Bug 248823

Summary: [GTK] UI process crash in webkitWebViewBaseEnterAcceleratedCompositingMode
Product: WebKit Reporter: Michael Catanzaro <mcatanzaro>
Component: WebKitGTKAssignee: Nobody <webkit-unassigned>
Status: NEW    
Severity: Normal CC: bugs-noreply, mcatanzaro
Priority: P2    
Version: WebKit Nightly Build   
Hardware: PC   
OS: Linux   
Attachments:
Description Flags
Full backtrace none

Michael Catanzaro
Reported 2022-12-06 08:57:10 PST
Here's a seemingly-random UI process crash inside webkitWebViewBaseEnterAcceleratedCompositingMode, with WebKitGTK 2.39.2. I'll attach a full backtrace. webkitWebViewBase->priv->acceleratedBackingStore has been optimized out, but I assume that's somehow invalid. Core was generated by `epiphany https://arstechnica.com/?p=1902045'. Program terminated with signal SIGSEGV, Segmentation fault. #0 0x00007f9cce80ea36 in webkitWebViewBaseEnterAcceleratedCompositingMode (webkitWebViewBase=<optimized out>, layerTreeContext=...) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/UIProcess/API/gtk/WebKitWebViewBase.cpp:2617 2617 webkitWebViewBase->priv->acceleratedBackingStore->update(layerTreeContext); [Current thread is 1 (Thread 0x7f9cc7c64c00 (LWP 2))] (gdb) bt #0 0x00007f9cce80ea36 in webkitWebViewBaseEnterAcceleratedCompositingMode(_WebKitWebViewBase*, WebKit::LayerTreeContext const&) (webkitWebViewBase=<optimized out>, layerTreeContext=...) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/UIProcess/API/gtk/WebKitWebViewBase.cpp:2617 #1 0x00007f9cce3b8db6 in _ZZN3IPC18callMemberFunctionIN6WebKit16DrawingAreaProxyES2_FvmRKNS1_16LayerTreeContextEESt5tupleIJmS3_EEEEvPT_MT0_T1_OT2_ENKUlDpOT_E_clIJmS3_EEEDaSI_ (__closure=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/Platform/IPC/HandleMessage.h:132 #2 _ZSt13__invoke_implIvZN3IPC18callMemberFunctionIN6WebKit16DrawingAreaProxyES3_FvmRKNS2_16LayerTreeContextEESt5tupleIJmS4_EEEEvPT_MT0_T1_OT2_EUlDpOT_E_JmS4_EESA_St14__invoke_otherOSC_DpOT1_ (__f=<optimized out>) at /usr/include/c++/12.1.0/bits/invoke.h:61 #3 _ZSt8__invokeIZN3IPC18callMemberFunctionIN6WebKit16DrawingAreaProxyES3_FvmRKNS2_16LayerTreeContextEESt5tupleIJmS4_EEEEvPT_MT0_T1_OT2_EUlDpOT_E_JmS4_EENSt15__invoke_resultISA_JDpT0_EE4typeEOSA_DpOSM_ (__fn=<optimized out>) at /usr/include/c++/12.1.0/bits/invoke.h:96 #4 _ZSt12__apply_implIZN3IPC18callMemberFunctionIN6WebKit16DrawingAreaProxyES3_FvmRKNS2_16LayerTreeContextEESt5tupleIJmS4_EEEEvPT_MT0_T1_OT2_EUlDpOT_E_S9_JLm0ELm1EEEDcOSA_OSC_St16integer_sequenceImJXspT1_EEE (__t=..., __f=<optimized out>) at /usr/include/c++/12.1.0/tuple:1852 #5 _ZSt5applyIZN3IPC18callMemberFunctionIN6WebKit16DrawingAreaProxyES3_FvmRKNS2_16LayerTreeContextEESt5tupleIJmS4_EEEEvPT_MT0_T1_OT2_EUlDpOT_E_S9_EDcOSA_OSC_ (__t=..., __f=<optimized out>) at /usr/include/c++/12.1.0/tuple:1863 #6 IPC::callMemberFunction<WebKit::DrawingAreaProxy, WebKit::DrawingAreaProxy, void (unsigned long, WebKit::LayerTreeContext const&), std::tuple<unsigned long, WebKit::LayerTreeContext> >(WebKit::DrawingAreaProxy*, void (WebKit::DrawingAreaProxy::*)(unsigned long, WebKit::LayerTreeContext const&), std::tuple<unsigned long, WebKit::LayerTreeContext>&&) (tuple=..., function=<optimized out>, object=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/Platform/IPC/HandleMessage.h:131 #7 IPC::handleMessage<Messages::DrawingAreaProxy::EnterAcceleratedCompositingMode, WebKit::DrawingAreaProxy, WebKit::DrawingAreaProxy, void (unsigned long, WebKit::LayerTreeContext const&)>(IPC::Connection&, IPC::Decoder&, WebKit::DrawingAreaProxy*, void (WebKit::DrawingAreaProxy::*)(unsigned long, WebKit::LayerTreeContext const&)) (connection=<optimized out>, function=<optimized out>, object=0x7f9c4e41cf00, decoder=...) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/Platform/IPC/HandleMessage.h:213 #8 WebKit::DrawingAreaProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (this=0x7f9c4e41cf00, connection=<optimized out>, decoder=...) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/_builddir/DerivedSources/WebKit/DrawingAreaProxyMessageReceiver.cpp:48 #9 0x00007f9cce624b89 in IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) (this=this@entry=0x7f9c4e61c1c8, connection=..., decoder=...) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/Platform/IPC/MessageReceiverMap.cpp:129 #10 0x00007f9cce698750 in WebKit::AuxiliaryProcessProxy::dispatchMessage(IPC::Connection&, IPC::Decoder&) (this=this@entry=0x7f9c4e61c130, connection=..., decoder=...) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/UIProcess/AuxiliaryProcessProxy.cpp:274 #11 0x00007f9cce6debdf in WebKit::WebProcessProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (this=0x7f9c4e61c130, connection=..., decoder=...) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/UIProcess/WebProcessProxy.cpp:883 #12 0x00007f9cce61d01a in IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >) (this=0x7f9a4de084e0, message=std::unique_ptr<IPC::Decoder> = {...}) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/Platform/IPC/Connection.cpp:1242 #13 0x00007f9cce61ecc9 in IPC::Connection::dispatchIncomingMessages() (this=0x7f9a4de084e0) at /usr/include/c++/12.1.0/bits/unique_ptr.h:189 #14 0x00007f9ccd691c55 in WTF::Function<void ()>::operator()() const (this=<synthetic pointer>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/Function.h:79 #15 WTF::RunLoop::performWork() (this=0x7f9cc50100e0) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/RunLoop.cpp:147 #16 0x00007f9ccd6f330d in operator() (userData=<optimized out>, __closure=0x0) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:80 #17 _FUN(gpointer) () at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:82 #18 0x00007f9ccd6f3d8d in operator() (__closure=0x0, userData=0x7f9cc50100e0, callback=0x7f9ccd6f3300 <_FUN(gpointer)>, source=0x56553dfe72b0) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:53 #19 _FUN(GSource*, GSourceFunc, gpointer) () at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:56 #20 0x00007f9cd33ffa21 in g_main_dispatch (context=<optimized out>) at ../glib/gmain.c:3444 #21 g_main_context_dispatch (context=<optimized out>) at ../glib/gmain.c:4162 #22 0x00007f9cd33fff78 in g_main_context_iterate (context=context@entry=0x56553dfb27b0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:4238 #23 0x00007f9cd3400013 in g_main_context_iteration (context=context@entry=0x56553dfb27b0, may_block=may_block@entry=1) at ../glib/gmain.c:4303 #24 0x00007f9cd32a92bd in g_application_run (application=0x56553dfe1100 [EphyShell], argc=<optimized out>, argv=<optimized out>) at ../gio/gapplication.c:2571 #25 0x000056553d2c104b in main ()
Attachments
Full backtrace (8.84 KB, text/plain)
2022-12-06 08:57 PST, Michael Catanzaro 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Michael Catanzaro
Comment 1 2022-12-06 08:57:55 PST
Created attachment 463909 [details] Full backtrace
Michael Catanzaro
Comment 2 2022-12-14 08:34:32 PST
Hit this again today. Tried printing some more stuff: (gdb) print webkitWebViewBase $1 = <optimized out> (gdb) print webkitWebViewBase->priv value has been optimized out (gdb) print webkitWebViewBase->priv->acceleratedBackingStore value has been optimized out (gdb) print layerTreeContext $2 = (const WebKit::LayerTreeContext &) @0x7ffd2659c130: {contextID = 1261} It's frustrating that I can't see what's going on with webkitWebViewBase. I wonder if it has already been disposed.
Michael Catanzaro
Comment 3 2022-12-14 15:14:21 PST
I guess this could happen if WebKitWebViewBase is disposed but not yet finalized when the IPC message arrives? I doubt that's really happening here, but... who knows, maybe? Could try clearing priv->pageClient in webkitWebViewBaseDispose.
Note You need to log in before you can comment on or make changes to this bug.