Bug 222379

Summary:

[GPU Process] Stroke and fill StateChangeFlags should be set exclusively

Product:

WebKit

Reporter:

Said Abou-Hallawa <sabouhallawa>

Component:

Canvas

Assignee:

Said Abou-Hallawa <sabouhallawa>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

dino, simon.fraser, thorton, webkit-bug-importer, wenson_hsieh

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
Patch	none
Patch	none
Patch	none

Said Abou-Hallawa

Reported 2021-02-24 13:05:44 PST

The stroke and the fill in GraphicsContextState can be set exclusively to color, pattern or gradient. The corresponding flag in StateChangeFlags is set once the GraphicsContext function is called. The problem is we do not clear the old flags. And this is why in StateState::encode() and StateState::decode(), we were expecting the flags might be set but the pointers of the pattern and the gradient are null. This has been an area of mistakes and confusion and can lead to this crash with GPUP enabled when GraphicsContext::setFillColor is called after GraphicsContext::setFillGradient() is called: frame #1: 0x000000011d9870bb WebCore`WTFCrashWithInfo((null)=82, (null)="/Volumes/Data/Development/system/webkit/OpenSource/WebKitBuild/Debug/usr/local/include/wtf/RefPtr.h", (null)="T &WTF::RefPtr<WebCore::Gradient, WTF::RawPtrTraits<WebCore::Gradient>, WTF::DefaultRefDerefTraits<WebCore::Gradient> >::operator*() const [T = WebCore::Gradient, _PtrTraits = WTF::RawPtrTraits<WebCore::Gradient>, _RefDerefTraits = WTF::DefaultRefDerefTraits<WebCore::Gradient>]", (null)=23) at Assertions.h:671:5 frame #2: 0x000000012184a3f8 WebCore`WTF::RefPtr<WebCore::Gradient, WTF::RawPtrTraits<WebCore::Gradient>, WTF::DefaultRefDerefTraits<WebCore::Gradient> >::operator*(this=0x0000700005297cc0) const at RefPtr.h:82:28 frame #3: 0x0000000121849d0e WebCore`WebCore::GraphicsContextStateChange::apply(this=0x0000700005297cb0, context=0x000000010b0cf1b0) const at GraphicsContext.cpp:220:33 frame #4: 0x00000001219f38cd WebCore`WebCore::DisplayList::SetState::apply(this=0x0000700005297cb0, context=0x000000010b0cf1b0) const at DisplayListItems.cpp:223:13 frame #5: 0x00000001219f3088 WebCore`WebCore::DisplayList::ItemHandle::apply(this=0x0000700005297918, context=0x000000010b0cf1b0) at DisplayListItemBuffer.cpp:92:25 frame #6: 0x0000000121a0426d WebCore`WebCore::DisplayList::Replayer::applyItem(this=0x0000700005297e70, item=(data = "\v")) at DisplayListReplayer.cpp:120:10 frame #7: 0x00000001219f21da WebCore`WebCore::DisplayList::Replayer::replay(this=0x0000700005297e70, initialClip={ x = 0.0, y = 0.0, width = 0.0, height = 0.0 }, trackReplayList=false) at DisplayListReplayer.cpp:158:73 The crash happens in this following statement in GraphicsContextStateChange::apply() if (m_changeFlags.contains(GraphicsContextState::FillGradientChange)) context.setFillGradient(*m_state.fillGradient, m_state.fillGradientSpaceTransform);

Attachments
Patch (8.62 KB, patch) 2021-02-24 13:10 PST, Said Abou-Hallawa	no flags	Details Formatted Diff Diff
Patch (8.65 KB, patch) 2021-02-24 13:10 PST, Said Abou-Hallawa	no flags	Details Formatted Diff Diff
Patch (11.10 KB, patch) 2021-02-25 09:09 PST, Said Abou-Hallawa	no flags	Details Formatted Diff Diff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.