89113 2012-06-14 11:38:15 -0700 [Texmap] SIGSEV in WebCore::TextureMapperGL::drawTexture 2012-06-16 15:23:00 -0700 1 1 1 Unclassified WebKit Layout and Rendering 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED http://www.satine.org/research/webkit/snowleopard/snowstack.html P2 Critical --- 1 svillar webkit-unassigned dongseong.hwang noam svillar webkit.review.bot oldest_to_newest 649344 0 svillar 2012-06-14 11:38:15 -0700 Steps to reproduce: 1- go to the URL mentioned above (needs accelerated compositing turned on) 2- click and hold the left arrow key to move to the right 3- WK crashes This is the backtrace: Program received signal SIGSEGV, Segmentation fault. 0x00007ffff47c55f6 in WebCore::TextureMapperGL::drawTexture (this=0xbafe10, texture=..., targetRect=..., matrix=..., opacity=1, mask=0x0) at ../../Source/WebCore/platform/graphics/texmap/TextureMapperGL.cpp:363 363 if (!texture.isValid()) (gdb) bt #0 0x00007ffff47c55f6 in WebCore::TextureMapperGL::drawTexture (this=0xbafe10, texture=..., targetRect=..., matrix=..., opacity=1, mask=0x0) at ../../Source/WebCore/platform/graphics/texmap/TextureMapperGL.cpp:363 #1 0x00007ffff47d7435 in WebCore::TextureMapperTile::paint (this=0x1d33280, textureMapper=0xbafe10, transform=..., opacity=1, mask=0x0) at ../../Source/WebCore/platform/graphics/texmap/TextureMapperBackingStore.cpp:92 #2 0x00007ffff47d7668 in WebCore::TextureMapperTiledBackingStore::paintToTextureMapper (this=0x1b2f360, textureMapper=0xbafe10, targetRect=..., transform=..., opacity=1, mask=0x0) at ../../Source/WebCore/platform/graphics/texmap/TextureMapperBackingStore.cpp:115 #3 0x00007ffff47db38b in WebCore::TextureMapperLayer::paintSelf (this=0x1ab72a0, options=...) at ../../Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:167 #4 0x00007ffff47db505 in WebCore::TextureMapperLayer::paintSelfAndChildren (this=0x1ab72a0, options=...) at ../../Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:187 #5 0x00007ffff47dbe22 in WebCore::TextureMapperLayer::paintSelfAndChildrenWithReplica (this=0x1ab72a0, options=...) at ../../Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:309 #6 0x00007ffff47dbf83 in WebCore::TextureMapperLayer::paintRecursive (this=0x1ab72a0, options=...) at ../../Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:355 #7 0x00007ffff47db688 in WebCore::TextureMapperLayer::paintSelfAndChildren (this=0x1b2ce90, options=...) at ../../Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:197 #8 0x00007ffff47dbe22 in WebCore::TextureMapperLayer::paintSelfAndChildrenWithReplica (this=0x1b2ce90, options=...) at ../../Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:309 #9 0x00007ffff47dbf83 in WebCore::TextureMapperLayer::paintRecursive (this=0x1b2ce90, options=...) at ../../Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:355 #10 0x00007ffff47db688 in WebCore::TextureMapperLayer::paintSelfAndChildren (this=0xb80560, options=...) at ../../Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:197 #11 0x00007ffff47dbe22 in WebCore::TextureMapperLayer::paintSelfAndChildrenWithReplica (this=0xb80560, options=...) at ../../Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:309 #12 0x00007ffff47dbf83 in WebCore::TextureMapperLayer::paintRecursive (this=0xb80560, options=...) at ../../Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:355 #13 0x00007ffff47db688 in WebCore::TextureMapperLayer::paintSelfAndChildren (this=0xb7bcb0, options=...) at ../../Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:197 #14 0x00007ffff47dbe22 in WebCore::TextureMapperLayer::paintSelfAndChildrenWithReplica (this=0xb7bcb0, options=...) at ../../Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:309 #15 0x00007ffff47dbf83 in WebCore::TextureMapperLayer::paintRecursive (this=0xb7bcb0, options=...) at ../../Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:355 #16 0x00007ffff47db688 in WebCore::TextureMapperLayer::paintSelfAndChildren (this=0x1b18560, options=...) at ../../Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:197 #17 0x00007ffff47dbe22 in WebCore::TextureMapperLayer::paintSelfAndChildrenWithReplica (this=0x1b18560, options=...) at ../../Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:309 #18 0x00007ffff47dbf83 in WebCore::TextureMapperLayer::paintRecursive (this=0x1b18560, options=...) at ../../Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:355 #19 0x00007ffff47db688 in WebCore::TextureMapperLayer::paintSelfAndChildren (this=0xd4b6f0, options=...) at ../../Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:197 #20 0x00007ffff47dbe22 in WebCore::TextureMapperLayer::paintSelfAndChildrenWithReplica (this=0xd4b6f0, options=...) at ../../Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:309 #21 0x00007ffff47dbf83 in WebCore::TextureMapperLayer::paintRecursive (this=0xd4b6f0, options=...) at ../../Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:355 #22 0x00007ffff47db688 in WebCore::TextureMapperLayer::paintSelfAndChildren (this=0xaed5a0, options=...) at ../../Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:197 #23 0x00007ffff47dbe22 in WebCore::TextureMapperLayer::paintSelfAndChildrenWithReplica (this=0xaed5a0, options=...) at ../../Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:309 #24 0x00007ffff47dbf83 in WebCore::TextureMapperLayer::paintRecursive (this=0xaed5a0, options=...) at ../../Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:355 #25 0x00007ffff47db688 in WebCore::TextureMapperLayer::paintSelfAndChildren (this=0xdf00a0, options=...) at ../../Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:197 #26 0x00007ffff47dbe22 in WebCore::TextureMapperLayer::paintSelfAndChildrenWithReplica (this=0xdf00a0, options=...) at ../../Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:309 #27 0x00007ffff47dbf83 in WebCore::TextureMapperLayer::paintRecursive (this=0xdf00a0, options=...) at ../../Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:355 #28 0x00007ffff47db688 in WebCore::TextureMapperLayer::paintSelfAndChildren (this=0xdf9780, options=...) at ../../Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:197 #29 0x00007ffff47dbe22 in WebCore::TextureMapperLayer::paintSelfAndChildrenWithReplica (this=0xdf9780, options=...) at ../../Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:309 #30 0x00007ffff47dbf83 in WebCore::TextureMapperLayer::paintRecursive (this=0xdf9780, options=...) at ../../Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:355 #31 0x00007ffff47db688 in WebCore::TextureMapperLayer::paintSelfAndChildren (this=0xdf90e0, options=...) at ../../Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:197 #32 0x00007ffff47dbe22 in WebCore::TextureMapperLayer::paintSelfAndChildrenWithReplica (this=0xdf90e0, options=...) at ../../Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:309 #33 0x00007ffff47dbf83 in WebCore::TextureMapperLayer::paintRecursive (this=0xdf90e0, options=...) at ../../Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:355 #34 0x00007ffff47db688 in WebCore::TextureMapperLayer::paintSelfAndChildren (this=0xdf0740, options=...) at ../../Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:197 #35 0x00007ffff47dbe22 in WebCore::TextureMapperLayer::paintSelfAndChildrenWithReplica (this=0xdf0740, options=...) at ../../Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:309 #36 0x00007ffff47dbf83 in WebCore::TextureMapperLayer::paintRecursive (this=0xdf0740, options=...) at ../../Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:355 #37 0x00007ffff47db688 in WebCore::TextureMapperLayer::paintSelfAndChildren (this=0xdf9e20, options=...) at ../../Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:197 #38 0x00007ffff47dbe22 in WebCore::TextureMapperLayer::paintSelfAndChildrenWithReplica (this=0xdf9e20, options=...) at ../../Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:309 #39 0x00007ffff47dbf83 in WebCore::TextureMapperLayer::paintRecursive (this=0xdf9e20, options=...) at ../../Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:355 #40 0x00007ffff47db1a3 in WebCore::TextureMapperLayer::paint (this=0xdf9e20) at ../../Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:152 #41 0x00007ffff38d65d9 in WebKit::AcceleratedCompositingContext::renderLayersToWindow (this=0x5e0df0, clipRect=...) at ../../Source/WebKit/gtk/WebCoreSupport/AcceleratedCompositingContextGL.cpp:100 #42 0x00007ffff38d6b54 in WebKit::AcceleratedCompositingContext::syncLayersTimeout (this=0x5e0df0) at ../../Source/WebKit/gtk/WebCoreSupport/AcceleratedCompositingContextGL.cpp:192 #43 0x00007ffff38d6a3c in WebKit::syncLayersTimeoutCallback (context=0x5e0df0) at ../../Source/WebKit/gtk/WebCoreSupport/AcceleratedCompositingContextGL.cpp:163 650027 1 svillar 2012-06-15 02:09:00 -0700 The obvious fix for the crash is to add a NULL check for texture() that can be indeed NULL, instead of unconditionally calling paint. After doing that, I can see a log of flickering (not sure if the flickering was there before tough because it was always crashing). Maybe a different bug? 650724 2 147948 dongseong.hwang 2012-06-15 21:20:10 -0700 Created attachment 147948 patch v.1 650726 3 dongseong.hwang 2012-06-15 21:25:04 -0700 Tile's texture is not created if dirty rect is empty in following code. void TextureMapperTile::updateContents(TextureMapper* textureMapper, Image* image, const IntRect& ) { IntRect targetRect = enclosingIntRect(m_rect); targetRect.intersect(dirtyRect); if (targetRect.isEmpty()) return; IntPoint sourceOffset = targetRect.location(); // Normalize sourceRect to the buffer's coordinates. sourceOffset.move(-dirtyRect.x(), -dirtyRect.y()); // Normalize targetRect to the texture's coordinates. targetRect.move(-m_rect.x(), -m_rect.y()); if (!m_texture) { m_texture = textureMapper->createTexture(); m_texture->reset(targetRect.size(), image->currentFrameHasAlpha() ? BitmapTexture::SupportsAlpha : 0); } m_texture->updateContents(image, targetRect, sourceOffset); } targetRect is often empty. For example in http://www.satine.org/research/webkit/snowleopard/snowstack.html m_rect = {m_location = {m_x = 0, m_y = 0}, m_size = {m_width = 187, m_height = 112}} dirtyRect = {m_location = {m_x = -44, m_y = -184}, m_size = {m_width = 4, m_height = 115} I have lack of knowledge why render tree notified a dirty rect out of bound size of layer. 650872 4 147948 webkit.review.bot 2012-06-16 15:22:28 -0700 Comment on attachment 147948 patch v.1 Clearing flags on attachment: 147948 Committed r120533: <http://trac.webkit.org/changeset/120533> 650873 5 webkit.review.bot 2012-06-16 15:23:00 -0700 All reviewed patches have been landed. Closing bug. 147948 2012-06-15 21:20:10 -0700 2012-06-16 15:22:27 -0700 patch v.1 0001-Texmap-SIGSEV-in-WebCore-TextureMapperGL-drawTexture.patch text/plain 2286 dongseong.hwang RnJvbSAyMmExZjllODM1NzQ5ZGIzNTZiZWE0MmMwNzhkNzE2MzVjM2VmZWQxIE1vbiBTZXAgMTcg MDA6MDA6MDAgMjAwMQpGcm9tOiBIdWFuZyBEb25nc3VuZyA8bHV4dGVsbGFAY29tcGFueTEwMC5u ZXQ+CkRhdGU6IFNhdCwgMTYgSnVuIDIwMTIgMTM6MTU6MTYgKzA5MDAKU3ViamVjdDogW1BBVENI XSBbVGV4bWFwXSBTSUdTRVYgaW4gV2ViQ29yZTo6VGV4dHVyZU1hcHBlckdMOjpkcmF3VGV4dHVy ZS4KIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD04OTExMwoKVGV4dHVy ZU1hcHBlclRpbGU6Om1fdGV4dHVyZSBpcyBjcmVhdGVkIGxhemlsbHksIHNvIHdlIG5lZWQgbnVs bCBjaGVjayBiZWZvcmUKdXNpbmcgaXQuCi0tLQogU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nICAg ICAgICAgICAgICAgICAgICAgICAgICAgfCAgIDE1ICsrKysrKysrKysrKysrKwogLi4uL2dyYXBo aWNzL3RleG1hcC9UZXh0dXJlTWFwcGVyQmFja2luZ1N0b3JlLmNwcCAgfCAgICAzICsrLQogMiBm aWxlcyBjaGFuZ2VkLCAxNyBpbnNlcnRpb25zKCspLCAxIGRlbGV0aW9uKC0pCgpkaWZmIC0tZ2l0 IGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nIGIvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCmlu ZGV4IDZlYzAzMTguLjk3ZjMyODcgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJDb3JlL0NoYW5nZUxv ZworKysgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKQEAgLTEsNSArMSwyMCBAQAogMjAxMi0w Ni0xNSAgSHVhbmcgRG9uZ3N1bmcgIDxsdXh0ZWxsYUBjb21wYW55MTAwLm5ldD4KIAorICAgICAg ICBbVGV4bWFwXSBTSUdTRVYgaW4gV2ViQ29yZTo6VGV4dHVyZU1hcHBlckdMOjpkcmF3VGV4dHVy ZS4KKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTg5MTEz CisKKyAgICAgICAgVGV4dHVyZU1hcHBlclRpbGU6Om1fdGV4dHVyZSBpcyBjcmVhdGVkIGxhemls bHksIHNvIHdlIG5lZWQgbnVsbCBjaGVjayBiZWZvcmUKKyAgICAgICAgdXNpbmcgaXQuCisKKyAg ICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgTm8gbmV3IHRlc3Rz LiBUaGlzIHBhdGNoIGRvZXNuJ3QgY2hhbmdlIGJlaGF2aW9yLgorCisgICAgICAgICogcGxhdGZv cm0vZ3JhcGhpY3MvdGV4bWFwL1RleHR1cmVNYXBwZXJCYWNraW5nU3RvcmUuY3BwOgorICAgICAg ICAoV2ViQ29yZTo6VGV4dHVyZU1hcHBlclRpbGU6OnBhaW50KToKKworMjAxMi0wNi0xNSAgSHVh bmcgRG9uZ3N1bmcgIDxsdXh0ZWxsYUBjb21wYW55MTAwLm5ldD4KKwogICAgICAgICBbVGV4bWFw XSBUZXh0dXJlTWFwcGVyUGFpbnRPcHRpb25zIHNob3VsZCBrZWVwIGN1cnJlbnQgc3VyZmFjZS4K ICAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTg5MjY2CiAK ZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJDb3JlL3BsYXRmb3JtL2dyYXBoaWNzL3RleG1hcC9UZXh0 dXJlTWFwcGVyQmFja2luZ1N0b3JlLmNwcCBiL1NvdXJjZS9XZWJDb3JlL3BsYXRmb3JtL2dyYXBo aWNzL3RleG1hcC9UZXh0dXJlTWFwcGVyQmFja2luZ1N0b3JlLmNwcAppbmRleCBiMDNiZTBhLi4z ZjRlYzZlIDEwMDY0NAotLS0gYS9Tb3VyY2UvV2ViQ29yZS9wbGF0Zm9ybS9ncmFwaGljcy90ZXht YXAvVGV4dHVyZU1hcHBlckJhY2tpbmdTdG9yZS5jcHAKKysrIGIvU291cmNlL1dlYkNvcmUvcGxh dGZvcm0vZ3JhcGhpY3MvdGV4bWFwL1RleHR1cmVNYXBwZXJCYWNraW5nU3RvcmUuY3BwCkBAIC04 OSw3ICs4OSw4IEBAIHZvaWQgVGV4dHVyZU1hcHBlclRpbGU6OnVwZGF0ZUNvbnRlbnRzKFRleHR1 cmVNYXBwZXIqIHRleHR1cmVNYXBwZXIsIEltYWdlKiBpbWFnCiAKIHZvaWQgVGV4dHVyZU1hcHBl clRpbGU6OnBhaW50KFRleHR1cmVNYXBwZXIqIHRleHR1cmVNYXBwZXIsIGNvbnN0IFRyYW5zZm9y bWF0aW9uTWF0cml4JiB0cmFuc2Zvcm0sIGZsb2F0IG9wYWNpdHksIEJpdG1hcFRleHR1cmUqIG1h c2spCiB7Ci0gICAgdGV4dHVyZU1hcHBlci0+ZHJhd1RleHR1cmUoKnRleHR1cmUoKS5nZXQoKSwg cmVjdCgpLCB0cmFuc2Zvcm0sIG9wYWNpdHksIG1hc2spOworICAgIGlmICh0ZXh0dXJlKCkuZ2V0 KCkpCisgICAgICAgIHRleHR1cmVNYXBwZXItPmRyYXdUZXh0dXJlKCp0ZXh0dXJlKCkuZ2V0KCks IHJlY3QoKSwgdHJhbnNmb3JtLCBvcGFjaXR5LCBtYXNrKTsKIH0KIAogVGV4dHVyZU1hcHBlclRp bGVkQmFja2luZ1N0b3JlOjpUZXh0dXJlTWFwcGVyVGlsZWRCYWNraW5nU3RvcmUoKQotLSAKMS43 LjkuNQoK