Bug 290076

Summary: [Fuzz Blocker][CoreIPC][GPU] `RemoteGraphicsContextGL::reshape` makes Metal.framework crash

| Field | Value | Field | Value |
|---|---|---|---|
| Product | WebKit | Reporter | roberto_rodriguez2 |
| Component | ANGLE | Assignee | Nobody <webkit-unassigned> |
| Status | RESOLVED FIXED | | |
| Severity | Normal | CC | djg, kbr, kkinnunen, webkit-bug-importer |
| Priority | P2 | Keywords | InRadar |
| Version | WebKit Nightly Build | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
roberto_rodriguez2
rdar://146463902
(Reported by Jérémie BOUTOILLE)
We are observing the following crash in `Metal.framework` when calling `RemoteGraphicsContextGL::reshape` with a big `width` or `height`:
```
-[MTLTextureDescriptorInternal validateWithDevice:]:1405: failed assertion `Texture Descriptor Validation
MTLTextureDescriptor has width (479902252) greater than the maximum allowed size of 16384.'
```
This results in a GPU process crash, blocking our fuzzers. I think we should validate `width` and `height` at some point.
# Reproduce
Tested on main (`75f68af5e660a28446d188bf1c450d524ac594f1`)
1. Build WebKit in Debug mode.
2. Run the command: `./WebKitTestRunner --internal-feature IPCTestingAPIEnabled --no-timeout crash.html`
3. You should observe the following crash:
```
-[MTLTextureDescriptorInternal validateWithDevice:]:1405: failed assertion `Texture Descriptor Validation
MTLTextureDescriptor has width (134217727) greater than the maximum allowed size of 16384.
'
com.apple.WebKit.GPU.Development terminated (pid 10405) for reason: crash
#CRASHED - com.apple.WebKit.GPU.Development (pid 10405)
```
```
(lldb) bt
* thread #11, name = 'RemoteGraphicsContextGL work queue', stop reason = hit program assert
frame #0: 0x0000000191f2e600 libsystem_kernel.dylib`__pthread_kill + 8
frame #1: 0x0000000191f66f70 libsystem_pthread.dylib`pthread_kill(th=0x000000016e0b3000, sig=6) at pthread.c:1721:12 [opt]
frame #2: 0x0000000191e73908 libsystem_c.dylib`abort at abort.c:122:8 [opt]
frame #3: 0x0000000191e72c1c libsystem_c.dylib`__assert_rtn(func=<unavailable>, file="-[MTLTextureDescriptorInternal validateWithDevice:]", line=1405, failedexpr=<unavailable>) at assert.c:94:2 [opt]
* frame #4: 0x000000019cec9870 Metal`MTLReportFailure.cold.1 at MTLDebug.mm:256:9 [opt]
frame #5: 0x000000019cea5198 Metal`MTLReportFailure(failureType=MTLFailureTypeError, func="-[MTLTextureDescriptorInternal validateWithDevice:]", line=1405, reason_format=<unavailable>) at MTLDebug.mm:256:53 [opt]
frame #6: 0x000000019ce9a670 Metal`_MTLMessageContextEnd(context=<unavailable>) at MTLError.mm:0:9 [opt]
frame #7: 0x000000019cd2c54c Metal`-[MTLTextureDescriptorInternal validateWithDevice:](self=<unavailable>, _cmd=<unavailable>, device=0x000000014b020e00) at MTLTexture.m:1773:5 [opt]
frame #8: 0x0000000102ca9cf8 AGXMetalG15X_M1`-[AGXTexture initWithDevice:desc:iosurface:plane:slice:](self=0x000000015a715240, _cmd=<unavailable>, device=0x000000014b020e00, desc=0x000000015a70f540, iosurface=0x000000015a710860, plane=0, slice=0) at agxa_texture_obj.mm:548:5 [opt]
frame #9: 0x000000010612e3a0 libANGLE-shared.dylib`rx::mtl::ContextDevice::newTextureWithDescriptor(this=0x000000015a8990b8, descriptor=0x000000015a70f540, iosurface=0x000000015a710860, plane=0) const at mtl_context_device.mm:73:32
frame #10: 0x0000000106083e88 libANGLE-shared.dylib`rx::IOSurfaceSurfaceMtl::ensureColorTextureCreated(this=0x000000014a80fc00, context=0x000000015a883600) at IOSurfaceSurfaceMtl.mm:174:70
frame #11: 0x0000000106083d44 libANGLE-shared.dylib`rx::IOSurfaceSurfaceMtl::bindTexImage(this=0x000000014a80fc00, context=0x000000015a883600, texture=0x000000014c29c130, buffer=12420) at IOSurfaceSurfaceMtl.mm:130:5
frame #12: 0x0000000106463630 libANGLE-shared.dylib`egl::Surface::bindTexImage(this=0x000000015a714f40, context=0x000000015a883600, texture=0x000000014c29c130, buffer=12420) at Surface.cpp:572:5
frame #13: 0x0000000105dab664 libANGLE-shared.dylib`egl::BindTexImage(thread=0x000000015a6c7d30, display=0x000000015a881600, surfaceID=(value = 1), buffer=12420) at egl_stubs.cpp:65:9
frame #14: 0x0000000105dda11c libANGLE-shared.dylib`EGL_BindTexImage(dpy=0x000000015a881600, surface=0x0000000000000001, buffer=12420) at entry_points_egl_autogen.cpp:903:27
frame #15: 0x00000003004e1814 WebCore`WebCore::GraphicsContextGLCocoa::bindNextDrawingBuffer(this=0x0000000114048210) at GraphicsContextGLCocoa.mm:458:10
frame #16: 0x00000003004e1304 WebCore`WebCore::GraphicsContextGLCocoa::reshapeDrawingBuffer(this=0x0000000114048210) at GraphicsContextGLCocoa.mm:378:12
frame #17: 0x00000003004c81a4 WebCore`WebCore::GraphicsContextGLANGLE::reshapeFBOs(this=0x0000000114048210, size=0x000000016e0b076c) at GraphicsContextGLANGLE.cpp:333:10
frame #18: 0x00000003004ca3d8 WebCore`WebCore::GraphicsContextGLANGLE::reshape(this=0x0000000114048210, width=134217727, height=1) at GraphicsContextGLANGLE.cpp:715:27
frame #19: 0x0000000117f51518 WebKit`WebKit::RemoteGraphicsContextGL::reshape(this=0x0000000139004530, width=134217727, height=1) at RemoteGraphicsContextGL.cpp:177:29
frame #20: 0x0000000116e65890 WebKit`auto void IPC::callMemberFunction<WebKit::RemoteGraphicsContextGL, WebKit::RemoteGraphicsContextGL, void (int, int), std::__1::tuple<int, int>>(this=0x000000016e0b0900, args=0x000000016e0b09a0, args=0x000000016e0b09a4)(int, int), std::__1::tuple<int, int>&&)::'lambda'(auto&&...)::operator()<int, int>(auto&&...) const at HandleMessage.h:134:47
```
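The backtrace shows the untrusted `(int width, int height)` pair from the `reshape` IPC message travelling unchecked from `RemoteGraphicsContextGL::reshape` through ANGLE into a Metal texture descriptor, where the framework's own validation aborts the whole GPU process. The example below, written for this page (it is not WebKit's code and not the change that landed in PR #42724), shows the shape of the check the reporter asks for: validate the message arguments in the GPU process before any backend allocation happens, so a web content process can only get its message rejected, not crash the GPU process. It hard-codes 16384, the limit quoted by the Metal assertion above; a real implementation would query the device or GL limit instead. `validateReshape`, `ReshapeHandler` and `FakeBackend` are hypothetical names, and the replayed sizes are the two values from this report plus one legal size.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>
#include <vector>

// Added example, not WebKit's code and not the fix from PR #42724.
// 16384 is the limit quoted by the Metal assertion in this report; a real
// implementation would query the device/GL limit rather than hard-code it.
constexpr int kMaxTextureDimension = 16384;

enum class ReshapeResult { Accepted, RejectedNegative, RejectedTooLarge, RejectedOverflow };

// Validate the untrusted message arguments before they reach any backend.
// `maxDimension` is a parameter so the same check works with a device-reported limit.
ReshapeResult validateReshape(int width, int height, int maxDimension = kMaxTextureDimension)
{
    if (width < 0 || height < 0)
        return ReshapeResult::RejectedNegative;
    if (width > maxDimension || height > maxDimension)
        return ReshapeResult::RejectedTooLarge;
    // Defense in depth: the RGBA8 backing-store size must fit the 32-bit
    // arithmetic many allocation paths use. Unreachable at a 16384 cap
    // (2^14 * 2^14 * 4 = 2^30) but relevant if the device limit is larger.
    const uint64_t bytes = uint64_t(width) * uint64_t(height) * 4u;
    if (bytes > uint64_t(std::numeric_limits<int32_t>::max()))
        return ReshapeResult::RejectedOverflow;
    return ReshapeResult::Accepted;
}

struct Size { int width; int height; };

// Stand-in for the real GL/Metal backend: it only records what it was asked
// to allocate, so we can see which requests got through.
struct FakeBackend {
    std::vector<Size> allocations;
    void reshape(int width, int height) { allocations.push_back({width, height}); }
};

// Hypothetical message handler mirroring the shape of the crashing frame,
// RemoteGraphicsContextGL::reshape(int, int). Returns false when the message
// is rejected; a real handler would route that through the project's
// invalid-message handling instead of silently dropping it.
struct ReshapeHandler {
    FakeBackend& backend;
    int maxDimension;

    bool handleReshape(int width, int height)
    {
        if (validateReshape(width, height, maxDimension) != ReshapeResult::Accepted)
            return false;
        backend.reshape(width, height);
        return true;
    }
};

// Replays the two widths from this report plus a legal one (constructed
// input) and returns how many requests reached the backend.
size_t replayReport(FakeBackend& backend)
{
    ReshapeHandler handler{backend, kMaxTextureDimension};
    const int widths[] = { 479902252, 134217727, 1024 };
    for (int w : widths) {
        const bool ok = handler.handleReshape(w, 1);
        std::printf("reshape(%d, 1): %s\n", w, ok ? "accepted" : "rejected");
    }
    return backend.allocations.size();
}

int main()
{
    FakeBackend backend;
    std::printf("%zu of 3 requests reached the backend\n", replayReport(backend));
    return 0;
}
```

The important property is where the check sits: it runs in the GPU process on the raw IPC arguments, before `GraphicsContextGLANGLE::reshape`, `reshapeFBOs` or any EGL/Metal call, so neither the Metal assertion in Debug builds nor a silently oversized allocation in Release builds can be reached from a malformed message.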
roberto_rodriguez2
Pull request: https://github.com/WebKit/WebKit/pull/42724
EWS
Committed 292805@main (9fc408a07d5f): <https://commits.webkit.org/292805@main>
Reviewed commits have been landed. Closing PR #42724 and removing active labels.