Bug 165522 - [GTK] WebkitWebProcess crashes on exit on nvidia if threaded compositing is enabled
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKitGTK
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Miguel Gomez
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-12-07 03:40 PST by Hussam Al-Tayeb
Modified: 2017-02-24 12:46 PST

See Also:


Attachments
Patch (2.51 KB, patch)
2017-02-24 03:28 PST, Miguel Gomez

Description Hussam Al-Tayeb 2016-12-07 03:40:39 PST
As the summary says WebkitWebProcess crashes on exit on nvidia if threaded compositing is enabled.
This is an issue in both 2.14.xx and 2.15.xx

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
Core was generated by `/usr/lib/webkit2gtk-4.0/WebKitWebProcess 18'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f10b5501809 in glBindFramebuffer () from /usr/lib/libGLdispatch.so.0
[Current thread is 1 (Thread 0x7f10c44fb9c0 (LWP 12222))]
(gdb) bt full
#0  0x00007f10b5501809 in glBindFramebuffer () at /usr/lib/libGLdispatch.so.0
#1  0x00007f10c30e062b in WebCore::GLContextGLX::~GLContextGLX() (this=0x7f10af1a1b40, __in_chrg=<optimized out>)
    at /home/hussam/cache/webkit2gtk/src/webkitgtk-2.15.2/Source/WebCore/platform/graphics/glx/GLContextGLX.cpp:189
#2  0x00007f10c30e06a9 in WebCore::GLContextGLX::~GLContextGLX() (this=0x7f10af1a1b40, __in_chrg=<optimized out>)
    at /home/hussam/cache/webkit2gtk/src/webkitgtk-2.15.2/Source/WebCore/platform/graphics/glx/GLContextGLX.cpp:192
#3  0x00007f10c30f2719 in std::default_delete<WebCore::GLContext>::operator()(WebCore::GLContext*) const (this=<optimized out>, __ptr=<optimized out>)
    at /usr/include/c++/6.2.1/bits/unique_ptr.h:76
#4  0x00007f10c30f2719 in std::unique_ptr<WebCore::GLContext, std::default_delete<WebCore::GLContext> >::reset(WebCore::GLContext*) (__p=<optimized out>, this=0x7f10af1fdb50) at /usr/include/c++/6.2.1/bits/unique_ptr.h:347
#5  0x00007f10c30f2719 in std::unique_ptr<WebCore::GLContext, std::default_delete<WebCore::GLContext> >::operator=(decltype(nullptr)) (this=0x7f10af1fdb50)
    at /usr/include/c++/6.2.1/bits/unique_ptr.h:283
#6  0x00007f10c30f2719 in WebCore::PlatformDisplayX11::~PlatformDisplayX11() (this=0x7f10af1fdb40, __in_chrg=<optimized out>)
    at /home/hussam/cache/webkit2gtk/src/webkitgtk-2.15.2/Source/WebCore/platform/graphics/x11/PlatformDisplayX11.cpp:61
#7  0x00007f10c30f2749 in WebCore::PlatformDisplayX11::~PlatformDisplayX11() (this=0x7f10af1fdb40, __in_chrg=<optimized out>)
    at /home/hussam/cache/webkit2gtk/src/webkitgtk-2.15.2/Source/WebCore/platform/graphics/x11/PlatformDisplayX11.cpp:65
#8  0x00007f10b59ea890 in __run_exit_handlers () at /usr/lib/libc.so.6
#9  0x00007f10b59ea8ea in  () at /usr/lib/libc.so.6
#10 0x00007f10c1d77ba3 in IPC::Connection::didFailToSendSyncMessage() (this=this@entry=0x7f10af1ea180)
    at /home/hussam/cache/webkit2gtk/src/webkitgtk-2.15.2/Source/WebKit2/Platform/IPC/Connection.cpp:876
#11 0x00007f10c1d7c67e in IPC::Connection::sendSyncMessage(unsigned long, std::unique_ptr<IPC::Encoder, std::default_delete<IPC::Encoder> >, WTF::Seconds, WTF::OptionSet<IPC::SendSyncOption>) (this=this@entry=0x7f10af1ea180, syncRequestID=8, encoder=std::unique_ptr<IPC::Encoder> containing 0x7f105c68cc80, timeout=..., timeout@entry=..., sendSyncOptions=sendSyncOptions@entry=...)
    at /home/hussam/cache/webkit2gtk/src/webkitgtk-2.15.2/Source/WebKit2/Platform/IPC/Connection.cpp:509
        locker = {m_lockable = 0x7f10af1ea260}
        protect = <optimized out>
        reply = std::unique_ptr<IPC::Decoder> containing 0x1ea8600
#12 0x00007f10c1ec588a in IPC::Connection::sendSync<Messages::WebProcessProxy::ShouldTerminate>(Messages::WebProcessProxy::ShouldTerminate&&, Messages::WebProcessProxy::ShouldTerminate::Reply&&, unsigned long, WTF::Seconds, WTF::OptionSet<IPC::SendSyncOption>) (sendSyncOptions=..., timeout=..., destinationID=0, reply=<optimized out>, message=<optimized out>, this=0x7f10af1ea180)
    at /home/hussam/cache/webkit2gtk/src/webkitgtk-2.15.2/Source/WebKit2/Platform/IPC/Connection.h:384
        syncRequestID = 8
        encoder = std::unique_ptr<IPC::Encoder> containing 0x0
        replyDecoder = std::unique_ptr<IPC::Decoder> containing 0x7f10c16222e8 <bmalloc::PerProcess<bmalloc::Heap>::s_mutex>
        shouldTerminate = false
#13 0x00007f10c1ec588a in WebKit::WebProcess::shouldTerminate() (this=<optimized out>)
    at /home/hussam/cache/webkit2gtk/src/webkitgtk-2.15.2/Source/WebKit2/WebProcess/WebProcess.cpp:608
        shouldTerminate = false
#14 0x00007f10c1d88dca in WebKit::ChildProcess::terminationTimerFired() (this=0x1d5b3c0)
    at /home/hussam/cache/webkit2gtk/src/webkitgtk-2.15.2/Source/WebKit2/Shared/ChildProcess.cpp:161
#15 0x00007f10c1f75b05 in WebKit::WebPage::close() (this=this@entry=0x7f10af1ce000)
    at /home/hussam/cache/webkit2gtk/src/webkitgtk-2.15.2/Source/WebKit2/WebProcess/WebPage/WebPage.cpp:1077
        isRunningModal = false
#16 0x00007f10c21a95d5 in IPC::callMemberFunctionImpl<WebKit::WebPage, void (WebKit::WebPage::*)(), std::tuple<>>(WebKit::WebPage*, void (WebKit::WebPage::*)(), std::tuple<>&&, std::integer_sequence<unsigned long>) (args=<optimized out>, function=<optimized out>, object=0x7f10af1ce000)
    at /home/hussam/cache/webkit2gtk/src/webkitgtk-2.15.2/Source/WebKit2/Platform/IPC/HandleMessage.h:40
#17 0x00007f10c21a95d5 in IPC::callMemberFunction<WebKit::WebPage, void (WebKit::WebPage::*)(), std::tuple<>, std::integer_sequence<unsigned long> >(std::tuple<>&&, WebKit::WebPage*, void (WebKit::WebPage::*)()) (args=<optimized out>, function=<optimized out>, object=0x7f10af1ce000)
    at /home/hussam/cache/webkit2gtk/src/webkitgtk-2.15.2/Source/WebKit2/Platform/IPC/HandleMessage.h:46
#18 0x00007f10c21a95d5 in IPC::handleMessage<Messages::WebPage::Close, WebKit::WebPage, void (WebKit::WebPage::*)()>(IPC::Decoder&, WebKit::WebPage*, void (WebKit::WebPage::*)()) (decoder=..., function=<optimized out>, object=0x7f10af1ce000)
    at /home/hussam/cache/webkit2gtk/src/webkitgtk-2.15.2/Source/WebKit2/Platform/IPC/HandleMessage.h:126
#19 0x00007f10c21a95d5 in WebKit::WebPage::didReceiveWebPageMessage(IPC::Connection&, IPC::Decoder&) (this=0x7f10af1ce000, connection=..., decoder=...)
    at /home/hussam/cache/webkit2gtk/src/build/DerivedSources/WebKit2/WebPageMessageReceiver.cpp:701
#20 0x00007f10c1d80a69 in IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) (this=this@entry=0x1d5b428, connection=..., decoder=...)
    at /home/hussam/cache/webkit2gtk/src/webkitgtk-2.15.2/Source/WebKit2/Platform/IPC/MessageReceiverMap.cpp:123
        messageReceiver = <optimized out>
#21 0x00007f10c1ecaf76 in WebKit::WebProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (this=0x1d5b3c0, connection=..., decoder=...)
    at /home/hussam/cache/webkit2gtk/src/webkitgtk-2.15.2/Source/WebKit2/WebProcess/WebProcess.cpp:641
#22 0x00007f10c1d7be4b in IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >) (this=this@entry=0x7f10af1ea180, message=std::unique_ptr<IPC::Decoder> containing 0x7f105c68e3c8)
    at /home/hussam/cache/webkit2gtk/src/webkitgtk-2.15.2/Source/WebKit2/Platform/IPC/Connection.cpp:920
        oldDidReceiveInvalidMessage = false
#23 0x00007f10c1d7cb37 in IPC::Connection::dispatchOneMessage() (this=0x7f10af1ea180)
    at /home/hussam/cache/webkit2gtk/src/webkitgtk-2.15.2/Source/WebKit2/Platform/IPC/Connection.cpp:951
        message = std::unique_ptr<IPC::Decoder> containing 0x0
#24 0x00007f10c1388a2f in WTF::Function<void ()>::operator()() const (this=<synthetic pointer>)
    at /home/hussam/cache/webkit2gtk/src/webkitgtk-2.15.2/Source/WTF/wtf/Function.h:50
        function = 
          {m_callableWrapper = std::unique_ptr<WTF::Function<void()>::CallableWrapperBase> containing 0x7f10af1e1750}
        functionsToHandle = 1
#25 0x00007f10c1388a2f in WTF::RunLoop::performWork() (this=0x7f10af1f7000)
    at /home/hussam/cache/webkit2gtk/src/webkitgtk-2.15.2/Source/WTF/wtf/RunLoop.cpp:105
        function = 
          {m_callableWrapper = std::unique_ptr<WTF::Function<void()>::CallableWrapperBase> containing 0x7f10af1e1750}
        functionsToHandle = 1
#26 0x00007f10c13af6e9 in WTF::RunLoop::<lambda(gpointer)>::operator() (__closure=0x0, userData=<optimized out>)
    at /home/hussam/cache/webkit2gtk/src/webkitgtk-2.15.2/Source/WTF/wtf/glib/RunLoopGLib.cpp:66
#27 0x00007f10c13af6e9 in WTF::RunLoop::<lambda(gpointer)>::_FUN(gpointer) ()
    at /home/hussam/cache/webkit2gtk/src/webkitgtk-2.15.2/Source/WTF/wtf/glib/RunLoopGLib.cpp:68
#28 0x00007f10ba83f39a in g_main_dispatch (context=0x1d10fd0) at gmain.c:3203
        dispatch = 
    0x7f10c13af700 <WTF::<lambda(GSource*, GSourceFunc, gpointer)>::_FUN(GSource *, GSourceFunc, gpointer)>
        prev_source = 0x0
        was_in_call = 0
        user_data = 0x7f10af1f7000
        callback = 0x7f10c13af6e0 <WTF::RunLoop::<lambda(gpointer)>::_FUN(gpointer)>
        cb_funcs = <optimized out>
        cb_data = 0x1d87d20
        need_destroy = <optimized out>
        source = 0x1d5eaa0
        current = 0x1d3b8c0
        i = 0
#29 0x00007f10ba83f39a in g_main_context_dispatch (context=context@entry=0x1d10fd0) at gmain.c:3856
#30 0x00007f10ba83f750 in g_main_context_iterate (context=0x1d10fd0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3929
        max_priority = 2147483647
        timeout = 115
        some_ready = 1
        nfds = 4
        allocated_nfds = 4
        fds = <optimized out>
#31 0x00007f10ba83fa72 in g_main_loop_run (loop=0x1d5ea80) at gmain.c:4125
        __func__ = "g_main_loop_run"
#32 0x00007f10c13b0080 in WTF::RunLoop::run() ()
    at /home/hussam/cache/webkit2gtk/src/webkitgtk-2.15.2/Source/WTF/wtf/glib/RunLoopGLib.cpp:94
        runLoop = 
            @0x7f10af1f7000: {<WTF::FunctionDispatcher> = {<WTF::ThreadSafeRefCounted<WTF::FunctionDispatcher>> = {<WTF::ThreadSafeRefCountedBase> = {m_refCount = {<std::__atomic_base<unsigned int>> = {static _S_alignment = 4, _M_i = 1}, <No data fields>}}, <No data fields>}, _vptr.FunctionDispatcher = 0x7f10c15ef650 <vtable for WTF::RunLoop+16>}, m_functionQueueLock = {m_mutex = {__data = {__lock = 0, __count = 0, __owner = 0, __nusers = 0, __kind = 512, __spins = 0, __elision = 0, __list = {__prev = 0x0, __next = 0x0}}, __size = '\000' <repeats 17 times>, "\002", '\000' <repeats 21 times>, __align = 0}}, m_functionQueue = {m_start = 17, m_end = 19, m_buffer = {<WTF::VectorBufferBase<WTF::Function<void()> >> = {m_buffer = 0x7f10af1d70a8, m_capacity = 21, m_size = 0}, <No data fields>}}, m_mainContext = {m_ptr = 0x1d10fd0}, m_mainLoops = {<WTF::VectorBuffer<WTF::GRefPtr<_GMainLoop>, 0ul>> = {<WTF::VectorBufferBase<WTF::GRefPtr<_GMainLoop> >> = {m_buffer = 0x7f10af1fa180, m_capacity = 16, m_size = 1}, <No data fields>}, <No data fields>}, m_source = {m_ptr = 0x1d5eaa0}}
        nestedMainLoop = <optimized out>
#33 0x00007f10c2143587 in WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain>(int, char**) (argc=<optimized out>, argv=0x7ffc2b5786d8)
    at /home/hussam/cache/webkit2gtk/src/webkitgtk-2.15.2/Source/WebKit2/Shared/unix/ChildProcessMain.h:61
        childMain = 
                  {<WebKit::ChildProcessMainBase> = {_vptr.ChildProcessMainBase = 0x7f10c41f5a98 <vtable for WebKit::WebProcessMain+16>, m_parameters = {uiProcessName = {m_impl = {static isRefPtr = <optimized out>, m_ptr = 0x0}}, clientIdentifier = {m_impl = {static isRefPtr = <optimized out>, m_ptr = 0x0}}, connectionIdentifier = 18, extraInitializationData = {m_impl = {static m_maxLoad = 2, static m_minLoad = 6, m_table = 0x0, m_tableSize = 0, m_tableSizeMask = 0, m_keyCount = 0, m_deletedCount = 0}}}}, <No data fields>}
#34 0x00007f10b59d5291 in __libc_start_main () at /usr/lib/libc.so.6
#35 0x0000000000400b1a in _start ()
Comment 1 Michael Catanzaro 2016-12-07 05:31:08 PST
It's very similar to bug #164912. Problem is, I thought that one was fixed in trunk. Alas.

It's actually possible you're hitting bug #164912 with stable and this bug with trunk, since the fix for bug #164912 was to remove some code that worked around an nvidia driver crash. :)
Comment 2 Miguel Gomez 2017-02-23 02:59:38 PST
My first impression here is that we are calling glBindFramebuffer without checking that the context we are about to destroy is the current one. I haven't debugged the execution, and whether someone might be setting it as current before the destruction (in which case this comment makes no sense), but if no one is taking care of that, we could be calling glBindFramebuffer on a context that has already been destroyed.
Comment 3 Miguel Gomez 2017-02-23 08:34:57 PST
This problem was introduced by r295734 in the 2.14 branch, where an exit handler was set to release the existing GLContexts. But it was fixed in 2.14.3, where that exit handler does not exist anymore.

In trunk and the 2.15 branch it seems that it already got fixed some time ago.

If there were crashes on exit on 2.15 they probably had a different stack trace, as this one is not reproducible there (there's no exit handler set to release glx contexts).

Actually currently the sharing GLContext doesn't seem to be destroyed at all on exit. I've been debugging a bit and only the compositor's GLContext is being destroyed. That should probably be handled in another bug.

Also, I think my previous comment is still valid. We need to make the about-to-be-destroyed context current in order to call glBindFramebuffer on it.
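The pattern discussed in comments 2 and 3, as an added model that is not WebKit's or the reporter's code: a GL call dispatched through the thread's current context faults when a non-current context is torn down at exit, and making the context current first avoids it. All names here (ModelContext, modelBindFramebuffer, the teardown helpers) are hypothetical.

```cpp
#include <string>
#include <utility>
#include <vector>
// Hypothetical model (not WebKit code) of the failure in comments 2 and 3: GL
// entry points dispatch through the thread's current context, so a call with no
// current context hits a missing dispatch table. Here it records a fault instead.
struct ModelContext {
    std::string name;
    unsigned boundFramebuffer; // a non-default framebuffer is still bound
};
static thread_local ModelContext* g_current = nullptr;
static std::vector<std::string> g_log;
// Stand-in for glBindFramebuffer(GL_FRAMEBUFFER, fbo) on the current context.
bool modelBindFramebuffer(unsigned fbo) {
    if (!g_current) { g_log.push_back("fault: GL call with no current context"); return false; }
    g_current->boundFramebuffer = fbo;
    g_log.push_back("bind " + std::to_string(fbo) + " on " + g_current->name);
    return true;
}
// Mirrors the reported destructor: the GL call is issued without checking that
// this context is current, so at exit it lands on no context at all.
struct UnsafeContext {
    ModelContext ctx;
    explicit UnsafeContext(std::string n) : ctx{std::move(n), 1} {}
    ~UnsafeContext() { modelBindFramebuffer(0); if (g_current == &ctx) g_current = nullptr; }
};
// Hardened destructor following comment 3: make this context current before
// resetting its framebuffer binding, then release it.
struct SafeContext {
    ModelContext ctx;
    explicit SafeContext(std::string n) : ctx{std::move(n), 1} {}
    ~SafeContext() {
        if (g_current != &ctx) g_current = &ctx; // the makeContextCurrent() step
        modelBindFramebuffer(0);
        g_current = nullptr;
    }
};
// Each helper simulates exit-time teardown of a context that is not current
// and returns true only if the unbind reached that context.
bool teardownUnsafe() {
    g_log.clear(); g_current = nullptr;
    { UnsafeContext compositor("compositor"); } // destroyed while not current
    return g_log.size() == 1 && g_log[0] == "bind 0 on compositor";
}
bool teardownSafe() {
    g_log.clear(); g_current = nullptr;
    { SafeContext compositor("compositor"); } // destroyed while not current
    return g_log.size() == 1 && g_log[0] == "bind 0 on compositor" && g_current == nullptr;
}
```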
Comment 4 Miguel Gomez 2017-02-24 03:28:56 PST
Created attachment 302663 [details]
Patch
Comment 5 Michael Catanzaro 2017-02-24 05:24:10 PST
Comment on attachment 302663 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=302663&action=review

> Source/WebCore/ChangeLog:8
> +        Before destrying a GLContextGLX we need to set the default framebufer to avoid a bug

framebuffer
Comment 6 WebKit Commit Bot 2017-02-24 12:46:30 PST
Comment on attachment 302663 [details]
Patch

Clearing flags on attachment: 302663

Committed r212968: <http://trac.webkit.org/changeset/212968>
Comment 7 WebKit Commit Bot 2017-02-24 12:46:35 PST
All reviewed patches have been landed.  Closing bug.