Bug 210151

Summary: WebContent process crashes in com.apple.WebCore: rx::IOSurfaceSurfaceCGL::releaseTexImage
Product: WebKit
Reporter: Dean Jackson <dino>
Component: WebGL
Assignee: Kenneth Russell <kbr>
Status: RESOLVED FIXED
Severity: Normal
CC: dino, justin_fan, kbr, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Bug Depends on:
Bug Blocks: 210153, 210213
Attachments: Patch (flags: none)

Description Dean Jackson 2020-04-07 13:51:43 PDT
1. Navigate to https://store.na.square-enix-games.com/en_US/product/562671/final-fantasy-vii-remake-1st-class-edition-ps4
2. Click “You Edition” drop down and select “Standard Edition”
3. Use Back keyboard command (⌘[)
* CRASH DETAILS
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x7fff3d1d1ad5 rx::IOSurfaceSurfaceCGL::releaseTexImage(gl::Context const*, int) + 9 (/AppleInternal/BuildRoot/Applications/Xcode.app/Contents/Developer/Toolchains/OSX10.16.xctoolchain/usr/bin/../include/c++/v1/memory:2624)
1   com.apple.WebCore             	0x7fff3d24b327 egl::Surface::releaseTexImage(gl::Context const*, int) + 35 (/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/ANGLE/ANGLE-7610.1.7.6/src/libANGLE/Surface.cpp:472)
2   com.apple.WebCore             	0x7fff3d111959 EGL_ReleaseTexImage + 139 (/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/ANGLE/ANGLE-7610.1.7.6/src/libGLESv2/entry_points_egl.cpp:672)
3   com.apple.WebCore             	0x7fff3bd6da29 -[WebGLLayer display] + 169 (/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/WebCore/WebCore-7610.1.7.6/./platform/graphics/cocoa/WebGLLayer.mm:167)
Comment 1 Dean Jackson 2020-04-07 13:52:04 PDT
rdar://61367219
Comment 2 Kenneth Russell 2020-04-07 14:31:41 PDT
Has this been reproducible in any smaller test environment than Safari with WebKit2? I seem to be able to reproduce it in that environment, but not with MiniBrowser, with either WebKit1 or WebKit2.

In Safari's Preferences when launched with the run-safari script, "Show Develop menu in menu bar" is grayed out, making it impossible to switch to WK1 for easier debugging.
Comment 3 Kenneth Russell 2020-04-07 14:45:15 PDT
Can catch this in the debugger by attaching to the WebContent process after loading the initial web page, before selecting "Standard Edition" and navigating back. Here's the more complete stack trace from lldb:

(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x2dc0)
  * frame #0: 0x0000000622075ae5 WebCore`std::__1::unique_ptr<rx::ContextImpl, std::__1::default_delete<rx::ContextImpl> >::get(this=0x0000000000002dc0) const at memory:2624:19
    frame #1: 0x000000062207397e WebCore`gl::Context::getImplementation(this=0x0000000000000000) const at Context.h:482:73
    frame #2: 0x0000000622241e45 WebCore`rx::ContextGL* rx::GetImplAs<rx::ContextGL, gl::Context const>(src=0x0000000000000000) at angletypes.h:572:30
    frame #3: 0x0000000622241e05 WebCore`rx::GetFunctionsGL(context=0x0000000000000000) at renderergl_utils.cpp:1908:12
    frame #4: 0x00000006220ebf4a WebCore`rx::IOSurfaceSurfaceCGL::releaseTexImage(this=0x00007fe8eec1eff0, context=0x0000000000000000, buffer=12420) at IOSurfaceSurfaceCGL.cpp:181:36
    frame #5: 0x000000062230373e WebCore`egl::Surface::releaseTexImage(this=0x00007fe8ea9fbe30, context=0x0000000000000000, buffer=12420) at Surface.cpp:472:5
    frame #6: 0x0000000621f5c91c WebCore`::EGL_ReleaseTexImage(dpy=0x00007fe8eedf2c90, surface=0x00007fe8ea9fbe30, buffer=12420) at entry_points_egl.cpp:672:9
    frame #7: 0x000000061eb87796 WebCore`-[WebGLLayer display](self=0x00007fe8ea93e5f0, _cmd="display") at WebGLLayer.mm:167:18
    frame #8: 0x00007fff40988469 QuartzCore`CA::Layer::display_if_needed(CA::Transaction*) + 757
    frame #9: 0x00007fff40966716 QuartzCore`CA::Context::commit_transaction(CA::Transaction*, double) + 334
    frame #10: 0x00007fff40965304 QuartzCore`CA::Transaction::commit() + 644

Will investigate why this is happening.
Comment 4 Kenneth Russell 2020-04-07 14:59:31 PDT
It looks like eglReleaseTexImage is supposed to be called with a current context, though the docs don't state that explicitly.
Comment 5 Kenneth Russell 2020-04-07 17:43:06 PDT
Created attachment 395763 [details]
Patch
Comment 6 Kenneth Russell 2020-04-07 17:44:43 PDT
A context was supposed to be current when eglReleaseTexImage was called, but there's no return code from GraphicsContextGLOpenGL::prepareTexture indicating failure to make the context current.
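The failure mode described in comments 4 and 6, as an added example that is not WebKit or ANGLE code: a small model in which a void "prepare texture" step silently fails to make a context current and the caller goes on to release a texture image with no current context, beside the checked variant that reports the failure so the caller bails out. All names here (GLContext, Driver, prepareTextureUnchecked, prepareTextureChecked, displayLayer*) are hypothetical stand-ins, and the null-context case is recorded in a counter instead of dereferencing the null pointer as the real crash did.

```cpp
// Hypothetical model of the bug, not the real WebKit/ANGLE APIs.
struct GLContext { int id; };

struct Driver {
    GLContext* current = nullptr;   // context current on this thread, if any
    bool makeCurrentFails = false;  // stands in for whatever made eglMakeCurrent fail
    int nullContextCalls = 0;       // releaseTexImage calls made with no current context

    // Models eglMakeCurrent: sets 'current' on success, leaves it null on failure.
    bool makeCurrent(GLContext* ctx) {
        current = makeCurrentFails ? nullptr : ctx;
        return current != nullptr;
    }

    // Models eglReleaseTexImage, which requires a current context. The real code
    // dereferenced a null gl::Context here; this model counts the bad call instead.
    bool releaseTexImage(int buffer) {
        if (!current) { ++nullContextCalls; return false; }
        return buffer != 0;
    }
};

// Before the fix: no return code, so a failed makeCurrent is invisible to the caller.
void prepareTextureUnchecked(Driver& d, GLContext* ctx) {
    d.makeCurrent(ctx);
}

// After the fix: report whether the context is actually current.
bool prepareTextureChecked(Driver& d, GLContext* ctx) {
    return d.makeCurrent(ctx);
}

// Models the layer's display step. Returns true if the texture image was released.
bool displayLayerUnchecked(Driver& d, GLContext* ctx, int buffer) {
    prepareTextureUnchecked(d, ctx);
    return d.releaseTexImage(buffer);   // reached even when nothing is current
}

bool displayLayerChecked(Driver& d, GLContext* ctx, int buffer) {
    if (!prepareTextureChecked(d, ctx))
        return false;                   // no current context: skip the release
    return d.releaseTexImage(buffer);
}
```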
Comment 7 EWS 2020-04-08 11:50:50 PDT
Committed r259737: <https://trac.webkit.org/changeset/259737>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 395763 [details].