Bug 224744

Summary: [GPU Process] Closing the GPU Process should clean all the back pointers from ItemBuffer to RemoteRenderingBackendProxy
Product: WebKit
Reporter: Kimmo Kinnunen <kkinnunen>
Component: Canvas
Assignee: Said Abou-Hallawa <sabouhallawa>
Status: RESOLVED FIXED
Severity: Normal
CC: dino, rniwa, sabouhallawa, simon.fraser, thorton, webkit-bug-importer, wenson_hsieh
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified

Attachments (Description / Flags):
Patch / none
Patch / none

Description Kimmo Kinnunen 2021-04-19 02:42:06 PDT
SHOULD NEVER BE REACHED in void WebKit::RemoteRenderingBackendProxy::didAppendData

WebContent process crashes after GPU process crashes.
First ASSERT is for GPU process crash.
Second ASSERT is for this bug, WebContent process crash.

ASSERTION FAILED: MIMETypeRegistry::isSupportedImageMIMETypeForEncoding(mimeType)
./platform/graphics/cg/ImageBufferCGBackend.cpp(176) : virtual RetainPtr<CFDataRef> WebCore::ImageBufferCGBackend::toCFData(const WTF::String &, Optional<double>, WebCore::PreserveResolution) const
1   0x1274ab0cc WTFCrash
2   0x138616b04 WebCore::JSDOMSelection::createPrototype(JSC::VM&, WebCore::JSDOMGlobalObject&)
3   0x13bd60f28 WebCore::ImageBufferCGBackend::toCFData(WTF::String const&, WTF::Optional<double>, WebCore::PreserveResolution) const
4   0x13bd71a84 WebCore::ImageBufferIOSurfaceBackend::toCFData(WTF::String const&, WTF::Optional<double>, WebCore::PreserveResolution) const
5   0x13bd61afc WebCore::ImageBufferCGBackend::toDataURL(WTF::String const&, WTF::Optional<double>, WebCore::PreserveResolution) const
6   0x110a66a0c WebCore::ConcreteImageBuffer<WebKit::ImageBufferShareableMappedIOSurfaceBackend>::toDataURL(WTF::String const&, WTF::Optional<double>, WebCore::PreserveResolution) const
7   0x110a57910 WebKit::RemoteRenderingBackend::getDataURLForImageBuffer(WTF::String const&, WTF::Optional<double>, WebCore::PreserveResolution, WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::CompletionHandler<void (WTF::String&&)>&&)
8   0x110a1c1a8 void IPC::callMemberFunctionImpl<WebKit::RemoteRenderingBackend, void (WebKit::RemoteRenderingBackend::*)(WTF::String const&, WTF::Optional<double>, WebCore::PreserveResolution, WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::CompletionHandler<void (WTF::String&&)>&&), void (WTF::String const&), std::__1::tuple<WTF::String, WTF::Optional<double>, WebCore::PreserveResolution, WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType> >, 0ul, 1ul, 2ul, 3ul>(WebKit::RemoteRenderingBackend*, void (WebKit::RemoteRenderingBackend::*)(WTF::String const&, WTF::Optional<double>, WebCore::PreserveResolution, WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::CompletionHandler<void (WTF::String&&)>&&), WTF::CompletionHandler<void (WTF::String const&)>&&, std::__1::tuple<WTF::String, WTF::Optional<double>, WebCore::PreserveResolution, WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType> >&&, std::__1::integer_sequence<unsigned long, 0ul, 1ul, 2ul, 3ul>)
9   0x110a19820 void IPC::callMemberFunction<WebKit::RemoteRenderingBackend, void (WebKit::RemoteRenderingBackend::*)(WTF::String const&, WTF::Optional<double>, WebCore::PreserveResolution, WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::CompletionHandler<void (WTF::String&&)>&&), void (WTF::String const&), std::__1::tuple<WTF::String, WTF::Optional<double>, WebCore::PreserveResolution, WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType> >, std::__1::integer_sequence<unsigned long, 0ul, 1ul, 2ul, 3ul> >(std::__1::tuple<WTF::String, WTF::Optional<double>, WebCore::PreserveResolution, WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType> >&&, WTF::CompletionHandler<void (WTF::String const&)>&&, WebKit::RemoteRenderingBackend*, void (WebKit::RemoteRenderingBackend::*)(WTF::String const&, WTF::Optional<double>, WebCore::PreserveResolution, WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::CompletionHandler<void (WTF::String&&)>&&))
10  0x110a0007c bool IPC::handleMessageSynchronous<Messages::RemoteRenderingBackend::GetDataURLForImageBuffer, WebKit::RemoteRenderingBackend, void (WebKit::RemoteRenderingBackend::*)(WTF::String const&, WTF::Optional<double>, WebCore::PreserveResolution, WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::CompletionHandler<void (WTF::String&&)>&&)>(IPC::Connection&, IPC::Decoder&, WTF::UniqueRef<IPC::Encoder>&, WebKit::RemoteRenderingBackend*, void (WebKit::RemoteRenderingBackend::*)(WTF::String const&, WTF::Optional<double>, WebCore::PreserveResolution, WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::CompletionHandler<void (WTF::String&&)>&&))
11  0x1109ffa44 WebKit::RemoteRenderingBackend::didReceiveSyncMessage(IPC::Connection&, IPC::Decoder&, WTF::UniqueRef<IPC::Encoder>&)
12  0x10ffbb5e8 IPC::Connection::dispatchMessageReceiverMessage(IPC::MessageReceiver&, std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >&&)
13  0x10ffc4014 IPC::WorkQueueMessageReceiverQueue::enqueueMessage(IPC::Connection&, std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >&&)::'lambda'()::operator()()
14  0x10ffc3cec WTF::Detail::CallableWrapper<IPC::WorkQueueMessageReceiverQueue::enqueueMessage(IPC::Connection&, std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >&&)::'lambda'(), void>::call()
15  0x1274cddc4 WTF::Function<void ()>::operator()() const
16  0x1275c7810 WTF::WorkQueue::dispatch(WTF::Function<void ()>&&)::$_0::operator()() const
17  0x1275c7ae0 WTF::BlockPtr<void ()> WTF::BlockPtr<void ()>::fromCallable<WTF::WorkQueue::dispatch(WTF::Function<void ()>&&)::$_0>(WTF::WorkQueue::dispatch(WTF::Function<void ()>&&)::$_0)::'lambda'(void*)::operator()(void*) const
18  0x1275c7ab0 WTF::BlockPtr<void ()> WTF::BlockPtr<void ()>::fromCallable<WTF::WorkQueue::dispatch(WTF::Function<void ()>&&)::$_0>(WTF::WorkQueue::dispatch(WTF::Function<void ()>&&)::$_0)::'lambda'(void*)::__invoke(void*)
19  0x1951f8d70 _dispatch_call_block_and_release
20  0x1951fab74 _dispatch_client_callout
21  0x195202750 _dispatch_lane_serial_drain
22  0x195203354 _dispatch_lane_invoke
23  0x19520e3a8 _dispatch_workloop_worker_thread
24  0x1953b4d48 _pthread_wqthread
25  0x1953b3a5c start_wqthread
2021-04-19 12:38:42.760 com.apple.WebKit.WebContent.Development[40260:4915662] XType: com.apple.fonts is not accessible.
2021-04-19 12:38:42.760 com.apple.WebKit.WebContent.Development[40260:4915662] XType: XTFontStaticRegistry is enabled.
SHOULD NEVER BE REACHED
/Users/kkinnunen/WebKit/OpenSource/Source/WebKit/WebProcess/GPU/graphics/RemoteRenderingBackendProxy.cpp(325) : void WebKit::RemoteRenderingBackendProxy::didAppendData(const DisplayList::ItemBufferHandle &, size_t, DisplayList::DidChangeItemBuffer, WebCore::RenderingResourceIdentifier)
1   0x129bdb0cc WTFCrash
2   0x11286d184 WTF::Optional<JSC::JSValue>::Optional(JSC::JSValue&&)
3   0x114225d68 WebKit::RemoteRenderingBackendProxy::didAppendData(WebCore::DisplayList::ItemBufferHandle const&, unsigned long, WebCore::DisplayList::DidChangeItemBuffer, WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>)
4   0x1142ced44 WebKit::RemoteImageBufferProxy<WebKit::ImageBufferShareableMappedIOSurfaceBackend>::didAppendData(WebCore::DisplayList::ItemBufferHandle const&, unsigned long, WebCore::DisplayList::DidChangeItemBuffer)
5   0x13e524d9c WebCore::DisplayList::ItemBuffer::didAppendData(unsigned long, WebCore::DisplayList::DidChangeItemBuffer)
6   0x13e54acb4 void WebCore::DisplayList::ItemBuffer::uncheckedAppend<WebCore::DisplayList::Save>(WebCore::DisplayList::DidChangeItemBuffer)
7   0x13e54ac4c void WebCore::DisplayList::ItemBuffer::append<WebCore::DisplayList::Save>()
8   0x13e54abf0 void WebCore::DisplayList::DisplayList::append<WebCore::DisplayList::Save>()
9   0x13e52c9f4 void WebCore::DisplayList::Recorder::append<WebCore::DisplayList::Save>()
10  0x13e52c974 WebCore::DisplayList::Recorder::save()
11  0x13e37b644 WebCore::GraphicsContext::save()
12  0x13a94dbd0 WebCore::GraphicsContextStateSaver::GraphicsContextStateSaver(WebCore::GraphicsContext&, bool)
13  0x13a93cba0 WebCore::GraphicsContextStateSaver::GraphicsContextStateSaver(WebCore::GraphicsContext&, bool)
14  0x13e48df74 WebCore::GraphicsContextGLOpenGL::paintToCanvas(WebCore::GraphicsContextGLAttributes const&, WTF::Ref<WebCore::ImageData, WTF::RawPtrTraits<WebCore::ImageData> >&&, WebCore::IntSize const&, WebCore::GraphicsContext&)
15  0x13e591410 WebCore::GraphicsContextGLOpenGL::paintRenderingResultsToCanvas(WebCore::ImageBuffer&)
16  0x13d9161fc WebCore::WebGLRenderingContextBase::paintRenderingResultsToCanvas()
17  0x13d64429c WebCore::CanvasBase::makeRenderingResultsAvailable()
18  0x13d6ac4e4 WebCore::HTMLCanvasElement::toDataURL(WTF::String const&, JSC::JSValue)
19  0x13b0befe4 WebCore::jsHTMLCanvasElementPrototypeFunction_toDataURLBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSHTMLCanvasElement*)
20  0x13b0becc4 long long WebCore::IDLOperation<WebCore::JSHTMLCanvasElement>::call<&(WebCore::jsHTMLCanvasElementPrototypeFunction_toDataURLBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSHTMLCanvasElement*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*)
21  0x13b0bbcec WebCore::jsHTMLCanvasElementPrototypeFunction_toDataURL(JSC::JSGlobalObject*, JSC::CallFrame*)
22  0x280004c04
23  0x280004008
24  0x280004008
25  0x280004008
26  0x280004728
27  0x12b5e90ac JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
28  0x12aeb83a4 JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
29  0x12b210ba4 JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
30  0x12b210c60 JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)
31  0x12b210f7c JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)
Comment 1 Said Abou-Hallawa 2021-04-19 11:53:58 PDT
<rdar://76286963>
Comment 2 Kimmo Kinnunen 2021-04-20 00:31:11 PDT
The rdar link is wrong.
As said:

First ASSERT is for GPU process crash. <rdar://76286963>

Second ASSERT is for this bug, WebContent process crash.
Comment 3 Alexey Proskuryakov 2021-04-23 12:09:35 PDT
Removing InRadar keyword so that this get re-imported.
Comment 4 Radar WebKit Bug Importer 2021-04-23 13:10:35 PDT
<rdar://problem/77083169>
Comment 5 Said Abou-Hallawa 2021-05-06 13:32:04 PDT
<rdar://74592639>
Comment 6 Said Abou-Hallawa 2021-05-06 13:50:16 PDT
Created attachment 427932 [details]
Patch
Comment 7 Tim Horton 2021-05-06 13:53:53 PDT
Comment on attachment 427932 [details]
Patch

Maybe separately these should all be WeakPtr-y things?
Comment 8 Said Abou-Hallawa 2021-05-06 16:41:56 PDT
Comment on attachment 427932 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=427932&action=review

> Source/WebCore/platform/graphics/displaylists/DisplayListImageBuffer.h:95
> +        m_drawingContext.recorder().clearDelegate();
> +
> +        m_drawingContext.displayList().setItemBufferWritingClient(nullptr);
> +        m_drawingContext.displayList().setItemBufferReadingClient(nullptr);
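Review bot: nulling the item buffer writing and reading clients (and clearing the recorder delegate) on this teardown path leaves the DisplayList with no client to create new ItemBufferHandles once the RemoteImageBufferProxy's backend is recreated, so the next recorded item after a GPU process restart goes through null pointers; either drop these three calls, or have the path that recreates the backend restore the delegate and both clients before any further recording happens. Since the RemoteRenderingBackendProxy owns the DisplayList and its Recorder, pointers from them back to the proxy cannot outlive it and do not need clearing here.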

These lines caused the API test GPUProcess.CanvasBasicCrashHandling to fail. They should not be here because the RemoteRenderingBackendProxy will try to recreate the backend of the RemoteImageBufferProxy after it calls clearBackend(). Once it's recreated the DisplayList::Recorder will need the delegate and the DisplayList::DisplayList will need the writing client to create new ItemBufferHandles.

So these pointers should stay as they are since they are always valid. They point to the RemoteRenderingBackendProxy and the RemoteRenderingBackendProxy owns the DisplayList and its Recorder.
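A small C++ model of the two ways of keeping the back pointer from an item buffer to its client safe across a GPU process teardown, as discussed in comments 7 and 8. This is an added example, not WebKit code: the class names (`RawPointerItemBuffer`, `WeakPointerItemBuffer`, `CountingClient`, `ItemBufferClient`) are hypothetical stand-ins for ItemBuffer and RemoteRenderingBackendProxy, `std::weak_ptr` stands in for WTF::WeakPtr, and the `didAppendData` callback carries only a byte count rather than WebKit's real arguments. The first pattern relies on the owner clearing the raw pointer on close (the step this bug's title asks for); the second makes the use site check liveness, as Tim Horton suggests.

```cpp
#include <cstddef>
#include <memory>
#include <utility>

// Toy model (not WebKit code): an item buffer notifies a client after each
// append. The client stands in for RemoteRenderingBackendProxy.
class ItemBufferClient {
public:
    virtual ~ItemBufferClient() = default;
    virtual void didAppendData(size_t bytes) = 0;
};

// Pattern 1: raw back pointer. Safe only if the owner clears it before the
// client is destroyed, e.g. in the GPU-process-close path.
class RawPointerItemBuffer {
public:
    void setClient(ItemBufferClient* client) { m_client = client; }
    void clearClient() { m_client = nullptr; }   // must run before the client dies
    bool append(size_t bytes) {
        m_size += bytes;                          // the append itself is still recorded
        if (!m_client)
            return false;                         // no live client to notify
        m_client->didAppendData(bytes);
        return true;
    }
private:
    ItemBufferClient* m_client = nullptr;
    size_t m_size = 0;
};

// Pattern 2: weak back pointer (std::weak_ptr stands in for WTF::WeakPtr).
// The use site checks liveness, so teardown needs no extra bookkeeping.
class WeakPointerItemBuffer {
public:
    explicit WeakPointerItemBuffer(std::weak_ptr<ItemBufferClient> client)
        : m_client(std::move(client)) {}
    bool append(size_t bytes) {
        m_size += bytes;
        auto client = m_client.lock();            // null once the client is gone
        if (!client)
            return false;
        client->didAppendData(bytes);
        return true;
    }
private:
    std::weak_ptr<ItemBufferClient> m_client;
    size_t m_size = 0;
};

// Stand-in for the proxy: just counts the bytes it was told about.
class CountingClient : public ItemBufferClient {
public:
    void didAppendData(size_t bytes) override { bytesSeen += bytes; }
    size_t bytesSeen = 0;
};

struct Outcome {
    bool notifiedBeforeClose;
    bool notifiedAfterClose;
    size_t bytesSeenByClient;
};

// Raw-pointer pattern: the close path clears the back pointer, then the client dies.
Outcome rawPointerScenario() {
    auto client = std::make_unique<CountingClient>();
    RawPointerItemBuffer buffer;
    buffer.setClient(client.get());
    bool before = buffer.append(16);
    size_t seen = client->bytesSeen;
    buffer.clearClient();          // the clearing step; omit it and the next append dangles
    client.reset();                // client destroyed with the GPU process connection
    bool after = buffer.append(16);
    return { before, after, seen };
}

// Weak-pointer pattern: destroying the client is enough; the append is dropped, not crashed.
Outcome weakPointerScenario() {
    auto client = std::make_shared<CountingClient>();
    WeakPointerItemBuffer buffer(client);
    bool before = buffer.append(16);
    size_t seen = client->bytesSeen;
    client.reset();                // simulate GPU process close destroying the proxy
    bool after = buffer.append(16);
    return { before, after, seen };
}
```

Both scenarios report one successful notification before the close and a silently dropped one after it. The difference is where the safety lives: with the raw pointer every teardown path has to remember `clearClient()`, while the weak pointer makes a forgotten clear a dropped callback rather than a call through freed memory.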
Comment 9 Said Abou-Hallawa 2021-05-06 16:43:21 PDT
Created attachment 427957 [details]
Patch
Comment 10 EWS 2021-05-07 00:44:38 PDT
Committed r277162 (237448@main): <https://commits.webkit.org/237448@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 427957 [details].