Bug 164913 - Crash in WebCore::Animation::animationsMatch
Summary: Crash in WebCore::Animation::animationsMatch
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Animations
Version: WebKit Nightly Build
Hardware: PC Linux
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Duplicates: 166923 167706 197985
Depends on:
Blocks:
 
Reported: 2016-11-18 04:40 PST by Michael Catanzaro
Modified: 2020-11-12 23:31 PST
CC: 10 users

See Also:


Attachments
HTML of my overview page (6.22 KB, text/html) - 2016-11-18 08:34 PST, Michael Catanzaro, no flags
CSS for the page (6.51 KB, text/css) - 2016-11-18 08:35 PST, Michael Catanzaro, no flags
Updated backtrace (2019) (123.49 KB, text/plain) - 2019-01-25 11:46 PST, Michael Catanzaro, no flags

Description Michael Catanzaro 2016-11-18 04:40:58 PST
I hit this crash when loading Epiphany's new tab page yesterday. We have 24 reports of it:

Truncated backtrace:
Thread no. 1 (10 frames)
 #0 WebCore::Animation::animationsMatch at /usr/src/debug/webkitgtk-2.14.1/Source/WebCore/platform/animation/Animation.cpp:138
 #1 WebCore::Animation::operator== at /usr/src/debug/webkitgtk-2.14.1/Source/WebCore/platform/animation/Animation.h:168
 #2 WebCore::Animation::operator!= at /usr/src/debug/webkitgtk-2.14.1/Source/WebCore/platform/animation/Animation.h:169
 #3 WebCore::AnimationList::operator== at /usr/src/debug/webkitgtk-2.14.1/Source/WebCore/platform/animation/AnimationList.cpp:59
 #4 WTF::arePointingToEqualData<std::unique_ptr<WebCore::AnimationList, std::default_delete<WebCore::AnimationList> > > at /usr/src/debug/webkitgtk-2.14.1/Source/WTF/wtf/PointerComparison.h:33
 #5 WebCore::StyleRareNonInheritedData::operator== at /usr/src/debug/webkitgtk-2.14.1/Source/WebCore/rendering/style/StyleRareNonInheritedData.cpp:258
 #6 WebCore::DataRef<WebCore::StyleRareNonInheritedData>::operator== at /usr/src/debug/webkitgtk-2.14.1/Source/WebCore/rendering/style/DataRef.h:51
 #7 WebCore::RenderStyle::operator== at /usr/src/debug/webkitgtk-2.14.1/Source/WebCore/rendering/style/RenderStyle.cpp:305
 #8 WebCore::RenderStyle::operator!= at /usr/src/debug/webkitgtk-2.14.1/Source/WebCore/rendering/style/RenderStyle.h:549
 #9 WebCore::Style::determineChange at /usr/src/debug/webkitgtk-2.14.1/Source/WebCore/style/StyleChange.cpp:63

There is a detailed backtrace attached to comment #1 in the downstream bug.
Comment 1 Michael Catanzaro 2016-11-18 04:42:08 PST
(In reply to comment #0)
> There is a detailed backtrace attached to comment #1 in the downstream bug.

In particular:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007fd56123212b in WebCore::Animation::animationsMatch (this=0x7fd54b2b1d80, other=..., matchPlayStates=matchPlayStates@entry=true) at /usr/src/debug/webkitgtk-2.14.1/Source/WebCore/platform/animation/Animation.cpp:138
138	        && *(m_timingFunction.get()) == *(other.m_timingFunction.get())
Comment 2 Simon Fraser (smfr) 2016-11-18 08:10:32 PST
Can you attach the HTML/CSS that triggers this?
Comment 3 Michael Catanzaro 2016-11-18 08:33:46 PST
(In reply to comment #2)
> Can you attach the HTML/CSS that triggers this?

I can attach the HTML/CSS generated by my overview page (which could be slightly different from what it was yesterday if my top 10 visited sites have changed since yesterday; possible since I've cleared my history recently), but it is some rare race and definitely not a reliable reproducer.
Comment 4 Michael Catanzaro 2016-11-18 08:34:48 PST
Created attachment 295153 [details]
HTML of my overview page
Comment 5 Michael Catanzaro 2016-11-18 08:35:15 PST
Created attachment 295154 [details]
CSS for the page
Comment 6 Simon Fraser (smfr) 2016-11-18 11:57:13 PST
Can you reproduce the crash with this HTML and CSS?
Comment 7 Michael Catanzaro 2016-11-18 12:32:31 PST
(In reply to comment #6)
> Can you reproduce the crash with this HTML and CSS?

No, I do not have a reproducer. I just happen to remember it crashed yesterday displaying about:overview (which does not even contain any animations).

FWIW there is a FIXME in TreeResolver::createAnimatedElementUpdate one line beneath the crash:

        update.change = determineChange(rendererToUpdate->style(), *animatedStyle);
        // If animation forces render tree reconstruction pass the original style. The animation will be applied on renderer construction.
        // FIXME: We should always use the animated style here.
        update.style = update.change == Detach ? WTFMove(newStyle) : WTFMove(animatedStyle);

But that looks probably unrelated.
Comment 8 Michael Catanzaro 2017-02-03 14:06:48 PST
*** Bug 167706 has been marked as a duplicate of this bug. ***
Comment 9 Michael Catanzaro 2017-02-03 14:08:15 PST
This also happens randomly (and rarely) in the middle of playing YouTube videos.
Comment 10 Michael Catanzaro 2017-02-09 15:29:43 PST
Here's a different crash when playing a YouTube video. I presume it's a related issue.
Comment 11 Michael Catanzaro 2019-01-25 11:46:36 PST
Created attachment 360138 [details]
Updated backtrace (2019)
Comment 12 Michael Catanzaro 2019-10-09 08:48:36 PDT
*** Bug 166923 has been marked as a duplicate of this bug. ***
Comment 13 Michael Catanzaro 2019-10-09 08:48:52 PDT
*** Bug 197985 has been marked as a duplicate of this bug. ***
Comment 14 Michael Catanzaro 2019-10-09 08:49:20 PDT
(In reply to Michael Catanzaro from comment #12)
> *** Bug 166923 has been marked as a duplicate of this bug. ***

Zan had a test patch in this bug.
Comment 15 Fujii Hironori 2020-11-12 23:31:09 PST
WebCore::Animation is a RefCounted object that is thread-unsafe. TextureMapperAnimation was shared between the main thread and the ThreadedCompositor thread. The WebCore::Animation object should be cloned, and TextureMapperAnimation should have an isolated copy of WebCore::Animation. Zan's patch (Bug 166923 comment 1) was aiming at that.

r248406 (Bug 200533) changed TextureMapperAnimation to have RefPtr<TimingFunction> instead of RefPtr<WebCore::Animation>, and to call TimingFunction::clone(). I think this crash was fixed by r248406.
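The ownership problem comment 15 describes, as an added illustration that is not WebKit's code: a non-atomic refcounted object (stand-in for a WTF::RefCounted TimingFunction) is either shared with the compositor-side animation or deep-copied via clone(). All class names here are hypothetical stand-ins, not the real WebCore types.

```cpp
#include <cstddef>

// Stand-in for a WTF::RefCounted object: the count is a plain unsigned, so
// ref()/deref() are only safe while every caller is on the same thread.
class TimingFunction {
public:
    static TimingFunction* create(double x1, double y1) { return new TimingFunction(x1, y1); }
    void ref() { ++m_refCount; }
    void deref() { if (--m_refCount == 0) delete this; }
    unsigned refCount() const { return m_refCount; }
    // Deep copy with its own fresh count: the approach r248406 took.
    TimingFunction* clone() const { return new TimingFunction(m_x1, m_y1); }
    bool operator==(const TimingFunction& o) const { return m_x1 == o.m_x1 && m_y1 == o.m_y1; }
private:
    TimingFunction(double x1, double y1) : m_x1(x1), m_y1(y1) {}
    double m_x1, m_y1;
    unsigned m_refCount = 1;   // NOT atomic: the hazard behind this bug
};

// Before: the compositor-side animation shares the main thread's object, so
// both threads touch the same non-atomic count (and the same mutable state).
struct SharedCompositorAnimation {
    TimingFunction* timing;
    explicit SharedCompositorAnimation(TimingFunction* t) : timing(t) { timing->ref(); }
    ~SharedCompositorAnimation() { timing->deref(); }
};

// After: the compositor-side animation owns an isolated clone; the main-thread
// object is never touched from the compositor thread again.
struct ClonedCompositorAnimation {
    TimingFunction* timing;
    explicit ClonedCompositorAnimation(const TimingFunction& t) : timing(t.clone()) {}
    ~ClonedCompositorAnimation() { timing->deref(); }
};

// True when the compositor copy is a distinct, value-equal allocation whose
// lifetime no longer depends on the main-thread object.
bool clonedCopyIsIsolated() {
    TimingFunction* mainThreadCopy = TimingFunction::create(0.25, 0.1);  // constructed sample
    ClonedCompositorAnimation compositor(*mainThreadCopy);
    bool distinct = compositor.timing != mainThreadCopy;
    bool equal = *compositor.timing == *mainThreadCopy;
    bool countUntouched = mainThreadCopy->refCount() == 1;
    mainThreadCopy->deref();   // main thread releases; the compositor copy survives
    return distinct && equal && countUntouched && compositor.timing->refCount() == 1;
}

// True when the shared design aliases one object across both owners.
bool sharedCopyAliasesMainThreadObject() {
    TimingFunction* mainThreadCopy = TimingFunction::create(0.25, 0.1);  // constructed sample
    SharedCompositorAnimation compositor(mainThreadCopy);
    bool aliased = compositor.timing == mainThreadCopy && mainThreadCopy->refCount() == 2;
    mainThreadCopy->deref();   // object stays alive only because the compositor still refs it
    return aliased;
}
```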