#7740 closed bug (fixed)
High resolution JPEG images crash ShowImage due to failure to clone area from app_server
Reported by: | leavengood | Owned by: | axeld |
---|---|---|---|
Priority: | normal | Milestone: | R1/beta2 |
Component: | Servers/app_server | Version: | R1/alpha3 |
Keywords: | Cc: | ||
Blocked By: | Blocking: | ||
Platform: | All |
Description (last modified by )
I have spent hours trying to debug this but I think it is outside my skillset at this point.
Opening the attached photo (a picture of my yard if you are wondering) which is more than 8000 pixels wide will always crash ShowImage from hrev42239 (and before, I've seen this for a while on big images.)
Edit: WARNING: this image also causes very bad behavior in WebPositive, maybe due to the same bug!!! I would try downloading it with wget!
After much printf debugging I narrowed it down to BBitmap::_InitObject failing to clone an area from app_server. BBitmapStream::WriteAt just doesn't check the bitmap InitCheck like it should (that is another bug which I can fix) and then tries to access the bitmap Bits() which are null, causing a segfault. My backtrace is also attached, but the line numbers are probably wrong due to my added printfs. But this should be reproducable with the attached image.
I used the area command in KDL to look at the area_id being returned from the app_server, and it seems valid and is owned by the app_server. The result from clone_area is B_BAD_VALUE, so I assume it is failing at the lookup_area call on line 1961 of vm.cpp. Maybe for some reason the source address space returned from the MultiAddressSpaceLocker is wrong?
If I fix BBitmapStream::WriteAt to actually check the InitCheck of the bitmap it creates, the segfault is fixed, but the image still won't load of course. It seems to be a deeper problem in either the app_server or kernel.
I've also included my debug output, and the result of the KDL command area for the area from the debug output (as well as the teams output to see it is indeed owned by app_server, team_id 70 = 0x46.)
Attachments (6)
Change History (24)
by , 14 years ago
Attachment: | big_yard_image.jpg added |
---|
comment:1 by , 14 years ago
Description: | modified (diff) |
---|
comment:2 by , 14 years ago
I've started investigating this but ran out of time. What I could gather was that the B_BAD_VALUE actually comes from browser:haiku/trunk/src/system/kernel/vm/VMUserAddressSpace.cpp#L675 which is rather curious, as it indicates the addressSpec to be B_EXACT_ADDRESS which isn't what the BBitmap function supplies. As mentioned I ran out of time then. I'll continue investigating tonight/tomorrow. I wanted to share the finding in case someone else wants to take a look sooner than that.
comment:3 by , 14 years ago
Fixed the BitmapStream part in hrev42297. I'll look into the other problem as well, but I don't have much time, so feel free to continue to investigate it yourself.
comment:4 by , 14 years ago
Looking at http://dev.haiku-os.org/browser/haiku/trunk/src/kits/app/ServerMemoryAllocator.cpp#L79 already reveals the problem: a 128 MB area is successfully reserved to contain the area. However, the area is larger than this, so the cloning (at the exact reserved address) is likely to fail.
comment:5 by , 14 years ago
Status: | new → in-progress |
---|
comment:6 by , 14 years ago
Thanks Axel.
That indeed sounds like the problem. Wow, an image this big requires more than 128 MB! I wouldn't have thought which is why I glanced over that code.
comment:7 by , 14 years ago
Actually doing the math the image should only take around 46 MB but as you said I guess it is the area that is bigger than 128 MB.
comment:8 by , 14 years ago
Resolution: | → fixed |
---|---|
Status: | in-progress → closed |
Fixed in hrev42298 (just came back and noticed that Trac refused to add the comment, as Ryan got in between -- really annoying feature).
Not sure what you have calculated there, but 8000*5000*4 (4 byte per pixel) is more than 128 MB :-)
comment:9 by , 14 years ago
Yeah that Trac "feature" bit me a few times on this bug too.
Oops, my silly math was for 1 byte per pixel :-D
Thanks for fixing this!
comment:10 by , 7 years ago
Tested on hrev51875 x86_64. This bug is still valid. Loading same picture in ShowImage gives "Can't load image. Either file or an image translator does not exist". Webpositive shows the image initially while loading, then shows a grey image of it after completion. Tested a few other smaller high res JPEGs which worked. Retesting the test picture, ShowImage will eventually display the test picture but as a small picture not filling the display window (see screenshot). I had to zoom in to enlarge it and displaying the picture work properly afterwards. I can also display it in WebPositive. NOTE: Getting it to work with the test images is not consistent. If you close the image in Webpositive/ShowImage, ShowImage will start displaying the same "Can't load Image..." error eventually.
NOTE: Observing resource/memory usage spikes. Possible that intensive resource apps like WebPositive or another system resource was starving other system resources (i.e. app_server, system memory, etc) in background causing this intermittent problem.
You can close this ticket at your discretion. If a user keeps other apps/system resources usage low, there are no major issues. Using high res JPEGs is not the issue.
follow-up: 12 comment:11 by , 7 years ago
Resolution: | fixed |
---|---|
Status: | closed → reopened |
by , 7 years ago
Attachment: | screenshot1.jpeg added |
---|
Test JPEG oddly not filling ShowImage display window
comment:12 by , 7 years ago
Replying to cocobean:
Test JPEG oddly not filling ShowImage display window
I think the jpeg is corrupted, I have the same problem on macOs
by , 7 years ago
Attachment: | ImageOnAMac.png added |
---|
comment:13 by , 7 years ago
We can do View->Full screen in ShowImage. Also, I retested other JPEG images up to 50.3 Megapixels with ShowImage - no major issues on hrev51877 x86_64.
Although, what is still happening is that if we view 'medium->large' files extensively using USB devices - we can/will hit a kernel paging issue (known issue). So, don't think it is specific to ShowImage itself.
comment:14 by , 6 years ago
Resolution: | → fixed |
---|---|
Status: | reopened → closed |
That is not an app server crash, and if it is actually an issue, deserves a separate ticket.
comment:15 by , 5 years ago
Milestone: | R1 → R1/beta2 |
---|
Assign tickets with status=closed and resolution=fixed within the R1/beta2 development window to the R1/beta2 Milestone
comment:16 by , 19 hours ago
I am working on a heic thumbnail viewer for myself, and obviously mixing with old fashioned jpeg/png images, and I regularly hit this issue when generating thumbnails from folders with > 100 images. It always crashes with the following stack trace, at random intermittent intervals:
Frame IP Function Name
----------------------------------------------- 0x7ff7a4410dd0 0x1c0679e1ab6 memcpy + 0x26
Disassembly:
memcpy: 0x000001c0679e1a90: 55 push %rbp 0x000001c0679e1a91: 4889d1 mov %rdx, %rcx 0x000001c0679e1a94: 4889e5 mov %rsp, %rbp 0x000001c0679e1a97: 4156 push %hrev14 0x000001c0679e1a99: 4155 push %hrev13 0x000001c0679e1a9b: 4989fd mov %rdi, %hrev13 0x000001c0679e1a9e: 4154 push %hrev12 0x000001c0679e1aa0: 4989f4 mov %rsi, %hrev12 0x000001c0679e1aa3: 4883ec18 sub $0x18, %rsp 0x000001c0679e1aa7: 4883fa10 cmp $0x10, %rdx 0x000001c0679e1aab: 7623 jbe 0x1c0679e1ad0 0x000001c0679e1aad: 4881faff070000 cmp $0x7ff, %rdx 0x000001c0679e1ab4: 765a jbe 0x1c0679e1b10 0x000001c0679e1ab6: f3a4 rep movsb <--
Frame memory:
[0x7ff7a4410d90] .MV.S....?V.S... f0 4d 56 b6 53 10 00 00 c0 3f 56 b6 53 10 00 00 [0x7ff7a4410da0] .:.#&.....A..... e0 3a 83 23 26 01 00 00 b0 16 41 a4 f7 7f 00 00 [0x7ff7a4410db0] ........ .B.S... 00 00 00 00 00 00 00 00 20 f0 42 b5 53 10 00 00 [0x7ff7a4410dc0] @.A......8.P.... 40 0e 41 a4 f7 7f 00 00 a3 38 07 50 08 01 00 00
0x7ff7a4410e50 0x1085007389e BBitmapStream::WriteAt(long, void const*, unsigned long) + 0x7e
0x7ff7a4410e80 0x10ac09cf34e BPositionIO::Write(void const*, unsigned long) + 0x2e
0x7ff7a4411310 0x1d7523c1b20 JPEGTranslator::Decompress(BPositionIO*, BPositionIO*, BMessage*, jmp_buf_tag const[1]*) + 0x4d0
0x7ff7a44113b0 0x1d7523c1db3 JPEGTranslator::DerivedTranslate(BPositionIO*, translator_info const*, BMessage*, unsigned int, BPositionIO*, int) + 0x83
0x7ff7a4411410 0x1d7523c31fc BaseTranslator::BitsTranslate(BPositionIO*, translator_info const*, BMessage*, unsigned int, BPositionIO*) + 0x9c
0x7ff7a4411690 0x10850079b87 BTranslatorRoster::Translate(BPositionIO*, translator_info const*, BMessage*, BPositionIO*, unsigned int, unsigned int, char const*) + 0xc7
0x7ff7a4411770 0x1085007469f BTranslationUtils::GetBitmap(BPositionIO*, BTranslatorRoster*) + 0x4f
0x7ff7a4411940 0x10850074977 BTranslationUtils::GetBitmapFile(char const*, BTranslatorRoster*) + 0xd7
0x7ff7a4411960 0x10850074a5d BTranslationUtils::GetBitmap(char const*, BTranslatorRoster*) + 0xd
It's always on memcpy in BBitmapStream::WriteAt, always on different images so no repeateble way to reproduce.
comment:17 by , 19 hours ago
I forgot to mention that this is hrev58436, from 19 Dec 2024, so relatively recent (and any rev in the last couple of years)
comment:18 by , 19 hours ago
Please attach the full debug report.
Does running with the guarded heap make any difference?
A high resolution image guaranteed to crash ShowImage