233217 2021-11-16 14:50:10 -0800 [iOS 15] Nullptr crashes in ShareableBitmap::createGraphicsContext, mostly on twitter.com 2021-11-17 19:55:07 -0800 1 1 1 Unclassified WebKit Images WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 ajuma heycam heycam sabouhallawa webkit-bug-importer wenson_hsieh oldest_to_newest 1815666 0 ajuma 2021-11-16 14:50:10 -0800 Chrome for iOS is getting crash reports in ShareableBitmap::createGraphicsContext, mostly (> 50%) on twitter.com pages with large images. This is new in iOS 15.0, and is still occurring on iOS 15.2. Looking for recent changes in the call stack, I wonder if this is related to r281661. Here's the stack: CRASHED [EXC_BAD_ACCESS / KERN_INVALID_ADDRESS @ 0x00000018 ] 0x00000001923179a8 (WebKit + 0x003569a8) WebKit::wantsExtendedRange(WebKit::ShareableBitmap::Configuration const&) 0x0000000192317a08 (WebKit + 0x00356a08) WebKit::ShareableBitmap::createGraphicsContext() 0x0000000192317a08 (WebKit + 0x00356a08) WebKit::ShareableBitmap::createGraphicsContext() 0x0000000192317b58 (WebKit + 0x00356b58) WebKit::ShareableBitmap::makeCGImageCopy() 0x00000001923ad30c (WebKit + 0x003ec30c) WebKit::PageClientImpl::startDrag(WebCore::DragItem const&, WebKit::ShareableBitmap::Handle const&) 0x000000019274aba0 (WebKit + 0x00789ba0) WebKit::WebPageProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&) 0x00000001920192cc (WebKit + 0x000582cc) IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) 0x0000000192421a68 (WebKit + 0x00460a68) WebKit::WebProcessProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&) 0x0000000191ff700c (WebKit + 0x0003600c) IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) 0x0000000191ff661c (WebKit + 0x0003561c) IPC::Connection::dispatchIncomingMessages() 0x000000018f914778 (JavaScriptCore + 0x01133778) WTF::RunLoop::performWork() 0x000000018f9158e8 (JavaScriptCore + 0x011348e8) WTF::RunLoop::performWork(void*) 0x000000018395102c (CoreFoundation + 0x000bb02c) __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ 0x0000000183961cec (CoreFoundation + 0x000cbcec) __CFRunLoopDoSource0 0x000000018389bff4 (CoreFoundation + 0x00005ff4) __CFRunLoopDoSources0 0x00000001838a1800 (CoreFoundation + 0x0000b800) __CFRunLoopRun 0x00000001838b53c4 (CoreFoundation + 0x0001f3c4) CFRunLoopRunSpecific 0x000000019f0c6388 (GraphicsServices + 0x00001388) GSEventRunModal 0x000000018625b05c (UIKitCore + 0x0051b05c) -[UIApplication _run] 0x0000000185fd8b88 (UIKitCore + 0x00298b88) UIApplicationMain 1815685 1 heycam 2021-11-16 15:28:40 -0800 Thanks for the report, Ali. There were a few changes to ShareableBitmap in the iOS 15 release. I'll try to reproduce. 1815686 2 webkit-bug-importer 2021-11-16 15:30:14 -0800 <rdar://problem/85478309> 1815696 3 heycam 2021-11-16 15:51:13 -0800 It's possible ShareableBitmap::create returned null due to either numBytes overflowing (though that would require something like a 32k x 32k image) or the ShareableBitmapMalloc::tryMalloc call failing. Either way, PageClientImpl::startDrag should probably defend against ShareableBitmap::create returning null. 1815931 4 ajuma 2021-11-17 07:23:34 -0800 (In reply to Cameron McCormack (:heycam) from comment #3) > It's possible ShareableBitmap::create returned null due to either numBytes > overflowing (though that would require something like a 32k x 32k image) or > the ShareableBitmapMalloc::tryMalloc call failing. Either way, > PageClientImpl::startDrag should probably defend against > ShareableBitmap::create returning null. Thanks for having a look. A large fraction of the crash reports are happening when free memory is low, so it's probably the ShareableBitmapMalloc::tryMalloc call failing. 1816059 5 heycam 2021-11-17 12:30:54 -0800 (In reply to Ali Juma from comment #4) > Thanks for having a look. A large fraction of the crash reports are > happening when free memory is low, so it's probably the > ShareableBitmapMalloc::tryMalloc call failing. Oh actually this is the ShareableBitmap::create call that takes a shared memory handle, so there's no allocation failure here. But there are still paths where we can return null (mapping the shared memory failing, or numBytes is too big, or the shared memory size not matching the number of bytes we expect). 1816131 6 444579 heycam 2021-11-17 14:33:09 -0800 Created attachment 444579 Patch 1816285 7 ews-feeder 2021-11-17 19:55:05 -0800 Committed r285976 (244373@main): <https://commits.webkit.org/244373@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 444579. 444579 2021-11-17 14:33:09 -0800 2021-11-17 19:55:06 -0800 Patch bug-233217-20211118093308.patch text/plain 1518 heycam U3VidmVyc2lvbiBSZXZpc2lvbjogMjg1OTEzCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViS2l0L0No YW5nZUxvZyBiL1NvdXJjZS9XZWJLaXQvQ2hhbmdlTG9nCmluZGV4IDhmMWQ4OTEwNDI2Njk0OWQ2 NGFlYWRhMDQwMGUxNjcxYzRkYTQ1MjUuLjQwODlmMzkyZDRmMTk5MGRjZjNlMDcyYjA1ZWMzMGVj ZGI2ZDFkYWEgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJLaXQvQ2hhbmdlTG9nCisrKyBiL1NvdXJj ZS9XZWJLaXQvQ2hhbmdlTG9nCkBAIC0xLDMgKzEsMTQgQEAKKzIwMjEtMTEtMTcgIENhbWVyb24g TWNDb3JtYWNrICA8aGV5Y2FtQGFwcGxlLmNvbT4KKworICAgICAgICBQcm90ZWN0IGFnYWluc3Qg bnVsbCBTaGFyZWRCaXRtYXBzIHdoZW4gc3RhcnRpbmcgYSBkcmFnCisgICAgICAgIGh0dHBzOi8v YnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0yMzMyMTcKKyAgICAgICAgPHJkYXI6Ly9w cm9ibGVtLzg1NDc4MzA5PgorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgor CisgICAgICAgICogVUlQcm9jZXNzL2lvcy9QYWdlQ2xpZW50SW1wbElPUy5tbToKKyAgICAgICAg KFdlYktpdDo6UGFnZUNsaWVudEltcGw6OnN0YXJ0RHJhZyk6CisKIDIwMjEtMTEtMTYgIFNpaHVp IExpdSAgPHNpaHVpX2xpdUBhcHBsZS5jb20+CiAKICAgICAgICAgSW1wbGVtZW50IEZpbGVTeXN0 ZW1GaWxlSGFuZGxlLmdldEZpbGUoKQpkaWZmIC0tZ2l0IGEvU291cmNlL1dlYktpdC9VSVByb2Nl c3MvaW9zL1BhZ2VDbGllbnRJbXBsSU9TLm1tIGIvU291cmNlL1dlYktpdC9VSVByb2Nlc3MvaW9z L1BhZ2VDbGllbnRJbXBsSU9TLm1tCmluZGV4IGUzNjM2MzRmYWNiZWFlOGU4YTdhZjQ2ZmE0ZjVi MTg3N2IxOWFkNmQuLmQwODY2NzM0ZjM0ZWY4NzY3NmEyZWM3ODRiNmU4NjU2NzBjMjMwOWIgMTAw NjQ0Ci0tLSBhL1NvdXJjZS9XZWJLaXQvVUlQcm9jZXNzL2lvcy9QYWdlQ2xpZW50SW1wbElPUy5t bQorKysgYi9Tb3VyY2UvV2ViS2l0L1VJUHJvY2Vzcy9pb3MvUGFnZUNsaWVudEltcGxJT1MubW0K QEAgLTkxMCw3ICs5MTAsMTAgQEAgdm9pZCBQYWdlQ2xpZW50SW1wbDo6ZGlkSGFuZGxlQWRkaXRp b25hbERyYWdJdGVtc1JlcXVlc3QoYm9vbCBhZGRlZCkKIAogdm9pZCBQYWdlQ2xpZW50SW1wbDo6 c3RhcnREcmFnKGNvbnN0IERyYWdJdGVtJiBpdGVtLCBjb25zdCBTaGFyZWFibGVCaXRtYXA6Okhh bmRsZSYgaW1hZ2UpCiB7Ci0gICAgW21fY29udGVudFZpZXcgX3N0YXJ0RHJhZzpTaGFyZWFibGVC aXRtYXA6OmNyZWF0ZShpbWFnZSktPm1ha2VDR0ltYWdlQ29weSgpIGl0ZW06aXRlbV07CisgICAg YXV0byBiaXRtYXAgPSBTaGFyZWFibGVCaXRtYXA6OmNyZWF0ZShpbWFnZSk7CisgICAgaWYgKCFi aXRtYXApCisgICAgICAgIHJldHVybjsKKyAgICBbbV9jb250ZW50VmlldyBfc3RhcnREcmFnOmJp dG1hcC0+bWFrZUNHSW1hZ2VDb3B5KCkgaXRlbTppdGVtXTsKIH0KIAogdm9pZCBQYWdlQ2xpZW50 SW1wbDo6d2lsbFJlY2VpdmVFZGl0RHJhZ1NuYXBzaG90KCkK