Bug 249689 - REGRESSION(255641@main): Web process crash in WebCore::isDescendantOfFullScreenLayer when when fullscreening video on reddit.com
Summary: REGRESSION(255641@main): Web process crash in WebCore::isDescendantOfFullScre...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Michael Catanzaro
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2022-12-20 18:02 PST by Michael Catanzaro
Modified: 2023-01-06 18:54 PST (History)
7 users (show)

See Also:

Attachments
gdb.txt (213.82 KB, text/plain)
2022-12-20 18:02 PST, Michael Catanzaro 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Catanzaro 2022-12-20 18:02:20 PST 
Created attachment 464130 [details]
gdb.txt

Visit https://www.reddit.com/r/IdiotsInCars/comments/zqehls/they_said_my_headlights_were_off_and_i_ran_the/ or any other reddit video and play the video, then click the fullscreen button. In Ephy Tech Preview with WebKitGTK 2.39.3, the web process will crash and the UI process hangs. I'll report a separate bug for the UI process hang. The crash looks like a cross-platform issue. Note in particular this=0x0 in frame 2, so the RenderLayerCompositor decided to use a nullptr RenderLayerModelObject. I'll attach a full backtrace with all member variables. Wonder if this reproduces in Safari.

#0  std::__uniq_ptr_impl<WebCore::RenderLayer, std::default_delete<WebCore::RenderLayer> >::_M_ptr() const
    (this=0xa8) at /usr/include/c++/12.1.0/bits/unique_ptr.h:191
#1  std::unique_ptr<WebCore::RenderLayer, std::default_delete<WebCore::RenderLayer> >::get() const (this=0xa8)
    at /usr/include/c++/12.1.0/bits/unique_ptr.h:462
#2  WebCore::RenderLayerModelObject::layer() const (this=0x0)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderLayerModelObject.h:48
#3  WebCore::isDescendantOfFullScreenLayer(WebCore::RenderLayer const&) (layer=...)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderLayerCompositor.cpp:2669
#4  0x00007f1687c58ed5 in WebCore::RenderLayerCompositor::requiresCompositingForPosition(WebCore::RenderLayerModelObject&, WebCore::RenderLayer const&, WebCore::RenderLayerCompositor::RequiresCompositingData&) const
    (this=0x7f16760202a0, renderer=..., layer=..., queryData=...)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderLayerCompositor.cpp:3352
#5  0x00007f1687c59104 in WebCore::RenderLayerCompositor::requiresCompositingLayer(WebCore::RenderLayer const&, WebCore::RenderLayerCompositor::RequiresCompositingData&) const (this=0x7f16760202a0, layer=<optimized out>, queryData=...)
    at /usr/include/c++/12.1.0/bits/unique_ptr.h:191
#6  0x00007f1687c59216 in WebCore::RenderLayerCompositor::needsToBeComposited(WebCore::RenderLayer const&, WebCore::RenderLayerCompositor::RequiresCompositingData&) const (this=0x7f16760202a0, layer=..., queryData=<optimized out>)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderLayerCompositor.cpp:2612
#7  0x00007f1687c5ebd5 in WebCore::RenderLayerCompositor::updateBacking(WebCore::RenderLayer&, WebCore::RenderLayerCompositor::RequiresCompositingData&, WebCore::RenderLayerCompositor::BackingSharingState*, WebCore::RenderLayerCompositor::BackingRequired)
    (this=0x7f16760202a0, layer=..., queryData=..., backingSharingState=<optimized out>, backingRequired=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderLayerCompositor.cpp:1827
#8  0x00007f1687c5ef55 in WebCore::RenderLayerCompositor::layerStyleChanged(WebCore::StyleDifference, WebCore::RenderLayer&, WebCore::RenderStyle const*)
    (this=0x7f16760202a0, diff=WebCore::StyleDifference::NewStyle, layer=..., oldStyle=0x0)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderLayerCompositor.cpp:1697
#9  0x00007f1687c645e1 in WebCore::RenderLayer::styleChanged(WebCore::StyleDifference, WebCore::RenderStyle const*)
    (this=0x7f148e5a1870, diff=WebCore::StyleDifference::NewStyle, oldStyle=0x0)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderLayer.cpp:5371
#10 0x00007f1687c6486b in WebCore::RenderLayerModelObject::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*)
    (this=this@entry=0x7f14161f8440, diff=diff@entry=WebCore::StyleDifference::NewStyle, oldStyle=oldStyle@entry=0x0)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderLayerModelObject.cpp:168
#11 0x00007f1687bcf09c in WebCore::RenderBox::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*)
     (this=this@entry=0x7f14161f8440, diff=diff@entry=WebCore::StyleDifference::NewStyle, oldStyle=oldStyle@entry=0x0)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderBox.cpp:319
#12 0x00007f1687b9211f in WebCore::RenderBlock::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*)
    (this=this@entry=0x7f14161f8440, diff=diff@entry=WebCore::StyleDifference::NewStyle, oldStyle=oldStyle@entry=0x0)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderBlock.cpp:459
#13 0x00007f1687b92612 in WebCore::RenderBlockFlow::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) (this=0x7f14161f8440, diff=WebCore::StyleDifference::NewStyle, oldStyle=0x0)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderBlockFlow.cpp:2147
#14 0x00007f1687def62b in WebCore::RenderTreeUpdater::createRenderer(WebCore::Element&, WebCore::RenderStyle&&)
    (this=this@entry=0x7ffea77cc4f0, element=..., style=...) at /usr/include/c++/12.1.0/bits/unique_ptr.h:191
#15 0x00007f1687def809 in WebCore::RenderTreeUpdater::updateElementRenderer(WebCore::Element&, WebCore::Style::ElementUpdate const&) (this=this@entry=0x7ffea77cc4f0, element=..., elementUpdate=...)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:352
#16 0x00007f1687df174c in WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&)
    (this=0x7ffea77cc4f0, root=<optimized out>)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:187
#17 0x00007f1687df1e43 in WebCore::RenderTreeUpdater::commit(std::unique_ptr<WebCore::Style::Update const, std::defaul--Type <RET> for more, q to quit, c to continue without paging--
t_delete<WebCore::Style::Update const> >)
     (this=0x7ffea77cc4f0, styleUpdate=std::unique_ptr<const WebCore::Style::Update> = {...})
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:114
#18 0x00007f1687102d4c in WebCore::Document::updateRenderTree(std::unique_ptr<WebCore::Style::Update const, std::default_delete<WebCore::Style::Update const> >)
     (this=this@entry=0x7f1626140c00, styleUpdate=std::unique_ptr<const WebCore::Style::Update> = {...})
    at /usr/include/c++/12.1.0/bits/unique_ptr.h:189
#19 0x00007f168711f13b in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType)
    (this=this@entry=0x7f1626140c00, type=<optimized out>, type@entry=WebCore::Document::ResolveStyleType::Normal)
    at /usr/include/c++/12.1.0/tuple:199
#20 0x00007f168711f8be in WebCore::Document::updateStyleIfNeeded() (this=0x7f1626140c00)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/dom/Document.cpp:2258
#21 WebCore::Document::updateStyleIfNeeded() (this=0x7f1626140c00)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/dom/Document.cpp:2233
#22 0x00007f1687120aab in WebCore::Document::updateLayoutIfDimensionsOutOfDate(WebCore::Element&, WebCore::DimensionsCheck) (this=0x7f1626140c00, element=..., dimensionsCheck=dimensionsCheck@entry=WebCore::HeightDimensionsCheck)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/dom/Document.cpp:2360
#23 0x00007f1687140b29 in WebCore::Element::clientHeight() (this=0x7f160209c850)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/dom/Element.cpp:1419
#24 0x00007f1686408c51 in WebCore::jsElement_clientHeightGetter
    (thisObject=<optimized out>, lexicalGlobalObject=<optimized out>)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/_builddir/WebCore/DerivedSources/JSElement.cpp:3050
#25 WebCore::IDLAttribute<WebCore::JSElement>::get<WebCore::jsElement_clientHeightGetter, (WebCore::CastedThisErrorBehavior)3> (attributeName=..., thisValue=<optimized out>, lexicalGlobalObject=<optimized out>)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/bindings/js/JSDOMAttribute.h:88
#26 WebCore::jsElement_clientHeight(JSC::JSGlobalObject*, JSC::EncodedJSValue, JSC::PropertyName)
    (lexicalGlobalObject=<optimized out>, thisValue=<optimized out>, attributeName=...)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/_builddir/WebCore/DerivedSources/JSElement.cpp:3055
#27 0x00007f16844f2708 in WTF::FunctionPtr<(WTF::PtrTag)57072, long (JSC::JSGlobalObject*, long, JSC::PropertyName), (WTF::FunctionAttributes)1>::operator()(JSC::JSGlobalObject*, long, JSC::PropertyName) const
    (this=0x7ffea77cca50, in#2=..., in#1=<optimized out>, in#0=<optimized out>)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/_builddir/WTF/Headers/wtf/FunctionPtr.h:101
#28 JSC::PropertySlot::customGetter(JSC::VM&, JSC::PropertyName) const
    (this=this@entry=0x7ffea77ccc20, vm=<optimized out>, propertyName=..., propertyName@entry=...)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/JavaScriptCore/runtime/PropertySlot.cpp:47
#29 0x00007f16841602bf in JSC::PropertySlot::getValue(JSC::JSGlobalObject*, JSC::PropertyName) const
    (propertyName=..., globalObject=<optimized out>, this=<optimized out>)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/JavaScriptCore/runtime/PropertySlot.h:405
#30 JSC::JSValue::get(JSC::JSGlobalObject*, JSC::PropertyName, JSC::PropertySlot&) const
    (slot=..., propertyName=..., globalObject=<optimized out>, this=0x7ffea77ccbd8)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/JavaScriptCore/runtime/JSCJSValueInlines.h:1045
#31 JSC::LLInt::performLLIntGetByID(JSC::BytecodeIndex, JSC::CodeBlock*, JSC::JSGlobalObject*, JSC::JSValue, JSC::Identifier const&, JSC::GetByIdModeMetadata&)
    (bytecodeIndex=..., codeBlock=0x7f14c5945b70, globalObject=<optimized out>, baseValue=..., ident=..., metadata=...) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:814
#32 0x00007f1684160ded in JSC::LLInt::llint_slow_path_get_by_id(JSC::CallFrame*, JSC::JSInstruction const*)
    (callFrame=0x7ffea77cce20, pc=0x7f1676a3b25e)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:888
#33 0x00007f16835a8734 in llint_op_get_by_id ()
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm:118
#34 0x00007f14b56da9e8 in  ()
Comment 1 Michael Catanzaro 2022-12-20 18:05:32 PST 
The associated UI process hang is bug #249690 (which I'll assume, without evidence, to be GTK-specific).
Comment 2 Sam Sneddon [:gsnedders] 2022-12-21 07:27:16 PST 
> Wonder if this reproduces in Safari.

I can't reproduce it anywhere in Safari (either STP or stable, macOS Ventura), FWIW.
Comment 3 Michael Catanzaro 2023-01-04 13:01:46 PST 
There is a bug in RenderLayerCompositor::isDescendantOfFullScreenLayer, here:

    auto* fullScreenRenderer = dynamicDowncast<RenderLayerModelObject>(fullScreenElement->renderer());
    auto* fullScreenLayer = fullScreenRenderer->layer();
    if (!fullScreenRenderer || !fullScreenLayer)
        return FullScreenDescendant::NotApplicable;

The code first assumes that fullScreenRenderer is not nullptr (as if the dynamicDowncast cannot fail) and uses it unconditionally. Then it checks to see if it's nullptr on the very next line. No good. The downcast is surely failing here. There might be a platform-specific reason for that, but this is a cross-platform bug.
Comment 4 Michael Catanzaro 2023-01-04 14:00:06 PST 
Actually that's the only problem here. Fullscreen works fine with that fixed.
Comment 5 Brent Fulgham 2023-01-04 14:07:25 PST 
Certainly seems worth fixing!
Comment 6 Michael Catanzaro 2023-01-04 14:17:43 PST 
Pull request: https://github.com/WebKit/WebKit/pull/8213
Comment 7 Radar WebKit Bug Importer 2023-01-04 14:24:13 PST 
<rdar://problem/103888322>
Comment 8 EWS 2023-01-06 18:54:50 PST 
Committed 258593@main (e29dfab61f35): <https://commits.webkit.org/258593@main>

Reviewed commits have been landed. Closing PR #8213 and removing active labels.