Bug 288620

Summary: REGRESSION(290300@main): SaveAsPDF crashes if site-isolation is enabled
Product: WebKit
Reporter: Marta Darbinyan <darbinyan>
Component: WebKit Process Model
Assignee: Said Abou-Hallawa <sabouhallawa>
Status: RESOLVED FIXED
Severity: Normal
CC: mathewwebster99, nham, ryanhaddad, sabouhallawa, webkit-bot-watchers-bugzilla, webkit-bug-importer, y_karimi
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
See Also: https://bugs.webkit.org/show_bug.cgi?id=285726
Attachments: full backtrace (flags: none)

Marta Darbinyan
Reported 2025-02-26 10:34:44 PST
ipc/large-vector-allocate-failure-crash.html test is consistently crashing. The test is a false-positive failure in EWS. The regression started within the range 291027@main...291032@main. The change 291031@main is most likely the culprit based on modified files in RemoteRenderingBackend.cpp.

Error logs:

stderr:
7 0x3063594b4 WebCore::ImageBufferDisplayListBackend::sinkIntoPDFDocument()
8 0x30634dc84 WebCore::ImageBuffer::sinkIntoPDFDocument()
9 0x119e31db8 WebKit::RemoteRenderingBackend::didDrawRemoteToPDF(WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long long>, unsigned long long>, WTF::ObjectIdentifierGeneric<WebCore::RenderingResourceIdentifierType, WTF::ObjectIdentifierThreadSafeAccessTraits<unsigned long long>, unsigned long long>, WTF::ObjectIdentifierGeneric<WebCore::SnapshotIdentifierType, WTF::ObjectIdentifierThreadSafeAccessTraits<unsigned long long>, unsigned long long>)
10 0x11948d808 auto void IPC::callMemberFunction<WebKit::RemoteRenderingBackend, WebKit::RemoteRenderingBackend, void (WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long long>, unsigned long long>, WTF::ObjectIdentifierGeneric<WebCore::RenderingResourceIdentifierType, WTF::ObjectIdentifierThreadSafeAccessTraits<unsigned long long>, unsigned long long>, WTF::ObjectIdentifierGeneric<WebCore::SnapshotIdentifierType, WTF::ObjectIdentifierThreadSafeAccessTraits<unsigned long long>, unsigned long long>), std::__1::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long long>, unsigned long long>, WTF::ObjectIdentifierGeneric<WebCore::RenderingResourceIdentifierType, WTF::ObjectIdentifierThreadSafeAccessTraits<unsigned long long>, unsigned long long>, WTF::ObjectIdentifierGeneric<WebCore::SnapshotIdentifierType, WTF::ObjectIdentifierThreadSafeAccessTraits<unsigned long long>, unsigned long long>>>(WebKit::RemoteRenderingBackend*, void (WebKit::RemoteRenderingBackend::*)(WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long long>, unsigned long long>, WTF::ObjectIdentifierGeneric<WebCore::RenderingResourceIdentifierType, WTF::ObjectIdentifierThreadSafeAccessTraits<unsigned long long>, unsigned long long>, WTF::ObjectIdentifierGeneric<WebCore::SnapshotIdentifierType, WTF::ObjectIdentifierThreadSafeAccessTraits<unsigned long long>, unsigned long long>), std::__1::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long long>, unsigned long long>, WTF::ObjectIdentifierGeneric<WebCore::RenderingResourceIdentifierType, WTF::ObjectIdentifierThreadSafeAccessTraits<unsigned long long>, unsigned long long>, WTF::ObjectIdentifierGeneric<WebCore::SnapshotIdentifierType, WTF::ObjectIdentifierThreadSafeAccessTraits<unsigned long long>, unsigned long long>>&&)::'lambda'(auto&&...)::operator()<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long long>, unsigned long long>, WTF::ObjectIdentifierGeneric<WebCore::RenderingResourceIdentifierType, WTF::ObjectIdentifierThreadSafeAccessTraits<unsigned long long>, unsigned long long>, WTF::ObjectIdentifierGeneric<WebCore::SnapshotIdentifierType, WTF::ObjectIdentifierThreadSafeAccessTraits<unsigned long long>, unsigned long long>>(auto&&...) const
11 0x11948d6c8 decltype(std::declval<WebKit::RemoteRenderingBackend>()(std::declval<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType,

Test results: https://ews-build.s3-us-west-2.amazonaws.com/macOS-Sequoia-Debug-WK2-Tests-EWS/edf72f94-14110/results.html
History: https://results.webkit.org/?suite=layout-tests&test=ipc%2Flarge-vector-allocate-failure-crash.html
Attachments
full backtrace (18.45 KB, text/plain)
2025-02-26 14:30 PST, Ryan Haddad
no flags
Radar WebKit Bug Importer
Comment 1 2025-02-26 10:35:58 PST
EWS
Comment 2 2025-02-26 11:05:26 PST
Committed 291149@main (6368ce76c929): <https://commits.webkit.org/291149@main> Reviewed commits have been landed. Closing PR #41428 and removing active labels.
Ryan Haddad
Comment 3 2025-02-26 14:29:45 PST
*** Bug 288646 has been marked as a duplicate of this bug. ***
Ryan Haddad
Comment 4 2025-02-26 14:30:44 PST
Created attachment 474360 [details]
full backtrace

SHOULD NEVER BE REACHED
/Volumes/Data/worker/Apple-Sonoma-Debug-Build/build/Source/WebKit/WebProcess/WebPage/IPCTestingAPI.cpp(259) : virtual void WebKit::IPCTestingAPI::JSIPCStreamClientConnection::MessageReceiver::didReceiveMessage(IPC::Connection &, IPC::Decoder &)
1 0x36239d56c WTF::MainThreadAccessTraits::assertAccess()
2 0x3687437bc WTF::NeverDestroyed<WTF::RefPtr<WebCore::ControlFactory, WTF::RawPtrTraits<WebCore::ControlFactory>, WTF::DefaultRefDerefTraits<WebCore::ControlFactory>>, WTF::MainThreadAccessTraits>::NeverDestroyed<WTF::RefPtr<WebCore::ControlFactory, WTF::RawPtrTraits<WebCore::ControlFactory>, WTF::DefaultRefDerefTraits<WebCore::ControlFactory>>>(WTF::RefPtr<WebCore::ControlFactory, WTF::RawPtrTraits<WebCore::ControlFactory>, WTF::DefaultRefDerefTraits<WebCore::ControlFactory>>&&)
3 0x368737d48 WTF::NeverDestroyed<WTF::RefPtr<WebCore::ControlFactory, WTF::RawPtrTraits<WebCore::ControlFactory>, WTF::DefaultRefDerefTraits<WebCore::ControlFactory>>, WTF::MainThreadAccessTraits>::NeverDestroyed<WTF::RefPtr<WebCore::ControlFactory, WTF::RawPtrTraits<WebCore::ControlFactory>, WTF::DefaultRefDerefTraits<WebCore::ControlFactory>>>(WTF::RefPtr<WebCore::ControlFactory, WTF::RawPtrTraits<WebCore::ControlFactory>, WTF::DefaultRefDerefTraits<WebCore::ControlFactory>>&&)
4 0x368737cf0 WebCore::ControlFactory::shared()
5 0x3687c6f00 WebCore::DisplayList::Replayer::Replayer(WebCore::GraphicsContext&, WebCore::DisplayList::DisplayList const&)
6 0x368769704 WebCore::DisplayList::DrawingContext::replayDisplayList(WebCore::GraphicsContext&)
7 0x36850abbc WebCore::ImageBufferDisplayListBackend::sinkIntoPDFDocument()
1 0x1468cbc14 WebKit::IPCTestingAPI::JSIPCStreamClientConnection::MessageReceiver::didReceiveMessage(IPC::Connection&, IPC::Decoder&)
8 0x3684ff398 WebCore::ImageBuffer::sinkIntoPDFDocument()
Ryan Haddad
Comment 5 2025-02-26 14:31:01 PST
I can repro by running these two tests back to back, but not when run individually:

./run-webkit-tests --debug --no-retry ipc/invalid-path-segments-crash.html ipc/large-vector-allocate-failure-crash.html
Said Abou-Hallawa
Comment 6 2025-02-27 12:03:08 PST
The same crash will be hit if we try to Save As PDF any page while `site-isolation` is enabled.
Said Abou-Hallawa
Comment 7 2025-02-27 12:05:24 PST
This is in fact a regression of 290300@main.
EWS
Comment 8 2025-02-27 12:22:56 PST
Test gardening commit 291244@main (0f212d21f83b): <https://commits.webkit.org/291244@main> Reviewed commits have been landed. Closing PR #41534 and removing active labels.
Said Abou-Hallawa
Comment 9 2025-02-27 12:39:32 PST
Marta Darbinyan
Comment 10 2025-02-28 11:01:28 PST
*** Bug 288742 has been marked as a duplicate of this bug. ***
EWS
Comment 11 2025-03-03 13:27:45 PST
Committed 291521@main (24861604232c): <https://commits.webkit.org/291521@main> Reviewed commits have been landed. Closing PR #41536 and removing active labels.