo?(martin)
Use memcpy() instead of dereferencing a casted pointer where the cast would increase alignement requirements on some architectures
Flags: needinfo?(martin)
I have been running with that patch for two days and FF 50.0.2 is happy on my sparc64 desktop machine.
Comment on attachment 8817015 [details] [diff] [review]
patch-image_decoders_nsIconDecoder.cpp

Yeah, this is the right fix.

This icon format (that is internal to gecko) uses one byte each for the width and height at the start of the data. This is probably silly because it limits icons to 256x256 and means that every following row is not 4 byte aligned (if the start of the data is 4 byte aligned).

Andrew mentioned a possible endian-ness issue, which I looked into. The platform specific code that gets the icon image data from the OS handles this and puts it into the expected order. Ex https://dxr.mozilla.org/mozilla-central/rev/8103c612b79c2587ea4ca1b0a9f9f82db4b185b8/image/decoders/icon/gtk/nsIconChannel.cpp#72
Attachment #8817015 - Flags: review+
Assignee: nobody → martin
Pushed by tnikkel@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/5fd9bb569ce9
Use memcpy() instead of dereferencing a casted pointer where the cast would increase alignement requirements on some architectures in nsIconDecoder.  r=tnikkel
https://hg.mozilla.org/mozilla-central/rev/5fd9bb569ce9
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
Duplicate of this bug: 1324416
Comment on attachment 8817015 [details] [diff] [review]
patch-image_decoders_nsIconDecoder.cpp

[Approval Request Comment]
ESR consideration: Improve stability on architectures with strict alignment requirement
User impact if declined: Startup crash on sparc64
Fix Landed on Version: 53.0
Risk to taking this patch (and alternatives if risky): None
String or UUID changes made by this patch: None
Attachment #8817015 - Flags: approval-mozilla-esr52?
Comment on attachment 8817015 [details] [diff] [review]
patch-image_decoders_nsIconDecoder.cpp

alignment fix, for esr52.1.0
Attachment #8817015 - Flags: approval-mozilla-esr52? → approval-mozilla-esr52+
You need to log in before you can comment on or make changes to this bug.