Bug 240545

Summary: Crash under RemoteDisplayListRecorder::restore()
Product: WebKit
Reporter: Simon Fraser (smfr) <simon.fraser>
Component: WebKit Process Model
Assignee: Kimmo Kinnunen <kkinnunen>
Status: RESOLVED FIXED
Severity: Normal
CC: dino, kkinnunen, sabouhallawa, simon.fraser, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: Safari Technology Preview
Hardware: Unspecified
OS: Unspecified
URL: https://ews-build.s3-us-west-2.amazonaws.com/macOS-BigSur-Release-WK2-Tests-EWS/459507-7519/results.html
Attachments (description, flags):
Crash log: none
Patch: none
For landing.: dino: commit-queue+
[fast-cq] Patch for landing: none

Simon Fraser (smfr)
Reported 2022-05-17 15:57:08 PDT
Created attachment 459519 [details] Crash log

EWS shows a crash under RemoteDisplayListRecorder::restore(): https://ews-build.s3-us-west-2.amazonaws.com/macOS-BigSur-Release-WK2-Tests-EWS/459507-7519/fast/mediastream/granted-denied-request-management2-crash-log.txt

Thread 30 Crashed:: RemoteRenderingBackend work queue
0 com.apple.WebCore 0x000000011482a475 WebCore::Color::operator=(WebCore::Color const&) + 229
1 com.apple.WebCore 0x00000001148a7c62 WebCore::GraphicsContextState::operator=(WebCore::GraphicsContextState const&) + 34
2 com.apple.WebCore 0x00000001148a7b97 WebCore::GraphicsContext::restore() + 55
3 com.apple.WebCore 0x0000000114933e07 WebCore::GraphicsContextCG::restore() + 23
4 com.apple.WebKit 0x000000010f092a5c WebKit::RemoteDisplayListRecorder::restore() + 34
5 com.apple.WebKit 0x000000010f27e5e8 IPC::StreamServerConnection::dispatchStreamMessage(IPC::Decoder&&, IPC::StreamMessageReceiver&) + 32
6 com.apple.WebKit 0x000000010f27d953 IPC::StreamServerConnection::dispatchStreamMessages(unsigned long) + 377
7 com.apple.WebKit 0x000000010f27d6bf IPC::StreamConnectionWorkQueue::processStreams() + 435
8 com.apple.WebKit 0x000000010f27ee3a WTF::Detail::CallableWrapper<IPC::StreamConnectionWorkQueue::startProcessingThread()::$_0, void>::call() + 46
9 com.apple.JavaScriptCore 0x0000000117e7bbdc WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) + 124
10 com.apple.JavaScriptCore 0x0000000117e7e209 WTF::wtfThreadEntryPoint(void*) + 9
11 libsystem_pthread.dylib 0x00007fff2045a8fc _pthread_start + 224
12 libsystem_pthread.dylib 0x00007fff20456443 thread_start + 15

Main thread is in:

Thread 0:: Dispatch queue: com.apple.main-thread
0 libsystem_malloc.dylib 0x00007fff202865f0 tiny_free_no_lock + 997
1 libsystem_malloc.dylib 0x00007fff202860c9 free_tiny + 442
2 com.apple.CoreGraphics 0x00007fff24fb0e8d CGGStateRelease + 44
3 com.apple.CoreGraphics 0x00007fff24fbb804 CGGStackReset + 44
4 com.apple.CoreGraphics 0x00007fff24fbb7c9 CGGStackRelease + 19
5 com.apple.CoreGraphics 0x00007fff24fbb755 context_finalize + 67
6 com.apple.CoreFoundation 0x00007fff2061c967 _CFRelease + 244
7 com.apple.WebCore 0x000000011493a6e5 WebCore::IOSurfacePool::willAddSurface(WebCore::IOSurface&, bool) + 85
8 com.apple.WebCore 0x000000011493b208 WebCore::IOSurfacePool::addSurface(std::__1::unique_ptr<WebCore::IOSurface, std::__1::default_delete<WebCore::IOSurface> >&&) + 104
9 com.apple.WebCore 0x0000000114946ee7 WebCore::ImageBufferIOSurfaceBackend::~ImageBufferIOSurfaceBackend() + 71
10 com.apple.WebKit 0x000000010f098fbf std::__1::unique_ptr<WebKit::ImageBufferShareableMappedIOSurfaceBackend, std::__1::default_delete<WebKit::ImageBufferShareableMappedIOSurfaceBackend> >::reset(WebKit::ImageBufferShareableMappedIOSurfaceBackend*) + 25
11 com.apple.WebKit 0x000000010f098ede WebKit::RemoteImageBuffer<WebKit::ImageBufferShareableMappedIOSurfaceBackend>::~RemoteImageBuffer() + 120
12 com.apple.WebKit 0x000000010f098780 WebKit::RemoteImageBuffer<WebKit::ImageBufferShareableMappedIOSurfaceBackend>::~RemoteImageBuffer() + 14
13 com.apple.JavaScriptCore 0x0000000117e617c1 WTF::RunLoop::performWork() + 545
14 com.apple.JavaScriptCore 0x0000000117e62072 WTF::RunLoop::performWork(void*) + 34
15 com.apple.CoreFoundation 0x00007fff205520dc __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
16 com.apple.CoreFoundation 0x00007fff20552044 __CFRunLoopDoSource0 + 180
17 com.apple.CoreFoundation 0x00007fff20551dba __CFRunLoopDoSources0 + 242
18 com.apple.CoreFoundation 0x00007fff205507c8 __CFRunLoopRun + 897
19 com.apple.CoreFoundation 0x00007fff2054fd80 CFRunLoopRunSpecific + 567
20 com.apple.Foundation 0x00007fff2120b607 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 212
21 com.apple.Foundation 0x00007fff212994d1 -[NSRunLoop(NSRunLoop) run] + 76
22 libxpc.dylib 0x00007fff201a938d _xpc_objc_main + 825
Attachments
Crash log (86.12 KB, text/plain)
2022-05-17 15:57 PDT, Simon Fraser (smfr)
no flags
Patch (2.03 KB, patch)
2022-05-18 07:06 PDT, Kimmo Kinnunen
no flags
For landing. (2.03 KB, patch)
2022-05-24 04:27 PDT, Kimmo Kinnunen
dino: commit-queue+
[fast-cq] Patch for landing (2.03 KB, patch)
2022-05-30 14:05 PDT, Dean Jackson
no flags
Radar WebKit Bug Importer
Comment 1 2022-05-17 15:57:26 PDT
Kimmo Kinnunen
Comment 4 2022-05-18 07:06:09 PDT
Kimmo Kinnunen
Comment 5 2022-05-18 07:10:05 PDT
I could not repro the issue, but I didn't have the exact same configuration. The strange thing is that dereferencing a disengaged std::optional should assert if the patch is fixing what it thinks it is fixing. However, I could not make std::optional assert in our builds. However, I seem to remember seeing such an assertion, so I don't know which is wrong -- my try or my recollection.
Kimmo Kinnunen
Comment 6 2022-05-18 08:08:42 PDT
I was in fact thinking of std::optional::value(), which throws bad_optional_access. It appears we don't compile with libc++ debug assertions even on debug. From this perspective the patch is still consistent (potentially fixing the issue).
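The distinction Kimmo draws above, shown as an added example that is not WebKit code and is not the patch attached to this bug: std::optional::value() throws std::bad_optional_access on a disengaged optional regardless of build configuration, while operator* on a disengaged optional is undefined behaviour that only traps when the standard library's assertions are compiled in. A receiver that replays save/restore messages from another process therefore needs its own has_value() check rather than relying on a library assertion. The State struct, restoreChecked and restoreViaValueThrows are hypothetical stand-ins, not WebKit's GraphicsContextState or RemoteDisplayListRecorder.

```cpp
#include <optional>
#include <string>

// Hypothetical stand-in for a saved graphics state (constructed for this example).
struct State {
    std::string fillColor;
};

enum class RestoreResult { Restored, NothingSaved };

// Checked restore: verify a saved state exists before reading it. Without this
// check, `*saved` on a disengaged optional is undefined behaviour and, in a
// build without libc++ assertions, silently reads garbage instead of asserting.
RestoreResult restoreChecked(std::optional<State>& saved, State& current)
{
    if (!saved.has_value())
        return RestoreResult::NothingSaved; // unbalanced restore: reject, do not crash
    current = *saved;
    saved.reset();
    return RestoreResult::Restored;
}

// value() variant: the same misuse becomes an observable exception even in a
// build that compiles no standard-library assertions. Returns true when the
// disengaged access was caught.
bool restoreViaValueThrows(std::optional<State>& saved, State& current)
{
    try {
        current = saved.value(); // throws std::bad_optional_access when disengaged
        saved.reset();
        return false;
    } catch (const std::bad_optional_access&) {
        return true;
    }
}
```

In the checked variant, an unbalanced restore is reported to the caller instead of reading a disengaged optional; the value() variant is shown only to make the difference from operator* visible, since an exception on a work queue is not a substitute for the explicit check.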
Kimmo Kinnunen
Comment 7 2022-05-24 04:27:06 PDT
Created attachment 459713 [details] For landing.
Dean Jackson
Comment 9 2022-05-27 14:39:52 PDT
Ignore that commit. It was landed incorrectly.
Dean Jackson
Comment 10 2022-05-30 13:59:47 PDT
Why isn't the commit-queue picking this up?
Dean Jackson
Comment 11 2022-05-30 14:05:15 PDT
Created attachment 459873 [details] [fast-cq] Patch for landing

Trying to poke the cq.
Dean Jackson
Comment 12 2022-05-30 14:34:07 PDT
I guess all cq patches have to go via github now.
Kimmo Kinnunen
Comment 13 2022-05-31 00:21:33 PDT
Somehow commit queue already applied this but never heralded.