[Webkit-unassigned] [Bug 256642] New: Crash in BitmapImage::frameCount

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu May 11 06:17:43 PDT 2023


https://bugs.webkit.org/show_bug.cgi?id=256642

            Bug ID: 256642
           Summary: Crash in BitmapImage::frameCount
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mcatanzaro at redhat.com
                CC: bugs-noreply at webkitgtk.org

Created attachment 466316

  --> https://bugs.webkit.org/attachment.cgi?id=466316&action=review

Full backtrace

I hit this crash twice yesterday. Notice this=0x0 in frame 5, so the bug is that BitmapImage::m_source is null, which is illegal because that is a Ref and not a RefPtr, so it should always be valid.

#0  WTF::OptionSet<WebCore::ImageSource::MetadataType>::isEmpty() const (this=<optimized out>)
    at WTF/Headers/wtf/OptionSet.h:159
#1  WTF::OptionSet<WebCore::ImageSource::MetadataType>::operator bool() (this=<optimized out>)
    at WTF/Headers/wtf/OptionSet.h:164
#2  WTF::OptionSet<WebCore::ImageSource::MetadataType>::containsAny(WTF::OptionSet<WebCore::ImageSource::MetadataType>) const (this=0x22c, optionSet=...) at WTF/Headers/wtf/OptionSet.h:173
#3  WTF::OptionSet<WebCore::ImageSource::MetadataType>::contains(WebCore::ImageSource::MetadataType) const
    (this=0x22c, option=WebCore::ImageSource::MetadataType::FrameCount) at WTF/Headers/wtf/OptionSet.h:168
#4  WebCore::ImageSource::metadataCacheIfNeeded<unsigned long>(unsigned long&, unsigned long const&, WebCore::ImageSource::MetadataType, unsigned long (WebCore::ImageDecoder::*)() const)
    (this=0x0, cachedValue=<error reading variable: Cannot access memory at address 0x1c8>, metadataType=WebCore::ImageSource::MetadataType::FrameCount, functor=&virtual table offset 56, defaultValue=<optimized out>)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/platform/graphics/ImageSource.cpp:495
#5  WebCore::ImageSource::frameCount() (this=0x0)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/platform/graphics/ImageSource.cpp:531
#6  0x00007ff4653c1760 in WebCore::BitmapImage::frameCount() const (this=0x7ff44a9ab780)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/platform/graphics/BitmapImage.h:85
#7  WebCore::BitmapImage::destroyDecodedData(bool) (this=0x7ff44a9ab780, destroyAll=<optimized out>)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/platform/graphics/BitmapImage.cpp:87
#8  0x00007ff4651f1922 in WTF::Function<void (WebCore::CachedResource&)>::operator()(WebCore::CachedResource&) const
    (this=0x7ffd5ecd1508, in=...) at WTF/Headers/wtf/Function.h:82
#9  WebCore::MemoryCache::forEachResource(WTF::Function<void (WebCore::CachedResource&)> const&)
    (this=<optimized out>, function=...)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/loader/cache/MemoryCache.cpp:226
#10 0x00007ff4651f1c10 in WebCore::MemoryCache::destroyDecodedDataForAllImages() (this=<optimized out>)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/loader/cache/MemoryCache.cpp:242
#11 0x00007ff465386fe8 in WebCore::ThreadTimers::sharedTimerFiredInternal() (this=0x7ff44a0ec2a0)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/platform/ThreadTimers.cpp:127
#12 0x00007ff46249a443 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::$_3::operator()(void*) const
    (userData=0x7ff4670823b0 <WebCore::MainThreadSharedTimer::singleton()::instance+16>, this=<optimized out>)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:177
#13 WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::$_3::__invoke(void*)
    (userData=0x7ff4670823b0 <WebCore::MainThreadSharedTimer::singleton()::instance+16>)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:169
#14 0x00007ff462499781 in WTF::RunLoop::$_0::operator()(_GSource*, int (*)(void*), void*) const
    (source=0x5594d757dd20, callback=0x7ff46249a3b0 <WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::$_3::__invoke(void*)>, userData=0x7ff4670823b0 <WebCore::MainThreadSharedTimer::singleton()::instance+16>, this=<optimized out>)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:53
#15 WTF::RunLoop::$_0::__invoke(_GSource*, int (*)(void*), void*)
    (source=0x5594d757dd20, callback=0x7ff46249a3b0 <WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::$_3::__invoke(void*)>, userData=0x7ff4670823b0 <WebCore::MainThreadSharedTimer::singleton()::instance+16>)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:45
#16 0x00007ff45ef8bd24 in g_main_dispatch (context=context at entry=0x5594d7254720) at ../glib/gmain.c:3474
#17 0x00007ff45ef8de27 in g_main_context_dispatch_unlocked (context=0x5594d7254720) at ../glib/gmain.c:4287
#18 g_main_context_iterate_unlocked
    (context=0x5594d7254720, block=block at entry=1, dispatch=dispatch at entry=1, self=<optimized out>)
    at ../glib/gmain.c:4352
#19 0x00007ff45ef8e74f in g_main_loop_run (loop=0x5594d72773d0) at ../glib/gmain.c:4554
#20 0x00007ff462499d66 in WTF::RunLoop::run() ()
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:108
#21 0x00007ff463c49a87 in WebKit::AuxiliaryProcessMainBase<WebKit::WebProcess, true>::run(int, char**)
     (this=0x7ffd5ecd1790, argc=3, argv=0x7ffd5ecd1928)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebKit/Shared/AuxiliaryProcessMain.h:72
#22 WebKit::AuxiliaryProcessMain<WebKit::WebProcessMainGtk>(int, char**) (argc=3, argv=0x7ffd5ecd1928) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebKit/Shared/AuxiliaryProcessMain.h:98
#23 0x00007ff462a2954a in __libc_start_call_main (main=main at entry=0x5594d61e0150 <main>, argc=argc at entry=3, argv=argv at entry=0x7ffd5ecd1928) at ../sysdeps/nptl/libc_start_call_main.h:58
#24 0x00007ff462a2960b in __libc_start_main_impl (main=0x5594d61e0150 <main>, argc=3, argv=0x7ffd5ecd1928, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=<optimized out>) at ../csu/libc-start.c:389
#25 0x00005594d61e0085 in _start ()

Line numbers correspond to 2.41.3.
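The small non-zero `this` values deeper in the trace (cachedValue at 0x1c8 in frame 4, the OptionSet at 0x22c in frame 2) are what a null object pointer plus a member offset looks like once the compiler has folded `this->member` into an address. The following is an added example, not WebKit or WebCore code: the struct layout is constructed so that its two members land at those offsets and is not the real ImageSource layout, and `NonNullRef` is a hypothetical Ref-style wrapper (not WTF::Ref) used only to show the one legal way a "never null" reference wrapper ends up holding nullptr, which a release build does not catch.

```cpp
// Added example, not WebKit code: reading a "null this" backtrace.
// Frame 5 reports this=0x0, frame 4 a cachedValue at 0x1c8 and frame 2 an
// OptionSet at 0x22c; small addresses like these are null base + member
// offset. The layout below is constructed to reproduce those two offsets
// and is NOT WebCore's real ImageSource layout.
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <string>
#include <utility>

struct MockImageSource {
    char header[0x1c8];                   // padding: m_frameCount lands at 0x1c8
    std::uint64_t m_frameCount;           // the cachedValue& in frame 4
    char more[0x22c - 0x1c8 - sizeof(std::uint64_t)];
    std::uint32_t m_metadata;             // the OptionSet whose this=0x22c in frame 2
};
static_assert(offsetof(MockImageSource, m_frameCount) == 0x1c8, "constructed layout");
static_assert(offsetof(MockImageSource, m_metadata) == 0x22c, "constructed layout");

// A heap object never lives in the first page, so a `this` below 4096 is a
// null base pointer plus a member offset, not a corrupted heap pointer.
bool looksLikeNullBaseDeref(std::uintptr_t thisAddr) { return thisAddr < 4096; }

// Map the `this` value a frame reports back to the member it belongs to.
std::string memberAtOffset(std::uintptr_t thisAddr) {
    if (thisAddr == offsetof(MockImageSource, m_frameCount)) return "m_frameCount";
    if (thisAddr == offsetof(MockImageSource, m_metadata)) return "m_metadata";
    return "unknown";
}

// Hypothetical Ref-style wrapper (not WTF::Ref): it cannot be constructed
// null, but a move leaves the source null and only a debug assert catches a
// later use. In a release build the null leaks through and the next member
// access faults at base 0 + offset, exactly the shape of the trace above.
template <typename T>
class NonNullRef {
public:
    explicit NonNullRef(T& object) : m_ptr(&object) {}
    NonNullRef(NonNullRef&& other) noexcept : m_ptr(other.m_ptr) { other.m_ptr = nullptr; }
    NonNullRef(const NonNullRef&) = delete;
    NonNullRef& operator=(const NonNullRef&) = delete;
    bool isValid() const { return m_ptr != nullptr; }
    T& get() const { assert(m_ptr && "NonNullRef used after move"); return *m_ptr; }
private:
    T* m_ptr;
};

// Returns true when the moved-from wrapper is null and the destination is
// not: the one legal way a "never null" reference wrapper holds nullptr.
bool movedFromRefIsNull() {
    MockImageSource source{};
    NonNullRef<MockImageSource> a(source);
    NonNullRef<MockImageSource> b(std::move(a));
    return !a.isValid() && b.isValid() && &b.get() == &source;
}

int main() {
    assert(looksLikeNullBaseDeref(0x22c));
    assert(memberAtOffset(0x22c) == "m_metadata");
    assert(movedFromRefIsNull());
    return 0;
}
```

When triaging a trace like this one, check that every small `this` in the inner frames is consistent with a single null base pointer (here 0x1c8 and 0x22c are both plausible member offsets of one object), which points at the owner of that pointer rather than at a corrupted field. The example does not claim how `m_source` became null in WebKit; it only shows that a Ref-style type cannot guard against that in a release build.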
