Bug 248823

Summary: [GTK] UI process crash in webkitWebViewBaseEnterAcceleratedCompositingMode
Product: WebKit
Reporter: Michael Catanzaro <mcatanzaro>
Component: WebKitGTK
Assignee: Nobody <webkit-unassigned>
Status: NEW
Severity: Normal
CC: bugs-noreply, mcatanzaro
Priority: P2
Version: WebKit Nightly Build
Hardware: PC
OS: Linux
Attachments:
Full backtrace (flags: none)

Description Michael Catanzaro 2022-12-06 08:57:10 PST
Here's a seemingly-random UI process crash inside webkitWebViewBaseEnterAcceleratedCompositingMode, with WebKitGTK 2.39.2. I'll attach a full backtrace. webkitWebViewBase->priv->acceleratedBackingStore has been optimized out, but I assume that's somehow invalid.

Core was generated by `epiphany https://arstechnica.com/?p=1902045'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f9cce80ea36 in webkitWebViewBaseEnterAcceleratedCompositingMode (webkitWebViewBase=<optimized out>, layerTreeContext=...) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/UIProcess/API/gtk/WebKitWebViewBase.cpp:2617
2617	    webkitWebViewBase->priv->acceleratedBackingStore->update(layerTreeContext);
[Current thread is 1 (Thread 0x7f9cc7c64c00 (LWP 2))]
(gdb) bt
#0  0x00007f9cce80ea36 in webkitWebViewBaseEnterAcceleratedCompositingMode(_WebKitWebViewBase*, WebKit::LayerTreeContext const&) (webkitWebViewBase=<optimized out>, layerTreeContext=...)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/UIProcess/API/gtk/WebKitWebViewBase.cpp:2617
#1  0x00007f9cce3b8db6 in _ZZN3IPC18callMemberFunctionIN6WebKit16DrawingAreaProxyES2_FvmRKNS1_16LayerTreeContextEESt5tupleIJmS3_EEEEvPT_MT0_T1_OT2_ENKUlDpOT_E_clIJmS3_EEEDaSI_ (__closure=<optimized out>)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/Platform/IPC/HandleMessage.h:132
#2  _ZSt13__invoke_implIvZN3IPC18callMemberFunctionIN6WebKit16DrawingAreaProxyES3_FvmRKNS2_16LayerTreeContextEESt5tupleIJmS4_EEEEvPT_MT0_T1_OT2_EUlDpOT_E_JmS4_EESA_St14__invoke_otherOSC_DpOT1_ (__f=<optimized out>)
    at /usr/include/c++/12.1.0/bits/invoke.h:61
#3  _ZSt8__invokeIZN3IPC18callMemberFunctionIN6WebKit16DrawingAreaProxyES3_FvmRKNS2_16LayerTreeContextEESt5tupleIJmS4_EEEEvPT_MT0_T1_OT2_EUlDpOT_E_JmS4_EENSt15__invoke_resultISA_JDpT0_EE4typeEOSA_DpOSM_ (__fn=<optimized out>)
    at /usr/include/c++/12.1.0/bits/invoke.h:96
#4  _ZSt12__apply_implIZN3IPC18callMemberFunctionIN6WebKit16DrawingAreaProxyES3_FvmRKNS2_16LayerTreeContextEESt5tupleIJmS4_EEEEvPT_MT0_T1_OT2_EUlDpOT_E_S9_JLm0ELm1EEEDcOSA_OSC_St16integer_sequenceImJXspT1_EEE
    (__t=..., __f=<optimized out>) at /usr/include/c++/12.1.0/tuple:1852
#5  _ZSt5applyIZN3IPC18callMemberFunctionIN6WebKit16DrawingAreaProxyES3_FvmRKNS2_16LayerTreeContextEESt5tupleIJmS4_EEEEvPT_MT0_T1_OT2_EUlDpOT_E_S9_EDcOSA_OSC_ (__t=..., __f=<optimized out>) at /usr/include/c++/12.1.0/tuple:1863
#6  IPC::callMemberFunction<WebKit::DrawingAreaProxy, WebKit::DrawingAreaProxy, void (unsigned long, WebKit::LayerTreeContext const&), std::tuple<unsigned long, WebKit::LayerTreeContext> >(WebKit::DrawingAreaProxy*, void (WebKit::DrawingAreaProxy::*)(unsigned long, WebKit::LayerTreeContext const&), std::tuple<unsigned long, WebKit::LayerTreeContext>&&) (tuple=..., function=<optimized out>, object=<optimized out>)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/Platform/IPC/HandleMessage.h:131
#7  IPC::handleMessage<Messages::DrawingAreaProxy::EnterAcceleratedCompositingMode, WebKit::DrawingAreaProxy, WebKit::DrawingAreaProxy, void (unsigned long, WebKit::LayerTreeContext const&)>(IPC::Connection&, IPC::Decoder&, WebKit::DrawingAreaProxy*, void (WebKit::DrawingAreaProxy::*)(unsigned long, WebKit::LayerTreeContext const&))
    (connection=<optimized out>, function=<optimized out>, object=0x7f9c4e41cf00, decoder=...)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/Platform/IPC/HandleMessage.h:213
#8  WebKit::DrawingAreaProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&)
    (this=0x7f9c4e41cf00, connection=<optimized out>, decoder=...)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/_builddir/DerivedSources/WebKit/DrawingAreaProxyMessageReceiver.cpp:48
#9  0x00007f9cce624b89 in IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&)
    (this=this@entry=0x7f9c4e61c1c8, connection=..., decoder=...)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/Platform/IPC/MessageReceiverMap.cpp:129
#10 0x00007f9cce698750 in WebKit::AuxiliaryProcessProxy::dispatchMessage(IPC::Connection&, IPC::Decoder&)
    (this=this@entry=0x7f9c4e61c130, connection=..., decoder=...)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/UIProcess/AuxiliaryProcessProxy.cpp:274
#11 0x00007f9cce6debdf in WebKit::WebProcessProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&)
    (this=0x7f9c4e61c130, connection=..., decoder=...)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/UIProcess/WebProcessProxy.cpp:883
#12 0x00007f9cce61d01a in IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >) (this=0x7f9a4de084e0, message=std::unique_ptr<IPC::Decoder> = {...})
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/Platform/IPC/Connection.cpp:1242
#13 0x00007f9cce61ecc9 in IPC::Connection::dispatchIncomingMessages() (this=0x7f9a4de084e0)
    at /usr/include/c++/12.1.0/bits/unique_ptr.h:189
#14 0x00007f9ccd691c55 in WTF::Function<void ()>::operator()() const (this=<synthetic pointer>)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/Function.h:79
#15 WTF::RunLoop::performWork() (this=0x7f9cc50100e0)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/RunLoop.cpp:147
#16 0x00007f9ccd6f330d in operator() (userData=<optimized out>, __closure=0x0)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:80
#17 _FUN(gpointer) () at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:82
#18 0x00007f9ccd6f3d8d in operator()
    (__closure=0x0, userData=0x7f9cc50100e0, callback=0x7f9ccd6f3300 <_FUN(gpointer)>, source=0x56553dfe72b0)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:53
#19 _FUN(GSource*, GSourceFunc, gpointer) () at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:56
#20 0x00007f9cd33ffa21 in g_main_dispatch (context=<optimized out>) at ../glib/gmain.c:3444
#21 g_main_context_dispatch (context=<optimized out>) at ../glib/gmain.c:4162
#22 0x00007f9cd33fff78 in g_main_context_iterate (context=context@entry=0x56553dfb27b0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:4238
#23 0x00007f9cd3400013 in g_main_context_iteration (context=context@entry=0x56553dfb27b0, may_block=may_block@entry=1) at ../glib/gmain.c:4303
#24 0x00007f9cd32a92bd in g_application_run (application=0x56553dfe1100 [EphyShell], argc=<optimized out>, argv=<optimized out>) at ../gio/gapplication.c:2571
#25 0x000056553d2c104b in main ()
Comment 1 Michael Catanzaro 2022-12-06 08:57:55 PST
Created attachment 463909 [details]
Full backtrace
Comment 2 Michael Catanzaro 2022-12-14 08:34:32 PST
Hit this again today. Tried printing some more stuff:

(gdb) print webkitWebViewBase
$1 = <optimized out>
(gdb) print webkitWebViewBase->priv
value has been optimized out
(gdb) print webkitWebViewBase->priv->acceleratedBackingStore
value has been optimized out
(gdb) print layerTreeContext
$2 = (const WebKit::LayerTreeContext &) @0x7ffd2659c130: {contextID = 1261}

It's frustrating that I can't see what's going on with webkitWebViewBase. I wonder if it has already been disposed.
Comment 3 Michael Catanzaro 2022-12-14 15:14:21 PST
I guess this could happen if WebKitWebViewBase is disposed but not yet finalized when the IPC message arrives? I doubt that's really happening here, but... who knows, maybe? Could try clearing priv->pageClient in webkitWebViewBaseDispose.
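The hypothesis in Comment 3 is that the IPC message lands after WebKitWebViewBase has been disposed but before it is finalized, so the handler dereferences a private pointer that is already dead. The C program below is an added example, not WebKit's code: it models that two-phase GObject teardown with hypothetical names (View, view_dispose, view_finalize, a handler standing in for webkitWebViewBaseEnterAcceleratedCompositingMode) and shows how clearing the private pointers in dispose lets a late message be dropped instead of crashing.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Constructed model of the Comment 3 hypothesis (hypothetical names, not WebKit code).
 * A GObject is torn down in two phases: dispose() drops references and may run more
 * than once; finalize() frees the storage. A message arriving between the two finds a
 * live object whose private pointers are already dead unless dispose cleared them. */
typedef struct { int updates; unsigned lastContext; } BackingStore;
typedef struct { BackingStore *backingStore; void *pageClient; } ViewPrivate;
typedef struct { ViewPrivate *priv; bool disposed; } View;

View *view_new(void) {
    View *v = calloc(1, sizeof *v);
    v->priv = calloc(1, sizeof *v->priv);
    v->priv->backingStore = calloc(1, sizeof *v->priv->backingStore);
    v->priv->pageClient = v; /* stand-in for the real page client */
    return v;
}

/* Phase 1: release references and NULL the pointers, so a late message can see the
 * disposed state instead of dereferencing freed memory (the change Comment 3 suggests). */
void view_dispose(View *v) {
    if (v->disposed) return; /* dispose may legitimately run more than once */
    v->disposed = true;
    free(v->priv->backingStore);
    v->priv->backingStore = NULL;
    v->priv->pageClient = NULL;
}

/* Phase 2: free the storage; the View must not be touched afterwards. */
void view_finalize(View *v) {
    view_dispose(v); /* GObject guarantees dispose ran first; keep that invariant */
    free(v->priv);
    free(v);
}

/* Handler for the late IPC message: returns false when the message is dropped because
 * the view is disposed, true when the backing store was updated. */
bool view_enter_accelerated_compositing_mode(View *v, unsigned contextID) {
    if (!v->priv->backingStore)
        return false;
    v->priv->backingStore->updates++;
    v->priv->backingStore->lastContext = contextID;
    return true;
}

/* Test hook: number of applied updates, or -1 once the store is gone. */
int view_update_count(const View *v) {
    return v->priv->backingStore ? v->priv->backingStore->updates : -1;
}
```

The context id 1261 used in the test is the value printed in Comment 2; without the NULL check in the handler, the message delivered after view_dispose would be the crash in the backtrace.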