Bug 254262
| Summary: | RPI3 (32bits) ARMv7 NEON crashes on WebCore::TextureMapperLayer::paintWith3DRenderingContext() | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Pablo Saavedra <psaavedra> |
| Component: | New Bugs | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED INVALID | | |
| Severity: | Normal | CC: | fujii.hironori |
| Priority: | P2 | | |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| See Also: | https://bugs.webkit.org/show_bug.cgi?id=244526 | | |
Pablo Saavedra
.. using the VC4 mesa driver:
```
#0 0x6a096c22 in _mesa_update_renderbuffer_surface (ctx=ctx@entry=0x6bfc8020, rb=rb@entry=0x2476190) at ../mesa-22.0.3/src/mesa/main/renderbuffer.c:581
#1 0x6a087ed0 in render_texture (ctx=ctx@entry=0x6bfc8020, att=att@entry=0x24f3a04, fb=0x24f3858) at ../mesa-22.0.3/src/mesa/main/fbobject.c:451
#2 0x6a089320 in _mesa_update_texture_renderbuffer (ctx=ctx@entry=0x6bfc8020, fb=fb@entry=0x24f3858, att=att@entry=0x24f3a04) at ../mesa-22.0.3/src/mesa/main/fbobject.c:590
#3 0x6a08cad0 in set_texture_attachment (layered=0 '\000', layer=1778962583, samples=38787704, level=3553, texTarget=<optimized out>, texObj=0x24fda78, att=0x24f3a04, fb=0x24f3858, ctx=0x6bfc8020)
at ../mesa-22.0.3/src/mesa/main/fbobject.c:631
#4 _mesa_framebuffer_texture (ctx=0x6bfc8020, fb=0x24f3858, attachment=36064, att=0x24f3a04, texObj=<optimized out>, textarget=<optimized out>, level=0, samples=0, layer=0, layered=0 '\000')
at ../mesa-22.0.3/src/mesa/main/fbobject.c:4019
#5 0x6a08cdb0 in framebuffer_texture_with_dims (dims=3553, target=<optimized out>, framebuffer=<optimized out>, attachment=<optimized out>, textarget=<optimized out>, texture=<optimized out>, level=0, samples=0, layer=0, caller=0x0,
dsa=false) at ../mesa-22.0.3/src/mesa/main/fbobject.c:4121
#6 0x6a08d096 in _mesa_FramebufferTexture2D (target=<optimized out>, attachment=<optimized out>, textarget=3553, texture=<optimized out>, level=0) at ../mesa-22.0.3/src/mesa/main/fbobject.c:4159
#7 0x74d28e58 in WebCore::BitmapTextureGL::createFboIfNeeded() [clone .part.0] () from /opt/browsers/1.0/sysroots/cortexa7t2hf-neon-vfpv4-poky-linux-gnueabi/usr/lib/libWPEWebKit-2.0.so.0.0.0
#8 0x74d29b0c in WebCore::BitmapTextureGL::bindAsSurface() () from /opt/browsers/1.0/sysroots/cortexa7t2hf-neon-vfpv4-poky-linux-gnueabi/usr/lib/libWPEWebKit-2.0.so.0.0.0
#9 0x74d2a984 in WebCore::TextureMapperGL::bindSurface(WebCore::BitmapTexture*) () from /opt/browsers/1.0/sysroots/cortexa7t2hf-neon-vfpv4-poky-linux-gnueabi/usr/lib/libWPEWebKit-2.0.so.0.0.0
#10 0x74d27c9c in WebCore::TextureMapperLayer::paintWith3DRenderingContext(WebCore::TextureMapperPaintOptions&) () from /opt/browsers/1.0/sysroots/cortexa7t2hf-neon-vfpv4-poky-linux-gnueabi/usr/lib/libWPEWebKit-2.0.so.0.0.0
#11 0x76e9e964 in ?? () from /opt/browsers/1.0/sysroots/cortexa7t2hf-neon-vfpv4-poky-linux-gnueabi/usr/lib/libWPEWebKit-2.0.so.0.0.0
```
The crash seems to be a side effect of:
TextureMapper: Attach a depth buffer for BitmapTextureGL for 3D transform
https://bugs.webkit.org/show_bug.cgi?id=244526
since this crash is not reproducible after a partial revert of the https://commits.webkit.org/255021@main commit.
``` diff
diff --git a/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp b/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp
index f891d9bc8c70..f627ebdecaf8 100644
--- a/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp
+++ b/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp
@@ -754,9 +754,10 @@ void TextureMapperLayer::paintRecursive(TextureMapperPaintOptions& options)
SetForScope scopedOpacity(options.opacity, options.opacity * m_currentOpacity);
- if (m_state.preserves3D)
- paintWith3DRenderingContext(options);
- else if (shouldBlend())
+ if (shouldBlend())
paintUsingOverlapRegions(options);
else
paintSelfChildrenReplicaFilterAndMask(options);
```
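Review bot: Removing the `if (m_state.preserves3D)` branch at the head of this chain in paintRecursive() leaves paintWith3DRenderingContext() with no caller from this function, so every layer with `m_state.preserves3D` set falls through to paintUsingOverlapRegions() or paintSelfChildrenReplicaFilterAndMask(), not only on the VC4 setup where the crash was seen. That is reasonable as a bisection aid but not as a fix; if the path has to be disabled, gate it on the affected configuration and add a comment saying why, rather than dropping the branch. Also, the hunk header reads `-754,9 +754,10` while the visible lines show three removals and one addition, so the diff as pasted looks trimmed and will not apply as is; attaching the complete patch would help.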
Pablo Saavedra
The problem is reproducible on WPE using `cog -P wl https://webkit.org/blog-files/3d-transforms/poster-circle.html`
Fujii Hironori
glFramebufferTexture2D is used not only for the 3D rendering context, but also for layers with filters and semi-transparent layers.
Does css3/filters/effect-blur-hw.html also crash?
glFramebufferTexture2D was used even before 255021@main.
Pablo Saavedra
I will set this issue as invalid since I was not able to reproduce it yesterday, but 2 days ago it was quite consistent.
I am going to assume some mistake or some problem during the image generation.
If I have another occurrence of it I will reopen the issue with more information (including tests on css3/filters/effect-blur-hw.html).
Sorry Fujii Hironori for the noise.