[Webkit-unassigned] [Bug 66892] New: SIGFPE (divide by zero) in Accelerate.framework during Canvas.getImageData

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Aug 24 14:35:47 PDT 2011 

https://bugs.webkit.org/show_bug.cgi?id=66892

           Summary: SIGFPE (divide by zero) in Accelerate.framework during
                    Canvas.getImageData
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Macintosh
        OS/Version: Mac OS X 10.7
            Status: NEW
          Severity: Major
          Priority: P2
         Component: Canvas
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: kbr at google.com
                CC: simon.fraser at apple.com, cmarrin at apple.com,
                    mdelaney at apple.com, gman at google.com


Created an attachment (id=105069)
 --> (https://bugs.webkit.org/attachment.cgi?id=105069&action=review)
Crashing test case

On Mac OS X 10.7 there is a new crash in Accelerate.framework that can be triggered by a Canvas.getImageData call. The crash occurs in Safari 5.1 (7534.48.3), the current WebKit nightly, and Chromium on Mac OS X. All share Source/WebCore/platform/graphics/cg/ImageBufferDataCG.cpp and its use of Accelerate.

The reproduction case is attached. It came from the Muon Baryon demo at http://www.bitsnbites.eu/?p=98 .

The unpacked JavaScript source for this demo at http://muonbaryon.bitsnbites.eu/demo-unpacked.js is first run through the Closure compiler at http://closure-compiler.appspot.com/home . Then the CrunchMe tool at http://crunchme.bitsnbites.eu/ is run over it. CrunchMe encodes the source code as a PNG which is turned back into a string by drawing it into a Canvas and then calling Canvas.getImageData(). It seems that the PNG CrunchMe produces somehow generates out-of-range pixels (alpha = 0 and r, g, or b > 0) that cause a divide by zero during the alpha unmultiplication step which is accelerated by vImageUnpremultiplyData_RGBA8888.

The crash report contains the following:

=====

Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Exception Type:  EXC_ARITHMETIC (SIGFPE)
Exception Codes: EXC_I386_DIV (divide by zero)

Application Specific Information:
objc[1790]: garbage collection is OFF

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.vImage                  0x00007fff9600deac vImageUnpremultiplyData_RGBA8888 + 508
1   com.apple.WebCore                 0x00007fff8e047b7f WebCore::ImageBufferData::getData(WebCore::IntRect const&, WebCore::IntSize const&, bool, bool) const + 915
2   com.apple.WebCore                 0x00007fff8e0477d1 WebCore::ImageBuffer::getUnmultipliedImageData(WebCore::IntRect const&) const + 79
3   com.apple.WebCore                 0x00007fff8e047610 WebCore::CanvasRenderingContext2D::getImageData(float, float, float, float, int&) const + 434
4   com.apple.WebCore                 0x00007fff8e04740d WebCore::jsCanvasRenderingContext2DPrototypeFunctionGetImageData(JSC::ExecState*) + 877
5   ???                               0x000028f17be001e8 0 + 45017630507496
6   com.apple.JavaScriptCore          0x00007fff8a75f4dd JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1053
7   com.apple.JavaScriptCore          0x00007fff8a75f0ad JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 45
8   com.apple.WebCore                 0x00007fff8decdf2f WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) + 941
9   com.apple.WebCore                 0x00007fff8decdb04 WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul>&) + 494
10  com.apple.WebCore                 0x00007fff8ddec893 WebCore::EventTarget::fireEventListeners(WebCore::Event*) + 85
11  com.apple.WebCore                 0x00007fff8ddec980 WebCore::Node::handleLocalEvents(WebCore::Event*) + 180
12  com.apple.WebCore                 0x00007fff8ddec004 WebCore::EventDispatcher::dispatchEvent(WTF::PassRefPtr<WebCore::Event>) + 832
13  com.apple.WebCore                 0x00007fff8ddebc88 WebCore::EventDispatchMediator::dispatchEvent(WebCore::EventDispatcher*) const + 40
14  com.apple.WebCore                 0x00007fff8ddebb89 WebCore::EventDispatcher::dispatchEvent(WebCore::Node*, WebCore::EventDispatchMediator const&) + 41
15  com.apple.WebCore                 0x00007fff8ddebaf7 WebCore::Node::dispatchEvent(WTF::PassRefPtr<WebCore::Event>) + 55
16  com.apple.WebCore                 0x00007fff8df65b90 WebCore::HTMLImageLoader::dispatchLoadEvent() + 250
...
=====

I'd appreciate it if someone at Apple could route this report to the appropriate team. I haven't had much luck getting bugs fixed through the bug reporter at developer.apple.com.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list