211074 – [GTK] Crash in Nicosia::CairoOperationRecorder::drawGlyphs

NEW 211074

[GTK] Crash in Nicosia::CairoOperationRecorder::drawGlyphs

https://bugs.webkit.org/show_bug.cgi?id=211074

Summary [GTK] Crash in Nicosia::CairoOperationRecorder::drawGlyphs

Michael Catanzaro

Reported 2020-04-27 06:41:24 PDT

My Epiphany is in a weird state (reminds me of bug #201507, but different) where the web process crashes when loading target.com. As with bug #201507, the crash is 100% reproducible in my current UI process but not reproducible at all in new processes. Unlike bug #201507, this crash is not triggered by AC mode. It only occurs on target.com, not for poster circle. Note, in particular, frame #12 here, where we have an illegal call to Nicosia::CairoOperationRecorder::drawGlyphs with this=0x0: #12 0x00007f77fdf37958 in Nicosia::CairoOperationRecorder::drawGlyphs(WebCore::Font const&, WebCore::GlyphBuffer const&, unsigned int, unsigned int, WebCore::FloatPoint const&, WebCore::FontSmoothingMode) (this=0x0, font=..., glyphBuffer=..., from=<optimized out>, numGlyphs=<optimized out>, point=..., fontSmoothing=WebCore::FontSmoothingMode::AutoSmoothing) at ../Source/WebCore/platform/graphics/nicosia/cairo/NicosiaCairoOperationRecorder.cpp:529 Program terminated with signal SIGSEGV, Segmentation fault. #0 0x00007f77fdf37958 in std::__exchange<_cairo_scaled_font*, decltype(nullptr)&>(_cairo_scaled_font*&, decltype(nullptr)&) (__new_val=<optimized out>, __obj=@0x7fffcb2dd938: 0x0) at /usr/include/c++/9.2.0/bits/move.h:149 149 __exchange(_Tp& __obj, _Up&& __new_val) #0 0x00007f77fdf37958 in std::__exchange<_cairo_scaled_font*, decltype(nullptr)&>(_cairo_scaled_font*&, decltype(nullptr)&) (__new_val=<optimized out>, __obj=@0x7fffcb2dd938: 0x0) at /usr/include/c++/9.2.0/bits/move.h:149 #1 0x00007f77fdf37958 in std::exchange<_cairo_scaled_font*, decltype(nullptr)&>(_cairo_scaled_font*&, decltype(nullptr)&) (__new_val=<optimized out>, __obj=@0x7fffcb2dd938: 0x0) at /usr/include/c++/9.2.0/utility:287 #2 0x00007f77fdf37958 in WTF::DumbPtrTraits<_cairo_scaled_font>::exchange<decltype(nullptr)>(_cairo_scaled_font*&, decltype(nullptr)&&) (newValue=<optimized out>, ptr=@0x7fffcb2dd938: 0x0) at DerivedSources/ForwardingHeaders/wtf/DumbPtrTraits.h:40 #3 0x00007f77fdf37958 in WTF::RefPtr<_cairo_scaled_font, WTF::DumbPtrTraits<_cairo_scaled_font> >::~RefPtr() (this=0x7fffcb2dd938, __in_chrg=<optimized out>) at DerivedSources/ForwardingHeaders/wtf/RefPtr.h:70 #4 0x00007f77fdf37958 in std::_Head_base<4ul, WTF::RefPtr<_cairo_scaled_font, WTF::DumbPtrTraits<_cairo_scaled_font> >, false>::~_Head_base() (this=0x7fffcb2dd938, __in_chrg=<optimized out>) at /usr/include/c++/9.2.0/tuple:120 #5 0x00007f77fdf37958 in std::_Tuple_impl<4ul, WTF::RefPtr<_cairo_scaled_font, WTF::DumbPtrTraits<_cairo_scaled_font> >, float, WTF::Vector<cairo_glyph_t, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, float, unsigned int, float, WebCore::FloatSize, WebCore::Color, WebCore::FontSmoothingMode>::~_Tuple_impl() (this=0x7fffcb2dd8f8, __in_chrg=<optimized out>) at /usr/include/c++/9.2.0/tuple:185 #6 0x00007f77fdf37958 in std::_Tuple_impl<3ul, WebCore::FloatPoint, WTF::RefPtr<_cairo_scaled_font, WTF::DumbPtrTraits<_cairo_scaled_font> >, float, WTF::Vector<cairo_glyph_t, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, float, unsigned int, float, WebCore::FloatSize, WebCore::Color, WebCore::FontSmoothingMode>::~_Tuple_impl() (this=0x7fffcb2dd8f8, __in_chrg=<optimized out>) at /usr/include/c++/9.2.0/tuple:185 #7 0x00007f77fdf37958 in std::_Tuple_impl<2ul, WebCore::Cairo::ShadowState, WebCore::FloatPoint, WTF::RefPtr<_cairo_scaled_font, WTF::DumbPtrTraits<_cairo_scaled_font> >, float, WTF::Vector<cairo_glyph_t, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, float, unsigned int, float, WebCore::FloatSize, WebCore::Color, WebCore::FontSmoothingMode>::~_Tuple_impl() (this=0x7fffcb2dd8f8, __in_chrg=<optimized out>) at /usr/include/c++/9.2.0/tuple:185 #8 0x00007f77fdf37958 in std::_Tuple_impl<1ul, WebCore::Cairo::StrokeSource, WebCore::Cairo::ShadowState, WebCore::FloatPoint, WTF::RefPtr<_cairo_scaled_font, WTF::DumbPtrTraits<_cairo_scaled_font> >, float, WTF::Vector<cairo_glyph_t, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, float, unsigned int, float, WebCore::FloatSize, WebCore::Color, WebCore::FontSmoothingMode>::~_Tuple_impl() (this=0x7fffcb2dd8f8, __in_chrg=<optimized out>) at /usr/include/c++/9.2.0/tuple:185 #9 0x00007f77fdf37958 in std::_Tuple_impl<0ul, WebCore::Cairo::FillSource, WebCore::Cairo::StrokeSource, WebCore::Cairo::ShadowState, WebCore::FloatPoint, WTF::RefPtr<_cairo_scaled_font, WTF::DumbPtrTraits<_cairo_scaled_font> >, float, WTF::Vector<cairo_glyph_t, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, float, unsigned int, float, WebCore::FloatSize, WebCore::Color, WebCore::FontSmoothingMode>::~_Tuple_impl() (this=0x7fffcb2dd8f8, __in_chrg=<optimized out>) at /usr/include/c++/9.2.0/tuple:185 #10 0x00007f77fdf37958 in std::tuple<WebCore::Cairo::FillSource, WebCore::Cairo::StrokeSource, WebCore::Cairo::ShadowState, WebCore::FloatPoint, WTF::RefPtr<_cairo_scaled_font, WTF::DumbPtrTraits<_cairo_scaled_font> >, float, WTF::Vector<cairo_glyph_t, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, float, unsigned int, float, WebCore::FloatSize, WebCore::Color, WebCore::FontSmoothingMode>::~tuple() (this=0x7fffcb2dd8f8, __in_chrg=<optimized out>) at /usr/include/c++/9.2.0/tuple:523 #11 0x00007f77fdf37958 in Nicosia::createCommand<Nicosia::CairoOperationRecorder::drawGlyphs(const WebCore::Font&, const WebCore::GlyphBuffer&, unsigned int, unsigned int, const WebCore::FloatPoint&, WebCore::FontSmoothingMode)::DrawGlyphs, WebCore::Cairo::FillSource, WebCore::Cairo::StrokeSource, WebCore::Cairo::ShadowState, const WebCore::FloatPoint&, WTF::RefPtr<_cairo_scaled_font, WTF::DumbPtrTraits<_cairo_scaled_font> >, float, WTF::Vector<cairo_glyph_t, 0, WTF::CrashOnOverflow, 16, WTF::FastMalloc>, float&, unsigned int const&, float const&, const WebCore::FloatSize&, const WebCore::Color&, WebCore::FontSmoothingMode&> () at ../Source/WebCore/platform/graphics/nicosia/cairo/NicosiaCairoOperationRecorder.cpp:64 #12 0x00007f77fdf37958 in Nicosia::CairoOperationRecorder::drawGlyphs(WebCore::Font const&, WebCore::GlyphBuffer const&, unsigned int, unsigned int, WebCore::FloatPoint const&, WebCore::FontSmoothingMode) (this=0x0, font=..., glyphBuffer=..., from=<optimized out>, numGlyphs=<optimized out>, point=..., fontSmoothing=WebCore::FontSmoothingMode::AutoSmoothing) at ../Source/WebCore/platform/graphics/nicosia/cairo/NicosiaCairoOperationRecorder.cpp:529 #13 0x0000000101000101 in () #14 0x0001000000000000 in () #15 0x000000003f800000 in () #16 0x00007f77fd483beb in std::__exchange<WebCore::WebGLBuffer*, decltype(nullptr)&>(WebCore::WebGLBuffer*&, decltype(nullptr)&) (__new_val=<optimized out>, __obj=@0x7fffcb2dda70: 0x7f77ed3fbb00) at /usr/include/c++/9.2.0/bits/move.h:149 #17 0x00007f77fd483beb in std::exchange<WebCore::WebGLBuffer*, decltype(nullptr)&>(WebCore::WebGLBuffer*&, decltype(nullptr)&) (__new_val=<optimized out>, __obj=@0x7fffcb2dda70: 0x7f77ed3fbb00) at /usr/include/c++/9.2.0/utility:287 #18 0x00007f77fd483beb in WTF::DumbPtrTraits<WebCore::WebGLBuffer>::exchange<decltype(nullptr)>(WebCore::WebGLBuffer*&, decltype(nullptr)&&) (newValue=<optimized out>, ptr=@0x7fffcb2dda70: 0x7f77ed3fbb00) at DerivedSources/ForwardingHeaders/wtf/DumbPtrTraits.h:40 #19 0x00007f77fd483beb in WTF::RefPtr<WebCore::WebGLBuffer, WTF::DumbPtrTraits<WebCore::WebGLBuffer> >::leakRef() (this=0x7fffcb2dda70) at DerivedSources/ForwardingHeaders/wtf/RefPtr.h:125 #20 0x00007f77fd483beb in WTF::RefPtr<WebCore::WebGLBuffer, WTF::DumbPtrTraits<WebCore::WebGLBuffer> >::RefPtr(WTF::RefPtr<WebCore::WebGLBuffer, WTF::DumbPtrTraits<WebCore::WebGLBuffer> >&&) (o=..., this=<synthetic pointer>) at DerivedSources/ForwardingHeaders/wtf/RefPtr.h:62 #21 0x00007f77fd483beb in WTF::RefPtr<WebCore::WebGLBuffer, WTF::DumbPtrTraits<WebCore::WebGLBuffer> >::operator=(WTF::RefPtr<WebCore::WebGLBuffer, WTF::DumbPtrTraits<WebCore::WebGLBuffer> >&&) (o=..., this=0x7fffcb2ddd00) at DerivedSources/ForwardingHeaders/wtf/RefPtr.h:163 #22 0x00007f77fd483beb in WebCore::WebGLRenderingContextBase::initVertexAttrib0() (this=0x7fffcb2ddb10) at ../Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp:6150 #23 0xdaa039c7f156d100 in () #24 0x00007f77ece00000 in () #25 0x00007f77ec3049d0 in () #26 0x00007f77ec3049d0 in () #27 0x00007fffcb2ddc50 in () #28 0x00007fffcb2ddbb0 in () #29 0x00007f77ed1edc68 in () #30 0x00007fffcb2ddb10 in () #31 0x00007f77fd35ef23 in WebCore::HTMLBodyElement::parseAttribute(WebCore::QualifiedName const&, WTF::AtomString const&) (this=0x7d4aa000, name=..., value=...) at DerivedSources/ForwardingHeaders/wtf/text/AtomString.h:91 #32 0x0001000000000000 in () #33 0x000000003f800000 in () #34 0x0000000000000000 in ()

Attachments
Add attachment proposed patch, testcase, etc.

Michael Catanzaro

Comment 1 2020-04-27 06:42:12 PDT

BTW this is with 2.28.1, since we don't have 2.28.2 in Tech Preview yet.

Carlos Garcia Campos

Comment 2 2020-06-29 02:16:40 PDT

This is weird, AFAIK Nicosia::CairoOperationRecorder is only used for threaded rendering, which can't be enabled in the GTK port. I wonder how you ended up with a recording graphics context. Zan?

Note You need to log in before you can comment on or make changes to this bug.

Status NEW

Resolution

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware PC

OS Linux

Product WebKit

Component WebKitGTK

Assignee

Nobody

Reported

2020-04-27 06:41 PDT

Modified

2020-06-29 02:16 PDT History

CC List

4 users Show

URL

Keywords

Depends on

Blocks