214241 2020-07-12 14:20:08 -0700 [WinCairo] ANGLE D3D renderer can crash when PlatformDisplayWin is destructed in IPC thread 2020-07-28 13:23:16 -0700 1 1 1 Unclassified WebKit Platform WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 fujii fujii don.olmstead ross.kirsling webkit-bug-importer oldest_to_newest 1670918 0 fujii 2020-07-12 14:20:08 -0700 [WinCairo] Crashed while destructing GLContextEGL I observed a crash after browsing some sites and closing the MiniBroser. I don't know how to reproduce this crash. I was using WinCairo WK2 release r263953, Callstack: > atidxx64.dll!00007ffabcddfa03() Unknown > atiuxp64.dll!00007ffabde0c89e() Unknown > d3d11.dll!CResource<ID3D11Buffer>::CLS::FinalRelease() Unknown > d3d11.dll!TCLSWrappers<class CBuffer>::CLSDestroy(struct CBuffer::CLS *,class CContext *) Unknown > d3d11.dll!CLayeredObjectWithCLS<class CBuffer>::~CLayeredObjectWithCLS<class CBuffer>(void) Unknown > d3d11.dll!CLayeredObjectWithCLS<class CBuffer>::Release(void) Unknown > d3d11.dll!NDXGI::CDeviceChild<struct IDXGIResource1,struct IDXGISwapChainInternal>::FinalRelease(void) Unknown > d3d11.dll!CLayeredObject<NDXGI::CResource>::Release() Unknown > d3d11.dll!CUseCountedObject<NOutermost::CDeviceChild>::`scalar deleting destructor'() Unknown > d3d11.dll!CUseCountedObject<class NOutermost::CDeviceChild>::UCDestroy(void) Unknown > d3d11.dll!CUseCountedObject<class NOutermost::CDeviceChild>::Release(void) Unknown > [Inline Frame] libGLESv2.dll!rx::TypedData<ID3D11Buffer>::~TypedData() Line 362 C++ > [Inline Frame] libGLESv2.dll!std::default_delete<rx::TypedData<ID3D11Buffer>>::operator()(rx::TypedData<ID3D11Buffer> * _Ptr) Line 1758 C++ > [Inline Frame] libGLESv2.dll!std::unique_ptr<rx::TypedData<ID3D11Buffer>,std::default_delete<rx::TypedData<ID3D11Buffer>>>::reset(rx::TypedData<ID3D11Buffer> * _Ptr) Line 1908 C++ > libGLESv2.dll!rx::Resource11Base<ID3D11Buffer,UniquePtr,rx::TypedData<ID3D11Buffer>>::~Resource11Base() Line 225 C++ > libGLESv2.dll!rx::Buffer11::NativeStorage::~NativeStorage() Line 1130 C++ > [Inline Frame] libGLESv2.dll!SafeDelete(rx::Buffer11::BufferStorage * & resource) Line 100 C++ > libGLESv2.dll!rx::Buffer11::~Buffer11() Line 360 C++ > libGLESv2.dll!rx::Buffer11::~Buffer11() Line 357 C++ > [Inline Frame] libGLESv2.dll!SafeDelete(rx::BufferImpl * & resource) Line 100 C++ > libGLESv2.dll!gl::Buffer::~Buffer() Line 51 C++ > libGLESv2.dll!gl::Buffer::~Buffer() Line 50 C++ > [Inline Frame] libGLESv2.dll!angle::RefCountObject<gl::Context,angle::Result>::release(const gl::Context * context) Line 46 C++ > [Inline Frame] libGLESv2.dll!gl::ProgramPipelineManager::DeleteObject(const gl::Context * context, gl::ProgramPipeline * pipeline) Line 409 C++ > libGLESv2.dll!gl::TypedResourceManager<gl::ProgramPipeline,gl::HandleAllocator,gl::ProgramPipelineManager,gl::ProgramPipelineID>::reset(const gl::Context * context) Line 74 C++ > libGLESv2.dll!gl::ResourceManagerBase<gl::HandleAllocator>::release(const gl::Context * context) Line 59 C++ > libGLESv2.dll!gl::Context::onDestroy(const egl::Display * display) Line 571 C++ > libGLESv2.dll!egl::Display::destroyContext(const egl::Thread * thread, gl::Context * context) Line 1219 C++ > libGLESv2.dll!EGL_DestroyContext(void * dpy, void * ctx) Line 409 C++ > WebKit2.dll!WebCore::GLContextEGL::~GLContextEGL() Line 359 C++ > WebKit2.dll!WebCore::GLContextEGL::~GLContextEGL() Line 346 C++ > [Inline Frame] WebKit2.dll!std::default_delete<WebCore::GLContext>::operator()(WebCore::GLContext * _Ptr) Line 1758 C++ > [Inline Frame] WebKit2.dll!std::unique_ptr<WebCore::GLContext,std::default_delete<WebCore::GLContext>>::~unique_ptr() Line 1873 C++ > [Inline Frame] WebKit2.dll!WebCore::PlatformDisplay::~PlatformDisplay() Line 166 C++ > WebKit2.dll!WebCore::PlatformDisplayWin::~PlatformDisplayWin() Line 42 C++ > [External Code] > WebKit2.dll!WebKit::AuxiliaryProcess::didClose(IPC::Connection &) Line 60 C++ > WebKit2.dll!IPC::Connection::connectionDidClose() Line 856 C++ > WebKit2.dll!IPC::Connection::readEventHandler() Line 155 C++ > [Inline Frame] WTF.dll!WTF::Function<void ()>::operator()() Line 84 C++ > WTF.dll!WTF::RunLoop::performWork() Line 140 C++ > [Inline Frame] WTF.dll!WTF::RunLoop::wndProc(HWND__ * hWnd, unsigned int message, unsigned __int64 wParam, __int64 lParam) Line 56 C++ > WTF.dll!WTF::RunLoop::RunLoopWndProc(HWND__ * hWnd, unsigned int message, unsigned __int64 wParam, __int64 lParam) Line 39 C++ > [External Code] > WTF.dll!WTF::RunLoop::run() Line 73 C++ > [Inline Frame] WTF.dll!WTF::Function<void ()>::operator()() Line 84 C++ > WTF.dll!WTF::Thread::entryPoint(WTF::Thread::NewThreadContext * newThreadContext) Line 168 C++ > WTF.dll!WTF::wtfThreadEntryPoint(void * data) Line 153 C++ > [External Code] 1675152 1 fujii 2020-07-26 18:21:57 -0700 ANGLE D3D renderer isn't thread-safe. PlatformDisplay was destructed in IPC thread. This is not expected for WinCairo. WinCairo shouldn't destruct PlatformDisplay because it can cause crash (Bug 170331). PlatformDisplay::sharedDisplay has static variable of std::unique_ptr<PlatformDisplay>. This triggers PlatformDisplay dtor. This is not expected for WinCairo. 1675482 2 405333 fujii 2020-07-27 17:51:22 -0700 Created attachment 405333 Patch 1675736 3 405333 don.olmstead 2020-07-28 12:32:48 -0700 Comment on attachment 405333 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=405333&action=review r=me with nit about name > Source/WebCore/ChangeLog:3 > + [WinCairo] ANGLE D3D renderer rarely crashes while destructing PlatformDisplayWin in IPC thread Maybe a better bug name would be something like this? [WinCairo] ANGLE D3D renderer can crash when PlatformDisplayWin is destructed in IPC thread 1675760 4 fujii 2020-07-28 13:22:18 -0700 Committed r265003: <https://trac.webkit.org/changeset/265003> 1675762 5 webkit-bug-importer 2020-07-28 13:23:16 -0700 <rdar://problem/66234135> 405333 2020-07-27 17:51:22 -0700 2020-07-28 12:32:48 -0700 Patch bug-214241-20200728095121.patch text/plain 2284 fujii U3VidmVyc2lvbiBSZXZpc2lvbjogMjY0OTA4CmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggYWFmNDI1MDI1OTY5NzE3 ZDM0OWE3YzY5NjI3OTMwNmM1ZTNiMmQ4MS4uMzg0Y2I0MThlMDc4MWY4ZGZiM2ZhZWRkOGZmZmJh M2E1NGY2ZGU0ZSAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDIwIEBACisyMDIwLTA3LTI3ICBGdWpp aSBIaXJvbm9yaSAgPEhpcm9ub3JpLkZ1amlpQHNvbnkuY29tPgorCisgICAgICAgIFtXaW5DYWly b10gQU5HTEUgRDNEIHJlbmRlcmVyIHJhcmVseSBjcmFzaGVzIHdoaWxlIGRlc3RydWN0aW5nIFBs YXRmb3JtRGlzcGxheVdpbiBpbiBJUEMgdGhyZWFkCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJr aXQub3JnL3Nob3dfYnVnLmNnaT9pZD0yMTQyNDEKKworICAgICAgICBSZXZpZXdlZCBieSBOT0JP RFkgKE9PUFMhKS4KKworICAgICAgICBXZWIgcHJvY2VzcyBjYWxscyBfZXhpdCgpIGluIElQQyB0 aHJlYWQgd2hlbiB0aGUgSVBDIGNvbm5lY3Rpb24gaXMKKyAgICAgICAgY2xvc2VkLiBQbGF0Zm9y bURpc3BsYXk6OnNoYXJlZERpc3BsYXkgaGFzIGEgc3RhdGljIHZhcmlhYmxlIG9mCisgICAgICAg IHN0ZDo6dW5pcXVlX3B0cjxQbGF0Zm9ybURpc3BsYXk+IHRvIGVuc3VyZSBpdCB3aWxsIGJlIGRl c3RydWN0ZWQKKyAgICAgICAgb24gdGhlIHByb2Nlc3MgdGVybWluYXRpb24uIFRoaXMgcmFyZWx5 IGNhdXNlcyBjcmFzaGVzIGluIEFOR0xFCisgICAgICAgIGJlY2F1c2UgQU5HTEUgRDNEIHJlbmRl cmVyIGlzbid0IHRocmVhZC1zYWZlIGF0IHRoZSBtb21lbnQuCisKKyAgICAgICAgKiBwbGF0Zm9y bS9ncmFwaGljcy9QbGF0Zm9ybURpc3BsYXkuY3BwOgorICAgICAgICAoV2ViQ29yZTo6UGxhdGZv cm1EaXNwbGF5OjpzaGFyZWREaXNwbGF5KTogRG9uJ3QgZGVzdHJ1Y3QKKyAgICAgICAgUGxhdGZv cm1EaXNwbGF5LiBVc2UgdW5pcXVlX3B0cjo6cmVsZWFzZSB0byBsZWFrIGl0LgorCiAyMDIwLTA3 LTI1ICBTaW1vbiBGcmFzZXIgIDxzaW1vbi5mcmFzZXJAYXBwbGUuY29tPgogCiAgICAgICAgIFNj cm9sbCBTbmFwIGJyb2tlbiB3aGVuIHVzaW5nIFJUTCBsYXlvdXQKZGlmZiAtLWdpdCBhL1NvdXJj ZS9XZWJDb3JlL3BsYXRmb3JtL2dyYXBoaWNzL1BsYXRmb3JtRGlzcGxheS5jcHAgYi9Tb3VyY2Uv V2ViQ29yZS9wbGF0Zm9ybS9ncmFwaGljcy9QbGF0Zm9ybURpc3BsYXkuY3BwCmluZGV4IDAwMjM0 OTZmMzQwNTg4NTMyYTcwYWI4NjhhZDM5ZTAzZWJiYjhhNjAuLmQ5ODY2NmI1NGVhMmM1NWQ5YzBm Njg4YWY3Yjc4ODAxODk4ODc2OWUgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJDb3JlL3BsYXRmb3Jt L2dyYXBoaWNzL1BsYXRmb3JtRGlzcGxheS5jcHAKKysrIGIvU291cmNlL1dlYkNvcmUvcGxhdGZv cm0vZ3JhcGhpY3MvUGxhdGZvcm1EaXNwbGF5LmNwcApAQCAtMTI2LDYgKzEyNiwxMiBAQCBzdGQ6 OnVuaXF1ZV9wdHI8UGxhdGZvcm1EaXNwbGF5PiBQbGF0Zm9ybURpc3BsYXk6OmNyZWF0ZVBsYXRm b3JtRGlzcGxheSgpCiAKIFBsYXRmb3JtRGlzcGxheSYgUGxhdGZvcm1EaXNwbGF5OjpzaGFyZWRE aXNwbGF5KCkKIHsKKyNpZiBQTEFURk9STShXSU4pCisgICAgLy8gQU5HTEUgRDNEIHJlbmRlcmVy IGlzbid0IHRocmVhZC1zYWZlLiBEb24ndCBkZXN0cnVjdCBpdCBvbiBub24tbWFpbiB0aHJlYWRz IHdoaWNoIGNhbGxzIF9leGl0KCkuCisgICAgQVNTRVJUKGlzTWFpblRocmVhZCgpKTsKKyAgICBz dGF0aWMgUGxhdGZvcm1EaXNwbGF5KiBkaXNwbGF5ID0gY3JlYXRlUGxhdGZvcm1EaXNwbGF5KCku cmVsZWFzZSgpOworICAgIHJldHVybiAqZGlzcGxheTsKKyNlbHNlCiAgICAgc3RhdGljIHN0ZDo6 b25jZV9mbGFnIG9uY2VGbGFnOwogICAgIElHTk9SRV9DTEFOR19XQVJOSU5HU19CRUdJTigiZXhp dC10aW1lLWRlc3RydWN0b3JzIikKICAgICBzdGF0aWMgc3RkOjp1bmlxdWVfcHRyPFBsYXRmb3Jt RGlzcGxheT4gZGlzcGxheTsKQEAgLTEzNCw2ICsxNDAsNyBAQCBQbGF0Zm9ybURpc3BsYXkmIFBs YXRmb3JtRGlzcGxheTo6c2hhcmVkRGlzcGxheSgpCiAgICAgICAgIGRpc3BsYXkgPSBjcmVhdGVQ bGF0Zm9ybURpc3BsYXkoKTsKICAgICB9KTsKICAgICByZXR1cm4gKmRpc3BsYXk7CisjZW5kaWYK IH0KIAogc3RhdGljIFBsYXRmb3JtRGlzcGxheSogc19zaGFyZWREaXNwbGF5Rm9yQ29tcG9zaXRp bmc7Cg==