Bug 167772 - [EFL][CoordinatedGraphics] Layer animations involving calc cause a crash in UI process at WebCore::Length::ref()
Summary: [EFL][CoordinatedGraphics] Layer animations involving calc cause a crash in UI process at WebCore::Length::ref()
Status: RESOLVED WONTFIX
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit EFL
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
Reported: 2017-02-02 18:37 PST by Fujii Hironori
Modified: 2017-03-11 10:33 PST
See Also:

Attachments
test content of layer animation with calc (380 bytes, text/html)
2017-02-02 18:37 PST, Fujii Hironori

Description Fujii Hironori 2017-02-02 18:37:16 PST
Created attachment 300482
test content of layer animation with calc

[EFL][CoordinatedGraphics] Layer animations involving calc cause a crash in UI process at WebCore::Length::ref()

This bug happens only in multiprocess CoordinatedGraphics which is used only in EFL port.

> Program terminated with signal SIGSEGV, Segmentation fault.
> #0  0x00007fa6e3215373 in WebCore::Length::ref() const () from /home/fujii/work/webkit/gb/WebKitBuild/Release/lib/libewebkit2.so.1
> [Current thread is 1 (Thread 0x7fa6e4b2dac0 (LWP 52089))]
> (gdb) bt
> #0  0x00007fa6e3215373 in WebCore::Length::ref() const () from /home/fujii/work/webkit/gb/WebKitBuild/Release/lib/libewebkit2.so.1
> #1  0x00007fa6e2b2eadf in IPC::ArgumentCoder<WebCore::TransformOperations>::decode(IPC::Decoder&, WebCore::TransformOperations&) ()
>    from /home/fujii/work/webkit/gb/WebKitBuild/Release/lib/libewebkit2.so.1
> #2  0x00007fa6e2b2efcd in IPC::ArgumentCoder<WebCore::TextureMapperAnimation>::decode(IPC::Decoder&, WebCore::TextureMapperAnimation&) ()
>    from /home/fujii/work/webkit/gb/WebKitBuild/Release/lib/libewebkit2.so.1
> #3  0x00007fa6e2b2f4bf in IPC::ArgumentCoder<WebCore::TextureMapperAnimations>::decode(IPC::Decoder&, WebCore::TextureMapperAnimations&) ()
>    from /home/fujii/work/webkit/gb/WebKitBuild/Release/lib/libewebkit2.so.1
> #4  0x00007fa6e2b30bcd in IPC::ArgumentCoder<WebCore::CoordinatedGraphicsLayerState>::decode(IPC::Decoder&, WebCore::CoordinatedGraphicsLayerState&) ()
>    from /home/fujii/work/webkit/gb/WebKitBuild/Release/lib/libewebkit2.so.1
> #5  0x00007fa6e2b325cd in IPC::VectorArgumentCoder<false, std::pair<unsigned int, WebCore::CoordinatedGraphicsLayerState>, 0ul>::decode(IPC::Decoder&, WTF::Vector<std::pair<unsigned int, WebCore::CoordinatedGraphicsLayerState>, 0ul, WTF::CrashOnOverflow, 16ul>&) ()
>    from /home/fujii/work/webkit/gb/WebKitBuild/Release/lib/libewebkit2.so.1
> #6  0x00007fa6e2b35947 in IPC::ArgumentCoder<WebCore::CoordinatedGraphicsState>::decode(IPC::Decoder&, WebCore::CoordinatedGraphicsState&) ()
>    from /home/fujii/work/webkit/gb/WebKitBuild/Release/lib/libewebkit2.so.1
> #7  0x00007fa6e2bf858b in WebKit::CoordinatedLayerTreeHostProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&) ()
>    from /home/fujii/work/webkit/gb/WebKitBuild/Release/lib/libewebkit2.so.1
> #8  0x00007fa6e28d4689 in IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) ()
>    from /home/fujii/work/webkit/gb/WebKitBuild/Release/lib/libewebkit2.so.1
> #9  0x00007fa6e2999192 in WebKit::WebProcessProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&) ()
>    from /home/fujii/work/webkit/gb/WebKitBuild/Release/lib/libewebkit2.so.1
> #10 0x00007fa6e28d1e2b in IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >) ()
>    from /home/fujii/work/webkit/gb/WebKitBuild/Release/lib/libewebkit2.so.1
> #11 0x00007fa6e28d2be8 in IPC::Connection::dispatchOneMessage() () from /home/fujii/work/webkit/gb/WebKitBuild/Release/lib/libewebkit2.so.1
> #12 0x00007fa6e3b09e51 in WTF::RunLoop::performWork() () from /home/fujii/work/webkit/gb/WebKitBuild/Release/lib/libewebkit2.so.1
> #13 0x00007fa6e164db2e in _ecore_pipe_handler_call (p=p@entry=0x1190d40, buf=0x236d0f0 "W\b7\002", len=<optimized out>)
>     at /home/fujii/work/webkit/gb/WebKitBuild/DependenciesEFL/Source/efl-1.18.4/src/lib/ecore/ecore_pipe.c:511
> #14 0x00007fa6e164e1e9 in _ecore_pipe_read (data=0x1190d40, fd_handler=<optimized out>)
>     at /home/fujii/work/webkit/gb/WebKitBuild/DependenciesEFL/Source/efl-1.18.4/src/lib/ecore/ecore_pipe.c:637
> #15 0x00007fa6e164bb82 in _ecore_call_fd_cb (fd_handler=0x1186da0, data=<optimized out>, func=<optimized out>)
>     at /home/fujii/work/webkit/gb/WebKitBuild/DependenciesEFL/Source/efl-1.18.4/src/lib/ecore/ecore_private.h:333
> #16 _ecore_main_fd_handlers_call () at /home/fujii/work/webkit/gb/WebKitBuild/DependenciesEFL/Source/efl-1.18.4/src/lib/ecore/ecore_main.c:1974
> #17 _ecore_main_loop_iterate_internal (once_only=once_only@entry=0)
>     at /home/fujii/work/webkit/gb/WebKitBuild/DependenciesEFL/Source/efl-1.18.4/src/lib/ecore/ecore_main.c:2339
> #18 0x00007fa6e164bf67 in ecore_main_loop_begin () at /home/fujii/work/webkit/gb/WebKitBuild/DependenciesEFL/Source/efl-1.18.4/src/lib/ecore/ecore_main.c:1286
> #19 0x000000000040c9c1 in elm_main ()
> #20 0x00000000004066ec in main ()
Comment 1 Fujii Hironori 2017-02-02 18:39:58 PST
An assertion failed in the debug build.

> ASSERTION FAILED: m_map.contains(handle)
> ../../Source/WebCore/platform/Length.cpp(220) : void WebCore::CalculationValueMap::ref(unsigned int)
> 1   0x7fd7ca6d39ca WTFCrash
> 2   0x7fd7c992cd59 WebCore::CalculationValueMap::ref(unsigned int)
> 3   0x7fd7c992bb65 WebCore::Length::ref() const
> 4   0x7fd7c8ce350a WebCore::Length::Length(WebCore::Length const&)
> 5   0x7fd7c8ce5d2c WebCore::TranslateTransformOperation::TranslateTransformOperation(WebCore::Length const&, WebCore::Length const&, WebCore::Length const&, WebCore::TransformOperation::OperationType)
> 6   0x7fd7c8ce5c07 WebCore::TranslateTransformOperation::create(WebCore::Length const&, WebCore::Length const&, WebCore::Length const&, WebCore::TransformOperation::OperationType)
> 7   0x7fd7c8cdf5a6 IPC::ArgumentCoder<WebCore::TransformOperations>::decode(IPC::Decoder&, WebCore::TransformOperations&)
> 8   0x7fd7c8ce9a1f std::enable_if<!std::is_enum<WebCore::TransformOperations>::value, bool>::type IPC::Decoder::decode<WebCore::TransformOperations>(WebCore::TransformOperations&)
> 9   0x7fd7c8ce0b46 IPC::ArgumentCoder<WebCore::TextureMapperAnimation>::decode(IPC::Decoder&, WebCore::TextureMapperAnimation&)
> 10  0x7fd7c8ceffc5 std::enable_if<!std::is_enum<WebCore::TextureMapperAnimation>::value, bool>::type IPC::Decoder::decode<WebCore::TextureMapperAnimation>(WebCore::TextureMapperAnimation&)
> 11  0x7fd7c8cedd20 IPC::VectorArgumentCoder<false, WebCore::TextureMapperAnimation, 0ul>::decode(IPC::Decoder&, WTF::Vector<WebCore::TextureMapperAnimation, 0ul, WTF::CrashOnOverflow, 16ul>&)
> 12  0x7fd7c8cea027 std::enable_if<!std::is_enum<WTF::Vector<WebCore::TextureMapperAnimation, 0ul, WTF::CrashOnOverflow, 16ul> >::value, bool>::type IPC::Decoder::decode<WTF::Vector<WebCore::TextureMapperAnimation, 0ul, WTF::CrashOnOverflow, 16ul> >(WTF::Vector<WebCore::TextureMapperAnimation, 0ul, WTF::CrashOnOverflow, 16ul>&)
> 13  0x7fd7c8ce0fc2 IPC::ArgumentCoder<WebCore::TextureMapperAnimations>::decode(IPC::Decoder&, WebCore::TextureMapperAnimations&)
> 14  0x7fd7c8cea2bf std::enable_if<!std::is_enum<WebCore::TextureMapperAnimations>::value, bool>::type IPC::Decoder::decode<WebCore::TextureMapperAnimations>(WebCore::TextureMapperAnimations&)
> 15  0x7fd7c8ce18fd IPC::ArgumentCoder<WebCore::CoordinatedGraphicsLayerState>::decode(IPC::Decoder&, WebCore::CoordinatedGraphicsLayerState&)
> 16  0x7fd7c8cf4461 std::enable_if<!std::is_enum<WebCore::CoordinatedGraphicsLayerState>::value, bool>::type IPC::Decoder::decode<WebCore::CoordinatedGraphicsLayerState>(WebCore::CoordinatedGraphicsLayerState&)
> 17  0x7fd7c8cf2769 IPC::ArgumentCoder<std::pair<unsigned int, WebCore::CoordinatedGraphicsLayerState> >::decode(IPC::Decoder&, std::pair<unsigned int, WebCore::CoordinatedGraphicsLayerState>&)
> 18  0x7fd7c8cf0917 std::enable_if<!std::is_enum<std::pair<unsigned int, WebCore::CoordinatedGraphicsLayerState> >::value, bool>::type IPC::Decoder::decode<std::pair<unsigned int, WebCore::CoordinatedGraphicsLayerState> >(std::pair<unsigned int, WebCore::CoordinatedGraphicsLayerState>&)
> 19  0x7fd7c8cee6e4 IPC::VectorArgumentCoder<false, std::pair<unsigned int, WebCore::CoordinatedGraphicsLayerState>, 0ul>::decode(IPC::Decoder&, WTF::Vector<std::pair<unsigned int, WebCore::CoordinatedGraphicsLayerState>, 0ul, WTF::CrashOnOverflow, 16ul>&)
> 20  0x7fd7c8cea673 std::enable_if<!std::is_enum<WTF::Vector<std::pair<unsigned int, WebCore::CoordinatedGraphicsLayerState>, 0ul, WTF::CrashOnOverflow, 16ul> >::value, bool>::type IPC::Decoder::decode<WTF::Vector<std::pair<unsigned int, WebCore::CoordinatedGraphicsLayerState>, 0ul, WTF::CrashOnOverflow, 16ul> >(WTF::Vector<std::pair<unsigned int, WebCore::CoordinatedGraphicsLayerState>, 0ul, WTF::CrashOnOverflow, 16ul>&)
> 21  0x7fd7c8ce2275 IPC::ArgumentCoder<WebCore::CoordinatedGraphicsState>::decode(IPC::Decoder&, WebCore::CoordinatedGraphicsState&)
> 22  0x7fd7c8ea1939 std::enable_if<!std::is_enum<WebCore::CoordinatedGraphicsState>::value, bool>::type IPC::Decoder::decode<WebCore::CoordinatedGraphicsState>(WebCore::CoordinatedGraphicsState&)
> 23  0x7fd7c8ea18f3 IPC::TupleCoder<1ul, WebCore::CoordinatedGraphicsState>::decode(IPC::Decoder&, std::tuple<WebCore::CoordinatedGraphicsState>&)
> 24  0x7fd7c8ea17af IPC::ArgumentCoder<std::tuple<WebCore::CoordinatedGraphicsState> >::decode(IPC::Decoder&, std::tuple<WebCore::CoordinatedGraphicsState>&)
> 25  0x7fd7c8ea170d std::enable_if<!std::is_enum<std::tuple<WebCore::CoordinatedGraphicsState> >::value, bool>::type IPC::Decoder::decode<std::tuple<WebCore::CoordinatedGraphicsState> >(std::tuple<WebCore::CoordinatedGraphicsState>&)
> 26  0x7fd7c8ea161a void IPC::handleMessage<Messages::CoordinatedLayerTreeHostProxy::CommitCoordinatedGraphicsState, WebKit::CoordinatedLayerTreeHostProxy, void (WebKit::CoordinatedLayerTreeHostProxy::*)(WebCore::CoordinatedGraphicsState const&)>(IPC::Decoder&, WebKit::CoordinatedLayerTreeHostProxy*, void (WebKit::CoordinatedLayerTreeHostProxy::*)(WebCore::CoordinatedGraphicsState const&))
> 27  0x7fd7c8ea146f WebKit::CoordinatedLayerTreeHostProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&)
> 28  0x7fd7c87ba086 IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&)
> 29  0x7fd7c8883ee1 WebKit::ChildProcessProxy::dispatchMessage(IPC::Connection&, IPC::Decoder&)
> 30  0x7fd7c8966a8a WebKit::WebProcessProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&)
> 31  0x7fd7c879d366 IPC::Connection::dispatchMessage(IPC::Decoder&)
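Both backtraces end the same way: the UI process decodes TransformOperations, copies a Length into TranslateTransformOperation::create, and Length::ref() asks a CalculationValueMap for a handle it never registered, so the calc() handle that the web process serialized is being trusted across the IPC boundary. The following is an added illustration, not WebKit's code or the reporter's: a toy Length decoder that fails the decode on a handle unknown to the receiving process rather than ref()'ing it. The wire format, the Decoder, the map layout and every name here are assumptions of the example.

```cpp
#include <cstdint>
#include <cstring>
#include <unordered_map>
#include <vector>
// Simplified model for this example, not WebKit's code. A Length is either a fixed
// value or a calc() expression; calc() data lives in a per-process
// CalculationValueMap and the Length carries only an unsigned handle into it.
enum class LengthType : uint8_t { Fixed = 0, Calculated = 1 };
struct CalculationValueMap {
    std::unordered_map<unsigned, int> map;  // handle -> calc payload (stand-in)
    bool contains(unsigned handle) const { return map.count(handle) != 0; }
};
// handle is meaningful only for Calculated, and only in the process that allocated it.
struct Length { LengthType type; unsigned handle; float value; };
// Assumed wire format: [type:1][handle:4][value:4], host byte order.
struct Decoder {
    const std::vector<uint8_t>& buf; size_t pos = 0;
    template <typename T> bool read(T& out) {
        if (buf.size() - pos < sizeof(T)) return false;  // truncated message
        std::memcpy(&out, buf.data() + pos, sizeof(T));
        pos += sizeof(T);
        return true;
    }
};
std::vector<uint8_t> encodeLength(const Length& l) {
    std::vector<uint8_t> out(1 + sizeof(unsigned) + sizeof(float));
    out[0] = static_cast<uint8_t>(l.type);
    std::memcpy(&out[1], &l.handle, sizeof(unsigned));
    std::memcpy(&out[1 + sizeof(unsigned)], &l.value, sizeof(float));
    return out;
}
// Decode with the check the crashing path lacked: a Calculated handle the receiving
// process never registered fails the decode here, instead of being copied into a
// TransformOperation and ref()'d against a map that does not contain it.
bool decodeLength(Decoder& d, const CalculationValueMap& localMap, Length& out) {
    uint8_t type; unsigned handle; float value;
    if (!d.read(type) || !d.read(handle) || !d.read(value)) return false;
    if (type > static_cast<uint8_t>(LengthType::Calculated)) return false;  // bad enum
    out = { static_cast<LengthType>(type), handle, value };
    return out.type != LengthType::Calculated || localMap.contains(handle);
}
// Scenario helpers: round-trip one Length against a given local map.
bool decodeAccepted(const Length& in, const CalculationValueMap& localMap) {
    std::vector<uint8_t> msg = encodeLength(in);
    Decoder d{msg};
    Length out{};
    return decodeLength(d, localMap, out) && out.type == in.type && out.handle == in.handle;
}
bool foreignCalcHandleRejected() { return !decodeAccepted({LengthType::Calculated, 7u, 0.f}, CalculationValueMap{}); }
bool localCalcHandleAccepted() { CalculationValueMap m; m.map[7u] = 1; return decodeAccepted({LengthType::Calculated, 7u, 0.f}, m); }
bool fixedLengthAccepted() { return decodeAccepted({LengthType::Fixed, 0u, 12.5f}, CalculationValueMap{}); }
```

In release builds the unchecked path is the SIGSEGV from the description; in debug builds it is the m_map.contains(handle) assertion, and a decoder returning false lets the receiver drop the message instead.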
Comment 2 Michael Catanzaro 2017-03-11 10:33:55 PST
Closing this bug because the EFL port has been removed from trunk.

If you feel this bug applies to a different upstream WebKit port and was closed in error, please either update the title and reopen the bug, or leave a comment to request this.