Bug 236501

Summary: GPUP WebGL: WTF::RefCountedBase::applyRefDerefThreadingCheck() fails due to RemoteGraphicsContextGL::paintPixelBufferToImageBuffer
Product: WebKit
Reporter: Kimmo Kinnunen <kkinnunen>
Component: WebGL
Assignee: Kimmo Kinnunen <kkinnunen>
Status: RESOLVED FIXED
Severity: Normal
CC: dino, jonlee, kbr, kkinnunen, koivisto, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: Other
Hardware: Unspecified
OS: Unspecified
See Also: https://bugs.webkit.org/show_bug.cgi?id=236382
Bug Depends on:
Bug Blocks: 217211
Attachments: Patch (Flags: none)

Description Kimmo Kinnunen 2022-02-11 06:42:55 PST
GPUP WebGL: WTF::RefCountedBase::applyRefDerefThreadingCheck() fails due to RemoteGraphicsContextGL::paintPixelBufferToImageBuffer


Thread 0 Crashed::  Dispatch queue: com.apple.main-thread
0   JavaScriptCore                	       0x132b265be WTFCrash + 14
1   WebCore                       	       0x14e8544e3 WTF::RefCountedBase::applyRefDerefThreadingCheck() const + 179 (RefCounted.h:114)
2   WebCore                       	       0x14e8542b9 WTF::RefCountedBase::derefBase() const + 25 (RefCounted.h:130)
3   WebCore                       	       0x14e8df579 WTF::RefCounted<JSC::ArrayBufferView, std::__1::default_delete<JSC::ArrayBufferView> >::deref() const + 25 (RefCounted.h:189)
4   WebCore                       	       0x152c9fc15 WebCore::GraphicsContextGL::paintToCanvas(WebCore::GraphicsContextGLAttributes const&, WebCore::PixelBuffer&&, WebCore::IntSize const&, WebCore::GraphicsContext&)::$_15::operator()(void*, void const*, unsigned long) const + 37 (GraphicsContextGLCG.cpp:531)
5   WebCore                       	       0x152c9fbe5 WebCore::GraphicsContextGL::paintToCanvas(WebCore::GraphicsContextGLAttributes const&, WebCore::PixelBuffer&&, WebCore::IntSize const&, WebCore::GraphicsContext&)::$_15::__invoke(void*, void const*, unsigned long) + 37 (GraphicsContextGLCG.cpp:530)
6   CoreGraphics                  	    0x7ff811b68285 data_release_info + 31
7   CoreGraphics                  	    0x7ff811b19c3e data_provider_finalize + 64
8   CoreGraphics                  	    0x7ff811adfa2a data_provider_retain_count + 74
9   CoreFoundation                	    0x7ff80c933d30 _CFRelease + 478
10  CoreGraphics                  	    0x7ff811b454f4 image_finalize + 103
11  CoreFoundation                	    0x7ff80c933c46 _CFRelease + 244
12  WebCore                       	       0x14ebfed19 WTF::RetainPtr<CGImage*>::~RetainPtr() + 57 (RetainPtr.h:178)
13  WebCore                       	       0x14ebcb145 WTF::RetainPtr<CGImage*>::~RetainPtr() + 21 (RetainPtr.h:176)
14  WebCore                       	       0x152baeeba WebCore::NativeImage::~NativeImage() + 186 (NativeImage.cpp:50)
15  WebCore                       	       0x152baf095 WebCore::NativeImage::~NativeImage() + 21 (NativeImage.cpp:47)
16  WebCore                       	       0x14ebf29ca WTF::ThreadSafeRefCounted<WebCore::NativeImage, (WTF::DestructionThread)1>::deref() const::'lambda'()::operator()() const + 42 (ThreadSafeRefCounted.h:117)
17  WebCore                       	       0x14ebf2979 WTF::Detail::CallableWrapper<WTF::ThreadSafeRefCounted<WebCore::NativeImage, (WTF::DestructionThread)1>::deref() const::'lambda'(), void>::call() + 25 (Function.h:53)
18  JavaScriptCore                	       0x132b503b2 WTF::Function<void ()>::operator()() const + 130
19  JavaScriptCore                	       0x132bd719e WTF::RunLoop::performWork() + 318
20  JavaScriptCore                	       0x132bdaa6e WTF::RunLoop::performWork(void*) + 30
21  CoreFoundation                	    0x7ff80c866c1b __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17

Thread 7:: RemoteRenderingBackend work queue
0   libsystem_kernel.dylib        	    0x7ff80c76399a mach_msg_trap + 10
1   libsystem_kernel.dylib        	    0x7ff80c763d08 mach_msg + 56
2   libsystem_kernel.dylib        	    0x7ff80c765f35 vm_copy + 106
3   CoreGraphics                  	    0x7ff811cb92d0 create_protected_copy + 181
4   CoreGraphics                  	    0x7ff811b07274 CGDataProviderCreateWithCopyOfData + 12
5   CoreGraphics                  	    0x7ff811b07254 CGDataProviderCreateTrustedWithCopyOfData + 9
6   CoreGraphics                  	    0x7ff811b070a2 CGBitmapContextCreateImage + 133
7   WebKit                        	       0x1208c31dc WebKit::ShareableBitmap::makeCGImageCopy() + 108 (ShareableBitmapCG.cpp:171)
8   WebKit                        	       0x11fd857f3 WebKit::ShareableBitmap::createPlatformImage() + 35 (ShareableBitmap.h:123)
9   WebKit                        	       0x120facd67 WebKit::ImageBufferShareableBitmapBackend::copyNativeImage(WebCore::BackingStoreCopy) const + 55 (ImageBufferShareableBitmapBackend.cpp:148)
10  WebCore                       	       0x152c90b91 WebCore::ImageBufferCGBackend::draw(WebCore::GraphicsContext&, WebCore::FloatRect const&, WebCore::FloatRect const&, WebCore::ImagePaintingOptions const&) + 161 (ImageBufferCGBackend.cpp:141)
11  WebKit                        	       0x11fd9a2f0 WebCore::ConcreteImageBuffer<WebKit::ImageBufferShareableBitmapBackend>::draw(WebCore::GraphicsContext&, WebCore::FloatRect const&, WebCore::FloatRect const&, WebCore::ImagePaintingOptions const&) + 96 (ConcreteImageBuffer.h:167)
12  WebCore                       	       0x152b5b6da WebCore::GraphicsContext::drawImageBuffer(WebCore::ImageBuffer&, WebCore::FloatRect const&, WebCore::FloatRect const&, WebCore::ImagePaintingOptions const&) + 90 (GraphicsContext.cpp:695)
13  WebCore                       	       0x152d4115b WebCore::DisplayList::DrawImageBuffer::apply(WebCore::GraphicsContext&, WebCore::ImageBuffer&) const + 59 (DisplayListItems.cpp:371)
14  WebKit                        	       0x11fd7e542 void WebKit::RemoteDisplayListRecorder::handleItem<WebCore::DisplayList::DrawImageBuffer, WebCore::ImageBuffer&>(WebCore::DisplayList::DrawImageBuffer&&, WebCore::ImageBuffer&) + 66 (RemoteDisplayListRecorder.h:149)
15  WebKit                        	       0x11fd7e4de WebKit::RemoteDisplayListRecorder::drawImageBufferWithQualifiedIdentifier(WebCore::ProcessQualified<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType> >, WebCore::FloatRect const&, WebCore::FloatRect const&, WebCore::ImagePaintingOptions const&) + 270 (RemoteDisplayListRecorder.cpp:265)
16  WebKit                        	       0x11fd7e3ca WebKit::RemoteDisplayListRecorder::drawImageBuffer(WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WebCore::FloatRect const&, WebCore::FloatRect const&, WebCore::ImagePaintingOptions const&) + 90 (RemoteDisplayListRecorder.cpp:254)
17  WebKit                        	       0x11fb03925 void IPC::callMemberFunctionImpl<WebKit::RemoteDisplayListRecorder, void (WebKit::RemoteDisplayListRecorder::*)(WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WebCore::FloatRect const&, WebCore::FloatRect const&, WebCore::ImagePaintingOptions const&), std::__1::tuple<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WebCore::FloatRect, WebCore::FloatRect, WebCore::ImagePaintingOptions>, 0ul, 1ul, 2ul, 3ul>(WebKit::RemoteDisplayListRecorder*, void (WebKit::RemoteDisplayListRecorder::*)(WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WebCore::FloatRect const&, WebCore::FloatRect const&, WebCore::ImagePaintingOptions const&), std::__1::tuple<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WebCore::FloatRect, WebCore::FloatRect, WebCore::ImagePaintingOptions>&&, std::__1::integer_sequence<unsigned long, 0ul, 1ul, 2ul, 3ul>) + 229 (HandleMessage.h:125)
18  WebKit                        	       0x11fb0182d void IPC::callMemberFunction<WebKit::RemoteDisplayListRecorder, void (WebKit::RemoteDisplayListRecorder::*)(WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WebCore::FloatRect const&, WebCore::FloatRect const&, WebCore::ImagePaintingOptions const&), std::__1::tuple<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WebCore::FloatRect, WebCore::FloatRect, WebCore::ImagePaintingOptions>, std::__1::integer_sequence<unsigned long, 0ul, 1ul, 2ul, 3ul> >(std::__1::tuple<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WebCore::FloatRect, WebCore::FloatRect, WebCore::ImagePaintingOptions>&&, WebKit::RemoteDisplayListRecorder*, void (WebKit::RemoteDisplayListRecorder::*)(WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WebCore::FloatRect const&, WebCore::FloatRect const&, WebCore::ImagePaintingOptions const&)) + 109 (HandleMessage.h:131)
19  WebKit                        	       0x11faca341 void IPC::handleMessage<Messages::RemoteDisplayListRecorder::DrawImageBuffer, WebKit::RemoteDisplayListRecorder, void (WebKit::RemoteDisplayListRecorder::*)(WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WebCore::FloatRect const&, WebCore::FloatRect const&, WebCore::ImagePaintingOptions const&)>(IPC::Connection&, IPC::Decoder&, WebKit::RemoteDisplayListRecorder*, void (WebKit::RemoteDisplayListRecorder::*)(WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WebCore::FloatRect const&, WebCore::FloatRect const&, WebCore::ImagePaintingOptions const&)) + 225 (HandleMessage.h:196)
20  WebKit                        	       0x11fac7abf WebKit::RemoteDisplayListRecorder::didReceiveStreamMessage(IPC::StreamServerConnectionBase&, IPC::Decoder&) + 2639 (RemoteDisplayListRecorderMessageReceiver.cpp:107)
21  WebKit                        	       0x12053abab IPC::StreamServerConnection::dispatchStreamMessage(IPC::Decoder&&, IPC::StreamMessageReceiver&) + 139 (StreamServerConnection.cpp:254)
22  WebKit                        	       0x12053a544 IPC::StreamServerConnection::dispatchStreamMessages(unsigned long) + 964 (StreamServerConnection.cpp:229)
23  WebKit                        	       0x120538f04 IPC::StreamConnectionWorkQueue::processStreams() + 452 (StreamConnectionWorkQueue.cpp:135)
24  WebKit                        	       0x120540bf0 IPC::StreamConnectionWorkQueue::startProcessingThread()::$_0::operator()() + 32 (StreamConnectionWorkQueue.cpp:107)
25  WebKit                        	       0x120540ba9 WTF::Detail::CallableWrapper<IPC::StreamConnectionWorkQueue::startProcessingThread()::$_0, void>::call() + 25 (Function.h:53)
26  JavaScriptCore                	       0x132b503b2 WTF::Function<void ()>::operator()() const + 130
27  JavaScriptCore                	       0x132c152e8 WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) + 408


Thread 8:: RemoteGraphicsContextGL work queue
0   libsystem_kernel.dylib        	    0x7ff80c7639d6 semaphore_wait_trap + 10
1   WebKit                        	       0x120588e38 IPC::Semaphore::wait() + 24 (IPCSemaphoreDarwin.cpp:77)
2   WebKit                        	       0x120540c26 IPC::StreamConnectionWorkQueue::startProcessingThread()::$_0::operator()() + 86 (StreamConnectionWorkQueue.cpp:112)
3   WebKit                        	       0x120540ba9 WTF::Detail::CallableWrapper<IPC::StreamConnectionWorkQueue::startProcessingThread()::$_0, void>::call() + 25 (Function.h:53)
4   JavaScriptCore                	       0x132b503b2 WTF::Function<void ()>::operator()() const + 130
5   JavaScriptCore                	       0x132c152e8 WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) + 408
6   JavaScriptCore                	       0x132c216d5 WTF::wtfThreadEntryPoint(void*) + 21
7   libsystem_pthread.dylib       	    0x7ff80c7a04bc _pthread_start + 120
8   libsystem_pthread.dylib       	    0x7ff80c79bebf thread_start + 15
Comment 1 Radar WebKit Bug Importer 2022-02-12 19:46:32 PST
<rdar://problem/88862924>
Comment 2 Kimmo Kinnunen 2022-02-15 01:48:32 PST
Created attachment 452003 [details]
Patch
Comment 3 Antti Koivisto 2022-02-15 04:25:06 PST
Comment on attachment 452003 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=452003&action=review

> Source/WebKit/GPUProcess/graphics/RemoteGraphicsContextGL.cpp:261
> +    // FIXME: This should not be needed. Maybe ArrayBufferView should be ThreadSafeRefCounted as it is used in accross multiple threads.
> +    // The call below is synchronous and we transfer the ownership of the `pixelBuffer`.
> +    if (pixelBuffer)
> +        pixelBuffer->data().disableThreadingChecks();
>      m_renderingBackend->dispatch([&, contextAttributes = m_context->contextAttributes()]() mutable {
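Review bot: the new comment says the dispatch below is synchronous and that ownership of `pixelBuffer` is transferred, but the crash trace in the description shows the final `deref()` of the ArrayBufferView happening on the main thread, from the CGDataProvider release callback inside `NativeImage::~NativeImage()`, so the buffer outlives the synchronous call for as long as the CGImage built from it does. `pixelBuffer->data().disableThreadingChecks()` therefore silences the check on that cross-thread ref/deref rather than removing it; since `RefCounted` (unlike the `ThreadSafeRefCounted` the FIXME mentions) uses a non-atomic count, the FIXME should state that the last deref happens on the main thread and why that is safe today (and spell "across"). The `[&, contextAttributes = ...]` capture also keeps the hand-off invisible in the code; capturing `pixelBuffer = WTFMove(pixelBuffer)` into the lambda would make the documented transfer explicit.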

The ownership transfer here is not super obvious in the code.
Comment 4 EWS 2022-02-15 05:11:49 PST
Committed r289802 (247267@main): <https://commits.webkit.org/247267@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 452003 [details].