944094 - segfault in {nsJPEGDecoder,nsPNGDecoder}::InitInternal

Status: RESOLVED FIXED

(Core :: Graphics: ImageLib, defect)

Description

[Richard Newman [:rnewman]]

Reproducible by visiting bild.de with current Fennec Nightly.


Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 29226]
jpeg_std_error (err=0x7ea14a94) at /Users/rnewman/moz/hg/fx-team/media/libjpeg/jerror.c:233
233	  err->error_exit = error_exit;

#0  jpeg_std_error (err=0x7ea14a94) at /Users/rnewman/moz/hg/fx-team/media/libjpeg/jerror.c:233
#1  0x7183d158 in mozilla::image::nsJPEGDecoder::InitInternal (this=0x7ea14800)
    at /Users/rnewman/moz/hg/fx-team/image/decoders/nsJPEGDecoder.cpp:145
#2  0x71834fee in mozilla::image::Decoder::Init (this=0x7ea14800)
    at /Users/rnewman/moz/hg/fx-team/image/src/Decoder.cpp:57
#3  0x718325ea in mozilla::image::RasterImage::InitDecoder (this=this@entry=0x7cf4b040,
    aDoSizeDecode=aDoSizeDecode@entry=true) at /Users/rnewman/moz/hg/fx-team/image/src/RasterImage.cpp:2038
#4  0x718329f4 in Init (aFlags=<optimized out>, aMimeType=<optimized out>, this=0x7cf4b040)
    at /Users/rnewman/moz/hg/fx-team/image/src/RasterImage.cpp:514
#5  mozilla::image::RasterImage::Init (this=0x7cf4b040, aMimeType=<optimized out>, aFlags=<optimized out>)
    at /Users/rnewman/moz/hg/fx-team/image/src/RasterImage.cpp:481
#6  0x718368dc in mozilla::image::ImageFactory::CreateRasterImage (aRequest=aRequest@entry=0x7cabf834,
    aStatusTracker=aStatusTracker@entry=0x7ce516f0, aMimeType=..., aURI=aURI@entry=0x7cad7b00, aImageFlags=3,
    aInnerWindowId=9) at /Users/rnewman/moz/hg/fx-team/image/src/ImageFactory.cpp:187
#7  0x718369f8 in mozilla::image::ImageFactory::CreateImage (aRequest=0x7cabf834, aStatusTracker=0x7ce516f0,
    aMimeType=..., aURI=0x7cad7b00, aIsMultiPart=false, aInnerWindowId=9)
    at /Users/rnewman/moz/hg/fx-team/image/src/ImageFactory.cpp:104
#8  0x7182ca40 in imgRequest::OnDataAvailable (this=0x7d0f93a0, aRequest=0x7cabf834, ctxt=0x0, inStr=
    0x7ba8a6a0, sourceOffset=0, count=11617) at /Users/rnewman/moz/hg/fx-team/image/src/imgRequest.cpp:815
#9  0x71826fa0 in ProxyListener::OnDataAvailable (this=<optimized out>, aRequest=<optimized out>,
    ctxt=<optimized out>, inStr=<optimized out>, sourceOffset=0, count=11617)
    at /Users/rnewman/moz/hg/fx-team/image/src/imgLoader.cpp:2113
#10 0x71593e40 in nsStreamListenerTee::OnDataAvailable (this=<optimized out>, request=0x7cabf834, context=0x0,
    input=0x0, offset=0, count=11617)
    at /Users/rnewman/moz/hg/fx-team/netwerk/base/src/nsStreamListenerTee.cpp:93
#11 0x715ed096 in mozilla::net::nsHttpChannel::OnDataAvailable (this=0x7cabf800, request=<optimized out>,
    ctxt=<optimized out>, input=0x739d8070, offset=0, count=11617)
    at /Users/rnewman/moz/hg/fx-team/netwerk/protocol/http/nsHttpChannel.cpp:5313
#12 0x7158f43a in nsInputStreamPump::OnStateTransfer (this=this@entry=0x7ce56460)
    at /Users/rnewman/moz/hg/fx-team/netwerk/base/src/nsInputStreamPump.cpp:593

Comment 1

[Richard Newman [:rnewman]]

GDB tells me the image is

http://bilder.bild.de/fotos-skaliert/a-bendtner_35694961-1385580901-33577276/2,w=658,c=0.bild.jpg

Comment 2

[Richard Newman [:rnewman]]

Just got the same stack but for nsPNGDecoder, so this is apparently nothing to do with the image.

$1 = {<mozilla::image::ImageResource> = {<mozilla::image::Image> = {<imgIContainer> = {<nsISupports> = {
          _vptr.nsISupports = 0x728b1070 <vtable for mozilla::image::RasterImage+8>}, <No data fields>},
      static INIT_FLAG_NONE = 0, static INIT_FLAG_DISCARDABLE = 1, static INIT_FLAG_DECODE_ON_DRAW = 2,
      static INIT_FLAG_MULTIPART = 4}, mStatusTracker = {mRawPtr = 0x7dee17e0}, mURI = {mRawPtr = 0x7c20a900},
    mInnerWindowId = 0, mAnimationConsumers = 0, mAnimationMode = 0, mInitialized = false, mAnimating = false,
    mError = false}, <nsIProperties> = {<nsISupports> = {
      _vptr.nsISupports = 0x728b1164 <vtable for mozilla::image::RasterImage+252>}, <No data fields>}, <mozilla::SupportsWeakPtr<mozilla::image::RasterImage>> =
    {<mozilla::SupportsWeakPtrBase<mozilla::image::RasterImage, mozilla::detail::WeakReference<mozilla::image::RasterImage> >> = {weakRef = {ptr = 0x0}}, <No data fields>}, mRefCnt = {static isThreadSafe = true, mValue =
    {<mozilla::detail::AtomicBaseIncDec<unsigned int, (mozilla::MemoryOrdering)2>> =
    {<mozilla::detail::AtomicBase<unsigned int, (mozilla::MemoryOrdering)2>> = {mValue =
    1}, <No data fields>}, <No data fields>}}, _mOwningThread = {mThread = 0x7b308480}, mSize =
    {<mozilla::gfx::BaseSize<int, nsIntSize>> = {width = 0, height = 0}, <No data fields>}, mOrientation = {
    rotation = mozilla::image::D0, flip = mozilla::image::Unflipped}, mFrameDecodeFlags = 0, mFrameBlender = {
    mFrames = {mRawPtr = 0x7c77e1b0}, mSize = {<mozilla::gfx::BaseSize<int, nsIntSize>> = {width = 0, height =
    0}, <No data fields>}, mAnim = 0x0}, mMultipartDecodedFrame = 0x0, mProperties = {<nsCOMPtr_base> = {
      mRawPtr = 0x0}, <No data fields>}, mAnim = 0x0, mLockCount = 0, mDiscardTrackerNode =
    {<mozilla::LinkedListElement<mozilla::image::DiscardTracker::Node>> = {next = 0x7c7d4f80, prev =
    0x7c7d4f80, isSentinel = false}, img = 0x7c7d4f20, timestamp = {mValue = 0}}, mSourceDataMimeType =
    {<nsACString_internal> = {mData = 0x7de819a8 "image/png", mLength = 9, mFlags = 5}, <No data fields>},
  mDecodeCount = 0, mRequestedResolution = {<mozilla::gfx::BaseSize<int, nsIntSize>> = {width = 0, height =
    0}, <No data fields>}, mImageContainer = {mRawPtr = 0x0}, mDecodingMutex = {<mozilla::OffTheBooksMutex> =
    {<mozilla::BlockingResourceBase> = {static kResourceTypeName =
    0x72803a6c <mozilla::BlockingResourceBase::kResourceTypeName>}, mLock = 0x7e3c6b50}, <No data fields>},
  mSourceData = {<nsTArray_Impl<char, nsTArrayFallibleAllocator>> =
    {<nsTArray_base<nsTArrayFallibleAllocator, nsTArray_CopyWithMemutils>> = {mHdr =
    0x72a823d0 <nsTArrayHeader::sEmptyHdr>}, <nsTArray_TypedBase<char, nsTArray_Impl<char, nsTArrayFallibleAllocator> >> = {<nsTArray_SafeElementAtHelper<char, nsTArray_Impl<char, nsTArrayFallibleAllocator> >> =
    {<No data fields>}, <No data fields>}, <No data fields>}, <No data fields>}, mDecoder = {mRawPtr = 0x0},
  mDecodeRequest = {mRawPtr = 0x0}, mBytesDecoded = 0, mInDecoder = false, mHasSize = false, mDecodeOnDraw =
    true, mMultipart = false, mDiscardable = true, mHasSourceData = false, mDecoded = false, mHasBeenDecoded =
    false, mAnimationFinished = false, mFinishing = false, mInUpdateImageContainer = false, mWantFullDecode =
    false, mPendingError = false, mDrawStartTime = {mValue = 0}, mScaleResult = {scale =
    {<mozilla::gfx::BaseSize<double, gfxSize>> = {width = 0, height = 0}, <No data fields>}, frame = {mRawPtr =
    0x0}, status = mozilla::image::RasterImage::SCALE_INVALID}, mScaleRequest = 0x0, mStatusTrackerInit = {
    mRawPtr = 0x7de11b20}}

Comment 3

[Kevin Brosnan [Ex-Mozilla]]

https://crash-stats.mozilla.com/report/index/745b2983-caf7-4a6b-b453-ca1d92131127 In crash stats this shows up as bug 930735. Dupe?

Comment 4

[Richard Newman [:rnewman]]

Certainly could be. I don't know enough about the interaction between Gecko and gdb to determine whether these are spurious stacks.

Comment 5

[Alex Keybl [:akeybl]]

Tracking for now, we may reverse the decision if there's difficulty fixing and the crash drops off on higher channels.

Comment 6

[Brad Lassey [:blassey] (use needinfo?)]

Milan, can we get an assignee?

Comment 7

[Milan Sreckovic [:milan] (needinfo for best results)]

I'll leave needinfo on me until we get a regression range before assigning.

Comment 8

[Milan Sreckovic [:milan] (needinfo for best results)]

Richard, do you still see this on nightly, and what phone were you using?  Does the image comment 1 crash still?

Comment 9

[Richard Newman [:rnewman]]

Bild.de still reliably crashes Nightly. HTC One, Kitkat. 

Today's test crash:

https://crash-stats.mozilla.com/report/index/bp-a37ae802-5046-4091-9061-cdb562131219

Comment 10

[Milan Sreckovic [:milan] (needinfo for best results)]

Kitkat.  Ouch.  The crash above is mapped to bug 938026, seemingly without the image decoding in the stack (GC?).  :snorp, you have a Kitkat phone handy, right?  Can you try to reproduce and see if the stack shows image decoding?

Comment 11

[James Willcox (:snorp) (jwillcox@mozilla.com) (he/him)]

I get a crash in nsJPEGDecoder here:

#0  jpeg_std_error (err=0x7a2a0a94) at /Users/snorp/source/gecko-dev/media/libjpeg/jerror.c:233
#1  0x728d5af8 in mozilla::image::nsJPEGDecoder::InitInternal (this=0x7a2a0800) at /Users/snorp/source/gecko-dev/image/decoders/nsJPEGDecoder.cpp:145
#2  0x728c8e5c in mozilla::image::Decoder::Init (this=0x7a2a0800) at /Users/snorp/source/gecko-dev/image/src/Decoder.cpp:56
#3  0x728c4e98 in mozilla::image::RasterImage::InitDecoder (this=0x79e51ab0, aDoSizeDecode=<optimized out>) at /Users/snorp/source/gecko-dev/image/src/RasterImage.cpp:2031
#4  0x728c5586 in Init (aFlags=<optimized out>, aMimeType=0x7a42f0a8 "image/jpeg", this=0x79e51ab0) at /Users/snorp/source/gecko-dev/image/src/RasterImage.cpp:516
#5  mozilla::image::RasterImage::Init (this=0x79e51ab0, aMimeType=0x7a42f0a8 "image/jpeg", aFlags=<optimized out>) at /Users/snorp/source/gecko-dev/image/src/RasterImage.cpp:483
#6  0x728cdf18 in mozilla::image::ImageFactory::CreateRasterImage (aRequest=0x7c6ebc34, aStatusTracker=0x7b888e70, aMimeType=..., aURI=0x7c2bbf00, aImageFlags=3, aInnerWindowId=10) at /Users/snorp/source/gecko-dev/image/src/ImageFactory.cpp:187
#7  0x728ce128 in mozilla::image::ImageFactory::CreateImage (aRequest=0x7c6ebc34, aStatusTracker=0x7b888e70, aMimeType=..., aURI=0x7c2bbf00, aIsMultiPart=false, aInnerWindowId=10) at /Users/snorp/source/gecko-dev/image/src/ImageFactory.cpp:104
#8  0x728bc500 in imgRequest::OnDataAvailable (this=0x7c26ace0, aRequest=0x7c6ebc34, ctxt=0x0, inStr=0x7c234880, sourceOffset=0, count=74466) at /Users/snorp/source/gecko-dev/image/src/imgRequest.cpp:815
#9  0x728b4c32 in OnDataAvailable (count=0, sourceOffset=8236506094686652544, inStr=0x7c234880, ctxt=0x0, aRequest=0x7c6ebc34, this=<optimized out>) at /Users/snorp/source/gecko-dev/image/src/imgLoader.cpp:2113
#10 ProxyListener::OnDataAvailable (this=<optimized out>, aRequest=0x7c6ebc34, ctxt=0x0, inStr=0x7c234880, sourceOffset=0, count=74466) at /Users/snorp/source/gecko-dev/image/src/imgLoader.cpp:2106
#11 0x724df2a6 in mozilla::net::nsHttpChannel::OnDataAvailable (this=0x7c6ebc00, request=<optimized out>, ctxt=<optimized out>, input=0x7c234880, offset=0, count=74466) at /Users/snorp/source/gecko-dev/netwerk/protocol/http/nsHttpChannel.cpp:5303
#12 0x72445bd6 in nsInputStreamPump::OnStateTransfer (this=0x7ce38190) at /Users/snorp/source/gecko-dev/netwerk/base/src/nsInputStreamPump.cpp:593
#13 0x7244ab20 in nsInputStreamPump::OnInputStreamReady (this=0x7ce38190, stream=<optimized out>) at /Users/snorp/source/gecko-dev/netwerk/base/src/nsInputStreamPump.cpp:434
#14 0x723e8386 in nsInputStreamReadyEvent::Run (this=0x7a217ee0) at /Users/snorp/source/gecko-dev/xpcom/io/nsStreamUtils.cpp:85
#15 0x723f481e in nsThreadPool::Run (this=0x775871c0) at /Users/snorp/source/gecko-dev/xpcom/threads/nsThreadPool.cpp:208
#16 0x723f4542 in ProcessNextEvent (result=0x778f9cf7, mayWait=false, this=0x7750d080) at /Users/snorp/source/gecko-dev/xpcom/threads/nsThread.cpp:634
#17 nsThread::ProcessNextEvent (this=0x7750d080, mayWait=<optimized out>, result=0x778f9cf7) at /Users/snorp/source/gecko-dev/xpcom/threads/nsThread.cpp:567
#18 0x723aea22 in NS_ProcessNextEvent (thread=0x7750d080, mayWait=<optimized out>) at /Users/snorp/source/gecko-dev/xpcom/glue/nsThreadUtils.cpp:263
#19 0x725aafe8 in mozilla::ipc::MessagePumpForNonMainThreads::Run (this=0x7759d1f0, aDelegate=0x7a2d4860) at /Users/snorp/source/gecko-dev/ipc/glue/MessagePump.cpp:301
#20 0x72590d82 in MessageLoop::RunInternal (this=0x7a2d4860) at /Users/snorp/source/gecko-dev/ipc/chromium/src/base/message_loop.cc:226
#21 0x72590dc2 in RunHandler (this=0x7a2d4860) at /Users/snorp/source/gecko-dev/ipc/chromium/src/base/message_loop.cc:219
#22 MessageLoop::Run (this=0x7a2d4860) at /Users/snorp/source/gecko-dev/ipc/chromium/src/base/message_loop.cc:193
#23 0x723f40d6 in nsThread::ThreadFunc (arg=0x7750d080) at /Users/snorp/source/gecko-dev/xpcom/threads/nsThread.cpp:258
#24 0x6e316608 in _pt_root (arg=0x7750d780) at /Users/snorp/source/gecko-dev/nsprpub/pr/src/pthreads/ptthread.c:205
#25 0x400e122c in __thread_entry () from /Users/snorp/source/jimdb/lib/015d21d4fe181a0e/system/lib/libc.so
#26 0x400e13c4 in pthread_create () from /Users/snorp/source/jimdb/lib/015d21d4fe181a0e/system/lib/libc.so
#27 0x00000000 in ?? ()

Comment 12

[James Willcox (:snorp) (jwillcox@mozilla.com) (he/him)]

And on the next run I get a crash in nsPNGDecoder...

Comment 13

[James Willcox (:snorp) (jwillcox@mozilla.com) (he/him)]

Stack changes every time, I'd say we have some corruption going on here.

Comment 14

[Robert Kaiser]

(In reply to James Willcox (:snorp) (jwillcox@mozilla.com) from comment #13)
> Stack changes every time, I'd say we have some corruption going on here.

Decoder crash with changing signatures reminds me of bug 943803 - could there be some connection?

Comment 15

[James Willcox (:snorp) (jwillcox@mozilla.com) (he/him)]

(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #14)
> (In reply to James Willcox (:snorp) (jwillcox@mozilla.com) from comment #13)
> > Stack changes every time, I'd say we have some corruption going on here.
> 
> Decoder crash with changing signatures reminds me of bug 943803 - could
> there be some connection?

I don't have access to that one

Comment 16

[Milan Sreckovic [:milan] (needinfo for best results)]

James, you should have access to bug 943803, and I asked Seth in that one if he sees a connection.

Comment 17

[Timothy Nikkel (:tnikkel)]

Bisected this down, it is caused by http://hg.mozilla.org/mozilla-central/rev/2963a336e7ec bug 921120.

Comment 18

[Kannan Vijayan [:djvj]]

Patch for bug 957475 (disabling setarg & arguments compilation for now) just landed in inbound today.  Does this still reproduce?

Comment 19

[Timothy Nikkel (:tnikkel)]

I'll test tomorrow when that patch is in the next nightly.

Comment 20

[James Willcox (:snorp) (jwillcox@mozilla.com) (he/him)]

I see tn has this under control :)

Comment 21

[Timothy Nikkel (:tnikkel)]

Doesn't crash anymore for me.

Comment 22

[Robert Kaiser]

(In reply to Timothy Nikkel (:tn) from comment #21)
> Doesn't crash anymore for me.

In this case, it should be fixed for future 28 and 27 builds a well, given this just landed in aurora and beta.