Bug 211074
| Summary: | [GTK] Crash in Nicosia::CairoOperationRecorder::drawGlyphs | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Michael Catanzaro <mcatanzaro> |
| Component: | WebKitGTK | Assignee: | Nobody <webkit-unassigned> |
| Status: | NEW | | |
| Severity: | Normal | CC: | bugs-noreply, cgarcia, mcatanzaro, zan |
| Priority: | P2 | | |
| Version: | WebKit Nightly Build | | |
| Hardware: | PC | | |
| OS: | Linux | | |
Michael Catanzaro
My Epiphany is in a weird state (reminds me of bug #201507, but different) where the web process crashes when loading target.com. As with bug #201507, the crash is 100% reproducible in my current UI process but not reproducible at all in new processes. Unlike bug #201507, this crash is not triggered by AC mode. It only occurs on target.com, not for poster circle.
Note, in particular, frame #12 here, where we have an illegal call to Nicosia::CairoOperationRecorder::drawGlyphs with this=0x0:
#12 0x00007f77fdf37958 in Nicosia::CairoOperationRecorder::drawGlyphs(WebCore::Font const&, WebCore::GlyphBuffer const&, unsigned int, unsigned int, WebCore::FloatPoint const&, WebCore::FontSmoothingMode) (this=0x0, font=..., glyphBuffer=..., from=<optimized out>, numGlyphs=<optimized out>, point=..., fontSmoothing=WebCore::FontSmoothingMode::AutoSmoothing) at ../Source/WebCore/platform/graphics/nicosia/cairo/NicosiaCairoOperationRecorder.cpp:529
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00007f77fdf37958 in std::__exchange<_cairo_scaled_font*, decltype(nullptr)&>(_cairo_scaled_font*&, decltype(nullptr)&) (__new_val=<optimized out>,
__obj=@0x7fffcb2dd938: 0x0) at /usr/include/c++/9.2.0/bits/move.h:149
149 __exchange(_Tp& __obj, _Up&& __new_val)
#0 0x00007f77fdf37958 in std::__exchange<_cairo_scaled_font*, decltype(nullptr)&>(_cairo_scaled_font*&, decltype(nullptr)&)
(__new_val=<optimized out>, __obj=@0x7fffcb2dd938: 0x0)
at /usr/include/c++/9.2.0/bits/move.h:149
#1 0x00007f77fdf37958 in std::exchange<_cairo_scaled_font*, decltype(nullptr)&>(_cairo_scaled_font*&, decltype(nullptr)&)
(__new_val=<optimized out>, __obj=@0x7fffcb2dd938: 0x0)
at /usr/include/c++/9.2.0/utility:287
#2 0x00007f77fdf37958 in WTF::DumbPtrTraits<_cairo_scaled_font>::exchange<decltype(nullptr)>(_cairo_scaled_font*&, decltype(nullptr)&&)
(newValue=<optimized out>, ptr=@0x7fffcb2dd938: 0x0)
at DerivedSources/ForwardingHeaders/wtf/DumbPtrTraits.h:40
#3 0x00007f77fdf37958 in WTF::RefPtr<_cairo_scaled_font, WTF::DumbPtrTraits<_cairo_scaled_font> >::~RefPtr() (this=0x7fffcb2dd938, __in_chrg=<optimized out>)
at DerivedSources/ForwardingHeaders/wtf/RefPtr.h:70
#4 0x00007f77fdf37958 in std::_Head_base<4ul, WTF::RefPtr<_cairo_scaled_font, WTF::DumbPtrTraits<_cairo_scaled_font> >, false>::~_Head_base()
(this=0x7fffcb2dd938, __in_chrg=<optimized out>)
at /usr/include/c++/9.2.0/tuple:120
#5 0x00007f77fdf37958 in std::_Tuple_impl<4ul, WTF::RefPtr<_cairo_scaled_font, WTF::DumbPtrTraits<_cairo_scaled_font> >, float, WTF::Vector<cairo_glyph_t, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, float, unsigned int, float, WebCore::FloatSize, WebCore::Color, WebCore::FontSmoothingMode>::~_Tuple_impl()
(this=0x7fffcb2dd8f8, __in_chrg=<optimized out>) at /usr/include/c++/9.2.0/tuple:185
#6 0x00007f77fdf37958 in std::_Tuple_impl<3ul, WebCore::FloatPoint, WTF::RefPtr<_cairo_scaled_font, WTF::DumbPtrTraits<_cairo_scaled_font> >, float, WTF::Vector<cairo_glyph_t, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, float, unsigned int, float, WebCore::FloatSize, WebCore::Color, WebCore::FontSmoothingMode>::~_Tuple_impl() (this=0x7fffcb2dd8f8, __in_chrg=<optimized out>) at /usr/include/c++/9.2.0/tuple:185
#7 0x00007f77fdf37958 in std::_Tuple_impl<2ul, WebCore::Cairo::ShadowState, WebCore::FloatPoint, WTF::RefPtr<_cairo_scaled_font, WTF::DumbPtrTraits<_cairo_scaled_font> >, float, WTF::Vector<cairo_glyph_t, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, float, unsigned int, float, WebCore::FloatSize, WebCore::Color, WebCore::FontSmoothingMode>::~_Tuple_impl() (this=0x7fffcb2dd8f8, __in_chrg=<optimized out>) at /usr/include/c++/9.2.0/tuple:185
#8 0x00007f77fdf37958 in std::_Tuple_impl<1ul, WebCore::Cairo::StrokeSource, WebCore::Cairo::ShadowState, WebCore::FloatPoint, WTF::RefPtr<_cairo_scaled_font, WTF::DumbPtrTraits<_cairo_scaled_font> >, float, WTF::Vector<cairo_glyph_t, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, float, unsigned int, float, WebCore::FloatSize, WebCore::Color, WebCore::FontSmoothingMode>::~_Tuple_impl() (this=0x7fffcb2dd8f8, __in_chrg=<optimized out>) at /usr/include/c++/9.2.0/tuple:185
#9 0x00007f77fdf37958 in std::_Tuple_impl<0ul, WebCore::Cairo::FillSource, WebCore::Cairo::StrokeSource, WebCore::Cairo::ShadowState, WebCore::FloatPoint, WTF::RefPtr<_cairo_scaled_font, WTF::DumbPtrTraits<_cairo_scaled_font> >, float, WTF::Vector<cairo_glyph_t, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, float, unsigned int, float, WebCore::FloatSize, WebCore::Color, WebCore::FontSmoothingMode>::~_Tuple_impl() (this=0x7fffcb2dd8f8, __in_chrg=<optimized out>) at /usr/include/c++/9.2.0/tuple:185
#10 0x00007f77fdf37958 in std::tuple<WebCore::Cairo::FillSource, WebCore::Cairo::StrokeSource, WebCore::Cairo::ShadowState, WebCore::FloatPoint, WTF::RefPtr<_cairo_scaled_font, WTF::DumbPtrTraits<_cairo_scaled_font> >, float, WTF::Vector<cairo_glyph_t, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, float, unsigned int, float, WebCore::FloatSize, WebCore::Color, WebCore::FontSmoothingMode>::~tuple() (this=0x7fffcb2dd8f8, __in_chrg=<optimized out>) at /usr/include/c++/9.2.0/tuple:523
#11 0x00007f77fdf37958 in Nicosia::createCommand<Nicosia::CairoOperationRecorder::drawGlyphs(const WebCore::Font&, const WebCore::GlyphBuffer&, unsigned int, unsigned int, const WebCore::FloatPoint&, WebCore::FontSmoothingMode)::DrawGlyphs, WebCore::Cairo::FillSource, WebCore::Cairo::StrokeSource, WebCore::Cairo::ShadowState, const WebCore::FloatPoint&, WTF::RefPtr<_cairo_scaled_font, WTF::DumbPtrTraits<_cairo_scaled_font> >, float, WTF::Vector<cairo_glyph_t, 0, WTF::CrashOnOverflow, 16, WTF::FastMalloc>, float&, unsigned int const&, float const&, const WebCore::FloatSize&, const WebCore::Color&, WebCore::FontSmoothingMode&> () at ../Source/WebCore/platform/graphics/nicosia/cairo/NicosiaCairoOperationRecorder.cpp:64
#12 0x00007f77fdf37958 in Nicosia::CairoOperationRecorder::drawGlyphs(WebCore::Font const&, WebCore::GlyphBuffer const&, unsigned int, unsigned int, WebCore::FloatPoint const&, WebCore::FontSmoothingMode) (this=0x0, font=..., glyphBuffer=..., from=<optimized out>, numGlyphs=<optimized out>, point=..., fontSmoothing=WebCore::FontSmoothingMode::AutoSmoothing) at ../Source/WebCore/platform/graphics/nicosia/cairo/NicosiaCairoOperationRecorder.cpp:529
#13 0x0000000101000101 in ()
#14 0x0001000000000000 in ()
#15 0x000000003f800000 in ()
#16 0x00007f77fd483beb in std::__exchange<WebCore::WebGLBuffer*, decltype(nullptr)&>(WebCore::WebGLBuffer*&, decltype(nullptr)&) (__new_val=<optimized out>, __obj=@0x7fffcb2dda70: 0x7f77ed3fbb00) at /usr/include/c++/9.2.0/bits/move.h:149
#17 0x00007f77fd483beb in std::exchange<WebCore::WebGLBuffer*, decltype(nullptr)&>(WebCore::WebGLBuffer*&, decltype(nullptr)&) (__new_val=<optimized out>, __obj=@0x7fffcb2dda70: 0x7f77ed3fbb00) at /usr/include/c++/9.2.0/utility:287
#18 0x00007f77fd483beb in WTF::DumbPtrTraits<WebCore::WebGLBuffer>::exchange<decltype(nullptr)>(WebCore::WebGLBuffer*&, decltype(nullptr)&&) (newValue=<optimized out>, ptr=@0x7fffcb2dda70: 0x7f77ed3fbb00) at DerivedSources/ForwardingHeaders/wtf/DumbPtrTraits.h:40
#19 0x00007f77fd483beb in WTF::RefPtr<WebCore::WebGLBuffer, WTF::DumbPtrTraits<WebCore::WebGLBuffer> >::leakRef() (this=0x7fffcb2dda70) at DerivedSources/ForwardingHeaders/wtf/RefPtr.h:125
#20 0x00007f77fd483beb in WTF::RefPtr<WebCore::WebGLBuffer, WTF::DumbPtrTraits<WebCore::WebGLBuffer> >::RefPtr(WTF::RefPtr<WebCore::WebGLBuffer, WTF::DumbPtrTraits<WebCore::WebGLBuffer> >&&) (o=..., this=<synthetic pointer>) at DerivedSources/ForwardingHeaders/wtf/RefPtr.h:62
#21 0x00007f77fd483beb in WTF::RefPtr<WebCore::WebGLBuffer, WTF::DumbPtrTraits<WebCore::WebGLBuffer> >::operator=(WTF::RefPtr<WebCore::WebGLBuffer, WTF::DumbPtrTraits<WebCore::WebGLBuffer> >&&) (o=..., this=0x7fffcb2ddd00) at DerivedSources/ForwardingHeaders/wtf/RefPtr.h:163
#22 0x00007f77fd483beb in WebCore::WebGLRenderingContextBase::initVertexAttrib0() (this=0x7fffcb2ddb10) at ../Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp:6150
#23 0xdaa039c7f156d100 in ()
#24 0x00007f77ece00000 in ()
#25 0x00007f77ec3049d0 in ()
#26 0x00007f77ec3049d0 in ()
#27 0x00007fffcb2ddc50 in ()
#28 0x00007fffcb2ddbb0 in ()
#29 0x00007f77ed1edc68 in ()
#30 0x00007fffcb2ddb10 in ()
#31 0x00007f77fd35ef23 in WebCore::HTMLBodyElement::parseAttribute(WebCore::QualifiedName const&, WTF::AtomString const&) (this=0x7d4aa000, name=..., value=...) at DerivedSources/ForwardingHeaders/wtf/text/AtomString.h:91
#32 0x0001000000000000 in ()
#33 0x000000003f800000 in ()
#34 0x0000000000000000 in ()
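An added triage helper (not from this bug or from WebKit) that parses gdb `bt` frames like the ones above and flags what the report points at: the null `this` at frame #12, the symbol-less frames with non-canonical return addresses right below it (which mean the unwind past that point cannot be trusted), and the run of frames #0 through #12 that share one PC and are therefore inlined. The sample frames are abridged from the backtrace above; the canonical user-space limit is assumed for x86-64 Linux.

```python
import re
# Constructed sample: frames abridged from the gdb backtrace in this report
# (signatures shortened to "..."; frame numbers, PCs and argument values kept).
SAMPLE_BT = """\
#0  0x00007f77fdf37958 in std::__exchange<...>(...) (__obj=@0x7fffcb2dd938: 0x0) at /usr/include/c++/9.2.0/bits/move.h:149
#3  0x00007f77fdf37958 in WTF::RefPtr<_cairo_scaled_font>::~RefPtr() (this=0x7fffcb2dd938) at wtf/RefPtr.h:70
#12 0x00007f77fdf37958 in Nicosia::CairoOperationRecorder::drawGlyphs(...) (this=0x0, font=...) at NicosiaCairoOperationRecorder.cpp:529
#13 0x0000000101000101 in ()
#14 0x0001000000000000 in ()
#15 0x000000003f800000 in ()
#22 0x00007f77fd483beb in WebCore::WebGLRenderingContextBase::initVertexAttrib0() (this=0x7fffcb2ddb10) at WebGLRenderingContextBase.cpp:6150
#23 0xdaa039c7f156d100 in ()
"""

FRAME_RE = re.compile(r"^#(\d+)\s+(0x[0-9a-fA-F]+)\s+in\s+(.*)$")
USER_SPACE_MAX = 0x00007FFFFFFFFFFF  # top of the canonical user-space range on x86-64 Linux (assumed)

def parse_frames(text):
    """Turn gdb 'bt' lines into dicts; non-frame lines (source echo, signal line) are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue
        body = m.group(3)
        frames.append({"num": int(m.group(1)), "pc": int(m.group(2), 16), "body": body,
                       "has_symbol": body != "()",  # gdb prints 'in ()' when no symbol resolves
                       "null_this": re.search(r"\bthis=0x0\b", body) is not None})
    return frames

def triage(frames):
    """Classify a crash by how trustworthy the unwound call chain is."""
    null_this = [f["num"] for f in frames if f["null_this"]]
    no_symbol = [f["num"] for f in frames if not f["has_symbol"]]
    bogus_pc = [f["num"] for f in frames if f["pc"] > USER_SPACE_MAX or f["pc"] < 0x10000]
    # Consecutive frames that share one PC were inlined into a single machine-code location.
    runs, cur = [], []
    for f in frames + [None]:
        if f is not None and cur and f["pc"] == cur[-1]["pc"]:
            cur.append(f)
            continue
        if len(cur) > 1:
            runs.append([g["num"] for g in cur])
        cur = [f] if f is not None else []
    # A null 'this' whose callers cannot be resolved is not a plain null dereference:
    # the chain below it is suspect, so treat it as a memory-safety bug until proven otherwise.
    unreliable = bool(null_this) and any(n > null_this[0] for n in no_symbol)
    verdict = "null-this, unreliable unwind" if unreliable else ("null-this" if null_this else "no null-this")
    return {"null_this": null_this, "no_symbol": no_symbol, "bogus_pc": bogus_pc,
            "inlined_runs": runs, "verdict": verdict}
```

Run `triage(parse_frames(SAMPLE_BT))` on the sample; on a full `bt` dump the same parser skips gdb's source-line echo and the "Program terminated" line.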
Michael Catanzaro
BTW this is with 2.28.1, since we don't have 2.28.2 in Tech Preview yet.
Carlos Garcia Campos
This is weird, AFAIK Nicosia::CairoOperationRecorder is only used for threaded rendering, which can't be enabled in the GTK port. I wonder how you ended up with a recording graphics context. Zan?