223780 2021-03-25 21:41:04 -0700 [GPU Process] Don't ever replay DisplayList items of a RemoteImageBuffer in WebProcess 2021-03-28 21:50:10 -0700 1 1 1 Unclassified WebKit Canvas WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 sabouhallawa sabouhallawa dino simon.fraser thorton webkit-bug-importer wenson_hsieh oldest_to_newest 1744063 0 sabouhallawa 2021-03-25 21:41:04 -0700 If the GPU Process is terminated while the Web Process is still alive, the destructor of RemoteImageBufferProxy will fail to flushDrawingContext() because m_remoteRenderingBackendProxy will be nullptr. So when the destructor of the base class DisplayList::ImageBuffer is called, the m_drawingContext.m_displayList will have elements. DisplayList::DrawingContext::replayDisplayList() will be called to replay these items. This may also lead to the following crash if any of these DisplayList items were encoded for GPU Process. Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.CoreFoundation 0x0000000195832744 CFGetTypeID + 92 1 com.apple.CoreGraphics 0x000000019aa38fa0 CGPathIsEmpty + 28 2 com.apple.WebCore 0x000000010d49dfc8 WebCore::GraphicsContext::drawPath(WebCore::Path const&) + 64 3 com.apple.WebCore 0x000000010f1808a0 WebCore::DisplayList::Replayer::replay(WebCore::FloatRect const&, bool) + 5584 4 com.apple.WebCore 0x000000010f16f230 WebCore::DisplayList::DrawingContext::replayDisplayList(WebCore::GraphicsContext&) + 176 5 com.apple.WebKit 0x0000000105a5053c WebCore::DisplayList::ImageBuffer<WebKit::ImageBufferShareableMappedIOSurfaceBackend>::~ImageBuffer() + 60 6 com.apple.WebKit 0x0000000105a4f5c8 WebKit::RemoteImageBufferProxy<WebKit::ImageBufferShareableMappedIOSurfaceBackend>::~RemoteImageBufferProxy() + 16 7 com.apple.WebCore 0x000000010d555c8c WebCore::HTMLCanvasElement::~HTMLCanvasElement() + 912 8 com.apple.WebCore 0x000000010d5558e4 WebCore::HTMLCanvasElement::~HTMLCanvasElement() + 16 9 com.apple.JavaScriptCore 0x000000010454b1c4 JSC::PreciseAllocation::sweep() + 76 10 com.apple.JavaScriptCore 0x00000001045433b8 JSC::MarkedSpace::sweepPreciseAllocations() + 104 11 com.apple.JavaScriptCore 0x0000000104522194 JSC::Heap::finalize() + 104 1744065 1 sabouhallawa 2021-03-25 21:42:44 -0700 <rdar://75852494> 1744067 2 424318 sabouhallawa 2021-03-25 21:55:00 -0700 Created attachment 424318 Patch 1744679 3 ews-feeder 2021-03-28 21:50:08 -0700 Committed r275157: <https://commits.webkit.org/r275157> All reviewed patches have been landed. Closing bug and clearing flags on attachment 424318. 424318 2021-03-25 21:55:00 -0700 2021-03-28 21:50:09 -0700 Patch bug-223780-20210325215459.patch text/plain 1733 sabouhallawa U3VidmVyc2lvbiBSZXZpc2lvbjogMjc1MDcxCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViS2l0L0No YW5nZUxvZyBiL1NvdXJjZS9XZWJLaXQvQ2hhbmdlTG9nCmluZGV4IDQ4ZDE0OGY2ODUwYjAwZWZi OThiZWQ3MDliNjc4NjkyOTVjODcwOTYuLjc4OWUyNzQ1MGRlZWE2NTI5ZGZkNjFmMWViZjk0ZjQ3 NDJiZDk0ZTQgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJLaXQvQ2hhbmdlTG9nCisrKyBiL1NvdXJj ZS9XZWJLaXQvQ2hhbmdlTG9nCkBAIC0xLDMgKzEsMTYgQEAKKzIwMjEtMDMtMjUgIFNhaWQgQWJv dS1IYWxsYXdhICA8c2FpZEBhcHBsZS5jb20+CisKKyAgICAgICAgW0dQVSBQcm9jZXNzXSBEb24n dCBldmVyIHJlcGxheSBEaXNwbGF5TGlzdCBpdGVtcyBvZiBhIFJlbW90ZUltYWdlQnVmZmVyIGlu IFdlYlByb2Nlc3MKKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dp P2lkPTIyMzc4MAorICAgICAgICA8cmRhcjovLzc1ODUyNDk0PgorCisgICAgICAgIFJldmlld2Vk IGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIE1ha2Ugc3VyZSB0aGUgZGVzdHJ1Y3RvciBv ZiBSZW1vdGVJbWFnZUJ1ZmZlclByb3h5IGNsZWFycyBpdHMgRGlzcGxheUxpc3QKKyAgICAgICAg c28gdGhlIGRlc3RydWN0b3Igb2YgdGhlIGJhc2UgY2xhc3MgZG9lcyBub3QgcmVwbGF5IGl0cyBp dGVtcyBpbiBXZWJQcm9jZXNzLgorCisgICAgICAgICogV2ViUHJvY2Vzcy9HUFUvZ3JhcGhpY3Mv UmVtb3RlSW1hZ2VCdWZmZXJQcm94eS5oOgorCiAyMDIxLTAzLTI1ICBKZXNzaWUgQmVybGluICA8 amJlcmxpbkB3ZWJraXQub3JnPgogCiAgICAgICAgIFJlbW92ZSAxMC4xMyBERVBMT1lNRU5UX1RB UkdFVHMgYW5kIFNZU1RFTV9WRVJTSU9OX1BSRUZJWHMKZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJL aXQvV2ViUHJvY2Vzcy9HUFUvZ3JhcGhpY3MvUmVtb3RlSW1hZ2VCdWZmZXJQcm94eS5oIGIvU291 cmNlL1dlYktpdC9XZWJQcm9jZXNzL0dQVS9ncmFwaGljcy9SZW1vdGVJbWFnZUJ1ZmZlclByb3h5 LmgKaW5kZXggNWJiZjI1NjMwNjI5MGU0OWFjOGRiMzFiNWQwMWFjOTZiNTZhYWM0Mi4uZjVhNjAy MTRlZDgzNDIwNzhmNjdkMDEyNDJjMDVhYWI3OWU0MDRiNyAxMDA2NDQKLS0tIGEvU291cmNlL1dl YktpdC9XZWJQcm9jZXNzL0dQVS9ncmFwaGljcy9SZW1vdGVJbWFnZUJ1ZmZlclByb3h5LmgKKysr IGIvU291cmNlL1dlYktpdC9XZWJQcm9jZXNzL0dQVS9ncmFwaGljcy9SZW1vdGVJbWFnZUJ1ZmZl clByb3h5LmgKQEAgLTY0LDggKzY0LDExIEBAIHB1YmxpYzoKIAogICAgIH5SZW1vdGVJbWFnZUJ1 ZmZlclByb3h5KCkKICAgICB7Ci0gICAgICAgIGlmICghbV9yZW1vdGVSZW5kZXJpbmdCYWNrZW5k UHJveHkpCisgICAgICAgIGlmICghbV9yZW1vdGVSZW5kZXJpbmdCYWNrZW5kUHJveHkpIHsKKyAg ICAgICAgICAgIGNsZWFyRGlzcGxheUxpc3QoKTsKICAgICAgICAgICAgIHJldHVybjsKKyAgICAg ICAgfQorCiAgICAgICAgIGZsdXNoRHJhd2luZ0NvbnRleHQoKTsKICAgICAgICAgbV9yZW1vdGVS ZW5kZXJpbmdCYWNrZW5kUHJveHktPnJlbW90ZVJlc291cmNlQ2FjaGVQcm94eSgpLnJlbGVhc2VJ bWFnZUJ1ZmZlcihtX3JlbmRlcmluZ1Jlc291cmNlSWRlbnRpZmllcik7CiAgICAgICAgIG1fcmVt b3RlUmVuZGVyaW5nQmFja2VuZFByb3h5LT5yZWxlYXNlUmVtb3RlUmVzb3VyY2UobV9yZW5kZXJp bmdSZXNvdXJjZUlkZW50aWZpZXIpOwo=