Bug 274780

Summary: [WPE][GTK] Crash in WebCore::TextDecorationPainter::paintBackgroundDecorations when compiled with Clang with LTO enabled
Product: WebKit
Reporter: Milan Crha <mcrha>
Component: Layout and Rendering
Assignee: Adrian Perez <aperez>
Status: RESOLVED FIXED    
Severity: Normal CC: adamw, aperez, bfulgham, bugs-noreply, mcatanzaro, mikhail.v.gavrilov, muziknavi, simon.fraser, webkit-bug-importer, yaneti, zalan
Priority: P2 Keywords: InRadar
Version: Other   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugzilla.redhat.com/show_bug.cgi?id=2281612
Attachments: test -fno-lto for TextDecorationPainter.cpp (flags: none)

Milan Crha
Reported 2024-05-28 08:22:18 PDT
Moving this from a downstream bug: https://gitlab.gnome.org/GNOME/evolution/-/issues/2759

Reproducer with MiniBrowser from webkit2gtk4.1-2.45.2-2.fc41.x86_64:
a) run from a terminal: /usr/libexec/webkit2gtk-4.1/MiniBrowser https://www.gnome.org
b) click on the "Get GNOME" link at the top (or maybe other)

The terminal says:
** (MiniBrowser:6350): WARNING **: 17:12:18.205: WebProcess CRASHED

After which also the MiniBrowser itself crashes. coredumpctl says:
Tue 2024-05-28 17:12:18 CEST 6372 1000 1000 SIGSEGV none /usr/libexec/webkit2gtk-4.1/WebKitWebProcess -
Tue 2024-05-28 17:12:21 CEST 6350 1000 1000 SIGSEGV present /usr/libexec/webkit2gtk-4.1/MiniBrowser 5.9M

The WebProcess gdb output (the downstream bug contains a different backtrace though):

Thread 1 "WebKitWebProces" received signal SIGSEGV, Segmentation fault.
0x00007fa99ee42938 in auto WebCore::TextDecorationPainter::paintBackgroundDecorations(WebCore::RenderStyle const&, WebCore::TextRun const&, WebCore::TextDecorationPainter::BackgroundDecorationGeometry const&, WTF::OptionSet<WebCore::TextDecorationLine>, WebCore::TextDecorationPainter::Styles const&)::$_0::operator()<WebCore::TextDecorationLine, WebCore::TextDecorationStyle, WebCore::Color const, WebCore::FloatRect>(WebCore::TextDecorationLine, WebCore::TextDecorationStyle, WebCore::Color const&, WebCore::FloatRect&) const () from /lib64/libwebkit2gtk-4.1.so.0
(gdb) bt
#0 0x00007fa99ee42938 in auto WebCore::TextDecorationPainter::paintBackgroundDecorations(WebCore::RenderStyle const&, WebCore::TextRun const&, WebCore::TextDecorationPainter::BackgroundDecorationGeometry const&, WTF::OptionSet<WebCore::TextDecorationLine>, WebCore::TextDecorationPainter::Styles const&)::$_0::operator()<WebCore::TextDecorationLine, WebCore::TextDecorationStyle, WebCore::Color const, WebCore::FloatRect>(WebCore::TextDecorationLine, WebCore::TextDecorationStyle, WebCore::Color const&, WebCore::FloatRect&) const () at /lib64/libwebkit2gtk-4.1.so.0
#1 0x00007fa99ee37ba0 in WebCore::TextDecorationPainter::paintBackgroundDecorations(WebCore::RenderStyle const&, WebCore::TextRun const&, WebCore::TextDecorationPainter::BackgroundDecorationGeometry const&, WTF::OptionSet<WebCore::TextDecorationLine>, WebCore::TextDecorationPainter::Styles const&) () at /lib64/libwebkit2gtk-4.1.so.0
#2 0x00007fa99ee33811 in WebCore::TextBoxPainter<WebCore::InlineIterator::BoxModernPath>::paintForegroundAndDecorations() () at /lib64/libwebkit2gtk-4.1.so.0
#3 0x00007fa99ee30ab8 in WebCore::TextBoxPainter<WebCore::InlineIterator::BoxModernPath>::paint() () at /lib64/libwebkit2gtk-4.1.so.0
#4 0x00007fa99e6547ed in WebCore::LayoutIntegration::InlineContentPainter::paintDisplayBox(WebCore::InlineDisplay::Box const&) () at /lib64/libwebkit2gtk-4.1.so.0
#5 0x00007fa99e65494b in WebCore::LayoutIntegration::InlineContentPainter::paint() () at /lib64/libwebkit2gtk-4.1.so.0
#6 0x00007fa99e65a913 in WebCore::LayoutIntegration::LineLayout::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::RenderInline const*) () at /lib64/libwebkit2gtk-4.1.so.0
#7 0x00007fa99ec6ef37 in WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) () at /lib64/libwebkit2gtk-4.1.so.0
#8 0x00007fa99ec6db9e in WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) () at /lib64/libwebkit2gtk-4.1.so.0
#9 0x00007fa99ec6e523 in WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool, WebCore::RenderBlock::PaintBlockType) () at /lib64/libwebkit2gtk-4.1.so.0
#10 0x00007fa99ec6e31f in WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) () at /lib64/libwebkit2gtk-4.1.so.0
#11 0x00007fa99ec6ef1f in WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) () at /lib64/libwebkit2gtk-4.1.so.0
#12 0x00007fa99ec6db9e in WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) () at /lib64/libwebkit2gtk-4.1.so.0
#13 0x00007fa99ecdd7a3 in WebCore::RenderElement::paintAsInlineBlock(WebCore::PaintInfo&, WebCore::LayoutPoint const&) () at /lib64/libwebkit2gtk-4.1.so.0
#14 0x00007fa99ec6e50e in WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool, WebCore::RenderBlock::PaintBlockType) () at /lib64/libwebkit2gtk-4.1.so.0
#15 0x00007fa99ecf31af in WebCore::RenderFlexibleBox::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) () at /lib64/libwebkit2gtk-4.1.so.0
#16 0x00007fa99ec6ef1f in WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) () at /lib64/libwebkit2gtk-4.1.so.0
#17 0x00007fa99ec6db9e in WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) () at /lib64/libwebkit2gtk-4.1.so.0
#18 0x00007fa99ec6e523 in WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool, WebCore::RenderBlock::PaintBlockType) () at /lib64/libwebkit2gtk-4.1.so.0
#19 0x00007fa99ec6e31f in WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) () at /lib64/libwebkit2gtk-4.1.so.0
#20 0x00007fa99ec6ef1f in WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) () at /lib64/libwebkit2gtk-4.1.so.0
#21 0x00007fa99ec6db9e in WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) () at /lib64/libwebkit2gtk-4.1.so.0
#22 0x00007fa99ec6e523 in WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool, WebCore::RenderBlock::PaintBlockType) () at /lib64/libwebkit2gtk-4.1.so.0
#23 0x00007fa99ec6e31f in WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) () at /lib64/libwebkit2gtk-4.1.so.0
#24 0x00007fa99ec6ef1f in WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) () at /lib64/libwebkit2gtk-4.1.so.0
#25 0x00007fa99ec6db9e in WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) () at /lib64/libwebkit2gtk-4.1.so.0
#26 0x00007fa99ec6e523 in WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool, WebCore::RenderBlock::PaintBlockType) () at /lib64/libwebkit2gtk-4.1.so.0
#27 0x00007fa99ec6e31f in WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) () at /lib64/libwebkit2gtk-4.1.so.0
#28 0x00007fa99ec6ef1f in WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) () at /lib64/libwebkit2gtk-4.1.so.0
#29 0x00007fa99ec6db9e in WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) () at /lib64/libwebkit2gtk-4.1.so.0
#30 0x00007fa99ec6e523 in WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool, WebCore::RenderBlock::PaintBlockType) () at /lib64/libwebkit2gtk-4.1.so.0
#31 0x00007fa99ec6e31f in WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) () at /lib64/libwebkit2gtk-4.1.so.0
#32 0x00007fa99ec6ef1f in WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) () at /lib64/libwebkit2gtk-4.1.so.0
#33 0x00007fa99ec6db9e in WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) () at /lib64/libwebkit2gtk-4.1.so.0
#34 0x00007fa99ed380f9 in WebCore::RenderLayer::paintForegroundForFragmentsWithPhase(WebCore::PaintPhase, WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::PaintBehavior>, WebCore::RenderObject*) () at /lib64/libwebkit2gtk-4.1.so.0
#35 0x00007fa99ed3285b in WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) () at /lib64/libwebkit2gtk-4.1.so.0
#36 0x00007fa99ed332f2 in WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) () at /lib64/libwebkit2gtk-4.1.so.0
#37 0x00007fa99ed332f2 in WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) () at /lib64/libwebkit2gtk-4.1.so.0
#38 0x00007fa99ed535d4 in WebCore::RenderLayerBacking::paintIntoLayer(WebCore::GraphicsLayer const*, WebCore::GraphicsContext&, WebCore::IntRect const&, WTF::OptionSet<WebCore::PaintBehavior>, WebCore::RegionContext*)::$_0::operator()(WebCore::RenderLayer&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) const () at /lib64/libwebkit2gtk-4.1.so.0
#39 0x00007fa99ed53082 in WebCore::RenderLayerBacking::paintIntoLayer(WebCore::GraphicsLayer const*, WebCore::GraphicsContext&, WebCore::IntRect const&, WTF::OptionSet<WebCore::PaintBehavior>, WebCore::RegionContext*) () at /lib64/libwebkit2gtk-4.1.so.0
#40 0x00007fa99ed53e4b in WebCore::RenderLayerBacking::paintContents(WebCore::GraphicsLayer const*, WebCore::GraphicsContext&, WebCore::FloatRect const&, WTF::OptionSet<WebCore::GraphicsLayerPaintBehavior>) () at /lib64/libwebkit2gtk-4.1.so.0
#41 0x00007fa99ce89e99 in WebCore::CoordinatedGraphicsLayer::paintTile(WebCore::IntRect const&, WebCore::IntRect const&, float)::$_1::operator()(WebCore::GraphicsContext&) const () at /lib64/libwebkit2gtk-4.1.so.0
#42 0x00007fa99ce89803 in WebCore::CoordinatedGraphicsLayer::paintTile(WebCore::IntRect const&, WebCore::IntRect const&, float) () at /lib64/libwebkit2gtk-4.1.so.0
#43 0x00007fa99ce859dc in WebCore::CoordinatedGraphicsLayer::updateContentBuffers() () at /lib64/libwebkit2gtk-4.1.so.0
#44 0x00007fa99ce850e6 in WebCore::CoordinatedGraphicsLayer::updateContentBuffersIncludingSubLayers() () at /lib64/libwebkit2gtk-4.1.so.0
#45 0x00007fa99ce8511c in WebCore::CoordinatedGraphicsLayer::updateContentBuffersIncludingSubLayers() () at /lib64/libwebkit2gtk-4.1.so.0
#46 0x00007fa99ce8511c in WebCore::CoordinatedGraphicsLayer::updateContentBuffersIncludingSubLayers() () at /lib64/libwebkit2gtk-4.1.so.0
#47 0x00007fa99ce8511c in WebCore::CoordinatedGraphicsLayer::updateContentBuffersIncludingSubLayers() () at /lib64/libwebkit2gtk-4.1.so.0
#48 0x00007fa99ce8511c in WebCore::CoordinatedGraphicsLayer::updateContentBuffersIncludingSubLayers() () at /lib64/libwebkit2gtk-4.1.so.0
#49 0x00007fa99ce8511c in WebCore::CoordinatedGraphicsLayer::updateContentBuffersIncludingSubLayers() () at /lib64/libwebkit2gtk-4.1.so.0
#50 0x00007fa99cdffbfd in WebKit::CompositingCoordinator::flushPendingLayerChanges(WTF::OptionSet<WebCore::FinalizeRenderingUpdateFlags>) () at /lib64/libwebkit2gtk-4.1.so.0
#51 0x00007fa99ce0ba65 in WebKit::LayerTreeHost::layerFlushTimerFired() () at /lib64/libwebkit2gtk-4.1.so.0
#52 0x00007fa99baaca85 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::$_0::__invoke(void*) [clone .llvm.2038710169385785088] () at /lib64/libjavascriptcoregtk-4.1.so.0
#53 0x00007fa99baab831 in WTF::RunLoop::$_0::__invoke(_GSource*, int (*)(void*), void*) () at /lib64/libjavascriptcoregtk-4.1.so.0
#54 0x00007fa99820c90c in g_main_context_dispatch_unlocked.lto_priv () at /lib64/libglib-2.0.so.0
#55 0x00007fa99826d978 in g_main_context_iterate_unlocked.isra () at /lib64/libglib-2.0.so.0
#56 0x00007fa9982128c7 in g_main_loop_run () at /lib64/libglib-2.0.so.0
#57 0x00007fa99baabe29 in WTF::RunLoop::run() () at /lib64/libjavascriptcoregtk-4.1.so.0
#58 0x00007fa99ce185ac in WebKit::WebProcessMain(int, char**) () at /lib64/libwebkit2gtk-4.1.so.0
#59 0x00007fa99c23c1c8 in __libc_start_call_main () at /lib64/libc.so.6
#60 0x00007fa99c23c28b in __libc_start_main_impl () at /lib64/libc.so.6
#61 0x0000000000401075 in _start ()

=======================================================================

The MiniBrowser backtrace:

(gdb) bt
#0 0x00007f629e092502 in WebKit::WebPageProxy::keyEventHandlingCompleted(std::optional<WebKit::WebEventType>, bool) () at /lib64/libwebkit2gtk-4.1.so.0
#1 0x00007f629e00fb1f in WTF::Detail::CallableWrapper<WebKit::AuxiliaryProcessProxy::sendMessage(WTF::UniqueRef<IPC::Encoder>&&, WTF::OptionSet<IPC::SendOption>, std::optional<IPC::ConnectionAsyncReplyHandler>, WebKit::AuxiliaryProcessProxy::ShouldStartProcessThrottlerActivity)::$_1, void, IPC::Decoder*>::call(IPC::Decoder*) () at /lib64/libwebkit2gtk-4.1.so.0
#2 0x00007f629dfd7d81 in WTF::Detail::CallableWrapper<IPC::Connection::sendMessageWithAsyncReply(WTF::UniqueRef<IPC::Encoder>&&, IPC::ConnectionAsyncReplyHandler, WTF::OptionSet<IPC::SendOption>, std::optional<WTF::Thread::QOS>)::$_0, void>::call() [clone .llvm.15857245043833178621] () at /lib64/libwebkit2gtk-4.1.so.0
#3 0x00007f629ca4430b in WTF::RunLoop::performWork() () at /lib64/libjavascriptcoregtk-4.1.so.0
#4 0x00007f629caac9dd in WTF::RunLoop::RunLoop()::$_0::__invoke(void*) () at /lib64/libjavascriptcoregtk-4.1.so.0
#5 0x00007f629caab831 in WTF::RunLoop::$_0::__invoke(_GSource*, int (*)(void*), void*) () at /lib64/libjavascriptcoregtk-4.1.so.0
#6 0x00007f62a21f290c in g_main_context_dispatch_unlocked.lto_priv () at /lib64/libglib-2.0.so.0
#7 0x00007f62a2253978 in g_main_context_iterate_unlocked.isra () at /lib64/libglib-2.0.so.0
#8 0x00007f62a21f3d83 in g_main_context_iteration () at /lib64/libglib-2.0.so.0
#9 0x00007f629b3135bd in g_application_run () at /lib64/libgio-2.0.so.0
#10 0x00000000004194ed in main ()

P.S.: the debuginfo for WebKitGTK is too large, I'm sorry
Attachments
test -fno-lto for TextDecorationPainter.cpp (995 bytes, patch)
2024-05-29 07:19 PDT, Yanko Kaneti
no flags
Michael Catanzaro
Comment 1 2024-05-28 08:29:39 PDT Comment hidden (obsolete)
Michael Catanzaro
Comment 2 2024-05-28 08:56:39 PDT Comment hidden (obsolete)
Yanko Kaneti
Comment 3 2024-05-29 07:19:23 PDT
Created attachment 471541 [details]
test -fno-lto for TextDecorationPainter.cpp

As a learning experiment I tried to isolate TextDecorationPainter.cpp from LTO, and the result seems to not crash.
Adrian Perez
Comment 4 2024-05-29 07:44:40 PDT
Which version of Clang resulted in the TextDecorationPainter crash? I used to hit this often, but now, using Clang 17, the problem seems to be gone. I don't remember which version of Clang I had at the time, but I remembered that I had a workaround in one of my Git stashes, and I never got to truly understand why it made things work... I had the intention of reporting the issue to the LLVM/Clang people but never got round to it. Here's the workaround:

---- 8< ---- 8< ----
diff --git a/Source/WebCore/rendering/TextDecorationPainter.cpp b/Source/WebCore/rendering/TextDecorationPainter.cpp
index 895c512156da..02d8f00d5aae 100644
--- a/Source/WebCore/rendering/TextDecorationPainter.cpp
+++ b/Source/WebCore/rendering/TextDecorationPainter.cpp
@@ -128,25 +128,26 @@ static DashArray translateIntersectionPointsToSkipInkBoundaries(const DashArray& // Step 2: Deal with intersecting ranges. Vector<std::pair<float, float>> intermediateTuples; if (tuples.size() >= 2) { - intermediateTuples.append(*tuples.begin()); - for (auto i = tuples.begin() + 1; i != tuples.end(); i++) { + intermediateTuples.append(tuples[0]); + for (size_t i = 1; i < tuples.size(); i++) { float& firstEnd = intermediateTuples.last().second; - float secondStart = i->first; - float secondEnd = i->second; + float secondStart = tuples[i].first; + float secondEnd = tuples[i].second; if (secondStart <= firstEnd && secondEnd <= firstEnd) { // Ignore this range completely } else if (secondStart <= firstEnd) firstEnd = secondEnd; else - intermediateTuples.append(*i); + intermediateTuples.append(tuples[i]); } } else - intermediateTuples = tuples; + intermediateTuples = WTFMove(tuples); // Step 3: Output the space between the ranges, but only if the space warrants an underline. float previous = 0; DashArray result; - for (const auto& tuple : intermediateTuples) { + for (size_t i = 0; i < intermediateTuples.size(); i++) { + const auto& tuple = intermediateTuples[i]; if (tuple.first - previous > dilationAmount) { result.append(previous); result.append(tuple.first);
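Review bot: the `+ intermediateTuples = WTFMove(tuples);` line in the else branch turns a copy into a move, which is only correct because `tuples` is not read again after step 2 (the step 3 loop in the same hunk touches only `intermediateTuples`), yet nothing in the rewritten lines records that, nor why the iterator loops became index loops; a one-line comment next to the else branch naming this bug and the Clang LTO miscompile it works around would stop a later cleanup from reverting it. The three loop rewrites are otherwise behaviour-preserving: `tuples[0]` is `*tuples.begin()`, and `tuples[i]` / `intermediateTuples[i]` replace the iterator dereferences one for one.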
Yanko Kaneti
Comment 5 2024-05-29 07:48:19 PDT
(In reply to Adrian Perez from comment #4)
> Which version of Clang resulted in the TextDecorationPainter crash? I used
> to hit this often, but now using Clang 17 the problems seems to be gone.

Rawhide is currently on Clang 18.1.6.
Adam Williamson
Comment 6 2024-05-29 08:21:31 PDT
The webkitgtk build I'm using was built with 18.1.4-3.fc41. Other reporters have said a more recent build done with 18.1.6-3.fc41 is also affected.
Michael Catanzaro
Comment 7 2024-05-29 14:51:40 PDT
Well I had started a build that disables LTO, but let's try Adrian's patch instead.
Yanko Kaneti
Comment 8 2024-05-30 01:55:59 PDT
Thanks, webkitgtk-2.45.3-3.fc41 works for me
Michael Catanzaro
Comment 9 2024-05-31 06:16:40 PDT
*** Bug 274956 has been marked as a duplicate of this bug. ***
Yanko Kaneti
Comment 10 2024-06-25 23:59:13 PDT
AFAICS this fix hasn't landed yet. @mcatanzaro, now that you've removed it(?) in rawhide, webkitgtk-2.45.4-1.fc41 is crashing again.
Michael Catanzaro
Comment 11 2024-06-26 06:43:24 PDT
Oops, I just assumed we had fixed this. I'll restore the patch in rawhide. I guess we'll just need to land Adrian's patch, even though it makes the code worse. Adrian, do you want to create a pull request? Unfortunately switching from GCC to Clang means it's going to be harder to attract compiler developers to investigate the bug reports, and LTO bugs are by far the hardest to report. It's probably not realistic to expect us to get a useful compiler bug report here.
Michael Catanzaro
Comment 12 2024-06-26 06:44:58 PDT
Or we could land Yanko's patch instead, removing TextDecorationPainter.cpp from the unified build and adding -fno-lto.

(In reply to Michael Catanzaro from comment #11)
> It's probably not realistic to expect us to
> get a useful compiler bug report here.

If anybody *does* have time to report a Clang bug, that would be wonderful and ideal. But it won't be easy.
Michael Catanzaro
Comment 13 2024-06-26 13:42:40 PDT
(In reply to Michael Catanzaro from comment #11)
> I guess we'll just need to land Adrian's patch, even though it makes the
> code worse. Adrian, do you want to create a pull request?

We agreed I'll create a pull request for this.
Michael Catanzaro
Comment 14 2024-07-03 13:08:53 PDT
Unfortunately I'm not able to reproduce this crash in my development build. Unassigning myself. I think I'll just turn off LTO in Fedora again. That's easier than carrying a mysterious patch. If it causes crashes here, probably something else is broken somewhere without crashing....
Michael Catanzaro
Comment 15 2024-08-14 08:14:18 PDT
*** Bug 278090 has been marked as a duplicate of this bug. ***
Michael Catanzaro
Comment 16 2024-08-14 09:06:10 PDT
*** Bug 278101 has been marked as a duplicate of this bug. ***
Adrian Perez
Comment 17 2024-08-14 15:27:22 PDT
I have arrived to a smaller workaround/fix: diff --git a/Source/WebCore/rendering/TextDecorationPainter.cpp b/Source/WebCore/rendering/TextDecorationPainter.cpp index 5c4e798d7aef..6c3951145f30 100644 --- a/Source/WebCore/rendering/TextDecorationPainter.cpp +++ b/Source/WebCore/rendering/TextDecorationPainter.cpp @@ -141,7 +141,7 @@ static DashArray translateIntersectionPointsToSkipInkBoundaries(const DashArray& intermediateTuples.append(*i); } } else - intermediateTuples = tuples; + intermediateTuples.swap(tuples); // Step 3: Output the space between the ranges, but only if the space warrants an underline. float previous = 0; What do we think about this? 🤪
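Review bot: `+ intermediateTuples.swap(tuples);` leaves `tuples` holding what `intermediateTuples` held before (an empty Vector on this path), so the line is correct only because `tuples` is never read again in the function; the hunk carries no comment saying so, and a reader who finds an unexplained swap where an assignment is expected will be tempted to "simplify" it back to `intermediateTuples = tuples;`, reintroducing the crash. Suggest a comment on that line referencing this bug and the suspected Clang LTO miscompile it works around.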
Adrian Perez
Comment 18 2024-08-15 00:27:30 PDT
(In reply to Adrian Perez from comment #17)
> I have arrived to a smaller workaround/fix:
>
> diff --git a/Source/WebCore/rendering/TextDecorationPainter.cpp
> b/Source/WebCore/rendering/TextDecorationPainter.cpp
> index 5c4e798d7aef..6c3951145f30 100644
> --- a/Source/WebCore/rendering/TextDecorationPainter.cpp
> +++ b/Source/WebCore/rendering/TextDecorationPainter.cpp
> @@ -141,7 +141,7 @@ static DashArray > translateIntersectionPointsToSkipInkBoundaries(const DashArray& > intermediateTuples.append(*i); > } > } else > - intermediateTuples = tuples; > + intermediateTuples.swap(tuples); > > // Step 3: Output the space between the ranges, but only if the space > warrants an underline. > float previous = 0; > > What do we think about this? 🤪

I have been dogfooding a build from yesterday with the above one-liner applied and I have had no further crashes. That's good. Now, understanding exactly why the fix works is the tricky part...

In bug #278090 we got a different (more complete?) backtrace, and it had the following frames at the top:

#0 memcpy () at /usr/include/bits/string_fortified.h:29
#1 uninitializedCopy () at WTF/Headers/wtf/Vector.h:190
#2 uninitializedCopy () at WTF/Headers/wtf/Vector.h:284
#3 operator= () at WTF/Headers/wtf/Vector.h:1044
#4 translateIntersectionPointsToSkipInkBoundaries () at /usr/src/debug/webkit2gtk-4.1/webkitgtk-2.44.3/Source/WebCore/rendering/TextDecorationPainter.cpp:144

Looking at the code, frame 4 is exactly at the line with the assignment changed in my suggested change. The calls into uninitializedCopy() made me think that there might be some issue with the initialization of either “tuples” or “intermediateTuples”, and that going through the assignment operator while one of the objects is in an odd state, in particular in regard to the values returned by Vector::size() or the Vector buffer base pointer (both used a number of times inside the assignment operator code), could explain an OOB read or write in the call to “memcpy()” where the crash ultimately happens. Or something gets corrupted (?) during the process--I am not sure yet.

Noticing that “tuples” is not ever used in the rest of the function, and that some print-debugging showed that it was in a consistent state, and “intermediateTuples” as well, it seemed reasonable to use WTFMove() to replace the internal state of one Vector with the other. Well, that didn't work, but using Vector::swap() directly did! IIUC the Vector::swap() function is used internally by the move assignment operator, so the change above is effectively doing the same but using a lower level call... which puts less work on the compiler's inlining logic --which definitely interacts with LTO!-- making it “easier” to avoid triggering what I still think is a compiler bug.
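Comments 17 and 18 rest on `tuples` never being read after step 2, so swapping it into `intermediateTuples` must yield the same dash array as copy-assigning it. The block below is an added example, not WebKit code: it reimplements steps 2 and 3 of translateIntersectionPointsToSkipInkBoundaries() as they appear in the hunks above on std::vector, lets the single-range branch use either the original copy or the landed swap, and checks that both agree. Assumed, because not on the page: step 1's sorted, dilated tuples are taken as input, the step 3 loop body ends with `previous = tuple.second`, and a trailing dash runs to a `totalWidth` parameter.

```cpp
// Added example, not WebKit code: steps 2 and 3 of
// translateIntersectionPointsToSkipInkBoundaries() as visible in the hunks,
// on std::vector instead of WTF::Vector. Assumed (not on the page): step 1 has
// already produced sorted, dilated [start, end] tuples; the step 3 loop body
// ends with `previous = tuple.second`; a trailing dash runs up to `totalWidth`.
#include <cstddef>
#include <cstdio>
#include <utility>
#include <vector>

using Tuple = std::pair<float, float>;
using DashArray = std::vector<float>;

enum class HandOff { CopyAssign, Swap }; // how the single-range branch hands tuples over

static DashArray skipInkBoundaries(std::vector<Tuple> tuples, float dilationAmount,
                                   float totalWidth, HandOff mode)
{
    // Step 2: Deal with intersecting ranges.
    std::vector<Tuple> intermediateTuples;
    if (tuples.size() >= 2) {
        intermediateTuples.push_back(tuples[0]);
        for (size_t i = 1; i < tuples.size(); i++) {
            float& firstEnd = intermediateTuples.back().second;
            float secondStart = tuples[i].first;
            float secondEnd = tuples[i].second;
            if (secondStart <= firstEnd && secondEnd <= firstEnd) {
                // Ignore this range completely: it lies inside the previous one.
            } else if (secondStart <= firstEnd)
                firstEnd = secondEnd; // overlapping: extend the previous range
            else
                intermediateTuples.push_back(tuples[i]);
        }
    } else if (mode == HandOff::CopyAssign) {
        intermediateTuples = tuples; // the original line (crashed under Clang LTO)
    } else {
        // The landed workaround. `tuples` now holds the old, empty
        // intermediateTuples, which is fine because it is not read again.
        intermediateTuples.swap(tuples);
    }

    // Step 3: Output the space between the ranges, but only if the space
    // warrants an underline (the gap is wider than dilationAmount).
    float previous = 0;
    DashArray result;
    for (const auto& tuple : intermediateTuples) {
        if (tuple.first - previous > dilationAmount) {
            result.push_back(previous);
            result.push_back(tuple.first);
        }
        previous = tuple.second; // assumed continuation of the loop body
    }
    if (totalWidth - previous > dilationAmount) { // assumed trailing dash
        result.push_back(previous);
        result.push_back(totalWidth);
    }
    return result;
}

// Both hand-over styles must yield the same dash array for the same input.
static bool sameResultBothWays(const std::vector<Tuple>& tuples, float dilationAmount,
                               float totalWidth)
{
    return skipInkBoundaries(tuples, dilationAmount, totalWidth, HandOff::CopyAssign)
        == skipInkBoundaries(tuples, dilationAmount, totalWidth, HandOff::Swap);
}

int main()
{
    // Constructed input: two overlapping glyph ranges and one separate one.
    DashArray dashes = skipInkBoundaries({{2, 4}, {3, 6}, {8, 9}}, 0.5f, 12.0f, HandOff::Swap);
    for (size_t i = 0; i + 1 < dashes.size(); i += 2)
        std::printf("underline from %g to %g\n", dashes[i], dashes[i + 1]);
    return sameResultBothWays({{1, 3}}, 0.5f, 5.0f) ? 0 : 1;
}
```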
Adrian Perez
Comment 19 2024-08-15 03:47:10 PDT
EWS
Comment 20 2024-08-15 13:16:28 PDT
Committed 282306@main (96fb0b0c6c46): <https://commits.webkit.org/282306@main> Reviewed commits have been landed. Closing PR #32240 and removing active labels.
Radar WebKit Bug Importer
Comment 21 2024-08-15 13:17:15 PDT
Adrian Perez
Comment 22 2024-08-16 03:46:12 PDT
*** Bug 277333 has been marked as a duplicate of this bug. ***