Bug 202551

Summary:

[GTK] Crash in WebChromeClient::createDisplayRefreshMonitor

Product:

WebKit

Reporter:

Michael Catanzaro <mcatanzaro>

Component:

WebKitGTK

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

bugs-noreply, cgarcia, cmarcelo, ews-watchlist, gyuyoung.kim, luiz, magomez, noam, ryuan.choi, sergio, zan, zeno

Priority:

Version:

WebKit Nightly Build

Hardware:

OS:

Linux

Attachments:

Description	Flags
Patch	none
Updated patch	zan: review+

Michael Catanzaro

Reported 2019-10-03 17:12:57 PDT

I just hit this random crash twice in 15 minutes. #0 0x00007f46b15b1cd5 in WebKit::WebChromeClient::createDisplayRefreshMonitor(unsigned int) const (this=<optimized out>, displayID=0) at /usr/include/c++/9.2.0/bits/unique_ptr.h:352 #1 0x00007f46b2632f35 in WebCore::RenderingUpdateScheduler::createDisplayRefreshMonitor(unsigned int) const (this=<optimized out>, displayID=0) at ../Source/WebCore/page/RenderingUpdateScheduler.cpp:91 monitor = {static isRefPtr = <error reading variable: Missing ELF symbol "WTF::RefPtr<WebCore::DisplayRefreshMonitor, WTF::DumbPtrTraits<WebCore::DisplayRefreshMonitor> >::isRefPtr".>, m_ptr = 0x55c7b3eb63b0} #2 0x00007f46b26f4863 in WebCore::DisplayRefreshMonitor::create(WebCore::DisplayRefreshMonitorClient&) (client=...) at DerivedSources/ForwardingHeaders/wtf/Optional.h:538 #3 0x00007f46b2701ebd in WebCore::DisplayRefreshMonitorManager::createMonitorForClient(WebCore::DisplayRefreshMonitorClient&) (client=..., this=0x7f46b3a90400 <WebCore::DisplayRefreshMonitorManager::sharedManager()::manager>) at ../Source/WebCore/platform/graphics/DisplayRefreshMonitorManager.cpp:53 monitor = {static isRefPtr = <error reading variable: Missing ELF symbol "WTF::RefPtr<WebCore::DisplayRefreshMonitor, WTF::DumbPtrTraits<WebCore::DisplayRefreshMonitor> >::isRefPtr".>, m_ptr = 0x7f445fa45800} result = <optimized out> clientDisplayID = <optimized out> #4 0x00007f46b2701ebd in WebCore::DisplayRefreshMonitorManager::createMonitorForClient(WebCore::DisplayRefreshMonitorClient&) (this=0x7f46b3a90400 <WebCore::DisplayRefreshMonitorManager::sharedManager()::manager>, client=...) at ../Source/WebCore/platform/graphics/DisplayRefreshMonitorManager.cpp:45 clientDisplayID = <optimized out> #5 0x00007f46b2701ff9 in WebCore::DisplayRefreshMonitorManager::scheduleAnimation(WebCore::DisplayRefreshMonitorClient&) (client=..., this=<optimized out>) at ../Source/WebCore/platform/graphics/DisplayRefreshMonitorManager.cpp:93 monitor = <optimized out> #6 0x00007f46b2701ff9 in WebCore::DisplayRefreshMonitorManager::scheduleAnimation(WebCore::DisplayRefreshMonitorClient&) (this=<optimized out>, client=...) at ../Source/WebCore/platform/graphics/DisplayRefreshMonitorManager.cpp:88 #7 0x00007f46b263419e in WebCore::RenderingUpdateScheduler::scheduleTimedRenderingUpdate() (this=0x7f447c0a45d0) at ../Source/WebCore/page/RenderingUpdateScheduler.cpp:59 #8 0x00007f46b263419e in WebCore::RenderingUpdateScheduler::scheduleTimedRenderingUpdate() (this=0x7f447c0a45d0) at ../Source/WebCore/page/RenderingUpdateScheduler.cpp:45 #9 0x00007f46b162157e in WebKit::CompositingCoordinator::purgeBackingStores() (this=0x7f45d8643050) at ../Source/WebKit/WebProcess/WebPage/CoordinatedGraphics/CompositingCoordinator.cpp:313 registeredLayer = @0x7f44550b2038: 0x7f445f82e000 purgingToggle = {m_scopedVariable = @0x7f45d86430e9, m_originalValue = false} #10 0x00007f46b1621ec6 in WebKit::LayerTreeHost::invalidate() (this=0x7f45d8643000) at ../Source/WebKit/WebProcess/WebPage/CoordinatedGraphics/LayerTreeHost.cpp:175 #11 0x00007f46b1621f25 in WebKit::DrawingAreaCoordinatedGraphics::discardPreviousLayerTreeHost() (this=this@entry=0x7f46a886fa00) at ../Source/WebKit/WebProcess/WebPage/CoordinatedGraphics/DrawingAreaCoordinatedGraphics.cpp:501 #12 0x00007f46b1621f6e in WebKit::DrawingAreaCoordinatedGraphics::~DrawingAreaCoordinatedGraphics() (this=0x7f46a886fa00, __in_chrg=<optimized out>) at ../Source/WebKit/WebProcess/WebPage/CoordinatedGraphics/DrawingAreaCoordinatedGraphics.cpp:74 #13 0x00007f46b162200d in WebKit::DrawingAreaCoordinatedGraphics::~DrawingAreaCoordinatedGraphics() (this=0x7f46a886fa00, __in_chrg=<optimized out>) at ../Source/WebKit/WebProcess/WebPage/CoordinatedGraphics/DrawingAreaCoordinatedGraphics.cpp:72 #14 0x00007f46b15f70fc in std::default_delete<WebKit::DrawingArea>::operator()(WebKit::DrawingArea*) const (this=0x7f46a82de6d8, __ptr=<optimized out>) at /usr/include/c++/9.2.0/bits/unique_ptr.h:75 sessionID = <optimized out> isRunningModal = <optimized out> webProcess = <optimized out> #15 0x00007f46b15f70fc in std::unique_ptr<WebKit::DrawingArea, std::default_delete<WebKit::DrawingArea> >::reset(WebKit::DrawingArea*) (__p=<optimized out>, this=0x7f46a82de6d8) at /usr/include/c++/9.2.0/bits/unique_ptr.h:394 sessionID = <optimized out> isRunningModal = <optimized out> webProcess = <optimized out> #16 0x00007f46b15f70fc in std::unique_ptr<WebKit::DrawingArea, std::default_delete<WebKit::DrawingArea> >::operator=(decltype(nullptr)) (this=0x7f46a82de6d8) at /usr/include/c++/9.2.0/bits/unique_ptr.h:328 sessionID = <optimized out> isRunningModal = <optimized out> webProcess = <optimized out> #17 0x00007f46b15f70fc in WebKit::WebPage::close() (this=0x7f46a82de680) at ../Source/WebKit/WebProcess/WebPage/WebPage.cpp:1423 sessionID = <optimized out> isRunningModal = <optimized out> webProcess = <optimized out> #18 0x00007f46b15f70fc in WebKit::WebPage::close() (this=this@entry=0x7f46a82de680) at ../Source/WebKit/WebProcess/WebPage/WebPage.cpp:1334 #19 0x00007f46b115394f in IPC::callMemberFunctionImpl<WebKit::WebPage, void (WebKit::WebPage::*)(), std::tuple<>>(WebKit::WebPage*, void (WebKit::WebPage::*)(), std::tuple<>&&, std::integer_sequence<unsigned long>) (args=<synthetic pointer>, function=<optimized out>, object=0x7f46a82de680) at ../Source/WebKit/Platform/IPC/HandleMessage.h:45 #20 0x00007f46b115394f in IPC::callMemberFunction<WebKit::WebPage, void (WebKit::WebPage::*)(), std::tuple<>, std::integer_sequence<unsigned long> >(std::tuple<>&&, WebKit::WebPage*, void (WebKit::WebPage::*)()) (args=<synthetic pointer>, function=<optimized out>, object=0x7f46a82de680) at ../Source/WebKit/Platform/IPC/HandleMessage.h:47 #21 0x00007f46b115394f in IPC::handleMessage<Messages::WebPage::Close, WebKit::WebPage, void (WebKit::WebPage::*)()>(IPC::Decoder&, WebKit::WebPage*, void (WebKit::WebPage::*)()) (decoder=..., function=<optimized out>, object=0x7f46a82de680) at ../Source/WebKit/Platform/IPC/HandleMessage.h:120 #22 0x00007f46b115394f in WebKit::WebPage::didReceiveWebPageMessage(IPC::Connection&, IPC::Decoder&) (this=0x7f46a82de680, connection=..., decoder=...) at DerivedSources/WebKit/WebPageMessageReceiver.cpp:1298 #23 0x00007f46b123ac63 in IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) (this=this@entry=0x7f46a86fe068, connection=..., decoder=...) at ../Source/WebKit/Platform/IPC/MessageReceiverMap.cpp:123 messageReceiver = <optimized out> #24 0x00007f46b148a7bb in WebKit::WebProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (this=0x7f46a86fe000, connection=..., decoder=...) at ../Source/WebKit/Shared/AuxiliaryProcess.h:88 #25 0x00007f46b1234834 in IPC::Connection::dispatchMessage(IPC::Decoder&) (this=0x7f46a88e6000, decoder=...) at ../Source/WebKit/Platform/IPC/Connection.cpp:939 #26 0x00007f46b1235aad in IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >) (this=0x7f46a88e6000, message=std::unique_ptr<IPC::Decoder> = {...}) at /usr/include/c++/9.2.0/bits/unique_ptr.h:352 isDispatchingMessageWhileWaitingForSyncReply = <optimized out> oldDidReceiveInvalidMessage = false #27 0x00007f46b1236b7f in IPC::Connection::dispatchOneIncomingMessage() (this=0x7f46a88e6000) at /usr/include/c++/9.2.0/bits/move.h:74 message = std::unique_ptr<IPC::Decoder> = {get() = 0x0} #28 0x00007f46af19f1bc in WTF::Function<void ()>::operator()() const (this=<synthetic pointer>) at ../Source/WTF/wtf/Function.h:76 function = {m_callableWrapper = std::unique_ptr<WTF::Detail::CallableWrapperBase<void>> = {get() = 0x7f46006c0b70}} functionsHandled = 4 functionsToHandle = 5 #29 0x00007f46af19f1bc in WTF::RunLoop::performWork() (this=0x7f46a88f9000) at ../Source/WTF/wtf/RunLoop.cpp:124 function = {m_callableWrapper = std::unique_ptr<WTF::Detail::CallableWrapperBase<void>> = {get() = 0x7f46006c0b70}} functionsHandled = 4 functionsToHandle = 5 #30 0x00007f46af1ebd5d in WTF::RunLoop::<lambda(gpointer)>::operator() (__closure=0x0, userData=<optimized out>) at ../Source/WTF/wtf/glib/RunLoopGLib.cpp:68 #31 0x00007f46af1ebd5d in WTF::RunLoop::<lambda(gpointer)>::_FUN(gpointer) () at ../Source/WTF/wtf/glib/RunLoopGLib.cpp:70 #32 0x00007f46af8414ae in g_main_dispatch (context=0x55c7b22a7d90) at ../glib/gmain.c:3180 dispatch = 0x7f46af1ebd70 <WTF::<lambda(GSource*, GSourceFunc, gpointer)>::_FUN(GSource *, GSourceFunc, gpointer)> prev_source = 0x0 was_in_call = 0 user_data = 0x7f46a88f9000 callback = 0x7f46af1ebd50 <WTF::RunLoop::<lambda(gpointer)>::_FUN(gpointer)> cb_funcs = 0x7f46af916280 <g_source_callback_funcs> cb_data = 0x55c7b24a0a80 need_destroy = <optimized out> source = 0x55c7b2426600 current = 0x55c7b22b0840 i = 0 __FUNCTION__ = "g_main_dispatch" #33 0x00007f46af8414ae in g_main_context_dispatch (context=context@entry=0x55c7b22a7d90) at ../glib/gmain.c:3845 #34 0x00007f46af841860 in g_main_context_iterate (context=0x55c7b22a7d90, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:3918 max_priority = 2147483647 timeout = 17 some_ready = 1 nfds = <optimized out> allocated_nfds = <optimized out> fds = 0x55c7b3cad240 #35 0x00007f46af841b53 in g_main_loop_run (loop=0x55c7b23465e0) at ../glib/gmain.c:4112 __FUNCTION__ = "g_main_loop_run" #36 0x00007f46af1ec7d0 in WTF::RunLoop::run() () at ../Source/WTF/wtf/glib/RunLoopGLib.cpp:96 runLoop = @0x7f46a88f9000: {<WTF::FunctionDispatcher> = {<WTF::ThreadSafeRefCounted<WTF::FunctionDispatcher, (WTF::DestructionThread)0>> = {<WTF::ThreadSafeRefCountedBase> = {m_refCount = {<std::__atomic_base<unsigned int>> = {static _S_alignment = 4, _M_i = 112}, static is_always_lock_free = true}}, <No data fields>}, _vptr.FunctionDispatcher = 0x7f46af4c04c8 <vtable for WTF::RunLoop+16>}, m_functionQueueLock = {static isHeldBit = 1 '\001', static hasParkedBit = 2 '\002', m_byte = {value = {<std::__atomic_base<unsigned char>> = {static _S_alignment = 1, _M_i = 0 '\000'}, static is_always_lock_free = true}}}, m_functionQueue = {m_start = 102, m_end = 2, m_buffer = {<WTF::VectorBufferBase<WTF::Function<void()> >> = {m_buffer = 0x7f4454c5c000, m_capacity = 108, m_size = 0}, <No data fields>}}, m_mainContext = {m_ptr = 0x55c7b22a7d90}, m_mainLoops = {<WTF::VectorBuffer<WTF::GRefPtr<_GMainLoop>, 0>> = {<WTF::VectorBufferBase<WTF::GRefPtr<_GMainLoop> >> = {m_buffer = 0x7f46a88fc100, m_capacity = 16, m_size = 1}, <No data fields>}, <No data fields>}, m_source = {m_ptr = 0x55c7b2426600}} mainContext = 0x55c7b22a7d90 innermostLoop = 0x55c7b23465e0 nestedMainLoop = <optimized out> #37 0x00007f46b162fcaa in WebKit::AuxiliaryProcessMain<WebKit::WebProcess, WebKit::WebProcessMain>(int, char**) (argc=3, argv=<optimized out>) at ../Source/WebKit/Shared/unix/AuxiliaryProcessMain.h:47 auxiliaryMain = {<WebKit::AuxiliaryProcessMainBase> = {_vptr.AuxiliaryProcessMainBase = 0x7f46b389fca8 <vtable for WebKit::WebProcessMain+16>, m_parameters = {uiProcessName = {static MaxLength = 2147483647, m_impl = {static isRefPtr = <error reading variable: Missing ELF symbol "WTF::RefPtr<WTF::StringImpl, WTF::DumbPtrTraits<WTF::StringImpl> >::isRefPtr".>, m_ptr = 0x0}}, clientIdentifier = {static MaxLength = 2147483647, m_impl = {static isRefPtr = <error reading variable: Missing ELF symbol "WTF::RefPtr<WTF::StringImpl, WTF::DumbPtrTraits<WTF::StringImpl> >::isRefPtr".>, m_ptr = 0x0}}, processIdentifier = {<WTF::constexpr_Optional_base<WTF::ObjectIdentifier<WebCore::ProcessIdentifierType> >> = {init_ = true, storage_ = {dummy_ = 79 'O', value_ = {<WTF::ObjectIdentifierBase> = {<No data fields>}, m_identifier = 79}}}, <No data fields>}, connectionIdentifier = 37, extraInitializationData = {m_impl = {static m_maxLoad = 2, static m_minLoad = 6, m_table = 0x0, m_tableSize = 0, m_tableSizeMask = 0, m_keyCount = 0, m_deletedCount = 0}}, processType = WebKit::AuxiliaryProcess::ProcessType::WebContent}}, <No data fields>} #38 0x00007f46b078f173 in __libc_start_main (main=0x55c7b1427780 <main(int, char**)>, argc=3, argv=0x7ffedaa06088, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffedaa06078) at ../csu/libc-start.c:308 result = <optimized out> unwind_buf = {cancel_jmp_buf = {{jmp_buf = {0, -1403244204849031093, 94316160776144, 140732566364288, 0, 0, -5119331564106737589, -5078742471025420213}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x7ffedaa060a8, 0x7f46b3ad7130}, data = {prev = 0x0, cleanup = 0x0, canceltype = -627023704}}} not_first_call = <optimized out> #39 0x000055c7b14277fe in _start () at ../sysdeps/x86_64/start.S:120 Oddly, one of the crashes took down about 10 different browser tabs that were *not* related. It's the third time I've noticed this oddity that I've never seen until recently. That must be a separate bug.

Attachments
Patch (16.02 KB, patch) 2019-10-04 02:41 PDT, Carlos Garcia Campos	no flags	Details Formatted Diff Diff
Updated patch (16.02 KB, patch) 2019-10-04 04:24 PDT, Carlos Garcia Campos	zan: review+	Details Formatted Diff Diff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.

Carlos Garcia Campos

Comment 1 2019-10-04 02:41:09 PDT

Created attachment 380206 [details] Patch

Miguel Gomez

Comment 2 2019-10-04 03:17:06 PDT

Comment on attachment 380206 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=380206&action=review > Source/WebKit/WebProcess/WebPage/CoordinatedGraphics/CompositingCoordinator.cpp:213 > + if (!m_rootLayer && !isFlushingLayerChanges()) wouldn't this be if (m_rootLayer && !isFlushingLayerChanges())? As the should only notify if the root layer is still alive.

Zan Dobersek

Comment 3 2019-10-04 03:22:40 PDT

Comment on attachment 380206 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=380206&action=review > Source/WebKit/WebProcess/WebPage/CoordinatedGraphics/CompositingCoordinator.cpp:71 > + ASSERT(!m_rootLayer); Where does this get nulled out now, in a way that it would make the assertion succeed?

Carlos Garcia Campos

Comment 4 2019-10-04 03:38:30 PDT

Comment on attachment 380206 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=380206&action=review >> Source/WebKit/WebProcess/WebPage/CoordinatedGraphics/CompositingCoordinator.cpp:71 >> + ASSERT(!m_rootLayer); > > Where does this get nulled out now, in a way that it would make the assertion succeed? In invalidate(). >> Source/WebKit/WebProcess/WebPage/CoordinatedGraphics/CompositingCoordinator.cpp:213 >> + if (!m_rootLayer && !isFlushingLayerChanges()) > > wouldn't this be if (m_rootLayer && !isFlushingLayerChanges())? As the should only notify if the root layer is still alive. Oops, indeed, good catch!

Carlos Garcia Campos

Comment 5 2019-10-04 04:24:42 PDT

Created attachment 380210 [details] Updated patch

Zan Dobersek

Comment 6 2019-10-04 05:20:07 PDT

Comment on attachment 380210 [details] Updated patch Didn't see CompositingCoordinator::invalidate() before.

Carlos Garcia Campos

Comment 7 2019-10-04 06:39:27 PDT

Committed r250717: <https://trac.webkit.org/changeset/250717>

Note You need to log in before you can comment on or make changes to this bug.