Closed Bug 367740 Opened 18 years ago Closed 18 years ago

Crash [@ ARGB32_image_mark]

Categories

(Core :: Graphics, defect)

PowerPC
macOS
defect
Not set
critical

Tracking

RESOLVED FIXED

People

(Reporter: jruderman, Assigned: MatsPalmgren_bugz)

References

Details

(Keywords: crash, Whiteboard: [sg:critical?] post 1.8-branch; Apple bug #5087549)

Crash Data

Attachments

(3 files)

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_INVALID_ADDRESS (0x0001) at 0x5f42d0a4

Thread 0 Crashed:
0   com.apple.CoreGraphics   	0x903e6670 ARGB32_image_mark + 1816
1   com.apple.CoreGraphics   	0x903d7094 ARGB32_image + 3532
2   libRIP.A.dylib           	0x94757fe8 ripl_Mark + 40
3   libRIP.A.dylib           	0x94753d14 ripl_BltImage + 908
4   libRIP.A.dylib           	0x94753788 ripc_RenderImage + 256
5   libRIP.A.dylib           	0x9475218c ripc_DrawImage + 3532
6   com.apple.CoreGraphics   	0x903d2a74 CGContextDelegateDrawImage + 76
7   com.apple.CoreGraphics   	0x903d29cc CGContextDrawImage + 340
8   org.mozilla.firefox      	0x007b875c jinit_compress_master + 5796
9   com.apple.CoreGraphics   	0x90415894 CGContextDrawPattern + 220
10  com.apple.CoreGraphics   	0x90415570 pattern_replicate_pattern + 576
11  com.apple.CoreGraphics   	0x9041500c pattern_tile_pattern + 2552
12  com.apple.CoreGraphics   	0x90414604 CGPatternFilterDelegateTilePattern + 44
13  libRIP.A.dylib           	0x94757b64 ripc_GetPattern + 2464
14  libRIP.A.dylib           	0x947556c0 ripc_GetColor + 228
15  libRIP.A.dylib           	0x94754c1c ripc_Render + 204
16  libRIP.A.dylib           	0x9475d474 ripc_DrawPath + 488
17  com.apple.CoreGraphics   	0x90452e2c CGContextDrawPath + 176
18  org.mozilla.firefox      	0x007b93ec jinit_compress_master + 9012
19  org.mozilla.firefox      	0x003cb804 _cairo_surface_fill + 144
20  org.mozilla.firefox      	0x0075de20 _cairo_gstate_fill + 104
21  org.mozilla.firefox      	0x0055685c _moz_cairo_fill_preserve + 44
22  org.mozilla.firefox      	0x000ebe74 nsThebesImage::Draw(nsIRenderingContext&, nsIDrawingSurface*, int, int, int, int, int, int, int, int) + 1216
23  org.mozilla.firefox      	0x000f2ddc nsThebesRenderingContext::DrawImage(imgIContainer*, nsRect const&, nsRect const&) + 1932
24  org.mozilla.firefox      	0x0055f83c nsImageFrame::PaintImage(nsIRenderingContext&, nsPoint, nsRect const&, imgIContainer*) + 536
25  org.mozilla.firefox      	0x0055f610 nsDisplayImage::Paint(nsDisplayListBuilder*, nsIRenderingContext*, nsRect const&) + 76
26  org.mozilla.firefox      	0x0048130c nsDisplayList::Paint(nsDisplayListBuilder*, nsIRenderingContext*, nsRect const&) const + 72
27  org.mozilla.firefox      	0x00482f10 nsDisplayClip::Paint(nsDisplayListBuilder*, nsIRenderingContext*, nsRect const&) + 136
28  org.mozilla.firefox      	0x0048130c nsDisplayList::Paint(nsDisplayListBuilder*, nsIRenderingContext*, nsRect const&) const + 72
29  org.mozilla.firefox      	0x00482f10 nsDisplayClip::Paint(nsDisplayListBuilder*, nsIRenderingContext*, nsRect const&) + 136
30  org.mozilla.firefox      	0x0048130c nsDisplayList::Paint(nsDisplayListBuilder*, nsIRenderingContext*, nsRect const&) const + 72
31  org.mozilla.firefox      	0x00453870 nsLayoutUtils::PaintFrame(nsIRenderingContext*, nsIFrame*, nsRegion const&, unsigned) + 416
32  org.mozilla.firefox      	0x0017a54c PresShell::Paint(nsIView*, nsIRenderingContext*, nsRegion const&) + 232
33  org.mozilla.firefox      	0x0020726c nsViewManager::RenderViews(nsView*, nsIRenderingContext&, nsRegion const&, nsIDrawingSurface*) + 248
34  org.mozilla.firefox      	0x00206da8 nsViewManager::Refresh(nsView*, nsIRenderingContext*, nsIRegion*, unsigned) + 1160
35  org.mozilla.firefox      	0x00208918 nsViewManager::DispatchEvent(nsGUIEvent*, nsEventStatus*) + 1424
36  org.mozilla.firefox      	0x00442ba8 ViewWrapper::GetInterface(nsID const&, void**) + 468
37  org.mozilla.firefox      	0x002cc5a8 nsChildView::DispatchEvent(nsGUIEvent*, nsEventStatus&) + 224
38  org.mozilla.firefox      	0x002cc620 nsChildView::DispatchWindowEvent(nsGUIEvent&) + 32
39  org.mozilla.firefox      	0x002ce7b8 nsChildView::GetThebesSurface() + 4860
40  com.apple.AppKit         	0x93751858 -[NSView _drawRect:clip:] + 2128
41  com.apple.AppKit         	0x93750e18 -[NSView _recursiveDisplayAllDirtyWithLockFocus:visRect:] + 404
42  com.apple.AppKit         	0x937503e0 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 196
43  com.apple.AppKit         	0x937509a8 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 1676
44  com.apple.AppKit         	0x937509a8 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 1676
45  com.apple.AppKit         	0x937509a8 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 1676
46  com.apple.AppKit         	0x937509a8 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 1676
47  com.apple.AppKit         	0x937509a8 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 1676
48  com.apple.AppKit         	0x937509a8 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 1676
49  com.apple.AppKit         	0x937509a8 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 1676
50  com.apple.AppKit         	0x93771044 -[NSThemeFrame _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 192
51  com.apple.AppKit         	0x9374a054 -[NSView _displayRectIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:] + 384
52  com.apple.AppKit         	0x9373f348 -[NSView displayIfNeeded] + 248
53  com.apple.AppKit         	0x9373f1b8 -[NSWindow displayIfNeeded] + 180
54  com.apple.AppKit         	0x9373f064 _handleWindowNeedsDisplay + 200
55  com.apple.CoreFoundation 	0x907dc73c __CFRunLoopDoObservers + 352
56  com.apple.CoreFoundation 	0x907dc9dc __CFRunLoopRun + 420
57  com.apple.CoreFoundation 	0x907dc47c CFRunLoopRunSpecific + 268
58  com.apple.HIToolbox      	0x93208740 RunCurrentEventLoopInMode + 264
59  com.apple.HIToolbox      	0x93207d4c ReceiveNextEventCommon + 244
60  com.apple.HIToolbox      	0x93207c40 BlockUntilNextEventMatchingListInMode + 96
61  com.apple.AppKit         	0x9370bae4 _DPSNextEvent + 384
62  com.apple.AppKit         	0x9370b7a8 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 116
63  org.mozilla.firefox      	0x002c72b4 nsAppShell::ProcessNextNativeEvent(int) + 188
64  org.mozilla.firefox      	0x005e01b0 nsBaseAppShell::DoProcessNextNativeEvent(int) + 48
65  org.mozilla.firefox      	0x005e0380 nsBaseAppShell::OnProcessNextEvent(nsIThreadInternal*, int, unsigned) + 100
66  libxpcom_core.dylib      	0x2c0441cc nsThread::ProcessNextEvent(int, int*) + 156
67  libxpcom_core.dylib      	0x2c00a1c0 NS_ProcessNextEvent_P(nsIThread*, int) + 76
68  org.mozilla.firefox      	0x005e0218 nsBaseAppShell::Run() + 80
69  org.mozilla.firefox      	0x002c7688 non-virtual thunk [nv:-4] to nsAppShell::AfterProcessNextEvent(nsIThreadInternal*, unsigned) + 416
70  com.apple.Foundation     	0x9296bbf8 __NSFireDelayedPerform + 304
71  com.apple.CoreFoundation 	0x907f0550 __CFRunLoopDoTimer + 184
72  com.apple.CoreFoundation 	0x907dcec8 __CFRunLoopRun + 1680
73  com.apple.CoreFoundation 	0x907dc47c CFRunLoopRunSpecific + 268
74  com.apple.HIToolbox      	0x93208740 RunCurrentEventLoopInMode + 264
75  com.apple.HIToolbox      	0x93207dd4 ReceiveNextEventCommon + 380
76  com.apple.HIToolbox      	0x93207c40 BlockUntilNextEventMatchingListInMode + 96
77  com.apple.AppKit         	0x9370bae4 _DPSNextEvent + 384
78  com.apple.AppKit         	0x9370b7a8 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 116
79  org.mozilla.firefox      	0x002c72b4 nsAppShell::ProcessNextNativeEvent(int) + 188
80  org.mozilla.firefox      	0x005e01b0 nsBaseAppShell::DoProcessNextNativeEvent(int) + 48
81  org.mozilla.firefox      	0x005e0380 nsBaseAppShell::OnProcessNextEvent(nsIThreadInternal*, int, unsigned) + 100
82  libxpcom_core.dylib      	0x2c0441cc nsThread::ProcessNextEvent(int, int*) + 156
83  libxpcom_core.dylib      	0x2c00a0c0 NS_ProcessPendingEvents_P(nsIThread*, unsigned) + 84
84  org.mozilla.firefox      	0x005e0134 nsBaseAppShell::NativeEventCallback() + 80
85  org.mozilla.firefox      	0x002c7060 nsAppShell::ProcessGeckoEvents() + 192
86  org.mozilla.firefox      	0x002c7638 non-virtual thunk [nv:-4] to nsAppShell::AfterProcessNextEvent(nsIThreadInternal*, unsigned) + 336
87  com.apple.Foundation     	0x92959918 __NSFireMachPort + 276
88  com.apple.CoreFoundation 	0x907ea820 __CFMachPortPerform + 176
89  com.apple.CoreFoundation 	0x907ea734 __CFRunLoopDoSource1 + 152
90  com.apple.CoreFoundation 	0x907dce4c __CFRunLoopRun + 1556
91  com.apple.CoreFoundation 	0x907dc47c CFRunLoopRunSpecific + 268
92  com.apple.HIToolbox      	0x93208740 RunCurrentEventLoopInMode + 264
93  com.apple.HIToolbox      	0x93207d4c ReceiveNextEventCommon + 244
94  com.apple.HIToolbox      	0x93207c40 BlockUntilNextEventMatchingListInMode + 96
95  com.apple.AppKit         	0x9370bae4 _DPSNextEvent + 384
96  com.apple.AppKit         	0x9370b7a8 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 116
97  com.apple.AppKit         	0x93707cec -[NSApplication run] + 472
98  org.mozilla.firefox      	0x002c73c4 nsAppShell::Run() + 104
99  org.mozilla.firefox      	0x0033b8ac nsAppStartup::Run() + 88
100 org.mozilla.firefox      	0x00012b6c XRE_main + 4724
101 org.mozilla.firefox      	0x0000dbd4 start + 456
102 dyld                     	0x8fe01048 _dyld_start + 60
Before the crash, I see things in the console output like

firefox-bin(10000,0xa000ed88) malloc: *** vm_allocate(size=1840893952) failed (error code=3)
firefox-bin(10000,0xa000ed88) malloc: *** error: can't allocate region
firefox-bin(10000,0xa000ed88) malloc: *** set a breakpoint in szone_error to debug

The CSS in the testcase seems to make the document have a very large height.  I suspect that's part of what triggers the bugginess.
Flags: blocking1.9?
Whiteboard: [sg:critical?]
Attached file better stack trace
This is from a debug build of Firefox.  Why doesn't gdb show arguments or filename information for the cairo functions?
aDHeight=71582792 sounds suspicious.
Critical security bugs must have owners. If you can't work on this bug please help us find another active owner for it.
Assignee: nobody → pavlov
Assignee: pavlov → vladimir
Patch coming up...
Assignee: vladimir → mats.palmgren
Attached patch Patch rev. 1
Impose the limits on final image size in two more places. (ref. bug 343192)
Attachment #252581 - Flags: superreview?(pavlov)
Attachment #252581 - Flags: review?(pavlov)
Attachment #252581 - Flags: superreview?(pavlov)
Attachment #252581 - Flags: superreview+
Attachment #252581 - Flags: review?(pavlov)
Attachment #252581 - Flags: review+
Checked in to trunk at 2007-01-26 10:12 PST.

-> FIXED
Status: NEW → RESOLVED
Closed: 18 years ago
Flags: blocking1.9?
Resolution: --- → FIXED
Depends on: 368427
Was this a trunk-only crash? I'm guessing so because of Thebes involvement, but I don't have a mac handy to test. If it's trunk-only please unhide the bug (and add a whiteboard comment "1.9-only" or "post 1.8")
I can't reproduce the crash with the attached testcase in
Firefox 1.5.0.9 or 2.0.0.1 on MacOSX 10.4.8.

I think this bug really is in Quartz though. It shouldn't crash even
if it is given unreasonable arguments, so this bug affects many
applications (not just Mozilla) on Mac. For 1.8.* we also have
bug 328258. If you search http://talkback-public.mozilla.org/
for ARGB32_image_mark you'll find this signature:
ARGB32_image_mark_RGB32()
ARGB32_image()
...
CGContextDrawImage()
libawt.jnilib.1.0.0 + 0x99e8 (0x810799e8)
(e.g. TB27092878 TB26675857)
which I think is a variation of this bug from within Java AWT.

We also have this signature:
ARGB32_image_mark_RGB32()
ARGB32_image()
...
CGContextDrawImage()
nsImageMac::Draw()
(e.g. TB28885504 TB28885524)
which *could* be a variation of this bug (or it might just be bug 328258)

Looking at gfx/src/mac/nsImageMac.cpp
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/gfx/src/mac/nsImageMac.cpp&rev=1.82&root=/cvsroot#315
it appears that we have no checks on the arguments like we now
have in Thebes. Maybe we should add the same check there?

We should contact Apple and make them aware of this problem though.
I think we should keep this bug hidden in the interest of protecting
other developers until Apple has fixed the core problem.
(Josh said in bug 328258 comment 24 that he had contacted Apple...)
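The patch comment above ("Impose the limits on final image size in two more places") and the remark that nsImageMac.cpp has no argument checks both come down to the same defensive step: validate the requested surface dimensions before they reach the allocator or CGContextDrawImage. The following is an added illustration, not code from the Mozilla tree or from the patch on this bug. The limits MAX_IMAGE_DIMENSION and MAX_IMAGE_BYTES are assumed values chosen for the example (the real limits are in bug 343192 and are not reproduced here); the height 71582792 is the aDHeight value quoted in this bug, and the width 30 is a constructed sample.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed limits for illustration only; the real values are defined in
 * the Mozilla tree (see bug 343192). */
#define MAX_IMAGE_DIMENSION 0x7FFF                  /* assumed per-axis limit */
#define MAX_IMAGE_BYTES     (64u * 1024u * 1024u)   /* assumed total: 64 MiB */

/* The arithmetic a 32-bit build does when nothing checks the arguments:
 * width * height * bpp wraps silently modulo 2^32, so a huge request can
 * look tiny to the allocator while the rasterizer later walks the full
 * (unallocated) extent. */
uint32_t naive_image_bytes_u32(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;
}

/* Checked version: rejects non-positive or oversize dimensions, computes
 * the byte count in 64 bits so it cannot wrap, and refuses anything above
 * MAX_IMAGE_BYTES. Returns true and stores the size only for sane input. */
bool checked_image_bytes(int32_t width, int32_t height, uint32_t bpp,
                         size_t *out_bytes)
{
    if (width <= 0 || height <= 0 || bpp == 0 || bpp > 16)
        return false;
    if (width > MAX_IMAGE_DIMENSION || height > MAX_IMAGE_DIMENSION)
        return false;

    uint64_t stride = (uint64_t)width * bpp;        /* bytes per row */
    uint64_t total  = stride * (uint64_t)height;    /* cannot overflow: */
                                                    /* 0x7FFF*0x7FFF*16 < 2^64 */
    if (total > MAX_IMAGE_BYTES)
        return false;

    *out_bytes = (size_t)total;
    return true;
}

int main(void)
{
    /* aDHeight from this bug's debug stack, with a constructed width of 30. */
    int32_t  width  = 30;
    int32_t  height = 71582792;
    uint32_t bpp    = 4;  /* ARGB32 */
    size_t   bytes  = 0;

    printf("unchecked 32-bit size: %u bytes\n",
           naive_image_bytes_u32((uint32_t)width, (uint32_t)height, bpp));
    printf("checked: %s\n",
           checked_image_bytes(width, height, bpp, &bytes) ? "accepted" : "rejected");

    if (checked_image_bytes(640, 480, bpp, &bytes))
        printf("640x480 ARGB32 accepted: %zu bytes\n", bytes);
    return 0;
}
```

Running the block shows the point of the patch: the unchecked 32-bit product for 30 x 71582792 x 4 wraps to 448 bytes even though the real size is about 8.6 GB, whereas the checked path rejects the request outright and only lets an ordinary 640 x 480 surface (1228800 bytes) through.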
Verifying that the crash doesn't occur on the 1.8 branch (Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.4pre) Gecko/20070322 BonEcho/2.0.0.4pre).
Whiteboard: [sg:critical?] → [sg:critical?] post 1.8-branch
Flags: wanted1.8.1.x-
Whiteboard: [sg:critical?] post 1.8-branch → [sg:critical?] post 1.8-branch; Apple bug #5087549
Group: security
Crash Signature: [@ ARGB32_image_mark]