274780 2024-05-28 08:22:18 -0700 [WPE][GTK] Crash in WebCore::TextDecorationPainter::paintBackgroundDecorations when compiled with Clang with LTO enabled 2024-08-16 03:46:12 -0700 1 1 1 Unclassified WebKit Layout and Rendering Other Unspecified Unspecified RESOLVED FIXED https://bugzilla.redhat.com/show_bug.cgi?id=2281612 InRadar P2 Normal --- 1 mcrha aperez adamw aperez bfulgham bugs-noreply mcatanzaro mikhail.v.gavrilov muziknavi simon.fraser webkit-bug-importer yaneti zalan oldest_to_newest 2038193 0 mcrha 2024-05-28 08:22:18 -0700 Moving this from a downstream bug: https://gitlab.gnome.org/GNOME/evolution/-/issues/2759 Reproducer with MiniBrowser from webkit2gtk4.1-2.45.2-2.fc41.x86_64: a) run from a terminal: /usr/libexec/webkit2gtk-4.1/MiniBrowser https://www.gnome.org b) click on the "Get GNOME" link at the top (or maybe other) The terminal says: ** (MiniBrowser:6350): WARNING **: 17:12:18.205: WebProcess CRASHED After which also the MiniBrowser itself crashes. coredumpctl says: Tue 2024-05-28 17:12:18 CEST 6372 1000 1000 SIGSEGV none /usr/libexec/webkit2gtk-4.1/WebKitWebProcess - Tue 2024-05-28 17:12:21 CEST 6350 1000 1000 SIGSEGV present /usr/libexec/webkit2gtk-4.1/MiniBrowser 5.9M The WebProcess gdb output (the downstream bug contains a different backtrace though): Thread 1 "WebKitWebProces" received signal SIGSEGV, Segmentation fault. 0x00007fa99ee42938 in auto WebCore::TextDecorationPainter::paintBackgroundDecorations(WebCore::RenderStyle const&, WebCore::TextRun const&, WebCore::TextDecorationPainter::BackgroundDecorationGeometry const&, WTF::OptionSet<WebCore::TextDecorationLine>, WebCore::TextDecorationPainter::Styles const&)::$_0::operator()<WebCore::TextDecorationLine, WebCore::TextDecorationStyle, WebCore::Color const, WebCore::FloatRect>(WebCore::TextDecorationLine, WebCore::TextDecorationStyle, WebCore::Color const&, WebCore::FloatRect&) const () from /lib64/libwebkit2gtk-4.1.so.0 (gdb) bt #0 0x00007fa99ee42938 in auto WebCore::TextDecorationPainter::paintBackgroundDecorations(WebCore::RenderStyle const&, WebCore::TextRun const&, WebCore::TextDecorationPainter::BackgroundDecorationGeometry const&, WTF::OptionSet<WebCore::TextDecorationLine>, WebCore::TextDecorationPainter::Styles const&)::$_0::operator()<WebCore::TextDecorationLine, WebCore::TextDecorationStyle, WebCore::Color const, WebCore::FloatRect>(WebCore::TextDecorationLine, WebCore::TextDecorationStyle, WebCore::Color const&, WebCore::FloatRect&) const () at /lib64/libwebkit2gtk-4.1.so.0 #1 0x00007fa99ee37ba0 in WebCore::TextDecorationPainter::paintBackgroundDecorations(WebCore::RenderStyle const&, WebCore::TextRun const&, WebCore::TextDecorationPainter::BackgroundDecorationGeometry const&, WTF::OptionSet<WebCore::TextDecorationLine>, WebCore::TextDecorationPainter::Styles const&) () at /lib64/libwebkit2gtk-4.1.so.0 #2 0x00007fa99ee33811 in WebCore::TextBoxPainter<WebCore::InlineIterator::BoxModernPath>::paintForegroundAndDecorations() () at /lib64/libwebkit2gtk-4.1.so.0 #3 0x00007fa99ee30ab8 in WebCore::TextBoxPainter<WebCore::InlineIterator::BoxModernPath>::paint() () at /lib64/libwebkit2gtk-4.1.so.0 #4 0x00007fa99e6547ed in WebCore::LayoutIntegration::InlineContentPainter::paintDisplayBox(WebCore::InlineDisplay::Box const&) () at /lib64/libwebkit2gtk-4.1.so.0 #5 0x00007fa99e65494b in WebCore::LayoutIntegration::InlineContentPainter::paint() () at /lib64/libwebkit2gtk-4.1.so.0 #6 0x00007fa99e65a913 in WebCore::LayoutIntegration::LineLayout::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::RenderInline const*) () at /lib64/libwebkit2gtk-4.1.so.0 #7 0x00007fa99ec6ef37 in WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) () at /lib64/libwebkit2gtk-4.1.so.0 #8 0x00007fa99ec6db9e in WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) () at /lib64/libwebkit2gtk-4.1.so.0 #9 0x00007fa99ec6e523 in WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool, WebCore::RenderBlock::PaintBlockType) () at /lib64/libwebkit2gtk-4.1.so.0 #10 0x00007fa99ec6e31f in WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) () at /lib64/libwebkit2gtk-4.1.so.0 #11 0x00007fa99ec6ef1f in WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) () at /lib64/libwebkit2gtk-4.1.so.0 #12 0x00007fa99ec6db9e in WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) () at /lib64/libwebkit2gtk-4.1.so.0 #13 0x00007fa99ecdd7a3 in WebCore::RenderElement::paintAsInlineBlock(WebCore::PaintInfo&, WebCore::LayoutPoint const&) () at /lib64/libwebkit2gtk-4.1.so.0 #14 0x00007fa99ec6e50e in WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool, WebCore::RenderBlock::PaintBlockType) () at /lib64/libwebkit2gtk-4.1.so.0 #15 0x00007fa99ecf31af in WebCore::RenderFlexibleBox::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) () at /lib64/libwebkit2gtk-4.1.so.0 #16 0x00007fa99ec6ef1f in WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) () at /lib64/libwebkit2gtk-4.1.so.0 #17 0x00007fa99ec6db9e in WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) () at /lib64/libwebkit2gtk-4.1.so.0 #18 0x00007fa99ec6e523 in WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool, WebCore::RenderBlock::PaintBlockType) () at /lib64/libwebkit2gtk-4.1.so.0 #19 0x00007fa99ec6e31f in WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) () at /lib64/libwebkit2gtk-4.1.so.0 #20 0x00007fa99ec6ef1f in WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) () at /lib64/libwebkit2gtk-4.1.so.0 #21 0x00007fa99ec6db9e in WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) () at /lib64/libwebkit2gtk-4.1.so.0 #22 0x00007fa99ec6e523 in WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool, WebCore::RenderBlock::PaintBlockType) () at /lib64/libwebkit2gtk-4.1.so.0 #23 0x00007fa99ec6e31f in WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) () at /lib64/libwebkit2gtk-4.1.so.0 #24 0x00007fa99ec6ef1f in WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) () at /lib64/libwebkit2gtk-4.1.so.0 #25 0x00007fa99ec6db9e in WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) () at /lib64/libwebkit2gtk-4.1.so.0 #26 0x00007fa99ec6e523 in WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool, WebCore::RenderBlock::PaintBlockType) () at /lib64/libwebkit2gtk-4.1.so.0 #27 0x00007fa99ec6e31f in WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) () at /lib64/libwebkit2gtk-4.1.so.0 #28 0x00007fa99ec6ef1f in WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) () at /lib64/libwebkit2gtk-4.1.so.0 #29 0x00007fa99ec6db9e in WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) () at /lib64/libwebkit2gtk-4.1.so.0 #30 0x00007fa99ec6e523 in WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool, WebCore::RenderBlock::PaintBlockType) () at /lib64/libwebkit2gtk-4.1.so.0 #31 0x00007fa99ec6e31f in WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) () at /lib64/libwebkit2gtk-4.1.so.0 #32 0x00007fa99ec6ef1f in WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) () at /lib64/libwebkit2gtk-4.1.so.0 #33 0x00007fa99ec6db9e in WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) () at /lib64/libwebkit2gtk-4.1.so.0 #34 0x00007fa99ed380f9 in WebCore::RenderLayer::paintForegroundForFragmentsWithPhase(WebCore::PaintPhase, WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::PaintBehavior>, WebCore::RenderObject*) () at /lib64/libwebkit2gtk-4.1.so.0 #35 0x00007fa99ed3285b in WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) () at /lib64/libwebkit2gtk-4.1.so.0 #36 0x00007fa99ed332f2 in WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) () at /lib64/libwebkit2gtk-4.1.so.0 #37 0x00007fa99ed332f2 in WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) () at /lib64/libwebkit2gtk-4.1.so.0 #38 0x00007fa99ed535d4 in WebCore::RenderLayerBacking::paintIntoLayer(WebCore::GraphicsLayer const*, WebCore::GraphicsContext&, WebCore::IntRect const&, WTF::OptionSet<WebCore::PaintBehavior>, WebCore::RegionContext*)::$_0::operator()(WebCore::RenderLayer&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) const () at /lib64/libwebkit2gtk-4.1.so.0 #39 0x00007fa99ed53082 in WebCore::RenderLayerBacking::paintIntoLayer(WebCore::GraphicsLayer const*, WebCore::GraphicsContext&, WebCore::IntRect const&, WTF::OptionSet<WebCore::PaintBehavior>, WebCore::RegionContext*) () at /lib64/libwebkit2gtk-4.1.so.0 #40 0x00007fa99ed53e4b in WebCore::RenderLayerBacking::paintContents(WebCore::GraphicsLayer const*, WebCore::GraphicsContext&, WebCore::FloatRect const&, WTF::OptionSet<WebCore::GraphicsLayerPaintBehavior>) () at /lib64/libwebkit2gtk-4.1.so.0 #41 0x00007fa99ce89e99 in WebCore::CoordinatedGraphicsLayer::paintTile(WebCore::IntRect const&, WebCore::IntRect const&, float)::$_1::operator()(WebCore::GraphicsContext&) const () at /lib64/libwebkit2gtk-4.1.so.0 #42 0x00007fa99ce89803 in WebCore::CoordinatedGraphicsLayer::paintTile(WebCore::IntRect const&, WebCore::IntRect const&, float) () at /lib64/libwebkit2gtk-4.1.so.0 #43 0x00007fa99ce859dc in WebCore::CoordinatedGraphicsLayer::updateContentBuffers() () at /lib64/libwebkit2gtk-4.1.so.0 #44 0x00007fa99ce850e6 in WebCore::CoordinatedGraphicsLayer::updateContentBuffersIncludingSubLayers() () at /lib64/libwebkit2gtk-4.1.so.0 #45 0x00007fa99ce8511c in WebCore::CoordinatedGraphicsLayer::updateContentBuffersIncludingSubLayers() () at /lib64/libwebkit2gtk-4.1.so.0 #46 0x00007fa99ce8511c in WebCore::CoordinatedGraphicsLayer::updateContentBuffersIncludingSubLayers() () at /lib64/libwebkit2gtk-4.1.so.0 #47 0x00007fa99ce8511c in WebCore::CoordinatedGraphicsLayer::updateContentBuffersIncludingSubLayers() () at /lib64/libwebkit2gtk-4.1.so.0 #48 0x00007fa99ce8511c in WebCore::CoordinatedGraphicsLayer::updateContentBuffersIncludingSubLayers() () at /lib64/libwebkit2gtk-4.1.so.0 #49 0x00007fa99ce8511c in WebCore::CoordinatedGraphicsLayer::updateContentBuffersIncludingSubLayers() () at /lib64/libwebkit2gtk-4.1.so.0 #50 0x00007fa99cdffbfd in WebKit::CompositingCoordinator::flushPendingLayerChanges(WTF::OptionSet<WebCore::FinalizeRenderingUpdateFlags>) () at /lib64/libwebkit2gtk-4.1.so.0 #51 0x00007fa99ce0ba65 in WebKit::LayerTreeHost::layerFlushTimerFired() () at /lib64/libwebkit2gtk-4.1.so.0 #52 0x00007fa99baaca85 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::$_0::__invoke(void*) [clone .llvm.2038710169385785088] () at /lib64/libjavascriptcoregtk-4.1.so.0 #53 0x00007fa99baab831 in WTF::RunLoop::$_0::__invoke(_GSource*, int (*)(void*), void*) () at /lib64/libjavascriptcoregtk-4.1.so.0 #54 0x00007fa99820c90c in g_main_context_dispatch_unlocked.lto_priv () at /lib64/libglib-2.0.so.0 #55 0x00007fa99826d978 in g_main_context_iterate_unlocked.isra () at /lib64/libglib-2.0.so.0 #56 0x00007fa9982128c7 in g_main_loop_run () at /lib64/libglib-2.0.so.0 #57 0x00007fa99baabe29 in WTF::RunLoop::run() () at /lib64/libjavascriptcoregtk-4.1.so.0 #58 0x00007fa99ce185ac in WebKit::WebProcessMain(int, char**) () at /lib64/libwebkit2gtk-4.1.so.0 #59 0x00007fa99c23c1c8 in __libc_start_call_main () at /lib64/libc.so.6 #60 0x00007fa99c23c28b in __libc_start_main_impl () at /lib64/libc.so.6 #61 0x0000000000401075 in _start () ======================================================================= The MiniBrowser backtrace: (gdb) bt #0 0x00007f629e092502 in WebKit::WebPageProxy::keyEventHandlingCompleted(std::optional<WebKit::WebEventType>, bool) () at /lib64/libwebkit2gtk-4.1.so.0 #1 0x00007f629e00fb1f in WTF::Detail::CallableWrapper<WebKit::AuxiliaryProcessProxy::sendMessage(WTF::UniqueRef<IPC::Encoder>&&, WTF::OptionSet<IPC::SendOption>, std::optional<IPC::ConnectionAsyncReplyHandler>, WebKit::AuxiliaryProcessProxy::ShouldStartProcessThrottlerActivity)::$_1, void, IPC::Decoder*>::call(IPC::Decoder*) () at /lib64/libwebkit2gtk-4.1.so.0 #2 0x00007f629dfd7d81 in WTF::Detail::CallableWrapper<IPC::Connection::sendMessageWithAsyncReply(WTF::UniqueRef<IPC::Encoder>&&, IPC::ConnectionAsyncReplyHandler, WTF::OptionSet<IPC::SendOption>, std::optional<WTF::Thread::QOS>)::$_0, void>::call() [clone .llvm.15857245043833178621] () at /lib64/libwebkit2gtk-4.1.so.0 #3 0x00007f629ca4430b in WTF::RunLoop::performWork() () at /lib64/libjavascriptcoregtk-4.1.so.0 #4 0x00007f629caac9dd in WTF::RunLoop::RunLoop()::$_0::__invoke(void*) () at /lib64/libjavascriptcoregtk-4.1.so.0 #5 0x00007f629caab831 in WTF::RunLoop::$_0::__invoke(_GSource*, int (*)(void*), void*) () at /lib64/libjavascriptcoregtk-4.1.so.0 #6 0x00007f62a21f290c in g_main_context_dispatch_unlocked.lto_priv () at /lib64/libglib-2.0.so.0 #7 0x00007f62a2253978 in g_main_context_iterate_unlocked.isra () at /lib64/libglib-2.0.so.0 #8 0x00007f62a21f3d83 in g_main_context_iteration () at /lib64/libglib-2.0.so.0 #9 0x00007f629b3135bd in g_application_run () at /lib64/libgio-2.0.so.0 #10 0x00000000004194ed in main () P.S.: the debuginfo for WebKitGTK is too large, I'm sorry 2038194 1 mcatanzaro 2024-05-28 08:29:39 -0700 This might be a GCC LTO bug, see https://bugzilla.redhat.com/show_bug.cgi?id=2281612 2038196 2 mcatanzaro 2024-05-28 08:56:39 -0700 Wait, we switch to Clang because that's recommended for building Skia, so it can't be a GCC bug. :P 2038437 3 471541 yaneti 2024-05-29 07:19:23 -0700 Created attachment 471541 test -fno-lto for TextDecorationPainter.cpp As a learning experiment tried to isolate TextDecorationPainter.cpp from LTO and the result seems to not crash. 2038443 4 aperez 2024-05-29 07:44:40 -0700 Which version of Clang resulted in the TextDecorationPainter crash? I used to hit this often, but now using Clang 17 the problems seems to be gone. I don't remember which version of Clang I had at the time, but I remembered that I had a workaround in one of my Git stashes that I never got to truly understand why it made things work... I had the intention of reporting the issue to the LLVM/Clang people but never got round to it. Here's the workaround: ---- 8< ---- 8< ---- diff --git a/Source/WebCore/rendering/TextDecorationPainter.cpp b/Source/WebCore/rendering/TextDecorationPainter.cpp index 895c512156da..02d8f00d5aae 100644 --- a/Source/WebCore/rendering/TextDecorationPainter.cpp +++ b/Source/WebCore/rendering/TextDecorationPainter.cpp @@ -128,25 +128,26 @@ static DashArray translateIntersectionPointsToSkipInkBoundaries(const DashArray& // Step 2: Deal with intersecting ranges. Vector<std::pair<float, float>> intermediateTuples; if (tuples.size() >= 2) { - intermediateTuples.append(*tuples.begin()); - for (auto i = tuples.begin() + 1; i != tuples.end(); i++) { + intermediateTuples.append(tuples[0]); + for (size_t i = 1; i < tuples.size(); i++) { float& firstEnd = intermediateTuples.last().second; - float secondStart = i->first; - float secondEnd = i->second; + float secondStart = tuples[i].first; + float secondEnd = tuples[i].second; if (secondStart <= firstEnd && secondEnd <= firstEnd) { // Ignore this range completely } else if (secondStart <= firstEnd) firstEnd = secondEnd; else - intermediateTuples.append(*i); + intermediateTuples.append(tuples[i]); } } else - intermediateTuples = tuples; + intermediateTuples = WTFMove(tuples); // Step 3: Output the space between the ranges, but only if the space warrants an underline. float previous = 0; DashArray result; - for (const auto& tuple : intermediateTuples) { + for (size_t i = 0; i < intermediateTuples.size(); i++) { + const auto& tuple = intermediateTuples[i]; if (tuple.first - previous > dilationAmount) { result.append(previous); result.append(tuple.first); 2038444 5 yaneti 2024-05-29 07:48:19 -0700 > Which version of Clang resulted in the TextDecorationPainter crash? I used > to hit this often, but now using Clang 17 the problems seems to be gone. Rawhide is currently on Clang 18.1.6(In reply to Adrian Perez from comment #4) 2038461 6 adamw 2024-05-29 08:21:31 -0700 The webkitgtk build I'm using was built with 18.1.4-3.fc41 . Other reporters have said a more recent build done with 18.1.6-3.fc41 is also affected. 2038582 7 mcatanzaro 2024-05-29 14:51:40 -0700 Well I had started a build that disables LTO, but let's try Adrian's patch instead. 2038727 8 yaneti 2024-05-30 01:55:59 -0700 Thanks, webkitgtk-2.45.3-3.fc41 works for me 2039021 9 mcatanzaro 2024-05-31 06:16:40 -0700 *** Bug 274956 has been marked as a duplicate of this bug. *** 2043134 10 yaneti 2024-06-25 23:59:13 -0700 AFAICS this fix hasn't landed yet. @mcatanzaro now that you've removed it? in rawhide, webkitgtk-2.45.4-1.fc41 is crashing again 2043175 11 mcatanzaro 2024-06-26 06:43:24 -0700 Oops, I just assumed we had fixed this. I'll restore the patch in rawhide. I guess we'll just need to land Adrian's patch, even though it makes the code worse. Adrian, do you want to create a pull request? Unfortunately switching from GCC to Clang means it's going to be harder to attract compiler developers to investigate the bug reports, and LTO bugs are by far the hardest to report. It's probably not realistic to expect us to get a useful compiler bug report here. 2043176 12 mcatanzaro 2024-06-26 06:44:58 -0700 Or we could land Yanko's patch instead, removing TextDecorationPainter.cpp from the unified build and adding -fno-lto. (In reply to Michael Catanzaro from comment #11) > It's probably not realistic to expect us to > get a useful compiler bug report here. If anybody *does* have time to report a Clang bug, that would be wonderful and ideal. But it won't be easy. 2043254 13 mcatanzaro 2024-06-26 13:42:40 -0700 (In reply to Michael Catanzaro from comment #11) > I guess we'll just need to land Adrian's patch, even though it makes the > code worse. Adrian, do you want to create a pull request? We agreed I'll create a pull request for this. 2044522 14 mcatanzaro 2024-07-03 13:08:53 -0700 Unfortunately I'm not able to reproduce this crash in my development build. Unassigning myself. I think I'll just turn off LTO in Fedora again. That's easier than carrying a mysterious patch. If it causes crashes here, probably something else is broken somewhere without crashing.... 2052725 15 mcatanzaro 2024-08-14 08:14:18 -0700 *** Bug 278090 has been marked as a duplicate of this bug. *** 2052749 16 mcatanzaro 2024-08-14 09:06:10 -0700 *** Bug 278101 has been marked as a duplicate of this bug. *** 2052839 17 aperez 2024-08-14 15:27:22 -0700 I have arrived to a smaller workaround/fix: diff --git a/Source/WebCore/rendering/TextDecorationPainter.cpp b/Source/WebCore/rendering/TextDecorationPainter.cpp index 5c4e798d7aef..6c3951145f30 100644 --- a/Source/WebCore/rendering/TextDecorationPainter.cpp +++ b/Source/WebCore/rendering/TextDecorationPainter.cpp @@ -141,7 +141,7 @@ static DashArray translateIntersectionPointsToSkipInkBoundaries(const DashArray& intermediateTuples.append(*i); } } else - intermediateTuples = tuples; + intermediateTuples.swap(tuples); // Step 3: Output the space between the ranges, but only if the space warrants an underline. float previous = 0; What do we think about this? 🤪 2052956 18 aperez 2024-08-15 00:27:30 -0700 (In reply to Adrian Perez from comment #17) > I have arrived to a smaller workaround/fix: > > diff --git a/Source/WebCore/rendering/TextDecorationPainter.cpp > b/Source/WebCore/rendering/TextDecorationPainter.cpp > index 5c4e798d7aef..6c3951145f30 100644 > --- a/Source/WebCore/rendering/TextDecorationPainter.cpp > +++ b/Source/WebCore/rendering/TextDecorationPainter.cpp > @@ -141,7 +141,7 @@ static DashArray > translateIntersectionPointsToSkipInkBoundaries(const DashArray& > intermediateTuples.append(*i); > } > } else > - intermediateTuples = tuples; > + intermediateTuples.swap(tuples); > > // Step 3: Output the space between the ranges, but only if the space > warrants an underline. > float previous = 0; > > What do we think about this? 🤪 I have been dogfooding a build from yesterday with the above one-liner applied and I have had no further crashes. That's good. Now, understanding exactly why the fix works is the tricky part... In bug #278090 we got a different (more complete?) backtrace, and it had the frames at the top following: #0 memcpy () at /usr/include/bits/string_fortified.h:29 #1 uninitializedCopy () at WTF/Headers/wtf/Vector.h:190 #2 uninitializedCopy () at WTF/Headers/wtf/Vector.h:284 #3 operator= () at WTF/Headers/wtf/Vector.h:1044 #4 translateIntersectionPointsToSkipInkBoundaries () at /usr/src/debug/webkit2gtk-4.1/webkitgtk-2.44.3/Source/WebCore/rendering/TextDecorationPainter.cpp:144 Looking at the code, frame 4 is exactly at the line with the assignment changed in my suggested change. The calls into uninitializedCopy() made me think that there might be some issue with the initialization of either “tuples” or “intermediateTuples”, and that going through the assignment operator if one of the objects is in an odd state, in particular in regard to the values returned by Vector::size() or the Vector buffer base pointer (both used a number of times inside the assignment operator code), that could explain an OOB read or write in the call to “memcpy()” where the crash ultimately happens. Or something gets corrupted (?) during the process--I am not sure yet. Noticing that “tuples” is not ever used in the rest of the function, and that some print-debugging showed that it was in a consistent state, and “intermediateTuples” as well, it seemed reasonable to use WTFMove() to replace the internal state of one Vector with the other. Well, that did't work, but using Vector::swap() directly did! IIUC the Vector::swap() function is used internally by the move assignment operator so the change above is effectively doing the same but using a lower level call... which puts less work on the compiler's inlining logic --which definitely interacts with LTO!-- making it “easier” to either avoid triggering what I still think is a compiler bug. 2052981 19 aperez 2024-08-15 03:47:10 -0700 Pull request: https://github.com/WebKit/WebKit/pull/32240 2053097 20 ews-feeder 2024-08-15 13:16:28 -0700 Committed 282306@main (96fb0b0c6c46): <https://commits.webkit.org/282306@main> Reviewed commits have been landed. Closing PR #32240 and removing active labels. 2053098 21 webkit-bug-importer 2024-08-15 13:17:15 -0700 <rdar://problem/133975304> 2053268 22 aperez 2024-08-16 03:46:12 -0700 *** Bug 277333 has been marked as a duplicate of this bug. *** 471541 2024-05-29 07:19:23 -0700 2024-05-29 07:19:23 -0700 test -fno-lto for TextDecorationPainter.cpp webkit-test.patch text/plain 995 yaneti ZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJDb3JlL0NNYWtlTGlzdHMudHh0IGIvU291cmNlL1dlYkNv cmUvQ01ha2VMaXN0cy50eHQKaW5kZXggNDczNjRmMmM3NWQzLi5lNzQ2YTIyMjgxZGYgMTAwNjQ0 Ci0tLSBhL1NvdXJjZS9XZWJDb3JlL0NNYWtlTGlzdHMudHh0CisrKyBiL1NvdXJjZS9XZWJDb3Jl L0NNYWtlTGlzdHMudHh0CkBAIC05LDYgKzksMTAgQEAgbGlzdChBUFBFTkQgV2ViQ29yZV9VTklG SUVEX1NPVVJDRV9MSVNUX0ZJTEVTCiAgICAgIlNvdXJjZXMudHh0IgogKQogCitsaXN0KEFQUEVO RCBXZWJDb3JlX1NPVVJDRVMgcmVuZGVyaW5nL1RleHREZWNvcmF0aW9uUGFpbnRlci5jcHApCitz ZXRfc291cmNlX2ZpbGVzX3Byb3BlcnRpZXMocmVuZGVyaW5nL1RleHREZWNvcmF0aW9uUGFpbnRl ci5jcHAgUFJPUEVSVElFUyBDT01QSUxFX0ZMQUdTIC1mbm8tbHRvKQorCisKIHNldChXZWJDb3Jl X1BSSVZBVEVfSU5DTFVERV9ESVJFQ1RPUklFUwogICAgICIke0NNQUtFX0JJTkFSWV9ESVJ9Igog ICAgICIke1dlYkNvcmVfREVSSVZFRF9TT1VSQ0VTX0RJUn0iCmRpZmYgLS1naXQgYS9Tb3VyY2Uv V2ViQ29yZS9Tb3VyY2VzLnR4dCBiL1NvdXJjZS9XZWJDb3JlL1NvdXJjZXMudHh0CmluZGV4IGYz ZmY3OTg0ZjdmYS4uYmQ5NWQ2ZDg4MjY0IDEwMDY0NAotLS0gYS9Tb3VyY2UvV2ViQ29yZS9Tb3Vy Y2VzLnR4dAorKysgYi9Tb3VyY2UvV2ViQ29yZS9Tb3VyY2VzLnR4dApAQCAtMjc0Myw3ICsyNzQz LDYgQEAgcmVuZGVyaW5nL1JlbmRlcldpZGdldC5jcHAKIHJlbmRlcmluZy9TdHlsZWRNYXJrZWRU ZXh0LmNwcAogcmVuZGVyaW5nL1RhYmxlTGF5b3V0LmNwcAogcmVuZGVyaW5nL1RleHRCb3hQYWlu dGVyLmNwcAotcmVuZGVyaW5nL1RleHREZWNvcmF0aW9uUGFpbnRlci5jcHAKIHJlbmRlcmluZy9U ZXh0UGFpbnRTdHlsZS5jcHAKIHJlbmRlcmluZy9UZXh0UGFpbnRlci5jcHAKIHJlbmRlcmluZy9U cmFuc2Zvcm1PcGVyYXRpb25EYXRhLmNwcAo=