Bug 211074 - [GTK] Crash in Nicosia::CairoOperationRecorder::drawGlyphs
Summary: [GTK] Crash in Nicosia::CairoOperationRecorder::drawGlyphs
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKitGTK
Version: WebKit Nightly Build
Hardware: PC Linux
Importance: P2 Normal
Assignee: Nobody
Reported: 2020-04-27 06:41 PDT by Michael Catanzaro
Modified: 2020-06-29 02:16 PDT
Description Michael Catanzaro 2020-04-27 06:41:24 PDT
My Epiphany is in a weird state (reminds me of bug #201507, but different) where the web process crashes when loading target.com. As with bug #201507, the crash is 100% reproducible in my current UI process but not reproducible at all in new processes. Unlike bug #201507, this crash is not triggered by AC mode. It only occurs on target.com, not for poster circle.

Note, in particular, frame #12 here, where we have an illegal call to Nicosia::CairoOperationRecorder::drawGlyphs with this=0x0:

#12 0x00007f77fdf37958 in Nicosia::CairoOperationRecorder::drawGlyphs(WebCore::Font const&, WebCore::GlyphBuffer const&, unsigned int, unsigned int, WebCore::FloatPoint const&, WebCore::FontSmoothingMode) (this=0x0, font=..., glyphBuffer=..., from=<optimized out>, numGlyphs=<optimized out>, point=..., fontSmoothing=WebCore::FontSmoothingMode::AutoSmoothing) at ../Source/WebCore/platform/graphics/nicosia/cairo/NicosiaCairoOperationRecorder.cpp:529
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f77fdf37958 in std::__exchange<_cairo_scaled_font*, decltype(nullptr)&>(_cairo_scaled_font*&, decltype(nullptr)&) (__new_val=<optimized out>, 
    __obj=@0x7fffcb2dd938: 0x0) at /usr/include/c++/9.2.0/bits/move.h:149
149	    __exchange(_Tp& __obj, _Up&& __new_val)
#0  0x00007f77fdf37958 in std::__exchange<_cairo_scaled_font*, decltype(nullptr)&>(_cairo_scaled_font*&, decltype(nullptr)&)
    (__new_val=<optimized out>, __obj=@0x7fffcb2dd938: 0x0)
    at /usr/include/c++/9.2.0/bits/move.h:149
#1  0x00007f77fdf37958 in std::exchange<_cairo_scaled_font*, decltype(nullptr)&>(_cairo_scaled_font*&, decltype(nullptr)&)
    (__new_val=<optimized out>, __obj=@0x7fffcb2dd938: 0x0)
    at /usr/include/c++/9.2.0/utility:287
#2  0x00007f77fdf37958 in WTF::DumbPtrTraits<_cairo_scaled_font>::exchange<decltype(nullptr)>(_cairo_scaled_font*&, decltype(nullptr)&&)
    (newValue=<optimized out>, ptr=@0x7fffcb2dd938: 0x0)
    at DerivedSources/ForwardingHeaders/wtf/DumbPtrTraits.h:40
#3  0x00007f77fdf37958 in WTF::RefPtr<_cairo_scaled_font, WTF::DumbPtrTraits<_cairo_scaled_font> >::~RefPtr() (this=0x7fffcb2dd938, __in_chrg=<optimized out>)
    at DerivedSources/ForwardingHeaders/wtf/RefPtr.h:70
#4  0x00007f77fdf37958 in std::_Head_base<4ul, WTF::RefPtr<_cairo_scaled_font, WTF::DumbPtrTraits<_cairo_scaled_font> >, false>::~_Head_base()
    (this=0x7fffcb2dd938, __in_chrg=<optimized out>)
    at /usr/include/c++/9.2.0/tuple:120
#5  0x00007f77fdf37958 in std::_Tuple_impl<4ul, WTF::RefPtr<_cairo_scaled_font, WTF::DumbPtrTraits<_cairo_scaled_font> >, float, WTF::Vector<cairo_glyph_t, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, float, unsigned int, float, WebCore::FloatSize, WebCore::Color, WebCore::FontSmoothingMode>::~_Tuple_impl()
    (this=0x7fffcb2dd8f8, __in_chrg=<optimized out>) at /usr/include/c++/9.2.0/tuple:185
#6  0x00007f77fdf37958 in std::_Tuple_impl<3ul, WebCore::FloatPoint, WTF::RefPtr<_cairo_scaled_font, WTF::DumbPtrTraits<_cairo_scaled_font> >, float, WTF::Vector<cairo_glyph_t, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, float, unsigned int, float, WebCore::FloatSize, WebCore::Color, WebCore::FontSmoothingMode>::~_Tuple_impl() (this=0x7fffcb2dd8f8, __in_chrg=<optimized out>) at /usr/include/c++/9.2.0/tuple:185
#7  0x00007f77fdf37958 in std::_Tuple_impl<2ul, WebCore::Cairo::ShadowState, WebCore::FloatPoint, WTF::RefPtr<_cairo_scaled_font, WTF::DumbPtrTraits<_cairo_scaled_font> >, float, WTF::Vector<cairo_glyph_t, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, float, unsigned int, float, WebCore::FloatSize, WebCore::Color, WebCore::FontSmoothingMode>::~_Tuple_impl() (this=0x7fffcb2dd8f8, __in_chrg=<optimized out>) at /usr/include/c++/9.2.0/tuple:185
#8  0x00007f77fdf37958 in std::_Tuple_impl<1ul, WebCore::Cairo::StrokeSource, WebCore::Cairo::ShadowState, WebCore::FloatPoint, WTF::RefPtr<_cairo_scaled_font, WTF::DumbPtrTraits<_cairo_scaled_font> >, float, WTF::Vector<cairo_glyph_t, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, float, unsigned int, float, WebCore::FloatSize, WebCore::Color, WebCore::FontSmoothingMode>::~_Tuple_impl() (this=0x7fffcb2dd8f8, __in_chrg=<optimized out>) at /usr/include/c++/9.2.0/tuple:185
#9  0x00007f77fdf37958 in std::_Tuple_impl<0ul, WebCore::Cairo::FillSource, WebCore::Cairo::StrokeSource, WebCore::Cairo::ShadowState, WebCore::FloatPoint, WTF::RefPtr<_cairo_scaled_font, WTF::DumbPtrTraits<_cairo_scaled_font> >, float, WTF::Vector<cairo_glyph_t, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, float, unsigned int, float, WebCore::FloatSize, WebCore::Color, WebCore::FontSmoothingMode>::~_Tuple_impl() (this=0x7fffcb2dd8f8, __in_chrg=<optimized out>) at /usr/include/c++/9.2.0/tuple:185
#10 0x00007f77fdf37958 in std::tuple<WebCore::Cairo::FillSource, WebCore::Cairo::StrokeSource, WebCore::Cairo::ShadowState, WebCore::FloatPoint, WTF::RefPtr<_cairo_scaled_font, WTF::DumbPtrTraits<_cairo_scaled_font> >, float, WTF::Vector<cairo_glyph_t, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, float, unsigned int, float, WebCore::FloatSize, WebCore::Color, WebCore::FontSmoothingMode>::~tuple() (this=0x7fffcb2dd8f8, __in_chrg=<optimized out>) at /usr/include/c++/9.2.0/tuple:523
#11 0x00007f77fdf37958 in Nicosia::createCommand<Nicosia::CairoOperationRecorder::drawGlyphs(const WebCore::Font&, const WebCore::GlyphBuffer&, unsigned int, unsigned int, const WebCore::FloatPoint&, WebCore::FontSmoothingMode)::DrawGlyphs, WebCore::Cairo::FillSource, WebCore::Cairo::StrokeSource, WebCore::Cairo::ShadowState, const WebCore::FloatPoint&, WTF::RefPtr<_cairo_scaled_font, WTF::DumbPtrTraits<_cairo_scaled_font> >, float, WTF::Vector<cairo_glyph_t, 0, WTF::CrashOnOverflow, 16, WTF::FastMalloc>, float&, unsigned int const&, float const&, const WebCore::FloatSize&, const WebCore::Color&, WebCore::FontSmoothingMode&> () at ../Source/WebCore/platform/graphics/nicosia/cairo/NicosiaCairoOperationRecorder.cpp:64
#12 0x00007f77fdf37958 in Nicosia::CairoOperationRecorder::drawGlyphs(WebCore::Font const&, WebCore::GlyphBuffer const&, unsigned int, unsigned int, WebCore::FloatPoint const&, WebCore::FontSmoothingMode) (this=0x0, font=..., glyphBuffer=..., from=<optimized out>, numGlyphs=<optimized out>, point=..., fontSmoothing=WebCore::FontSmoothingMode::AutoSmoothing) at ../Source/WebCore/platform/graphics/nicosia/cairo/NicosiaCairoOperationRecorder.cpp:529
#13 0x0000000101000101 in  ()
#14 0x0001000000000000 in  ()
#15 0x000000003f800000 in  ()
#16 0x00007f77fd483beb in std::__exchange<WebCore::WebGLBuffer*, decltype(nullptr)&>(WebCore::WebGLBuffer*&, decltype(nullptr)&) (__new_val=<optimized out>, __obj=@0x7fffcb2dda70: 0x7f77ed3fbb00) at /usr/include/c++/9.2.0/bits/move.h:149
#17 0x00007f77fd483beb in std::exchange<WebCore::WebGLBuffer*, decltype(nullptr)&>(WebCore::WebGLBuffer*&, decltype(nullptr)&) (__new_val=<optimized out>, __obj=@0x7fffcb2dda70: 0x7f77ed3fbb00) at /usr/include/c++/9.2.0/utility:287
#18 0x00007f77fd483beb in WTF::DumbPtrTraits<WebCore::WebGLBuffer>::exchange<decltype(nullptr)>(WebCore::WebGLBuffer*&, decltype(nullptr)&&) (newValue=<optimized out>, ptr=@0x7fffcb2dda70: 0x7f77ed3fbb00) at DerivedSources/ForwardingHeaders/wtf/DumbPtrTraits.h:40
#19 0x00007f77fd483beb in WTF::RefPtr<WebCore::WebGLBuffer, WTF::DumbPtrTraits<WebCore::WebGLBuffer> >::leakRef() (this=0x7fffcb2dda70) at DerivedSources/ForwardingHeaders/wtf/RefPtr.h:125
#20 0x00007f77fd483beb in WTF::RefPtr<WebCore::WebGLBuffer, WTF::DumbPtrTraits<WebCore::WebGLBuffer> >::RefPtr(WTF::RefPtr<WebCore::WebGLBuffer, WTF::DumbPtrTraits<WebCore::WebGLBuffer> >&&) (o=..., this=<synthetic pointer>) at DerivedSources/ForwardingHeaders/wtf/RefPtr.h:62
#21 0x00007f77fd483beb in WTF::RefPtr<WebCore::WebGLBuffer, WTF::DumbPtrTraits<WebCore::WebGLBuffer> >::operator=(WTF::RefPtr<WebCore::WebGLBuffer, WTF::DumbPtrTraits<WebCore::WebGLBuffer> >&&) (o=..., this=0x7fffcb2ddd00) at DerivedSources/ForwardingHeaders/wtf/RefPtr.h:163
#22 0x00007f77fd483beb in WebCore::WebGLRenderingContextBase::initVertexAttrib0() (this=0x7fffcb2ddb10) at ../Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp:6150
#23 0xdaa039c7f156d100 in  ()
#24 0x00007f77ece00000 in  ()
#25 0x00007f77ec3049d0 in  ()
#26 0x00007f77ec3049d0 in  ()
#27 0x00007fffcb2ddc50 in  ()
#28 0x00007fffcb2ddbb0 in  ()
#29 0x00007f77ed1edc68 in  ()
#30 0x00007fffcb2ddb10 in  ()
#31 0x00007f77fd35ef23 in WebCore::HTMLBodyElement::parseAttribute(WebCore::QualifiedName const&, WTF::AtomString const&) (this=0x7d4aa000, name=..., value=...) at DerivedSources/ForwardingHeaders/wtf/text/AtomString.h:91
#32 0x0001000000000000 in  ()
#33 0x000000003f800000 in  ()
#34 0x0000000000000000 in  ()
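A triage helper for the trace above, added here as an example and not part of the bug report or of WebKit. It parses gdb frame lines, flags runs of consecutive frames that share one PC (frames #0 through #12 above all sit at 0x00007f77fdf37958, i.e. one machine frame whose inlined callees gdb expands from DWARF inline records, so the per-frame line numbers and the `this=0x0` reported for #12 are debug-info attributions rather than separately observed values and deserve some caution), and classifies unsymbolized frames such as #13, #14, #15 and #23 by why they cannot be return addresses, which is the reason the frames after #12 cannot be read as the real call chain. The x86-64 canonical-address rule and the 32-bit float decode are assumptions about the target; the sample input is an abridged excerpt of the frames above, with template argument lists shortened.

```python
"""Triage a pasted gdb backtrace: find inlined frame chains (same PC),
unsymbolized frames that are probably stack garbage, and a null `this`."""
import re
import struct

# Frame line as gdb prints it: "#12 0x00007f77fdf37958 in Sym(...) (this=0x0, ...) at file:line"
# or unsymbolized: "#13 0x0000000101000101 in  ()". Continuation lines are wrapped by gdb.
FRAME_RE = re.compile(r"^#(?P<n>\d+)\s+0x(?P<pc>[0-9a-fA-F]+)\s+in\s+(?P<rest>.*)$")
THIS_RE = re.compile(r"\bthis=0x([0-9a-fA-F]+)")

# Abridged excerpt of the frames in the report above (sample input for this example).
SAMPLE_TRACE = """\
#0  0x00007f77fdf37958 in std::__exchange<_cairo_scaled_font*, decltype(nullptr)&>(_cairo_scaled_font*&, decltype(nullptr)&)
    (__new_val=<optimized out>, __obj=@0x7fffcb2dd938: 0x0)
    at /usr/include/c++/9.2.0/bits/move.h:149
#3  0x00007f77fdf37958 in WTF::RefPtr<_cairo_scaled_font, WTF::DumbPtrTraits<_cairo_scaled_font> >::~RefPtr() (this=0x7fffcb2dd938, __in_chrg=<optimized out>)
    at DerivedSources/ForwardingHeaders/wtf/RefPtr.h:70
#11 0x00007f77fdf37958 in Nicosia::createCommand<...> () at ../Source/WebCore/platform/graphics/nicosia/cairo/NicosiaCairoOperationRecorder.cpp:64
#12 0x00007f77fdf37958 in Nicosia::CairoOperationRecorder::drawGlyphs(...) (this=0x0, font=..., glyphBuffer=..., from=<optimized out>, numGlyphs=<optimized out>, point=..., fontSmoothing=WebCore::FontSmoothingMode::AutoSmoothing) at ../Source/WebCore/platform/graphics/nicosia/cairo/NicosiaCairoOperationRecorder.cpp:529
#13 0x0000000101000101 in  ()
#14 0x0001000000000000 in  ()
#15 0x000000003f800000 in  ()
#16 0x00007f77fd483beb in std::__exchange<WebCore::WebGLBuffer*, decltype(nullptr)&>(WebCore::WebGLBuffer*&, decltype(nullptr)&) (__new_val=<optimized out>, __obj=@0x7fffcb2dda70: 0x7f77ed3fbb00) at /usr/include/c++/9.2.0/bits/move.h:149
#22 0x00007f77fd483beb in WebCore::WebGLRenderingContextBase::initVertexAttrib0() (this=0x7fffcb2ddb10) at ../Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp:6150
#23 0xdaa039c7f156d100 in  ()
#31 0x00007f77fd35ef23 in WebCore::HTMLBodyElement::parseAttribute(WebCore::QualifiedName const&, WTF::AtomString const&) (this=0x7d4aa000, name=..., value=...) at DerivedSources/ForwardingHeaders/wtf/text/AtomString.h:91
#34 0x0000000000000000 in  ()
"""


def parse_frames(text):
    """Return one dict per frame; wrapped continuation lines are appended to
    the frame that precedes them so `this=` is found wherever gdb put it."""
    frames = []
    for raw in text.splitlines():
        line = raw.strip()
        m = FRAME_RE.match(line)
        if m:
            rest = m.group("rest").strip()
            frames.append({"n": int(m.group("n")), "pc": int(m.group("pc"), 16),
                           "symbolized": not rest.startswith("()"), "text": rest})
        elif frames and line:
            frames[-1]["text"] += " " + line
    for f in frames:
        m = THIS_RE.search(f["text"])
        f["this"] = int(m.group(1), 16) if m else None
    return frames


def inlined_runs(frames):
    """Consecutive frames with one PC are a single machine frame: gdb synthesises
    the inner ones from DWARF inline info, so their line numbers and argument
    values are attributions. Returns (first_no, last_no, pc) per run longer than 1."""
    runs, i = [], 0
    while i < len(frames):
        j = i
        while j + 1 < len(frames) and frames[j + 1]["pc"] == frames[i]["pc"]:
            j += 1
        if j > i:
            runs.append((frames[i]["n"], frames[j]["n"], frames[i]["pc"]))
        i = j + 1
    return runs


def is_canonical_x86_64(addr):
    """Assumes an x86-64 target: bits 63..47 must all equal bit 47."""
    top = addr >> 47
    return top == 0 or top == (1 << 17) - 1


def classify_unsymbolized(pc):
    """Explain why a frame without a symbol is probably not a return address."""
    if pc == 0:
        return "null return address: the unwinder hit a zeroed slot or the end of the stack"
    if not is_canonical_x86_64(pc):
        return "non-canonical address: cannot be code, the unwinder is reading stack data"
    if pc <= 0xFFFFFFFF:
        as_float = struct.unpack("<f", struct.pack("<I", pc))[0]
        if 1e-3 <= abs(as_float) <= 1e6:
            return f"32-bit pattern decodes to float {as_float!r}: a float on the stack, not code"
    return "no symbol: address is not inside any loaded code mapping"


def suspect_frames(frames):
    return [(f["n"], f["pc"], classify_unsymbolized(f["pc"])) for f in frames if not f["symbolized"]]


def null_this_frames(frames):
    return [f["n"] for f in frames if f["this"] == 0]


def triage(text):
    frames = parse_frames(text)
    return {"frames": len(frames), "inlined_runs": inlined_runs(frames),
            "suspect": suspect_frames(frames), "null_this": null_this_frames(frames)}


if __name__ == "__main__":
    result = triage(SAMPLE_TRACE)
    for first, last, pc in result["inlined_runs"]:
        print(f"frames #{first}-#{last} share pc {pc:#x}: one machine frame, inlined callees")
    for n, pc, why in result["suspect"]:
        print(f"frame #{n} {pc:#018x}: {why}")
    print("frames reporting this=0x0:", result["null_this"])
```

Run it over a full paste of a trace rather than the excerpt; the findings are returned as data, not only printed, so the same functions can sit in a crash-triage script that decides whether a report's call chain is trustworthy before anyone reasons about it.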
Comment 1 Michael Catanzaro 2020-04-27 06:42:12 PDT
BTW this is with 2.28.1, since we don't have 2.28.2 in Tech Preview yet.
Comment 2 Carlos Garcia Campos 2020-06-29 02:16:40 PDT
This is weird, AFAIK Nicosia::CairoOperationRecorder is only used for threaded rendering, which can't be enabled in the GTK port. I wonder how you ended up with a recording graphics context. Zan?