Source of a malloc error when releasing a CGImage on iPhone OS 3.0?

Question

I've identified a bug while developing against the iPhone OS 3.0 SDK. Basically, if I create a CGImage from a bitmap image context, I get the following error when I release it:

malloc: *** error for object 0x1045000: pointer being freed was not allocated
*** set a breakpoint in malloc_error_break to debug

Here's the relevant code:

CGSize size = CGSizeMake(100, 100);
CGColorSpaceRef cs = CGColorSpaceCreateDeviceRGB();
size_t bitsPerComponent = 8;
size_t bytesPerPixel = 4;
size_t bytesPerRow = size.width * bytesPerPixel;
void *bitmapData = calloc(size.height, bytesPerRow);
CGContextRef ctxt = CGBitmapContextCreate(bitmapData, size.width, size.height, bitsPerComponent, bytesPerRow, cs, kCGImageAlphaPremultipliedLast);
// we could draw something here, but why complicate things?
CGImageRef image = CGBitmapContextCreateImage(ctxt);
CGContextRelease(ctxt);
free(bitmapData);
CGColorSpaceRelease(cs);
CGImageRelease(image); // This triggers the error message.

The above example is self-contained and it's pretty clear no retain/release rules are being violated. I've tested this code on the iPhone Simulator under 3.0, 3.1, and 3.1.2. The problem only occurs under 3.0; it seems to have been fixed in 3.1 and later. I have not confirmed the bug on the device.

Answer 1

The problem pointer seems to be the image's data provider. If I insert this line before releasing the image:

CFRetain(CGImageGetDataProvider(image));

then all is well on 3.0. But, if the app is running on a later OS, the Data Provider will be leaked. So you must check the OS version or simply ignore it (malloc logs an error message but it doesn't throw an exception or interrupt the app in any way). I've been using the following macro:

#if TARGET_IPHONE_SIMULATOR
// 3.0 CFVersion 478.470000
// 3.1 CFVersion 478.520000
#define BugFixRetainImageDataProvider(img) \
    if (kCFCoreFoundationVersionNumber == 478.47) { \
        CGDataProviderRef dp = CGImageGetDataProvider(img); \
        if (dp) CFRetain(dp); \
    }
#else
#define BugFixRetainImageDataProvider(img)
#endif

Since I can't reproduce it on the device (I don't have any devices running 3.0) I apply this fix on the simulator only.

Answer 2

I have been struggling with this very problem the whole day now until I found this post from you. Did you find out if this was just a problem with the simulator or did it happen on real devices as well?

Anyway, I have now implemented your workaround to test for 3.0 in particular.

NSString *currSysVer = [[UIDevice currentDevice] systemVersion];
if(currSysVer && [currSysVer compare:@"3.0" options:NSNumericSearch] == NSOrderedSame)
{
  CFRetain(CGImageGetDataProvider(bitmapImageRef));
}

Please tell me if you found a better solution.

Answer 3

I've found that UIWebView also suffers from this error.

This problem can be replicated by loading an HTML page that has specific background image gradient in a UIWebView:

section#sectionid .someclass a {
    display: block;
    text-align: center;
    border: 1px solid #000;
    line-height: 35px;
    height: 35px;
    padding: 5px;
    background-image: -webkit-gradient(linear, left top, left bottom, color-stop(0, #fdfdfd), color-stop(1, #dadada));
}

In our case, a button (<a>) within a <fieldset> within a <section>. This CSS causes a malloc error under Simulator operation with SDK 3.0

Running on a Device with iPhoneOS 3.0 will not encounter the malloc error. Also any other SDK on the Simulator will not encounter the error.