Closed Bug 944094 Opened 11 years ago Closed 10 years ago

segfault in {nsJPEGDecoder,nsPNGDecoder}::InitInternal

Categories

(Core :: Graphics: ImageLib, defect)

28 Branch
ARM
Android
defect
Not set
normal

Tracking


RESOLVED FIXED
mozilla29
Tracking Status
firefox26 --- unaffected
firefox27 + fixed
firefox28 + fixed
firefox29 --- fixed
fennec 27+ ---

People

(Reporter: rnewman, Assigned: nbp)

References


Details

(Keywords: crash, regression, Whiteboard: [native-crash][fixed by 957475])

Crash Data

Reproducible by visiting bild.de with current Fennec Nightly.


Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 29226]
jpeg_std_error (err=0x7ea14a94) at /Users/rnewman/moz/hg/fx-team/media/libjpeg/jerror.c:233
233	  err->error_exit = error_exit;

#0  jpeg_std_error (err=0x7ea14a94) at /Users/rnewman/moz/hg/fx-team/media/libjpeg/jerror.c:233
#1  0x7183d158 in mozilla::image::nsJPEGDecoder::InitInternal (this=0x7ea14800)
    at /Users/rnewman/moz/hg/fx-team/image/decoders/nsJPEGDecoder.cpp:145
#2  0x71834fee in mozilla::image::Decoder::Init (this=0x7ea14800)
    at /Users/rnewman/moz/hg/fx-team/image/src/Decoder.cpp:57
#3  0x718325ea in mozilla::image::RasterImage::InitDecoder (this=this@entry=0x7cf4b040,
    aDoSizeDecode=aDoSizeDecode@entry=true) at /Users/rnewman/moz/hg/fx-team/image/src/RasterImage.cpp:2038
#4  0x718329f4 in Init (aFlags=<optimized out>, aMimeType=<optimized out>, this=0x7cf4b040)
    at /Users/rnewman/moz/hg/fx-team/image/src/RasterImage.cpp:514
#5  mozilla::image::RasterImage::Init (this=0x7cf4b040, aMimeType=<optimized out>, aFlags=<optimized out>)
    at /Users/rnewman/moz/hg/fx-team/image/src/RasterImage.cpp:481
#6  0x718368dc in mozilla::image::ImageFactory::CreateRasterImage (aRequest=aRequest@entry=0x7cabf834,
    aStatusTracker=aStatusTracker@entry=0x7ce516f0, aMimeType=..., aURI=aURI@entry=0x7cad7b00, aImageFlags=3,
    aInnerWindowId=9) at /Users/rnewman/moz/hg/fx-team/image/src/ImageFactory.cpp:187
#7  0x718369f8 in mozilla::image::ImageFactory::CreateImage (aRequest=0x7cabf834, aStatusTracker=0x7ce516f0,
    aMimeType=..., aURI=0x7cad7b00, aIsMultiPart=false, aInnerWindowId=9)
    at /Users/rnewman/moz/hg/fx-team/image/src/ImageFactory.cpp:104
#8  0x7182ca40 in imgRequest::OnDataAvailable (this=0x7d0f93a0, aRequest=0x7cabf834, ctxt=0x0, inStr=
    0x7ba8a6a0, sourceOffset=0, count=11617) at /Users/rnewman/moz/hg/fx-team/image/src/imgRequest.cpp:815
#9  0x71826fa0 in ProxyListener::OnDataAvailable (this=<optimized out>, aRequest=<optimized out>,
    ctxt=<optimized out>, inStr=<optimized out>, sourceOffset=0, count=11617)
    at /Users/rnewman/moz/hg/fx-team/image/src/imgLoader.cpp:2113
#10 0x71593e40 in nsStreamListenerTee::OnDataAvailable (this=<optimized out>, request=0x7cabf834, context=0x0,
    input=0x0, offset=0, count=11617)
    at /Users/rnewman/moz/hg/fx-team/netwerk/base/src/nsStreamListenerTee.cpp:93
#11 0x715ed096 in mozilla::net::nsHttpChannel::OnDataAvailable (this=0x7cabf800, request=<optimized out>,
    ctxt=<optimized out>, input=0x739d8070, offset=0, count=11617)
    at /Users/rnewman/moz/hg/fx-team/netwerk/protocol/http/nsHttpChannel.cpp:5313
#12 0x7158f43a in nsInputStreamPump::OnStateTransfer (this=this@entry=0x7ce56460)
    at /Users/rnewman/moz/hg/fx-team/netwerk/base/src/nsInputStreamPump.cpp:593
Just got the same stack but for nsPNGDecoder, so this is apparently nothing to do with the image.

Summary: segfault in nsJPEGDecoder::InitInternal → segfault in {nsJPEGDecoder,nsPNGDecoder}::InitInternal
tracking-fennec: --- → ?
https://crash-stats.mozilla.com/report/index/745b2983-caf7-4a6b-b453-ca1d92131127 In crash stats this shows up as bug 930735. Dupe?
Crash Signature: [@ js::CloneFunctionObject(JSContext*, JS::Handle<JSFunction*>, JS::Handle<JSObject*>, js::gc::AllocKind, js::NewObjectKind)]
Whiteboard: [native-crash]
Certainly could be. I don't know enough about the interaction between Gecko and gdb to determine whether these are spurious stacks.
Tracking for now, we may reverse the decision if there's difficulty fixing and the crash drops off on higher channels.
tracking-fennec: ? → 27+
Milan, can we get an assignee?
Flags: needinfo?(milan)
I'll leave needinfo on me until we get a regression range before assigning.
Richard, do you still see this on nightly, and what phone were you using?  Does the image comment 1 crash still?
Flags: needinfo?(milan) → needinfo?(rnewman)
Bild.de still reliably crashes Nightly. HTC One, Kitkat. 

Today's test crash:

https://crash-stats.mozilla.com/report/index/bp-a37ae802-5046-4091-9061-cdb562131219
Flags: needinfo?(rnewman)
Kitkat.  Ouch.  The crash above is mapped to bug 938026, seemingly without the image decoding in the stack (GC?).  :snorp, you have a Kitkat phone handy, right?  Can you try to reproduce and see if the stack shows image decoding?
Flags: needinfo?(snorp)
I get a crash in nsJPEGDecoder here:

#0  jpeg_std_error (err=0x7a2a0a94) at /Users/snorp/source/gecko-dev/media/libjpeg/jerror.c:233
#1  0x728d5af8 in mozilla::image::nsJPEGDecoder::InitInternal (this=0x7a2a0800) at /Users/snorp/source/gecko-dev/image/decoders/nsJPEGDecoder.cpp:145
#2  0x728c8e5c in mozilla::image::Decoder::Init (this=0x7a2a0800) at /Users/snorp/source/gecko-dev/image/src/Decoder.cpp:56
#3  0x728c4e98 in mozilla::image::RasterImage::InitDecoder (this=0x79e51ab0, aDoSizeDecode=<optimized out>) at /Users/snorp/source/gecko-dev/image/src/RasterImage.cpp:2031
#4  0x728c5586 in Init (aFlags=<optimized out>, aMimeType=0x7a42f0a8 "image/jpeg", this=0x79e51ab0) at /Users/snorp/source/gecko-dev/image/src/RasterImage.cpp:516
#5  mozilla::image::RasterImage::Init (this=0x79e51ab0, aMimeType=0x7a42f0a8 "image/jpeg", aFlags=<optimized out>) at /Users/snorp/source/gecko-dev/image/src/RasterImage.cpp:483
#6  0x728cdf18 in mozilla::image::ImageFactory::CreateRasterImage (aRequest=0x7c6ebc34, aStatusTracker=0x7b888e70, aMimeType=..., aURI=0x7c2bbf00, aImageFlags=3, aInnerWindowId=10) at /Users/snorp/source/gecko-dev/image/src/ImageFactory.cpp:187
#7  0x728ce128 in mozilla::image::ImageFactory::CreateImage (aRequest=0x7c6ebc34, aStatusTracker=0x7b888e70, aMimeType=..., aURI=0x7c2bbf00, aIsMultiPart=false, aInnerWindowId=10) at /Users/snorp/source/gecko-dev/image/src/ImageFactory.cpp:104
#8  0x728bc500 in imgRequest::OnDataAvailable (this=0x7c26ace0, aRequest=0x7c6ebc34, ctxt=0x0, inStr=0x7c234880, sourceOffset=0, count=74466) at /Users/snorp/source/gecko-dev/image/src/imgRequest.cpp:815
#9  0x728b4c32 in OnDataAvailable (count=0, sourceOffset=8236506094686652544, inStr=0x7c234880, ctxt=0x0, aRequest=0x7c6ebc34, this=<optimized out>) at /Users/snorp/source/gecko-dev/image/src/imgLoader.cpp:2113
#10 ProxyListener::OnDataAvailable (this=<optimized out>, aRequest=0x7c6ebc34, ctxt=0x0, inStr=0x7c234880, sourceOffset=0, count=74466) at /Users/snorp/source/gecko-dev/image/src/imgLoader.cpp:2106
#11 0x724df2a6 in mozilla::net::nsHttpChannel::OnDataAvailable (this=0x7c6ebc00, request=<optimized out>, ctxt=<optimized out>, input=0x7c234880, offset=0, count=74466) at /Users/snorp/source/gecko-dev/netwerk/protocol/http/nsHttpChannel.cpp:5303
#12 0x72445bd6 in nsInputStreamPump::OnStateTransfer (this=0x7ce38190) at /Users/snorp/source/gecko-dev/netwerk/base/src/nsInputStreamPump.cpp:593
#13 0x7244ab20 in nsInputStreamPump::OnInputStreamReady (this=0x7ce38190, stream=<optimized out>) at /Users/snorp/source/gecko-dev/netwerk/base/src/nsInputStreamPump.cpp:434
#14 0x723e8386 in nsInputStreamReadyEvent::Run (this=0x7a217ee0) at /Users/snorp/source/gecko-dev/xpcom/io/nsStreamUtils.cpp:85
#15 0x723f481e in nsThreadPool::Run (this=0x775871c0) at /Users/snorp/source/gecko-dev/xpcom/threads/nsThreadPool.cpp:208
#16 0x723f4542 in ProcessNextEvent (result=0x778f9cf7, mayWait=false, this=0x7750d080) at /Users/snorp/source/gecko-dev/xpcom/threads/nsThread.cpp:634
#17 nsThread::ProcessNextEvent (this=0x7750d080, mayWait=<optimized out>, result=0x778f9cf7) at /Users/snorp/source/gecko-dev/xpcom/threads/nsThread.cpp:567
#18 0x723aea22 in NS_ProcessNextEvent (thread=0x7750d080, mayWait=<optimized out>) at /Users/snorp/source/gecko-dev/xpcom/glue/nsThreadUtils.cpp:263
#19 0x725aafe8 in mozilla::ipc::MessagePumpForNonMainThreads::Run (this=0x7759d1f0, aDelegate=0x7a2d4860) at /Users/snorp/source/gecko-dev/ipc/glue/MessagePump.cpp:301
#20 0x72590d82 in MessageLoop::RunInternal (this=0x7a2d4860) at /Users/snorp/source/gecko-dev/ipc/chromium/src/base/message_loop.cc:226
#21 0x72590dc2 in RunHandler (this=0x7a2d4860) at /Users/snorp/source/gecko-dev/ipc/chromium/src/base/message_loop.cc:219
#22 MessageLoop::Run (this=0x7a2d4860) at /Users/snorp/source/gecko-dev/ipc/chromium/src/base/message_loop.cc:193
#23 0x723f40d6 in nsThread::ThreadFunc (arg=0x7750d080) at /Users/snorp/source/gecko-dev/xpcom/threads/nsThread.cpp:258
#24 0x6e316608 in _pt_root (arg=0x7750d780) at /Users/snorp/source/gecko-dev/nsprpub/pr/src/pthreads/ptthread.c:205
#25 0x400e122c in __thread_entry () from /Users/snorp/source/jimdb/lib/015d21d4fe181a0e/system/lib/libc.so
#26 0x400e13c4 in pthread_create () from /Users/snorp/source/jimdb/lib/015d21d4fe181a0e/system/lib/libc.so
#27 0x00000000 in ?? ()
Flags: needinfo?(snorp)
And on the next run I get a crash in nsPNGDecoder...
Stack changes every time, I'd say we have some corruption going on here.
Blocks: 938026
Blocks: 930735
(In reply to James Willcox (:snorp) (jwillcox@mozilla.com) from comment #13)
> Stack changes every time, I'd say we have some corruption going on here.

Decoder crash with changing signatures reminds me of bug 943803 - could there be some connection?
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #14)
> (In reply to James Willcox (:snorp) (jwillcox@mozilla.com) from comment #13)
> > Stack changes every time, I'd say we have some corruption going on here.
> 
> Decoder crash with changing signatures reminds me of bug 943803 - could
> there be some connection?

I don't have access to that one.
Assignee: nobody → snorp
James, you should have access to bug 943803, and I asked Seth in that one if he sees a connection.
Blocks: 957475
Flags: needinfo?(kvijayan)
Patch for bug 957475 (disabling setarg & arguments compilation for now) just landed in inbound today.  Does this still reproduce?
Flags: needinfo?(kvijayan)
I'll test tomorrow when that patch is in the next nightly.
Flags: needinfo?(tnikkel)
I see tn has this under control :)
Assignee: snorp → tnikkel
Doesn't crash anymore for me.
Assignee: tnikkel → nobody
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(tnikkel)
Resolution: --- → FIXED
(In reply to Timothy Nikkel (:tn) from comment #21)
> Doesn't crash anymore for me.

In this case, it should be fixed for future 28 and 27 builds as well, given this just landed in aurora and beta.
Whiteboard: [native-crash] → [native-crash][fixed by 957475]
Assignee: nobody → nicolas.b.pierron
Target Milestone: --- → mozilla29