Bug 214241

Summary: [WinCairo] ANGLE D3D renderer can crash when PlatformDisplayWin is destructed in IPC thread
Product: WebKit
Reporter: Fujii Hironori <Hironori.Fujii>
Component: Platform
Assignee: Fujii Hironori <Hironori.Fujii>
Status: RESOLVED FIXED
Severity: Normal
CC: don.olmstead, ross.kirsling, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments:
Patch (don.olmstead: review+)

Fujii Hironori
Reported 2020-07-12 14:20:08 PDT
[WinCairo] Crashed while destructing GLContextEGL

I observed a crash after browsing some sites and closing the MiniBrowser. I don't know how to reproduce this crash. I was using WinCairo WK2 release r263953.

Callstack:
> atidxx64.dll!00007ffabcddfa03() Unknown
> atiuxp64.dll!00007ffabde0c89e() Unknown
> d3d11.dll!CResource<ID3D11Buffer>::CLS::FinalRelease() Unknown
> d3d11.dll!TCLSWrappers<class CBuffer>::CLSDestroy(struct CBuffer::CLS *,class CContext *) Unknown
> d3d11.dll!CLayeredObjectWithCLS<class CBuffer>::~CLayeredObjectWithCLS<class CBuffer>(void) Unknown
> d3d11.dll!CLayeredObjectWithCLS<class CBuffer>::Release(void) Unknown
> d3d11.dll!NDXGI::CDeviceChild<struct IDXGIResource1,struct IDXGISwapChainInternal>::FinalRelease(void) Unknown
> d3d11.dll!CLayeredObject<NDXGI::CResource>::Release() Unknown
> d3d11.dll!CUseCountedObject<NOutermost::CDeviceChild>::`scalar deleting destructor'() Unknown
> d3d11.dll!CUseCountedObject<class NOutermost::CDeviceChild>::UCDestroy(void) Unknown
> d3d11.dll!CUseCountedObject<class NOutermost::CDeviceChild>::Release(void) Unknown
> [Inline Frame] libGLESv2.dll!rx::TypedData<ID3D11Buffer>::~TypedData() Line 362 C++
> [Inline Frame] libGLESv2.dll!std::default_delete<rx::TypedData<ID3D11Buffer>>::operator()(rx::TypedData<ID3D11Buffer> * _Ptr) Line 1758 C++
> [Inline Frame] libGLESv2.dll!std::unique_ptr<rx::TypedData<ID3D11Buffer>,std::default_delete<rx::TypedData<ID3D11Buffer>>>::reset(rx::TypedData<ID3D11Buffer> * _Ptr) Line 1908 C++
> libGLESv2.dll!rx::Resource11Base<ID3D11Buffer,UniquePtr,rx::TypedData<ID3D11Buffer>>::~Resource11Base() Line 225 C++
> libGLESv2.dll!rx::Buffer11::NativeStorage::~NativeStorage() Line 1130 C++
> [Inline Frame] libGLESv2.dll!SafeDelete(rx::Buffer11::BufferStorage * & resource) Line 100 C++
> libGLESv2.dll!rx::Buffer11::~Buffer11() Line 360 C++
> libGLESv2.dll!rx::Buffer11::~Buffer11() Line 357 C++
> [Inline Frame] libGLESv2.dll!SafeDelete(rx::BufferImpl * & resource) Line 100 C++
> libGLESv2.dll!gl::Buffer::~Buffer() Line 51 C++
> libGLESv2.dll!gl::Buffer::~Buffer() Line 50 C++
> [Inline Frame] libGLESv2.dll!angle::RefCountObject<gl::Context,angle::Result>::release(const gl::Context * context) Line 46 C++
> [Inline Frame] libGLESv2.dll!gl::ProgramPipelineManager::DeleteObject(const gl::Context * context, gl::ProgramPipeline * pipeline) Line 409 C++
> libGLESv2.dll!gl::TypedResourceManager<gl::ProgramPipeline,gl::HandleAllocator,gl::ProgramPipelineManager,gl::ProgramPipelineID>::reset(const gl::Context * context) Line 74 C++
> libGLESv2.dll!gl::ResourceManagerBase<gl::HandleAllocator>::release(const gl::Context * context) Line 59 C++
> libGLESv2.dll!gl::Context::onDestroy(const egl::Display * display) Line 571 C++
> libGLESv2.dll!egl::Display::destroyContext(const egl::Thread * thread, gl::Context * context) Line 1219 C++
> libGLESv2.dll!EGL_DestroyContext(void * dpy, void * ctx) Line 409 C++
> WebKit2.dll!WebCore::GLContextEGL::~GLContextEGL() Line 359 C++
> WebKit2.dll!WebCore::GLContextEGL::~GLContextEGL() Line 346 C++
> [Inline Frame] WebKit2.dll!std::default_delete<WebCore::GLContext>::operator()(WebCore::GLContext * _Ptr) Line 1758 C++
> [Inline Frame] WebKit2.dll!std::unique_ptr<WebCore::GLContext,std::default_delete<WebCore::GLContext>>::~unique_ptr() Line 1873 C++
> [Inline Frame] WebKit2.dll!WebCore::PlatformDisplay::~PlatformDisplay() Line 166 C++
> WebKit2.dll!WebCore::PlatformDisplayWin::~PlatformDisplayWin() Line 42 C++
> [External Code]
> WebKit2.dll!WebKit::AuxiliaryProcess::didClose(IPC::Connection &) Line 60 C++
> WebKit2.dll!IPC::Connection::connectionDidClose() Line 856 C++
> WebKit2.dll!IPC::Connection::readEventHandler() Line 155 C++
> [Inline Frame] WTF.dll!WTF::Function<void ()>::operator()() Line 84 C++
> WTF.dll!WTF::RunLoop::performWork() Line 140 C++
> [Inline Frame] WTF.dll!WTF::RunLoop::wndProc(HWND__ * hWnd, unsigned int message, unsigned __int64 wParam, __int64 lParam) Line 56 C++
> WTF.dll!WTF::RunLoop::RunLoopWndProc(HWND__ * hWnd, unsigned int message, unsigned __int64 wParam, __int64 lParam) Line 39 C++
> [External Code]
> WTF.dll!WTF::RunLoop::run() Line 73 C++
> [Inline Frame] WTF.dll!WTF::Function<void ()>::operator()() Line 84 C++
> WTF.dll!WTF::Thread::entryPoint(WTF::Thread::NewThreadContext * newThreadContext) Line 168 C++
> WTF.dll!WTF::wtfThreadEntryPoint(void * data) Line 153 C++
> [External Code]
Attachments
Patch (2.23 KB, patch)
2020-07-27 17:51 PDT, Fujii Hironori
don.olmstead: review+
Fujii Hironori
Comment 1 2020-07-26 18:21:57 PDT
ANGLE D3D renderer isn't thread-safe. PlatformDisplay was destructed in the IPC thread. This is not expected for WinCairo. WinCairo shouldn't destruct PlatformDisplay because it can cause a crash (Bug 170331). PlatformDisplay::sharedDisplay has a static variable of type std::unique_ptr<PlatformDisplay>. This triggers the PlatformDisplay dtor. This is not expected for WinCairo.
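An added illustration of the two points in the comment above; this is not WebKit, ANGLE or patch code. `DisplayLike` is a hypothetical stand-in for PlatformDisplay whose destructor records whether it ran on the thread that created it, and `sharedDisplayLeaked` shows the function-local static that is leaked on purpose so that no static destructor can run for it at process exit, on whatever thread exit happens to occur.

```cpp
#include <atomic>
#include <memory>
#include <thread>

// Hypothetical stand-in for a D3D-backed display object: it remembers the
// thread that created it and reports whether its destructor ran on that thread.
class DisplayLike {
public:
    DisplayLike() : m_owningThread(std::this_thread::get_id()) {}
    ~DisplayLike() {
        s_lastDestroyedOnOwningThread = (std::this_thread::get_id() == m_owningThread);
        ++s_destructorRuns;
    }
    static bool lastDestroyedOnOwningThread() { return s_lastDestroyedOnOwningThread; }
    static int destructorRuns() { return s_destructorRuns; }
private:
    std::thread::id m_owningThread;
    static std::atomic<bool> s_lastDestroyedOnOwningThread;
    static std::atomic<int> s_destructorRuns;
};
std::atomic<bool> DisplayLike::s_lastDestroyedOnOwningThread{false};
std::atomic<int> DisplayLike::s_destructorRuns{0};

// Safe case: the display is created and destroyed on the same thread.
bool destroyOnOwningThread() {
    auto display = std::make_unique<DisplayLike>();
    display.reset();
    return DisplayLike::lastDestroyedOnOwningThread();
}

// Shape of the bug: ownership moves to another thread (the IPC thread in the
// report) and that thread runs the destructor, which the renderer does not allow.
bool destroyOnOtherThread() {
    auto display = std::make_unique<DisplayLike>();
    std::thread worker([d = std::move(display)]() mutable { d.reset(); });
    worker.join();
    return DisplayLike::lastDestroyedOnOwningThread();
}

// Mitigation pattern: a static std::unique_ptr would run its destructor during
// static teardown; a raw pointer that is never deleted has no such destructor.
DisplayLike& sharedDisplayLeaked() {
    static DisplayLike* display = new DisplayLike;  // intentionally never deleted
    return *display;
}
```

An assertion on `lastDestroyedOnOwningThread()` inside the destructor is the cheapest way to turn this class of crash into a deterministic failure in debug builds.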
Fujii Hironori
Comment 2 2020-07-27 17:51:22 PDT
Don Olmstead
Comment 3 2020-07-28 12:32:48 PDT
Comment on attachment 405333 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=405333&action=review

r=me with nit about name

> Source/WebCore/ChangeLog:3
> + [WinCairo] ANGLE D3D renderer rarely crashes while destructing PlatformDisplayWin in IPC thread

Maybe a better bug name would be something like this?
[WinCairo] ANGLE D3D renderer can crash when PlatformDisplayWin is destructed in IPC thread
Fujii Hironori
Comment 4 2020-07-28 13:22:18 PDT
Radar WebKit Bug Importer
Comment 5 2020-07-28 13:23:16 PDT