298599 2025-09-09 07:39:33 -0700 [WPE] gboolean wpe_view_render_buffer(WPEView*, WPEBuffer*, const WPERectangle*, guint, GError**): assertion 'WPE_IS_BUFFER(buffer)' failed 2025-09-22 04:23:48 -0700 1 1 1 Unclassified WebKit WPE WebKit WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED DoNotImportToRadar P2 Normal --- 1 fujii webkit-unassigned bugs-noreply oldest_to_newest 2141872 0 fujii 2025-09-09 07:39:33 -0700 I'm testing with 299745@main. 1. Build WPE ./Tools/Scripts/build-webkit --wpe --release 2. Create a HTML file echo '<a href="https://webkit.org">WebKit</a>' > a.html 3. Start WPE MiniBrowse ./Tools/Scripts/run-minibrowser --wpe --release a.html 4. Click the link 5. Repeat typing Alt+Left (Go back) and Alt+Right (Go forward) 6. MiniBrowser crashes > ** (MiniBrowser:190744): CRITICAL **: 23:35:59.702: gboolean wpe_view_render_buffer(WPEView*, WPEBuffer*, const WPERectangle*, guint, GError**): assertion 'WPE_IS_BUFFER(buffer)' failed 2141873 1 fujii 2025-09-09 07:42:24 -0700 This is reproducible with WPE Debug builds. But, the reproduction rate is lower. Needs to repeat typing Alt+Left and Alt+Right 10-30 times. fujii@fedora $ ./Tools/Scripts/run-minibrowser --wpe --debug a.html Using default MiniBrowser ERROR: Failed to make thread real time: GDBus.Error:org.freedesktop.DBus.Error.Failed: No such file or directory /home/fujii/webkit/wd/Source/WTF/wtf/linux/RealTimeThreads.cpp(224) : void WTF::RealTimeThreads::realTimeKitMakeThreadRealTime(uint64_t, uint64_t, uint32_t) ** (MiniBrowser:191220): CRITICAL **: 23:40:24.158: gboolean wpe_view_render_buffer(WPEView*, WPEBuffer*, const WPERectangle*, guint, GError**): assertion 'WPE_IS_BUFFER(buffer)' failed ASSERTION FAILED: m_ptr /home/fujii/webkit/wd/WebKitBuild/WPE/Debug/WTF/Headers/wtf/glib/GUniquePtr.h(114) : T* WTF::GUniqueOutPtr<T>::operator->() const [with T = _GError] 1 0x7fcfc744105a WTF::GUniqueOutPtr<_GError>::operator->() const 2 0x7fcfc9132b4a WebKit::AcceleratedBackingStore::renderPendingBuffer() 3 0x7fcfc9131a73 operator() 4 0x7fcfc9144706 call 5 0x7fcfc74817fd WTF::Function<void ()>::operator()() const 6 0x7fcfc9121174 operator() 7 0x7fcfc9121198 _FUN 8 0x7fcfc91210e4 operator() 9 0x7fcfc9121118 _FUN 10 0x7fcfc1ceb863 g_main_context_dispatch_unlocked.lto_priv.0 11 0x7fcfc1cf47a8 g_main_context_iterate_unlocked.isra.0 12 0x7fcfc1cf4953 g_main_context_iteration 13 0x7fcfc3ae38bd g_application_run 14 0x403eb1 main 15 0x7fcfc1811575 __libc_start_call_main 16 0x7fcfc1811628 __libc_start_main 17 0x4018f5 _start 2142011 2 fujii 2025-09-09 17:37:07 -0700 With the following debug logging patch, I got this log. AcceleratedBackingStore::updateSurfaceID was called after AcceleratedBackingStore::frame and before AcceleratedBackingStore::renderPendingBuffer. That's the reason why m_pendingBuffer is null. > (...) > renderPendingBuffer > frame > renderPendingBuffer > frame > updateSurfaceID > renderPendingBuffer > > ** (MiniBrowser:20977): CRITICAL **: 09:32:09.919: gboolean wpe_view_render_buffer(WPEView*, WPEBuffer*, const WPERectangle*, guint, GError**): assertion 'WPE_IS_BUFFER(buffer)' failed diff --git a/Source/WebKit/UIProcess/wpe/AcceleratedBackingStore.cpp b/Source/WebKit/UIProcess/wpe/AcceleratedBackingStore.cpp index c3e15cade960..0e4847c9116d 100644 --- a/Source/WebKit/UIProcess/wpe/AcceleratedBackingStore.cpp +++ b/Source/WebKit/UIProcess/wpe/AcceleratedBackingStore.cpp @@ -84,6 +84,7 @@ void AcceleratedBackingStore::updateSurfaceID(uint64_t surfaceID) frameDone(); m_pendingBuffer = nullptr; m_pendingDamageRects = { }; + ALWAYS_LOG_WITH_STREAM(stream << "updateSurfaceID"); } m_buffers.clear(); m_bufferIDs.clear(); @@ -150,10 +151,13 @@ void AcceleratedBackingStore::frame(uint64_t bufferID, Rects&& damageRects, WTF: renderPendingBuffer(); } else m_fenceMonitor.addFileDescriptor(WTFMove(renderingFenceFD)); + ALWAYS_LOG_WITH_STREAM(stream << "frame"); } void AcceleratedBackingStore::renderPendingBuffer() { + ALWAYS_LOG_WITH_STREAM(stream << "renderPendingBuffer"); + // Rely on the layout of IntRect matching that of WPERectangle // to pass directly a pointer below instead of using copies. static_assert(sizeof(WebCore::IntRect) == sizeof(WPERectangle)); 2142013 3 fujii 2025-09-09 17:47:22 -0700 diff --git a/Source/WebKit/UIProcess/wpe/AcceleratedBackingStore.cpp b/Source/WebKit/UIProcess/wpe/AcceleratedBackingStore.cpp index c3e15cade960..ee5e9587654e 100644 --- a/Source/WebKit/UIProcess/wpe/AcceleratedBackingStore.cpp +++ b/Source/WebKit/UIProcess/wpe/AcceleratedBackingStore.cpp @@ -158,6 +158,9 @@ void AcceleratedBackingStore::renderPendingBuffer() // to pass directly a pointer below instead of using copies. static_assert(sizeof(WebCore::IntRect) == sizeof(WPERectangle)); + if (!m_pendingBuffer) + return; + ASSERT(m_pendingDamageRects.size() <= std::numeric_limits<guint>::max()); const auto* rects = !m_pendingDamageRects.isEmpty() ? reinterpret_cast<const WPERectangle*>(m_pendingDamageRects.span().data()) : nullptr; With the above patch, the original crash problem has gone. However, I observe another crash with the steps. #0 0x00007fa57243f003 WTFCrash (libWPEWebKit-2.0.so.1 + 0x3f003) #1 0x00007fa5724912ea wpeViewWaylandRenderBuffer(_WPEView*, _WPEBuffer*, _WPERectangle const*, unsigned int, _GError**) (libWPEWebKit-2.0.so.1 + 0x912ea) #2 0x00007fa572ddef20 WTF::Detail::CallableWrapper<WebKit::AcceleratedBackingStore::AcceleratedBackingStore(WebKit::WebPageProxy&, _WPEView*)::{lambda()#1}, void>::call() (libWPEWebKit-2.0.so.1 + 0x9def20) #3 0x00007fa572dd2c9f WebKit::FenceMonitor::ensureSource()::{lambda(void*)#1}::_FUN(void*) (libWPEWebKit-2.0.so.1 + 0x9d2c9f) #4 0x00007fa572dd237d WebKit::FenceSource::{lambda(_GSource*, int (*)(void*), void*)#1}::_FUN(_GSource*, int (*)(void*), void*) (libWPEWebKit-2.0.so.1 + 0x9d237d) #5 0x00007fa56ceeb863 g_main_context_dispatch_unlocked.lto_priv.0 (libglib-2.0.so.0 + 0x40863) #6 0x00007fa56cef47a8 g_main_context_iterate_unlocked.isra.0 (libglib-2.0.so.0 + 0x497a8) #7 0x00007fa56cef4953 g_main_context_iteration (libglib-2.0.so.0 + 0x49953) #8 0x00007fa56ecce8bd g_application_run (libgio-2.0.so.0 + 0xb38bd) #9 0x00000000004046b1 main (/home/fujii/webkit/wd/WebKitBuild/WPE/Release/bin/MiniBrowser + 0x46b1) #10 0x00007fa56ca11575 __libc_start_call_main (libc.so.6 + 0x3575) #11 0x00007fa56ca11628 __libc_start_main@@GLIBC_2.34 (libc.so.6 + 0x3628) #12 0x0000000000404865 _start (/home/fujii/webkit/wd/WebKitBuild/WPE/Release/bin/MiniBrowser + 0x4865) 2142016 4 fujii 2025-09-09 17:51:03 -0700 I tested release builds. So, this RELEASE_ASSERT seems to fail. https://github.com/WebKit/WebKit/blob/902a75fcfd40e6cb45b5e90639ff68779d50dd92/Source/WebKit/WPEPlatform/wpe/wayland/WPEViewWayland.cpp#L595 2144781 5 fujii 2025-09-21 23:12:19 -0700 Pull request: https://github.com/WebKit/WebKit/pull/51097 2144821 6 ews-feeder 2025-09-22 04:23:45 -0700 Committed 300316@main (2b754f0fec28): <https://commits.webkit.org/300316@main> Reviewed commits have been landed. Closing PR #51097 and removing active labels.