Core Image crashes when rendering (accessing addresses outside of its own allocated space)
| Field | Value | Field | Value |
|---|---|---|---|
| Originator: | raphael | | |
| Number: | rdar://12498897 | Date Originated: | 15/10/2012 |
| Status: | Open | Resolved: | |
| Product: | Mac OS X 10.8 | Product Version: | 10.8.2 (12C60) |
| Classification: | Crash | Reproducible: | Always |
Core Image crashes when accessing addresses outside of its own allocated space on 10.8.2 (12C60).

Certain calls like these ones:

- -[CIContext drawImage:inRect:fromRect:]
- -[CIContext render:…]
- -[CIContext createCGImage…]
- …

systematically access addresses outside of their own Core Image allocated space. This in turn creates random crashes (either rare or frequent, depending on configurations) with our customers. In our tests, this potentially affects all applications using Core Image on 10.8.2. The same code behaves correctly on 10.7.5.

We haven't found any workaround for this problem, which makes it critical. We have found that it is extremely difficult to reproduce the bug in shipping apps, but using the Guard Malloc library makes it systematically crash near the actual problem.

Steps to reproduce:

- Unzip the ImageApp sample code
- Build and run the ImageApp sample project on a 10.8.2 Mac
- Activate Guard Malloc in the scheme settings
- Run the sample project
- Open an image, notice it shows up correctly in the window (Core Graphics rendering is doing OK)
- Click the Core Image checkbox, which in turn initiates a Core Image rendering
- Guard Malloc immediately crashes the app when rendering with the following backtrace:

```
#0  0x00007fff8a94526d in CGLGetPixelFormat ()
#1  0x00007fff8ea84398 in -[CIOpenGLContextImpl createAccelContext] ()
#2  0x00007fff8ea84750 in -[CIOpenGLContextImpl updateContext] ()
#3  0x00007fff8ea86285 in -[CIOpenGLContextImpl _lockfeContext] ()
#4  0x00007fff8ea69ecc in -[CIContextImpl setObject:forKey:] ()
#5  0x00007fff8ea8423c in -[CIOpenGLContextImpl setObject:forKey:] ()
#6  0x00007fff8f4f03e3 in cgxcoreimage_instance_render ()
#7  0x00007fff89f09b94 in CGSCoreImageInstanceRender ()
#8  0x00007fff870839cc in ripc_AcquireCoreImage ()
#9  0x00007fff87073a00 in ripc_DrawShading ()
#10 0x00007fff89e8f553 in CGContextDrawShading ()
#11 0x00007fff8ea63c57 in -[CICGContextImpl render:] ()
#12 0x00007fff8ea6918a in -[CIContext drawImage:inRect:fromRect:] ()
#13 0x0000000100007b4c in -[ImageView drawCIImage] at /Volumes/Safe/Users/raf/Downloads/ImageApp/ImageView.m:151
#14 0x0000000100007cd4 in -[ImageView drawRect:] at /Volumes/Safe/Users/raf/Downloads/ImageApp/ImageView.m:162
```

The same sample code runs fine under Guard Malloc on 10.7.5.

Additional information:

We have noticed this backtrace problem (crash) in one of our apps, just after a -[CIContext render:toBitmap:rowBytes:…], which is also detected with the Guard Malloc library, within the scope of Core Image:

```
#0  0x0000000101b67cb9 in tinyunw_async_list_remove_image_by_header at .../PLCrashReporterGit/Source/tinyunwind/libtinyunwind_image.c:241
#1  0x00007fff5fc01bd9 in dyld::removeImage(ImageLoader*) ()
#2  0x00007fff5fc0b5dd in NSUnLinkModule ()
#3  0x00007fff8cf156ff in NSUnLinkModule ()
#4  0x0000000202036919 in ___lldb_unnamed_function6$$libcldcpuengine.dylib ()
#5  0x00000002020368ee in glrCompDeleteProgram ()
#6  0x00007fff89b4448b in ___lldb_unnamed_function976$$OpenCL ()
#7  0x00007fff89b3d3f0 in ___lldb_unnamed_function455$$OpenCL ()
#8  0x00007fff89b3d38d in ___lldb_unnamed_function453$$OpenCL ()
#9  0x00007fff89b2bbdc in clReleaseProgram ()
#10 0x00007fff8ea9f5be in FEOpenCLProgram::setProgram(_cl_program*) ()
#11 0x00007fff8ea9f6aa in FEOpenCLProgram::~FEOpenCLProgram() ()
#12 0x00007fff8ea9f620 in FEOpenCLProgram::~FEOpenCLProgram() ()
#13 0x00007fff8d99afef in -[NSConcretePointerArray dealloc] ()
#14 0x00007fff8ea9ca7e in FEOpenCLContextFinalize(FEOpenCLContext*) ()
#15 0x00007fff8ea9cc02 in -[FEOpenCLContext dealloc] ()
#16 0x00007fff8ea65e9c in -[CICLContextImpl invalidate] ()
#17 0x00007fff8ea65fec in -[CICLContextImpl setOwner:] ()
#18 0x00007fff8ea684c6 in -[CIContext invalidate] ()
#19 0x00007fff8ea6843b in -[CIContext dealloc] ()
#20 0x00007fff8e05c230 in (anonymous namespace)::AutoreleasePoolPage::pop(void*) ()
#21 0x00007fff85e9c342 in _CFAutoreleasePoolPop ()
#22 0x00007fff8d9894fa in -[NSAutoreleasePool drain] ()
#23 0x000000010059ce12 in -[CIImage(EXBase) ex_bakedDataWithBitmapInfo:format:bitsPerComponent:bitsPerPixel:bakingColorSpace:processingContext:destinationData:] at /Volumes/Safe/Users/raf/WorkArea/Creacode/EXBase/Sources/CIImage+EXBase.m:506
```

Update on 2012-10-16:

The additional information above can be ignored, as it appears to be linked to an interaction with PLCrashReporter, which is a third-party framework. The first part of the bug report remains valid though.
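The reproduction steps above go through the ImageApp sample and the Xcode scheme. The following command-line driver is an added example, not the reporter's sample code or any Apple code: it exercises the same -[CIContext drawImage:inRect:fromRect:] path on a bitmap-backed CGContext (the -[CICGContextImpl render:] route in the first backtrace) so it can be run under the Guard Malloc library from a shell. The file name ci_draw.m, the 64x64 bitmap size, and the constant-colour input image are assumptions made for this example.

```objc
// ci_draw.m: minimal driver for the CIContext draw path named in the report.
// Build: clang -framework Foundation -framework QuartzCore -framework CoreGraphics ci_draw.m -o ci_draw
// Run with Guard Malloc from the shell (equivalent to the Xcode scheme setting):
//   DYLD_INSERT_LIBRARIES=/usr/lib/libgmalloc.dylib ./ci_draw
#import <Foundation/Foundation.h>
#import <QuartzCore/QuartzCore.h>
#import <CoreGraphics/CoreGraphics.h>

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        const size_t width = 64, height = 64;   // assumed size for this example
        CGColorSpaceRef cs = CGColorSpaceCreateDeviceRGB();
        // A bitmap-backed CGContext; the CIContext created from it renders
        // through -[CICGContextImpl render:] as in the first backtrace.
        CGContextRef cg = CGBitmapContextCreate(NULL, width, height, 8, width * 4, cs,
                                                kCGImageAlphaPremultipliedLast);
        CIContext *ci = [CIContext contextWithCGContext:cg options:nil];

        // Constructed input: a constant-colour image, so no image file is needed.
        CIFilter *gen = [CIFilter filterWithName:@"CIConstantColorGenerator"];
        [gen setValue:[CIColor colorWithRed:1.0 green:0.0 blue:0.0] forKey:kCIInputColorKey];
        CGRect rect = CGRectMake(0, 0, width, height);
        CIImage *image = [[gen outputImage] imageByCroppingToRect:rect];

        // The call the report identifies; under Guard Malloc an out-of-bounds
        // access inside Core Image stops the process at the faulting address.
        [ci drawImage:image inRect:rect fromRect:rect];
        CGContextFlush(cg);

        // Read back one pixel so the render is actually forced and observable.
        const uint8_t *px = CGBitmapContextGetData(cg);
        NSLog(@"first pixel RGBA = %u %u %u %u", px[0], px[1], px[2], px[3]);

        CGContextRelease(cg);
        CGColorSpaceRelease(cs);
    }
    return 0;
}
```

A clean run prints a red pixel; if Guard Malloc halts the process instead, the backtrace from the debugger can be compared against the one in the report.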