217323 2020-10-05 11:06:17 -0700 [GTK][X11] WebProcess crash in WebCore::GLContextGLX::createPbufferContext() with NVidia proprietary drivers 2020-12-02 14:14:42 -0800 1 1 1 Unclassified WebKit WebKitGTK WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED https://bugs.webkit.org/show_bug.cgi?id=199666 https://bugs.webkit.org/show_bug.cgi?id=219456 P2 Normal --- 1 eocanha eocanha aperez bugs-noreply eocanha magomez oldest_to_newest 1694761 0 eocanha 2020-10-05 11:06:17 -0700 I'm getting this crash on trunk@267957 when using NVidia binary drivers: #0 WebCore::GLContextGLX::createPbufferContext(WebCore::PlatformDisplay&, __GLXcontextRec*) (platformDisplay=..., sharingContext=0x0) at ../../Source/WebCore/platform/graphics/glx/GLContextGLX.cpp:232 #1 0x00007f85bdd7541d in WebCore::GLContextGLX::createSharingContext(WebCore::PlatformDisplay&) (platformDisplay=...) at ../../Source/WebCore/platform/graphics/glx/GLContextGLX.cpp:295 #2 0x00007f85bdd1e5cf in WebCore::GLContext::createSharingContext(WebCore::PlatformDisplay&) (display=...) at ../../Source/WebCore/platform/graphics/GLContext.cpp:115 #3 0x00007f85bdd1fc73 in WebCore::PlatformDisplay::sharingGLContext() (this=0x7f85a1dd0000) at ../../Source/WebCore/platform/graphics/PlatformDisplay.cpp:179 #4 0x00007f85bdd752df in WebCore::GLContextGLX::createContext(unsigned long, WebCore::PlatformDisplay&) (window=192937988, platformDisplay=...) at ../../Source/WebCore/platform/graphics/glx/GLContextGLX.cpp:283 #5 0x00007f85bdd1e415 in WebCore::GLContext::createContextForWindow(unsigned long, WebCore::PlatformDisplay*) (windowHandle=192937988, platformDisplay=0x7f85a1dd0000) at ../../Source/WebCore/platform/graphics/GLContext.cpp:89 #6 0x00007f85bab4e220 in WebKit::ThreadedCompositor::createGLContext() (this=0x7f853a4f1780) at ../../Source/WebKit/Shared/CoordinatedGraphics/threadedcompositor/ThreadedCompositor.cpp:87 #7 0x00007f85bab4dec9 in operator()() const (__closure=0x7f853a4e04b8) at ../../Source/WebKit/Shared/CoordinatedGraphics/threadedcompositor/ThreadedCompositor.cpp:73 #8 0x00007f85bab53e36 in WTF::Detail::CallableWrapper<WebKit::ThreadedCompositor::ThreadedCompositor(WebKit::ThreadedCompositor::Client&, WebKit::ThreadedDisplayRefreshMonitor::Client&, WebCore::PlatformDisplayID, const WebCore::IntSize&, float, WebCore::TextureMapper::PaintFlags)::<lambda()>, void>::call(void) (this=0x7f853a4e04b0) at DerivedSources/ForwardingHeaders/wtf/Function.h:52 #9 0x00007f85ba034adb in WTF::Function<void ()>::operator()() const (this=0x7f853a4e04d8) at DerivedSources/ForwardingHeaders/wtf/Function.h:83 #10 0x00007f85bab4d7c3 in operator()() const (__closure=0x7f853a4e04d0) at ../../Source/WebKit/Shared/CoordinatedGraphics/threadedcompositor/CompositingRunLoop.cpp:90 #11 0x00007f85bab53e56 in WTF::Detail::CallableWrapper<WebKit::CompositingRunLoop::performTaskSync(WTF::Function<void()>&&)::<lambda()>, void>::call(void) (this=0x7f853a4e04c8) at DerivedSources/ForwardingHeaders/wtf/Function.h:52 #12 0x00007f85ba034adb in WTF::Function<void ()>::operator()() const (this=0x7f853a3fe940) at DerivedSources/ForwardingHeaders/wtf/Function.h:83 #13 0x00007f85abb12e7f in WTF::RunLoop::performWork() (this=0x7f853a4d8000) at ../../Source/WTF/wtf/RunLoop.cpp:123 #14 0x00007f85abb9c7ea in operator()(gpointer) const (__closure=0x0, userData=0x7f853a4d8000) at ../../Source/WTF/wtf/glib/RunLoopGLib.cpp:80 #15 0x00007f85abb9c80e in _FUN(gpointer) () at ../../Source/WTF/wtf/glib/RunLoopGLib.cpp:82 #16 0x00007f85abb9c77d in operator()(GSource*, GSourceFunc, gpointer) const (__closure=0x0, source=0x7f8540005c10, callback=0x7f85abb9c7f1 <_FUN(gpointer)>, userData=0x7f853a4d8000) at ../../Source/WTF/wtf/glib/RunLoopGLib.cpp:53 #17 0x00007f85abb9c7cb in _FUN(GSource*, GSourceFunc, gpointer) () at ../../Source/WTF/wtf/glib/RunLoopGLib.cpp:56 #18 0x00007f85a4c1304f in g_main_dispatch (context=0x7f854000b2a0) at ../glib/gmain.c:3325 #19 g_main_context_dispatch (context=0x7f854000b2a0) at ../glib/gmain.c:4016 #20 0x00007f85a4c133f8 in g_main_context_iterate (context=0x7f854000b2a0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:4092 #21 0x00007f85a4c13713 in g_main_loop_run (loop=0x7f8540008800) at ../glib/gmain.c:4290 #22 0x00007f85abb9cd94 in WTF::RunLoop::run() () at ../../Source/WTF/wtf/glib/RunLoopGLib.cpp:108 #23 0x00007f85bab4d3dd in operator()() const (__closure=0x7f853a4e04a0) at ../../Source/WebKit/Shared/CoordinatedGraphics/threadedcompositor/CompositingRunLoop.cpp:49 #24 0x00007f85bab53eb6 in WTF::Detail::CallableWrapper<WebKit::createRunLoop()::<lambda()>, void>::call(void) (this=0x7f853a4e0498) at DerivedSources/ForwardingHeaders/wtf/Function.h:52 --Type <RET> for more, q to quit, c to continue without paging-- #25 0x00007f85ba034adb in WTF::Function<void ()>::operator()() const (this=0x7f853a3fec30) at DerivedSources/ForwardingHeaders/wtf/Function.h:83 #26 0x00007f85abb18aa3 in WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) (newThreadContext=0x7f853a4e4410) at ../../Source/WTF/wtf/Threading.cpp:179 #27 0x00007f85abba7f7b in WTF::wtfThreadEntryPoint(void*) (context=0x7f853a4e4410) at ../../Source/WTF/wtf/posix/ThreadingPOSIX.cpp:213 #28 0x00007f85a5d074d2 in start_thread (arg=<optimized out>) at pthread_create.c:477 #29 0x00007f85a387d4d3 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95 The crash wasn't present on trunk@266718. After debugging it with rr, I realized that the call to glXChooseFBConfig() returns early in my specific case, leaving returnedElements untouched and uninitialized[1], usually with a value different from zero. This causes the wrong branch to be taken and triggers the crash, as the configs variable is holding a null pointer. This problem might be related or be a subset of the issue reported in https://bugs.webkit.org/show_bug.cgi?id=199666#c2 [1] https://github.com/WebKit/webkit/blob/9fb817f9a912a7860499f63fd9661f399511c3fe/Source/WebCore/platform/graphics/glx/GLContextGLX.cpp#L224 1694774 1 410535 eocanha 2020-10-05 11:36:25 -0700 Created attachment 410535 Patch 1694786 2 aperez 2020-10-05 12:12:35 -0700 Good catch, by the way! 1694839 3 ews-feeder 2020-10-05 13:55:58 -0700 Committed r268000: <https://trac.webkit.org/changeset/268000> All reviewed patches have been landed. Closing bug and clearing flags on attachment 410535. 410535 2020-10-05 11:36:25 -0700 2020-10-05 13:55:59 -0700 Patch bug-217323-20201005203624.patch text/plain 1717 eocanha U3VidmVyc2lvbiBSZXZpc2lvbjogMjY3OTU3CmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggNjEzODZjNmQ5OGI3ZWE4 OTgzYmVhNTM5NzM2ZTk1YTBmYzA5ZWM1OS4uOTk0MWJmZjMwNTgwMmVhMjk2YjhmYjQ4Y2QzN2Fl ZjgwZDEwNjQ2MCAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE2IEBACisyMDIwLTEwLTA1ICBFbnJp cXVlIE9jYcOxYSBHb256w6FsZXogIDxlb2NhbmhhQGlnYWxpYS5jb20+CisKKyAgICAgICAgW0dU S11bWDExXSBXZWJQcm9jZXNzIGNyYXNoIGluIFdlYkNvcmU6OkdMQ29udGV4dEdMWDo6Y3JlYXRl UGJ1ZmZlckNvbnRleHQoKSB3aXRoIE5WaWRpYSBwcm9wcmlldGFyeSBkcml2ZXJzCisgICAgICAg IGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0yMTczMjMKKworICAgICAg ICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBUaGUgcmV0dXJuZWRFbGVt ZW50cyB2YXJpYWJsZSBtaWdodCByZW1haW4gdW5pbml0aWFsaXplZCBpZiB0aGUgZ2xYQ2hvb3Nl RkJDb25maWcoKQorICAgICAgICBmdW5jdGlvbiBjYWxsIGZhaWxzLCBsZWFkaW5nIHRvIGV4ZWN1 dGlvbiBvZiB0aGUgd3JvbmcgY29kZSBicmFuY2ggbGF0ZXIuCisKKyAgICAgICAgKiBwbGF0Zm9y bS9ncmFwaGljcy9nbHgvR0xDb250ZXh0R0xYLmNwcDoKKyAgICAgICAgKFdlYkNvcmU6OkdMQ29u dGV4dEdMWDo6Y3JlYXRlUGJ1ZmZlckNvbnRleHQpOiBJbml0aWFsaXplZCB0aGUgcmV0dXJuZWRF bGVtZW50cyB2YXJpYWJsZS4KKwogMjAyMC0xMC0wNSAgUm9iIEJ1aXMgIDxyYnVpc0BpZ2FsaWEu Y29tPgogCiAgICAgICAgIE1JTUUgdHlwZSBwYXJzZXIgc2hvdWxkIHNraXAgdHJhaWxpbmcgSFRU UCB3aGl0ZXNwYWNlCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9wbGF0Zm9ybS9ncmFwaGlj cy9nbHgvR0xDb250ZXh0R0xYLmNwcCBiL1NvdXJjZS9XZWJDb3JlL3BsYXRmb3JtL2dyYXBoaWNz L2dseC9HTENvbnRleHRHTFguY3BwCmluZGV4IDgxNTU3NzEwYjJjZjQ2M2VlZmFlMDZjNzMyMzQ5 MTUxMDcyYjc1MTUuLmEwNmZmOWViOTNjMzg4NGFiNjA2ZmZmOWM2YTgzYWI5M2Q4OGM3ZTcgMTAw NjQ0Ci0tLSBhL1NvdXJjZS9XZWJDb3JlL3BsYXRmb3JtL2dyYXBoaWNzL2dseC9HTENvbnRleHRH TFguY3BwCisrKyBiL1NvdXJjZS9XZWJDb3JlL3BsYXRmb3JtL2dyYXBoaWNzL2dseC9HTENvbnRl eHRHTFguY3BwCkBAIC0yMjEsNyArMjIxLDcgQEAgc3RkOjp1bmlxdWVfcHRyPEdMQ29udGV4dEdM WD4gR0xDb250ZXh0R0xYOjpjcmVhdGVQYnVmZmVyQ29udGV4dChQbGF0Zm9ybURpc3BsYXkKICAg ICAgICAgMAogICAgIH07CiAKLSAgICBpbnQgcmV0dXJuZWRFbGVtZW50czsKKyAgICBpbnQgcmV0 dXJuZWRFbGVtZW50cyA9IDA7CiAgICAgRGlzcGxheSogZGlzcGxheSA9IGRvd25jYXN0PFBsYXRm b3JtRGlzcGxheVgxMT4ocGxhdGZvcm1EaXNwbGF5KS5uYXRpdmUoKTsKICAgICBYVW5pcXVlUHRy PEdMWEZCQ29uZmlnPiBjb25maWdzKGdsWENob29zZUZCQ29uZmlnKGRpc3BsYXksIDAsIGZiQ29u ZmlnQXR0cmlidXRlcywgJnJldHVybmVkRWxlbWVudHMpKTsKICAgICBpZiAoIXJldHVybmVkRWxl bWVudHMpCg==