Bug 222379

Summary: [GPU Process] Stroke and fill StateChangeFlags should be set exclusively
Product: WebKit Reporter: Said Abou-Hallawa <sabouhallawa>
Component: CanvasAssignee: Said Abou-Hallawa <sabouhallawa>
Status: RESOLVED FIXED    
Severity: Normal CC: dino, simon.fraser, thorton, webkit-bug-importer, wenson_hsieh
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch
none
Patch none

Description Said Abou-Hallawa 2021-02-24 13:05:44 PST 
The stroke and the fill in GraphicsContextState can be set exclusively to color, pattern or gradient. The corresponding flag in StateChangeFlags is set once the GraphicsContext function is called. The problem is we do not clear the old flags. And this is why in StateState::encode() and StateState::decode(), we were expecting the flags might be set but the pointers of the pattern and the gradient are null. This has been an area of mistakes and confusion and can lead to this crash with GPUP enabled when GraphicsContext::setFillColor is called after GraphicsContext::setFillGradient() is called:

frame #1: 0x000000011d9870bb WebCore`WTFCrashWithInfo((null)=82, (null)="/Volumes/Data/Development/system/webkit/OpenSource/WebKitBuild/Debug/usr/local/include/wtf/RefPtr.h", (null)="T &WTF::RefPtr<WebCore::Gradient, WTF::RawPtrTraits<WebCore::Gradient>, WTF::DefaultRefDerefTraits<WebCore::Gradient> >::operator*() const [T = WebCore::Gradient, _PtrTraits = WTF::RawPtrTraits<WebCore::Gradient>, _RefDerefTraits = WTF::DefaultRefDerefTraits<WebCore::Gradient>]", (null)=23) at Assertions.h:671:5
frame #2: 0x000000012184a3f8 WebCore`WTF::RefPtr<WebCore::Gradient, WTF::RawPtrTraits<WebCore::Gradient>, WTF::DefaultRefDerefTraits<WebCore::Gradient> >::operator*(this=0x0000700005297cc0) const at RefPtr.h:82:28
frame #3: 0x0000000121849d0e WebCore`WebCore::GraphicsContextStateChange::apply(this=0x0000700005297cb0, context=0x000000010b0cf1b0) const at GraphicsContext.cpp:220:33
frame #4: 0x00000001219f38cd WebCore`WebCore::DisplayList::SetState::apply(this=0x0000700005297cb0, context=0x000000010b0cf1b0) const at DisplayListItems.cpp:223:13
frame #5: 0x00000001219f3088 WebCore`WebCore::DisplayList::ItemHandle::apply(this=0x0000700005297918, context=0x000000010b0cf1b0) at DisplayListItemBuffer.cpp:92:25
frame #6: 0x0000000121a0426d WebCore`WebCore::DisplayList::Replayer::applyItem(this=0x0000700005297e70, item=(data = "\v")) at DisplayListReplayer.cpp:120:10
frame #7: 0x00000001219f21da WebCore`WebCore::DisplayList::Replayer::replay(this=0x0000700005297e70, initialClip={ x = 0.0, y = 0.0, width = 0.0, height = 0.0 }, trackReplayList=false) at DisplayListReplayer.cpp:158:73

The crash happens in this following statement in GraphicsContextStateChange::apply()

    if (m_changeFlags.contains(GraphicsContextState::FillGradientChange))
        context.setFillGradient(*m_state.fillGradient, m_state.fillGradientSpaceTransform);
Comment 1 Said Abou-Hallawa 2021-02-24 13:10:01 PST 
Created attachment 421448 [details]
Patch
Comment 2 Said Abou-Hallawa 2021-02-24 13:10:47 PST 
Created attachment 421449 [details]
Patch
Comment 3 Said Abou-Hallawa 2021-02-24 13:11:20 PST 
<rdar://problem/73610005>
Comment 4 Simon Fraser (smfr) 2021-02-24 13:40:31 PST 
Comment on attachment 421449 [details]
Patch

Does this fix any test crashes? Should we add a new test?
Comment 5 Said Abou-Hallawa 2021-02-25 09:09:50 PST 
Created attachment 421530 [details]
Patch
Comment 6 Said Abou-Hallawa 2021-02-25 09:11:59 PST 
A new test was added. Without this patch, it crashes if GPUProcess for canvas rendering is enabled.
Comment 7 EWS 2021-02-25 10:24:26 PST 
Committed r273493: <https://commits.webkit.org/r273493>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 421530 [details].
Comment 8 Said Abou-Hallawa 2021-03-01 21:36:55 PST 
<rdar://problem/72783926>