WebKit Bugzilla
New
Browse
Log In
×
Sign in with GitHub
or
Remember my login
Create Account
·
Forgot Password
Forgotten password account recovery
RESOLVED FIXED
236005
REGRESSION(
r288865
): SourceImage should never sink its ImageBuffer to a NativeImage
https://bugs.webkit.org/show_bug.cgi?id=236005
Summary
REGRESSION(r288865): SourceImage should never sink its ImageBuffer to a Nativ...
Said Abou-Hallawa
Reported
2022-02-01 23:28:02 PST
Created
attachment 450615
[details]
test case Since the SourceImage::nativeImage returns the sunk NativeImage, the SourceImage will be left with invalid ImageBuffer which should never be used. Repro steps: 1. Enable GPU Process rendering for DOM in mini browser. 2. Open the attached test case. Results: WebKit will crash with the following call stack: #0 0x0000000159f9d205 in std::__1::unique_ptr<WebCore::GraphicsContext, std::__1::default_delete<WebCore::GraphicsContext> >::operator bool() const at /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX12.3.Internal.sdk/usr/include/c++/v1/__memory/unique_ptr.h:303 #1 0x0000000159f9d14d in WebCore::IOSurface::ensureGraphicsContext() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/platform/graphics/cocoa/IOSurface.mm:379 #2 0x000000015c3f7cd5 in WebCore::ImageBufferIOSurfaceBackend::context() const at /Volumes/Data/WebKit/OpenSource/Source/WebCore/platform/graphics/cg/ImageBufferIOSurfaceBackend.cpp:125 #3 0x000000015c3f7d26 in WebCore::ImageBufferIOSurfaceBackend::flushContext() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/platform/graphics/cg/ImageBufferIOSurfaceBackend.cpp:135 #4 0x00000001294665f0 in WebCore::ConcreteImageBuffer<WebKit::ImageBufferShareableMappedIOSurfaceBackend>::flushContext() at /Volumes/Data/WebKit/OpenSource/WebKitBuild/Debug/WebCore.framework/PrivateHeaders/ConcreteImageBuffer.h:92 #5 0x000000012944f56a in WebKit::RemoteDisplayListRecorder::flushContext(WTF::ObjectIdentifier<WebCore::GraphicsContextFlushIdentifierType>) at /Volumes/Data/WebKit/OpenSource/Source/WebKit/GPUProcess/graphics/RemoteDisplayListRecorder.cpp:527 #6 0x00000001291ebd22 in void IPC::callMemberFunctionImpl<WebKit::RemoteDisplayListRecorder, void (WebKit::RemoteDisplayListRecorder::*)(WTF::ObjectIdentifier<WebCore::GraphicsContextFlushIdentifierType>), std::__1::tuple<WTF::ObjectIdentifier<WebCore::GraphicsContextFlushIdentifierType> >, 0ul>(WebKit::RemoteDisplayListRecorder*, void (WebKit::RemoteDisplayListRecorder::*)(WTF::ObjectIdentifier<WebCore::GraphicsContextFlushIdentifierType>), std::__1::tuple<WTF::ObjectIdentifier<WebCore::GraphicsContextFlushIdentifierType> >&&, std::__1::integer_sequence<unsigned long, 0ul>) at /Volumes/Data/WebKit/OpenSource/Source/WebKit/Platform/IPC/HandleMessage.h:125 #7 0x00000001291eb17d in void IPC::callMemberFunction<WebKit::RemoteDisplayListRecorder, void (WebKit::RemoteDisplayListRecorder::*)(WTF::ObjectIdentifier<WebCore::GraphicsContextFlushIdentifierType>), std::__1::tuple<WTF::ObjectIdentifier<WebCore::GraphicsContextFlushIdentifierType> >, std::__1::integer_sequence<unsigned long, 0ul> >(std::__1::tuple<WTF::ObjectIdentifier<WebCore::GraphicsContextFlushIdentifierType> >&&, WebKit::RemoteDisplayListRecorder*, void (WebKit::RemoteDisplayListRecorder::*)(WTF::ObjectIdentifier<WebCore::GraphicsContextFlushIdentifierType>)) at /Volumes/Data/WebKit/OpenSource/Source/WebKit/Platform/IPC/HandleMessage.h:131 #8 0x000000012918d779 in void IPC::handleMessage<Messages::RemoteDisplayListRecorder::FlushContext, WebKit::RemoteDisplayListRecorder, void (WebKit::RemoteDisplayListRecorder::*)(WTF::ObjectIdentifier<WebCore::GraphicsContextFlushIdentifierType>)>(IPC::Connection&, IPC::Decoder&, WebKit::RemoteDisplayListRecorder*, void (WebKit::RemoteDisplayListRecorder::*)(WTF::ObjectIdentifier<WebCore::GraphicsContextFlushIdentifierType>)) at /Volumes/Data/WebKit/OpenSource/Source/WebKit/Platform/IPC/HandleMessage.h:197 #9 0x00000001291894bf in WebKit::RemoteDisplayListRecorder::didReceiveStreamMessage(IPC::StreamServerConnectionBase&, IPC::Decoder&) at /Volumes/Data/WebKit/OpenSource/WebKitBuild/Debug/DerivedSources/WebKit/RemoteDisplayListRecorderMessageReceiver.cpp:218 #10 0x0000000129bd44fb in IPC::StreamServerConnection::dispatchStreamMessage(IPC::Decoder&&, IPC::StreamMessageReceiver&) at /Volumes/Data/WebKit/OpenSource/Source/WebKit/Platform/IPC/StreamServerConnection.cpp:254 #11 0x0000000129bd3e94 in IPC::StreamServerConnection::dispatchStreamMessages(unsigned long) at /Volumes/Data/WebKit/OpenSource/Source/WebKit/Platform/IPC/StreamServerConnection.cpp:229 #12 0x0000000129bd2854 in IPC::StreamConnectionWorkQueue::processStreams() at /Volumes/Data/WebKit/OpenSource/Source/WebKit/Platform/IPC/StreamConnectionWorkQueue.cpp:135 #13 0x0000000129bda890 in IPC::StreamConnectionWorkQueue::startProcessingThread()::$_0::operator()() at /Volumes/Data/WebKit/OpenSource/Source/WebKit/Platform/IPC/StreamConnectionWorkQueue.cpp:107 #14 0x0000000129bda849 in WTF::Detail::CallableWrapper<IPC::StreamConnectionWorkQueue::startProcessingThread()::$_0, void>::call() at /Volumes/Data/WebKit/OpenSource/WebKitBuild/Debug/usr/local/include/wtf/Function.h:53 #15 0x000000011d0a4672 in WTF::Function<void ()>::operator()() const at /Volumes/Data/WebKit/OpenSource/WebKitBuild/Debug/usr/local/include/wtf/Function.h:82 #16 0x000000011d167e88 in WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) at /Volumes/Data/WebKit/OpenSource/Source/WTF/wtf/Threading.cpp:191 #17 0x000000011d173aa5 in WTF::wtfThreadEntryPoint(void*) at /Volumes/Data/WebKit/OpenSource/Source/WTF/wtf/posix/ThreadingPOSIX.cpp:244 Another repro steps: 1. Save the attached file to LayoutTests/svg/custom/pattern-multiple-referencing.html 2. run-webkit-tests --debug LayoutTests/svg/custom/pattern-multiple-referencing.html --guard-malloc --repeat=10 0Result: WKTR will crash with the following call stack: Thread 0 0Crashed:: Dispatch queue: com.apple.main-thread 0 WebCore 0x14eebab9c WebCore::Pattern::repeatX() const + 12 (Pattern.h:80) 1 WebCore 0x14f9d0147 WebCore::Pattern::createPlatformPattern(WebCore::AffineTransform const&) const + 375 (PatternCG.cpp:74) 2 WebCore 0x14f99dd47 WebCore::GraphicsContextCG::applyFillPattern() + 135 (GraphicsContextCG.cpp:582) 3 WebCore 0x14f99f03f WebCore::GraphicsContextCG::fillRect(WebCore::FloatRect const&) + 1167 (GraphicsContextCG.cpp:812) 4 WebCore 0x1500b8517 WebCore::LegacyRenderSVGRect::fillShape(WebCore::GraphicsContext&) const + 167 (LegacyRenderSVGRect.cpp:120) 5 WebCore 0x1500d2af1 WebCore::RenderSVGResource::fillAndStrokePathOrShape(WebCore::GraphicsContext&, WTF::OptionSet<WebCore::RenderSVGResourceMode>, WebCore::Path const*, WebCore::RenderElement const*) const + 209 (RenderSVGResource.cpp:255) 6 WebCore 0x1500f00ae WebCore::RenderSVGResourcePattern::postApplyResource(WebCore::RenderElement&, WebCore::GraphicsContext*&, WTF::OptionSet<WebCore::RenderSVGResourceMode>, WebCore::Path const*, WebCore::RenderElement const*) + 270 (RenderSVGResourcePattern.cpp:204) 7 WebCore 0x1500bc4ad WebCore::LegacyRenderSVGShape::fillShape(WebCore::RenderStyle const&, WebCore::GraphicsContext&) + 221 (LegacyRenderSVGShape.cpp:224) 8 WebCore 0x1500bc96e WebCore::LegacyRenderSVGShape::fillStrokeMarkers(WebCore::PaintInfo&) + 190 (LegacyRenderSVGShape.cpp:270) 9 WebCore 0x1500bce29 WebCore::LegacyRenderSVGShape::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 425 (LegacyRenderSVGShape.cpp:304) 10 WebCore 0x1500ba442 WebCore::LegacyRenderSVGRoot::paintReplaced(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 1330 (LegacyRenderSVGRoot.cpp:294) 11 WebCore 0x14ff76d97 WebCore::RenderReplaced::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 1959 (RenderReplaced.cpp:262) 12 WebCore 0x14fe584e9 WebCore::paintPhase(WebCore::RenderElement&, WebCore::PaintPhase, WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 57 (RenderElement.cpp:1135) 13 WebCore 0x14fe58478 WebCore::RenderElement::paintAsInlineBlock(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 232 (RenderElement.cpp:1150) 14 WebCore 0x14fd3d09a WebCore::LegacyInlineElementBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) + 298 (LegacyInlineElementBox.cpp:81) 15 WebCore 0x14fd43ebf WebCore::LegacyInlineFlowBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) + 655 (LegacyInlineFlowBox.cpp:1132) 16 WebCore 0x14fd5eb03 WebCore::LegacyRootInlineBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) + 67 (LegacyRootInlineBox.cpp:172) 17 WebCore 0x14ff43e92 WebCore::RenderLineBoxList::paint(WebCore::RenderBoxModelObject*, WebCore::PaintInfo&, WebCore::LayoutPoint const&) const + 1346 (RenderLineBoxList.cpp:260)
Attachments
test case
(677 bytes, text/html)
2022-02-01 23:28 PST
,
Said Abou-Hallawa
no flags
Details
Patch
(8.16 KB, patch)
2022-02-02 00:43 PST
,
Said Abou-Hallawa
simon.fraser
: review+
Details
Formatted Diff
Diff
Patch
(8.11 KB, patch)
2022-02-02 10:42 PST
,
Said Abou-Hallawa
no flags
Details
Formatted Diff
Diff
View All
Add attachment
proposed patch, testcase, etc.
Said Abou-Hallawa
Comment 1
2022-02-02 00:43:49 PST
Created
attachment 450625
[details]
Patch
Said Abou-Hallawa
Comment 2
2022-02-02 01:51:30 PST
Similar crashes appear also in EWS bots:
https://ews-build.s3-us-west-2.amazonaws.com/macOS-AppleSilicon-Big-Sur-Debug-WK2-Tests-EWS/r450507-22650/com.apple.WebKit.GPU.Development-822-crash-log.txt
Said Abou-Hallawa
Comment 3
2022-02-02 10:42:04 PST
Created
attachment 450671
[details]
Patch Fix a typo in the ChangeLog
EWS
Comment 4
2022-02-02 12:07:15 PST
Committed
r288977
(
246705@main
): <
https://commits.webkit.org/246705@main
> All reviewed patches have been landed. Closing bug and clearing flags on
attachment 450671
[details]
.
Radar WebKit Bug Importer
Comment 5
2022-02-02 12:08:17 PST
<
rdar://problem/88394478
>
Note
You need to
log in
before you can comment on or make changes to this bug.
Top of Page
Format For Printing
XML
Clone This Bug