Bug 219568

Summary: REGRESSION(r270458): Crash loading https://browserbench.org/JetStream/
Product: WebKit    Reporter: Simon Fraser (smfr) <simon.fraser>
Component: Layout and Rendering    Assignee: Said Abou-Hallawa <sabouhallawa>
Status: RESOLVED FIXED
Severity: Normal    CC: bfulgham, sabouhallawa, simon.fraser, thorton, webkit-bug-importer, zalan
Priority: P2    Keywords: InRadar
Version: Safari Technology Preview
Hardware: Unspecified
OS: Unspecified
See Also: https://bugs.webkit.org/show_bug.cgi?id=219007
Attachments (Description / Flags):
  Patch / none
  Patch / none

Description Simon Fraser (smfr) 2020-12-05 12:40:22 PST
Load https://browserbench.org/JetStream/ in TOT (r270474).

Crashes because ImageBufferIOSurfaceBackend has a null IOSurface.

(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x8)
  * frame #0: 0x000000054015701c WebCore`WebCore::IOSurface::size(this=0x0000000000000000) const at IOSurface.h:141:35
    frame #1: 0x000000054254e0f6 WebCore`WebCore::ImageBufferIOSurfaceBackend::backendSize(this=0x00000005687bb470) const at ImageBufferIOSurfaceBackend.cpp:125:23
    frame #2: 0x000000054254e317 WebCore`WebCore::ImageBufferIOSurfaceBackend::drawConsuming(this=0x00000005687bb470, destContext=0x00007ffee5253a30, destRect={ x = 0.0, y = 0.0, width = 890.0, height = 48.0 }, srcRect={ x = 0.0, y = 0.0, width = 1780.0, height = 96.0 }, options=0x00007ffee5251e60) at ImageBufferIOSurfaceBackend.cpp:159:45
    frame #3: 0x0000000542467b55 WebCore`WebCore::ConcreteImageBuffer<WebCore::ImageBufferIOSurfaceBackend>::drawConsuming(this=0x00000005688c8c00, destContext=0x00007ffee5253a30, destRect={ x = 0.0, y = 0.0, width = 890.0, height = 48.0 }, srcRect={ x = 0.0, y = 0.0, width = 1780.0, height = 96.0 }, options=0x00007ffee5251e60) at ConcreteImageBuffer.h:180:22
    frame #4: 0x0000000542462df1 WebCore`WebCore::ImageBuffer::drawConsuming(imageBuffer=<unavailable>, context=0x00007ffee5253a30, destRect={ x = 0.0, y = 0.0, width = 890.0, height = 48.0 }, srcRect={ x = 0.0, y = 0.0, width = 1780.0, height = 96.0 }, options=0x00007ffee5251e60) at ImageBuffer.cpp:203:18
    frame #5: 0x000000054243cea0 WebCore`WebCore::GraphicsContext::drawConsumingImageBuffer(this=0x00007ffee5253a30, image=RefPtr<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer>, WTF::DefaultRefDerefTraits<WebCore::ImageBuffer> > @ 0x00007ffee5251c18, destination={ x = 0.0, y = 0.0, width = 890.0, height = 48.0 }, source={ x = 0.0, y = 0.0, width = 1780.0, height = 96.0 }, options=0x00007ffee5251e60) at GraphicsContext.cpp:842:5
    frame #6: 0x000000054243cf70 WebCore`WebCore::GraphicsContext::drawConsumingImageBuffer(this=0x00007ffee5253a30, image=RefPtr<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer>, WTF::DefaultRefDerefTraits<WebCore::ImageBuffer> > @ 0x00007ffee5251e80, destination={ x = 0.0, y = 0.0, width = 890.0, height = 48.0 }, imagePaintingOptions=0x00007ffee5251e60) at GraphicsContext.cpp:828:5
    frame #7: 0x0000000542945317 WebCore`WebCore::RenderBoxModelObject::paintFillLayerExtended(this=0x00000005687c0240, paintInfo=0x00007ffee5252ce8, color={ rgba(0, 0, 0, 0.00) }, bgLayer=0x0000000568890e80, rect={ x = 0px (0), y = 0.078125px (5), width = 890px (56960), height = 48px (3072) }, bleedAvoidance=BackgroundBleedNone, box=0x0000000000000000, boxSize={ width = 0px (0), height = 0px (0) }, op=SourceOver, backgroundObject=0x0000000000000000, baseBgColorUsage=BaseBackgroundColorUse) at RenderBoxModelObject.cpp:981:17
    frame #8: 0x00000005428edd6e WebCore`WebCore::RenderBox::paintFillLayer(this=0x00000005687c0240, paintInfo=0x00007ffee5252ce8, c={ rgba(0, 0, 0, 0.00) }, fillLayer=0x0000000568890e80, rect={ x = 0px (0), y = 0.078125px (5), width = 890px (56960), height = 48px (3072) }, bleedAvoidance=BackgroundBleedNone, op=SourceOver, backgroundObject=0x0000000000000000, baseBgColorUsage=BaseBackgroundColorUse) at RenderBox.cpp:1726:5
    frame #9: 0x00000005428ebf20 WebCore`WebCore::RenderBox::paintFillLayers(this=0x00000005687c0240, paintInfo=0x00007ffee5252ce8, color={ rgba(0, 0, 0, 0.00) }, fillLayer=0x0000000568890e80, rect={ x = 0px (0), y = 0.078125px (5), width = 890px (56960), height = 48px (3072) }, bleedAvoidance=BackgroundBleedNone, op=SourceOver, backgroundObject=0x0000000000000000) at RenderBox.cpp:1717:9
    frame #10: 0x00000005428ec9da WebCore`WebCore::RenderBox::paintBackground(this=0x00000005687c0240, paintInfo=0x00007ffee5252ce8, paintRect={ x = 0px (0), y = 0.078125px (5), width = 890px (56960), height = 48px (3072) }, bleedAvoidance=BackgroundBleedNone) at RenderBox.cpp:1441:5
    frame #11: 0x00000005428ec5fe WebCore`WebCore::RenderBox::paintBoxDecorations(this=0x00000005687c0240, paintInfo=0x00007ffee5252ce8, paintOffset={ x = 0px (0), y = 0.078125px (5) }) at RenderBox.cpp:1396:9
    frame #12: 0x00000005428bb87d WebCore`WebCore::RenderBlock::paintObject(this=0x00000005687c0240, paintInfo=0x00007ffee5252ce8, paintOffset={ x = 0px (0), y = 0.078125px (5) }) at RenderBlock.cpp:1231:13
    frame #13: 0x00000005428ba4d3 WebCore`WebCore::RenderBlock::paint(this=0x00000005687c0240, paintInfo=0x00007ffee5252ce8, paintOffset={ x = 0px (0), y = -454px (-29056) }) at RenderBlock.cpp:1108:5
    frame #14: 0x0000000542a0b0f8 WebCore`WebCore::RenderLayer::paintBackgroundForFragments(this=0x0000000568961170, layerFragments={ size = 1, capacity = 1 }, context=0x00007ffee5253a30, contextForTransparencyLayer=0x00007ffee5253a30, transparencyPaintDirtyRect={ x = 0px (0), y = 0px (0), width = 890px (56960), height = 48px (3072) }, haveTransparency=false, localPaintingInfo=0x00007ffee5253048, paintBehavior={ size = 0 }, subtreePaintRootForRenderer=0x0000000000000000) at RenderLayer.cpp:5090:20
    frame #15: 0x0000000542a0724c WebCore`WebCore::RenderLayer::paintLayerContents(this=0x0000000568961170, context=0x00007ffee5253a30, paintingInfo=0x00007ffee52532d0, paintFlags={ size = 2 }) at RenderLayer.cpp:4736:17
    frame #16: 0x0000000542a2b92d WebCore`WebCore::RenderLayerBacking::paintIntoLayer(this=0x00007ffee52533b8, layer=0x0000000568961170, paintFlags={ size = 2 })::$_25::operator()(WebCore::RenderLayer&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) const at RenderLayerBacking.cpp:3133:19
    frame #17: 0x0000000542a2b245 WebCore`WebCore::RenderLayerBacking::paintIntoLayer(this=0x0000000568862a50, graphicsLayer=0x0000000564fd6000, context=0x00007ffee5253a30, paintDirtyRect={ x = 0, y = 0, width = 890, height = 48 }, paintBehavior={ size = 1 }, eventRegionContext=0x0000000000000000) at RenderLayerBacking.cpp:3150:5
    frame #18: 0x0000000542a2c651 WebCore`WebCore::RenderLayerBacking::paintContents(this=0x0000000568862a50, graphicsLayer=0x0000000564fd6000, context=0x00007ffee5253a30, clip={ x = 0.0, y = 0.0, width = 890.0, height = 49.0 }, layerPaintBehavior=2) at RenderLayerBacking.cpp:3414:9
    frame #19: 0x000000054244d4a0 WebCore`WebCore::GraphicsLayer::paintGraphicsLayerContents(this=0x0000000564fd6000, context=0x00007ffee5253a30, clip={ x = 0.0, y = 0.0, width = 890.0, height = 49.0 }, layerPaintBehavior=2) at GraphicsLayer.cpp:527:14
    frame #20: 0x00000005424eae25 WebCore`WebCore::GraphicsLayerCA::platformCALayerPaintContents(this=0x0000000564fd6000, (null)=0x000000056894c498, context=0x00007ffee5253a30, clip={ x = 0.0, y = 0.0, width = 890.0, height = 49.0 }, layerPaintBehavior=2) at GraphicsLayerCA.cpp:1703:5
    frame #21: 0x000000054013da4c WebCore`WebCore::PlatformCALayer::drawLayerContents(graphicsContext=0x00007ffee5253a30, platformCALayer=0x000000056894c498, dirtyRects={ size = 1, capacity = 5 }, layerPaintBehavior=2) at PlatformCALayerCocoa.mm:1198:32
    frame #22: 0x000000054028b4cd WebCore`-[WebLayer drawInContext:](self=0x00006000007a4640, _cmd="drawInContext:", context=0x00006000032f8480) at WebLayer.mm:56:9
    frame #23: 0x00007fff3addf86d QuartzCore`CABackingStoreUpdate_ + 595
    frame #24: 0x00007fff3ae3f4ad QuartzCore`___ZN2CA5Layer8display_Ev_block_invoke + 53
    frame #25: 0x00007fff3added86 QuartzCore`-[CALayer _display] + 2103
    frame #26: 0x000000054028bc5b WebCore`-[WebSimpleLayer display](self=0x00006000007a4640, _cmd="display") at WebLayer.mm:116:5
    frame #27: 0x00007fff3addde09 QuartzCore`CA::Layer::display_if_needed(CA::Transaction*) + 757
    frame #28: 0x00007fff3adbc106 QuartzCore`CA::Context::commit_transaction(CA::Transaction*, double) + 334
    frame #29: 0x00007fff3adbacf0 QuartzCore`CA::Transaction::commit() + 644
    frame #30: 0x00007fff3adf7151 QuartzCore`CA::Transaction::observer_callback(__CFRunLoopObserver*, unsigned long, void*) + 69
    frame #31: 0x00007fff2f2ec335 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__ + 23
    frame #32: 0x00007fff2f2ec267 CoreFoundation`__CFRunLoopDoObservers + 457
    frame #33: 0x00007fff2f2eae79 CoreFoundation`CFRunLoopRunSpecific + 521
    frame #34: 0x00007fff319861c8 Foundation`-[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 212
    frame #35: 0x00007fff31a38c6f Foundation`-[NSRunLoop(NSRunLoop) run] + 76
    frame #36: 0x00007fff695ce4ea libxpc.dylib`_xpc_objc_main.cold.4 + 49
    frame #37: 0x00007fff695ce430 libxpc.dylib`_xpc_objc_main + 559
    frame #38: 0x00007fff695cdf63 libxpc.dylib`xpc_main + 377
    frame #39: 0x0000000530acb433 WebKit`WebKit::XPCServiceMain(argc=1, argv=0x00007ffee5255640) at XPCServiceMain.mm:208:5
    frame #40: 0x0000000531eda5cb WebKit`WKXPCServiceMain(argc=1, argv=0x00007ffee5255640) at WKMain.mm:33:12
    frame #41: 0x000000010a9aae92 com.apple.WebKit.WebContent.Development`main(argc=1, argv=0x00007ffee5255640) at AuxiliaryProcessMain.cpp:30:12
    frame #42: 0x00007fff69380cc9 libdyld.dylib`start + 1
(lldb)
Comment 1 Radar WebKit Bug Importer 2020-12-05 12:40:47 PST
<rdar://problem/72011846>
Comment 2 Said Abou-Hallawa 2020-12-05 14:33:31 PST
Created attachment 415500 [details]
Patch
Comment 3 Said Abou-Hallawa 2020-12-05 14:39:55 PST
Created attachment 415501 [details]
Patch
Comment 4 Said Abou-Hallawa 2020-12-05 14:44:45 PST
This is caused by r270458, where the backendSize is calculated from the backend data (the IOSurface if it is an accelerated CG backend).

I reviewed all the places which call sinkIntoNativeImage() and I found only two places which call backendSize after sinking the backend into a NativeImage. These places are:

ImageBufferIOSurfaceBackend::drawConsuming()
ImageBufferCGBackend::sinkIntoImage()

The one in ImageBufferCGBackend::sinkIntoImage() is already fixed the same way in r270458 because it was caught by the layout tests.
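The ordering defect described in Comment 4, as an added example that is not WebKit's code: a constructed stand-in backend whose size comes from its surface, with the crashing order (sink the surface, then call backendSize()) beside a variant that reads the size before sinking. The names Backend, Surface, NativeImage, drawConsumingBuggy and drawConsumingFixed are assumptions, and the read-before-sinking fix shape is an assumption about the landed change, which this page does not show.

```cpp
#include <memory>
#include <optional>
#include <utility>
// Constructed stand-in (not WebKit code) for the IOSurface-backed backend in
// the bug: the size lives on the surface, and sinking moves the surface away.
struct Size { int width; int height; };
struct Surface { Size size; };
struct NativeImage { std::unique_ptr<Surface> surface; };

struct Backend {
    std::unique_ptr<Surface> surface;

    // Stands in for IOSurface::size() reached via backendSize() (frames #0/#1).
    // Returns nullopt rather than dereferencing null so the defect is observable.
    std::optional<Size> backendSize() const {
        if (!surface)
            return std::nullopt;
        return surface->size;
    }

    // Hands the surface to a NativeImage; the backend is left empty afterwards.
    NativeImage sinkIntoNativeImage() { return NativeImage{ std::move(surface) }; }
};

// Crashing order from the backtrace: sink first, then ask the now-empty backend.
std::optional<Size> drawConsumingBuggy(Backend& backend) {
    NativeImage image = backend.sinkIntoNativeImage();
    return backend.backendSize(); // surface is null here
}

// Assumed fix shape: read the size while the backend still owns the surface.
std::optional<Size> drawConsumingFixed(Backend& backend) {
    std::optional<Size> size = backend.backendSize();
    NativeImage image = backend.sinkIntoNativeImage();
    return size;
}

// Sample backend sized like the srcRect in the backtrace (constructed input).
Backend makeBackend(int width = 1780, int height = 96) {
    return Backend{ std::make_unique<Surface>(Surface{ { width, height } }) };
}

// Checks: the buggy order loses the size, the fixed order keeps it.
bool buggyOrderLosesSize() { Backend b = makeBackend(); return !drawConsumingBuggy(b).has_value(); }
bool fixedOrderKeepsSize() {
    Backend b = makeBackend();
    std::optional<Size> s = drawConsumingFixed(b);
    return s && s->width == 1780 && s->height == 96;
}
```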
Comment 5 EWS 2020-12-05 16:22:35 PST
Committed r270479: <https://trac.webkit.org/changeset/270479>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 415501 [details].