Bug 210153

Summary: Crash in StoreKitUIService: WebCore: gl::FramebufferManager::getFramebuffer const
Product: WebKit Reporter: Dean Jackson <dino>
Component: WebGLAssignee: Dean Jackson <dino>
Status: RESOLVED DUPLICATE    
Severity: Normal CC: dino, esprehn+autocc, ews-watchlist, glenn, graouts, kbr, kondapallykalyan, mmaxfield, noam, pdr, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on: 210151, 210213, 210222, 212461    
Bug Blocks:    
Attachments:
Description Flags
WIP none

Dean Jackson
Reported 2020-04-07 13:54:58 PDT
Unfortunately this one is on an internal iOS build and doesn't have reproduction steps.

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Subtype: KERN_INVALID_ADDRESS at 0x0000000000000068
VM Region Info: 0x68 is not in any region.  Bytes before following region: 4337565592
      REGION TYPE                      START - END             [ VSIZE] PRT/MAX SHRMOD  REGION DETAIL
      UNUSED SPACE AT START
--->  __TEXT                 00000001028a0000-00000001028d0000 [  192K] r-x/r-x SM=COW  ...eKitUIService

Termination Signal: Segmentation fault: 11
Termination Reason: Namespace SIGNAL, Code 0xb
Terminating Process: exc handler [2021]
Triggered by Thread:  4

Thread 4 name:  WebThread
Thread 4 Crashed:
0   WebCore   0x000000019c8cdb3c gl::FramebufferManager::getFramebuffer(gl::FramebufferID) const + 16 (ResourceMap.h:29)
1   WebCore   0x000000019c774fc0 gl::Context::unsetDefaultFramebuffer() + 36 (Context.cpp:8505)
2   WebCore   0x000000019c774fc0 gl::Context::unsetDefaultFramebuffer() + 36 (Context.cpp:8505)
3   WebCore   0x000000019c773db4 gl::Context::unMakeCurrent(egl::Display const*) + 36 (Context.cpp:705)
4   WebCore   0x000000019c7b9b50 egl::Display::makeCurrent(egl::Thread const*, egl::Surface*, egl::Surface*, gl::Context*) + 68 (Display.cpp:1066)
5   WebCore   0x000000019c7c34ec EGL_MakeCurrent + 208 (entry_points_egl.cpp:448)
6   WebCore   0x000000019b2ea26c WebCore::GraphicsContextGLOpenGL::GraphicsContextGLOpenGL(WebCore::GraphicsContextGLAttributes, WebCore::HostWindow*, WebCore::GraphicsContextGL::Destination, WebCore::GraphicsContextGLOpenGL*) + 1404 (GraphicsContextGLOpenGLCocoa.mm:366)
7   WebCore   0x000000019b2e988c WebCore::GraphicsContextGLOpenGL::create(WebCore::GraphicsContextGLAttributes, WebCore::HostWindow*, WebCore::GraphicsContextGL::Destination) + 472 (GraphicsContextGLOpenGLCocoa.mm:188)
8   WebCore   0x000000019bc77990 WebCore::WebGLRenderingContextBase::create(WebCore::CanvasBase&, WebCore::GraphicsContextGLAttributes&, WTF::String const&) + 1036 (WebGLRenderingContextBase.cpp:580)
9   WebCore   0x000000019bb21e80 WebCore::HTMLCanvasElement::getContext(JSC::JSGlobalObject&, WTF::String const&, WTF::Vector<JSC::Strong<JSC::Unknown, (JSC::ShouldStrongDestructorGrabLock)0>, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&&) + 852 (HTMLCanvasElement.cpp:413)
10  WebCore   0x000000019ad21cf0 WebCore::jsHTMLCanvasElementPrototypeFunctionGetContext(JSC::JSGlobalObject*, JSC::CallFrame*) + 504 (JSHTMLCanvasElement.cpp:310)
11  ???       0x0000000dd37b01fc 0 + 59382628860
Attachments
WIP (21.01 KB, patch)
2020-05-02 02:22 PDT, Myles C. Maxfield
no flags
Dean Jackson
Comment 1 2020-04-07 13:55:23 PDT
Kenneth Russell
Comment 2 2020-04-07 13:59:16 PDT
Is any multithreaded usage of OpenGL ES / EGL occurring in this service?
Dean Jackson
Comment 3 2020-04-08 11:37:41 PDT
Older radar is: rdar://60106363
Kenneth Russell
Comment 4 2020-04-20 13:41:12 PDT
Any possibility of re-testing this now that the fixes for Bug 210151 and Bug 210222 have landed? They should have improved correctness in this general area.
Myles C. Maxfield
Comment 5 2020-05-02 01:01:13 PDT
This still occurs. It looks like we're deleting the context on the web thread, but it's still current on the main thread. Then, when the main thread tries to make a new context current, it tries to unMakeCurrent() whatever is already current, which is a context that has been deleted.
Myles C. Maxfield
Comment 6 2020-05-02 01:05:05 PDT
Myles C. Maxfield
Comment 7 2020-05-02 01:12:34 PDT
Off the top of my head, there are (at least) 3 ways to fix this:

1. Make EGLContexts have an internal reference count, and have EGL_DestroyContext() only decrement the reference count. Making a context current would increment the reference count.
2. When one thread wants to destroy an EGLContext, send a synchronous message to any other threads which might be using it. The synchronous message would make the context un-current.
3. Don't have GraphicsContextGLOpenGL::~GraphicsContextGLOpenGL() call EGL_DestroyContext() directly. Instead, defer the destruction of the context using some threadsafe global manager object. This would effectively be the same as option 1, but implemented in WebKit.

I'd lean toward option 1.
Myles C. Maxfield
Comment 8 2020-05-02 01:13:26 PDT
(In reply to Myles C. Maxfield from comment #7)
> Off the top of my head, there are (at least) 3 ways to fix this:
>
> 1. Make EGLContexts have an internal reference count, and have
> EGL_DestroyContext() only decrement the reference count. Making a context
> current would increment the reference count
> 2. When one thread wants to destroy a EGLContext, send a synchronous message
> to any other threads which might be using it. The synchronous message would
> make the context un-current
> 3. Don't have GraphicsContextGLOpenGL::~GraphicsContextGLOpenGL() call
> EGL_DestroyContext() directly. Instead, defer the destruction of the context
> using some threadsafe global manager object. This would effectively be the
> same as option 1, but implemented in WebKit.
>
> I'd lean toward option 1.

**** typo. I'd actually lean toward option 3.
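As an added illustration of the race described in comment 5 and of option 3 above, the following C++ model is editorial example code, not WebKit's or ANGLE's: GLContext, ContextManager, Thread and replayBugOrdering are hypothetical names, and the two threads are modelled as explicit values so the ordering from the report can be replayed deterministically. In immediate mode the destructor path frees the context while the main thread still has it current, and the main thread's next makeCurrent would then un-current a freed object; in deferred mode the manager keeps a per-context count of threads that have it current and only frees it after the last un-current.

```cpp
#include <map>
#include <memory>
#include <mutex>

// Hypothetical stand-in for an EGLContext (illustration only, not ANGLE's type).
struct GLContext {
    int defaultFramebuffer = 0;  // the state unMakeCurrent() touches in the crash
};

// EGL tracks the current context per thread; the two threads from the report are
// modelled explicitly so the interleaving can be replayed deterministically.
enum class Thread { Main, Web };

// Option 3 from comment 7: a thread-safe manager that owns every context and defers
// the EGL_DestroyContext-style teardown until no thread has it current. With
// deferDestruction=false it frees immediately, like the original code path.
class ContextManager {
public:
    explicit ContextManager(bool deferDestruction) : m_defer(deferDestruction) {}

    GLContext* create() {
        std::lock_guard<std::mutex> lock(m_mutex);
        auto ctx = std::make_unique<GLContext>();
        GLContext* raw = ctx.get();
        m_entries[raw].owner = std::move(ctx);
        return raw;
    }
    // Making ctx current on `thread` first un-currents whatever that thread had.
    void makeCurrent(Thread thread, GLContext* ctx) {
        std::lock_guard<std::mutex> lock(m_mutex);
        GLContext* previous = m_current[thread];
        if (previous == ctx) return;
        if (previous) unMakeCurrent(previous);
        if (ctx) m_entries.at(ctx).currentCount++;
        m_current[thread] = ctx;
    }
    // What the ~GraphicsContextGLOpenGL() path calls. In deferred mode this only
    // marks the context; it is freed once the last thread un-currents it.
    void destroy(GLContext* ctx) {
        std::lock_guard<std::mutex> lock(m_mutex);
        Entry& entry = m_entries.at(ctx);
        entry.pendingDestroy = true;
        if (!m_defer || entry.currentCount == 0) freeNow(ctx);
    }
    int destroyedCount() const { return m_destroyed; }
    int danglingUnCurrentCount() const { return m_danglingUnCurrent; }

private:
    struct Entry {
        std::unique_ptr<GLContext> owner;
        int currentCount = 0;  // threads that have this context current
        bool pendingDestroy = false;
    };
    void unMakeCurrent(GLContext* previous) {
        auto it = m_entries.find(previous);  // compares the pointer value only
        if (it == m_entries.end()) {
            // The real unMakeCurrent() would now read through a freed context (the
            // KERN_INVALID_ADDRESS read in the report); count it instead of crashing.
            m_danglingUnCurrent++;
            return;
        }
        previous->defaultFramebuffer = 0;  // safe: the manager still owns it
        if (--it->second.currentCount == 0 && it->second.pendingDestroy) freeNow(previous);
    }
    void freeNow(GLContext* ctx) {
        m_entries.erase(ctx);  // the unique_ptr releases the context here
        m_destroyed++;
    }

    bool m_defer;
    std::mutex m_mutex;
    std::map<GLContext*, Entry> m_entries;
    std::map<Thread, GLContext*> m_current;
    int m_destroyed = 0;
    int m_danglingUnCurrent = 0;
};

struct Outcome {
    int destroyedAfterWebTeardown;     // contexts freed once the web thread is done
    int destroyedAfterMainMakeCurrent; // contexts freed after the main thread moved on
    int danglingUnCurrent;             // would-be use-after-free reads on the main thread
};

// Replays the ordering from comments 5 and 11: the main thread (WebGLLayer display)
// has the context current, the web thread (Document teardown) destroys it, and the
// main thread later makes another context current.
Outcome replayBugOrdering(bool deferDestruction) {
    ContextManager mgr(deferDestruction);
    GLContext* ctx = mgr.create();
    GLContext* next = mgr.create();         // allocated first so ctx's address is not reused
    mgr.makeCurrent(Thread::Main, ctx);     // -[WebGLLayer display] -> makeContextCurrent()
    mgr.makeCurrent(Thread::Web, ctx);      // the web thread renders with it too...
    mgr.makeCurrent(Thread::Web, nullptr);  // ...then un-currents it; only Main still holds it
    mgr.destroy(ctx);                       // web thread: ~GraphicsContextGLOpenGL()
    Outcome out{};
    out.destroyedAfterWebTeardown = mgr.destroyedCount();
    mgr.makeCurrent(Thread::Main, next);    // main thread: EGL_MakeCurrent -> unMakeCurrent(ctx)
    out.destroyedAfterMainMakeCurrent = mgr.destroyedCount();
    out.danglingUnCurrent = mgr.danglingUnCurrentCount();
    return out;
}
```

replayBugOrdering(false) frees the context during web-thread teardown and then records one dangling un-current on the main thread; replayBugOrdering(true) records none, because the free happens only when the main thread's makeCurrent drops the last reference. This is the sense in which option 3 is option 1 implemented in WebKit: the count of threads that have the context current is the reference count, held outside ANGLE.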
Myles C. Maxfield
Comment 9 2020-05-02 02:22:51 PDT
Dean Jackson
Comment 10 2020-05-02 14:10:05 PDT
I'd go for option 3 too. I have a couple of questions though. How did the main thread make a context current? I mean, how did it get to use WebGL at all? Could we dispatch whatever the main thread is doing to the web thread?
Myles C. Maxfield
Comment 11 2020-05-04 11:08:28 PDT
(In reply to Dean Jackson from comment #10)
> How did the main thread make a context current? I mean, how did it get to use WebGL at all?

Here's the stack where it gets deleted on the Web thread:

#0  0x000000011b60f5fc in gl::ResourceManagerBase<gl::HandleAllocator>::release(gl::Context const*) at /Users/mmaxfield/src/WebKit/OpenSource/Source/ThirdParty/ANGLE/src/libANGLE/ResourceManager.cpp:59
#1  0x000000011b299538 in gl::Context::onDestroy(egl::Display const*) at /Users/mmaxfield/src/WebKit/OpenSource/Source/ThirdParty/ANGLE/src/libANGLE/Context.cpp:566
#2  0x000000011b34fa8c in egl::Display::destroyContext(egl::Thread const*, gl::Context*) at /Users/mmaxfield/src/WebKit/OpenSource/Source/ThirdParty/ANGLE/src/libANGLE/Display.cpp:1211
#3  0x000000011b37aa68 in ::EGL_DestroyContext(EGLDisplay, EGLContext) at /Users/mmaxfield/src/WebKit/OpenSource/Source/ThirdParty/ANGLE/src/libGLESv2/entry_points_egl.cpp:408
#4  0x0000000118131b90 in WebCore::GraphicsContextGLOpenGL::~GraphicsContextGLOpenGL() at /Users/mmaxfield/src/WebKit/OpenSource/Source/WebCore/platform/graphics/cocoa/GraphicsContextGLOpenGLCocoa.mm:594
#5  0x0000000118131ca4 in WebCore::GraphicsContextGLOpenGL::~GraphicsContextGLOpenGL() at /Users/mmaxfield/src/WebKit/OpenSource/Source/WebCore/platform/graphics/cocoa/GraphicsContextGLOpenGLCocoa.mm:542
#6  0x0000000118131cdc in WebCore::GraphicsContextGLOpenGL::~GraphicsContextGLOpenGL() at /Users/mmaxfield/src/WebKit/OpenSource/Source/WebCore/platform/graphics/cocoa/GraphicsContextGLOpenGLCocoa.mm:542
#7  0x0000000116c5b91c in std::__1::default_delete<WebCore::GraphicsContextGL>::operator()(WebCore::GraphicsContextGL*) const at /Applications/Xcode.app/Contents/Developer/Toolchains/iOS14.0.xctoolchain/usr/include/c++/v1/memory:2338
#8  0x0000000116c5b8b4 in WTF::RefCounted<WebCore::GraphicsContextGL, std::__1::default_delete<WebCore::GraphicsContextGL> >::deref() const at /Users/mmaxfield/Build/Products/Debug-iphoneos/usr/local/include/wtf/RefCounted.h:190
#9  0x000000011813d990 in void WTF::derefIfNotNull<WebCore::GraphicsContextGLOpenGL>(WebCore::GraphicsContextGLOpenGL*) at /Users/mmaxfield/Build/Products/Debug-iphoneos/usr/local/include/wtf/RefPtr.h:44
#10 0x000000011989d04c in WTF::RefPtr<WebCore::GraphicsContextGLOpenGL, WTF::DumbPtrTraits<WebCore::GraphicsContextGLOpenGL> >::operator=(std::nullptr_t) at /Users/mmaxfield/Build/Products/Debug-iphoneos/usr/local/include/wtf/RefPtr.h:156
#11 0x000000011989cc98 in WebCore::WebGLRenderingContextBase::destroyGraphicsContextGL() at /Users/mmaxfield/src/WebKit/OpenSource/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp:916
#12 0x00000001198adb44 in WebCore::WebGLRenderingContextBase::stop() at /Users/mmaxfield/src/WebKit/OpenSource/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp:5630
#13 0x00000001193ab0f0 in auto WebCore::ScriptExecutionContext::stopActiveDOMObjects()::$_9::operator()<WebCore::ActiveDOMObject>(WebCore::ActiveDOMObject&) const at /Users/mmaxfield/src/WebKit/OpenSource/Source/WebCore/dom/ScriptExecutionContext.cpp:299
#14 0x00000001193ab05c in WTF::Detail::CallableWrapper<WebCore::ScriptExecutionContext::stopActiveDOMObjects()::$_9, WebCore::ScriptExecutionContext::ShouldContinue, WebCore::ActiveDOMObject&>::call(WebCore::ActiveDOMObject&) at /Users/mmaxfield/Build/Products/Debug-iphoneos/usr/local/include/wtf/Function.h:52
#15 0x00000001193862f8 in WTF::Function<WebCore::ScriptExecutionContext::ShouldContinue (WebCore::ActiveDOMObject&)>::operator()(WebCore::ActiveDOMObject&) const at /Users/mmaxfield/Build/Products/Debug-iphoneos/usr/local/include/wtf/Function.h:84
#16 0x0000000119386118 in WebCore::ScriptExecutionContext::forEachActiveDOMObject(WTF::Function<WebCore::ScriptExecutionContext::ShouldContinue (WebCore::ActiveDOMObject&)> const&) const at /Users/mmaxfield/src/WebKit/OpenSource/Source/WebCore/dom/ScriptExecutionContext.cpp:244
#17 0x00000001193865d0 in WebCore::ScriptExecutionContext::stopActiveDOMObjects() at /Users/mmaxfield/src/WebKit/OpenSource/Source/WebCore/dom/ScriptExecutionContext.cpp:298
#18 0x0000000119184e50 in WebCore::Document::stopActiveDOMObjects() at /Users/mmaxfield/src/WebKit/OpenSource/Source/WebCore/dom/Document.cpp:2699
#19 0x0000000119184c58 in WebCore::Document::commonTeardown() at /Users/mmaxfield/src/WebKit/OpenSource/Source/WebCore/dom/Document.cpp:790
#20 0x0000000119190850 in WebCore::Document::willBeRemovedFromFrame() at /Users/mmaxfield/src/WebKit/OpenSource/Source/WebCore/dom/Document.cpp:2572
#21 0x0000000119ee2714 in WebCore::Frame::setView(WTF::RefPtr<WebCore::FrameView, WTF::DumbPtrTraits<WebCore::FrameView> >&&) at /Users/mmaxfield/src/WebKit/OpenSource/Source/WebCore/page/Frame.cpp:235
#22 0x0000000119cf957c in WebCore::FrameLoader::detachFromParent() at /Users/mmaxfield/src/WebKit/OpenSource/Source/WebCore/loader/FrameLoader.cpp:2861
#23 0x000000010f12d774 in __29-[WebView(WebPrivate) _close]_block_invoke at /Users/mmaxfield/src/WebKit/OpenSource/Source/WebKitLegacy/mac/WebView/WebView.mm:2366
#24 0x000000011a49625c in (anonymous namespace)::WebThreadBlock::operator()() const at /Users/mmaxfield/src/WebKit/OpenSource/Source/WebCore/platform/ios/wak/WebCoreThreadRun.cpp:98
#25 0x000000011a493d84 in HandleRunSource(void*) at /Users/mmaxfield/src/WebKit/OpenSource/Source/WebCore/platform/ios/wak/WebCoreThreadRun.cpp:133

But it's used again here on the main thread:

#0  0x000000011b615280 in gl::ResourceMap<gl::Framebuffer, gl::FramebufferID>::query(gl::FramebufferID) const [inlined] at /Users/mmaxfield/src/WebKit/OpenSource/Source/ThirdParty/ANGLE/src/libANGLE/ResourceMap.h:29
#1  0x000000011b615260 in gl::FramebufferManager::getFramebuffer(gl::FramebufferID) const at /Users/mmaxfield/src/WebKit/OpenSource/Source/ThirdParty/ANGLE/src/libANGLE/ResourceManager.cpp:374
#2  0x000000011b29b3a4 in gl::Context::unsetDefaultFramebuffer() at /Users/mmaxfield/src/WebKit/OpenSource/Source/ThirdParty/ANGLE/src/libANGLE/Context.cpp:8182
#3  0x000000011b2996bc in gl::Context::unMakeCurrent(egl::Display const*) at /Users/mmaxfield/src/WebKit/OpenSource/Source/ThirdParty/ANGLE/src/libANGLE/Context.cpp:646
#4  0x000000011b34fc9c in egl::Display::makeCurrent(egl::Thread const*, egl::Surface*, egl::Surface*, gl::Context*) at /Users/mmaxfield/src/WebKit/OpenSource/Source/ThirdParty/ANGLE/src/libANGLE/Display.cpp:1099
#5  0x000000011b37acb4 in ::EGL_MakeCurrent(EGLDisplay, EGLSurface, EGLSurface, EGLContext) at /Users/mmaxfield/src/WebKit/OpenSource/Source/ThirdParty/ANGLE/src/libGLESv2/entry_points_egl.cpp:448
#6  0x0000000118131d58 in WebCore::GraphicsContextGLOpenGL::makeContextCurrent() at /Users/mmaxfield/src/WebKit/OpenSource/Source/WebCore/platform/graphics/cocoa/GraphicsContextGLOpenGLCocoa.mm:632
#7  0x0000000118175f34 in -[WebGLLayer display] at /Users/mmaxfield/src/WebKit/OpenSource/Source/WebCore/platform/graphics/cocoa/WebGLLayer.mm:161
#8  0x00000001b538c984 in CA::Layer::layout_and_display_if_needed(CA::Transaction*) ()
#9  0x00000001b52d7acc in CA::Context::commit_transaction(CA::Transaction*, double, double*) ()
#10 0x00000001b5302594 in CA::Transaction::commit() ()

> Could we dispatch whatever the main thread is doing to the web thread?

I don't think we can (easily) move the CA transaction to run on a different thread.
Kenneth Russell
Comment 12 2020-05-06 16:23:09 PDT
Is there any possibility that the Web thread could be told to do the EGL work in WebGLLayer's display method, so that the WebGLLayer would only be interacting with the resulting IOSurface? Would there be a good point in the browser's composition lifecycle to do that?
Dean Jackson
Comment 13 2020-05-07 06:06:38 PDT
I'm going to take this bug. I have a prototype of doing the EGL work (and more) on the Web thread before display happens.
Dean Jackson
Comment 14 2020-05-29 17:27:23 PDT
Marking this as a duplicate, although it should be the other way around. *** This bug has been marked as a duplicate of bug 212461 ***