RESOLVED FIXED 216532
[Flatpak SDK] Cherry-pick Mesa use-after-free fixes
https://bugs.webkit.org/show_bug.cgi?id=216532
Philippe Normand
Reported 2020-09-15 01:51:31 PDT
https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/5789

Thread 1 (Thread 0x7f2833fff700 (LWP 76699)):
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x00007f28c035a855 in __GI_abort () at abort.c:79
#2 0x00007f28c035a729 in __assert_fail_base (fmt=0x7f28c04c80e8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x7f2832294c10 "c != _SIMPLE_MTX_INVALID_VALUE", file=0x7f2832294caf "../src/util/simple_mtx.h", line=89, function=<optimized out>) at assert.c:92
#3 0x00007f28c0369db6 in __GI___assert_fail (assertion=assertion@entry=0x7f2832294c10 "c != _SIMPLE_MTX_INVALID_VALUE", file=file@entry=0x7f2832294caf "../src/util/simple_mtx.h", line=line@entry=89, function=function@entry=0x7f28322a1e90 <__PRETTY_FUNCTION__.11> "simple_mtx_lock") at assert.c:101
#4 0x00007f2831473a35 in simple_mtx_lock (mtx=0x7f0f780eb9a0) at ../src/util/simple_mtx.h:83
#5 0x00007f28314742fe in simple_mtx_lock (mtx=0x7f0f780eb9a0) at ../src/util/simple_mtx.h:94
#6 st_save_zombie_sampler_view (st=0x7f0f780ea130, view=<optimized out>) at ../src/mesa/state_tracker/st_context.c:314
#7 0x00007f28314660bd in st_texture_release_all_sampler_views (st=st@entry=0x7f0f800eb770, stObj=stObj@entry=0x7f0f780f2be0) at ../src/mesa/state_tracker/st_sampler_view.c:233
#8 0x00007f28314667bf in st_texture_release_all_sampler_views (stObj=0x7f0f780f2be0, st=0x7f0f800eb770) at ../src/mesa/state_tracker/st_sampler_view.c:221
#9 st_delete_texture_sampler_views (st=st@entry=0x7f0f800eb770, stObj=stObj@entry=0x7f0f780f2be0) at ../src/mesa/state_tracker/st_sampler_view.c:253
#10 0x00007f28314556be in st_DeleteTextureObject (ctx=0x7f0f802575b0, texObj=0x7f0f780f2be0) at ../src/mesa/state_tracker/st_cb_texture.c:193
#11 0x00007f283161c660 in _mesa_reference_texobj_ (ptr=ptr@entry=0x7f0f8026ab88, tex=tex@entry=0x0) at ../src/mesa/main/texobj.c:607
#12 0x00007f283162792d in _mesa_reference_texobj (tex=0x0, ptr=<optimized out>) at ../src/mesa/main/texobj.h:100
#13 _mesa_free_texture_data (ctx=ctx@entry=0x7f0f802575b0) at ../src/mesa/main/texstate.c:1101
#14 0x00007f283150be50 in _mesa_free_context_data (ctx=ctx@entry=0x7f0f802575b0) at ../src/mesa/main/context.c:1358
#15 0x00007f2831475561 in st_destroy_context (st=0x7f0f800eb770) at ../src/mesa/state_tracker/st_context.c:1107
#16 0x00007f2831451d82 in dri_destroy_context (cPriv=<optimized out>) at ../src/gallium/state_trackers/dri/dri_context.c:247
#17 0x00007f2831983267 in driDestroyContext (pcp=0x7f0f80004920) at ../src/mesa/drivers/dri/common/dri_util.c:528
#18 0x00007f286dfb2343 in drisw_destroy_context (context=0x7f0f80004790) at ../src/glx/drisw_glx.c:376
#19 0x00007f286dfb4789 in glXDestroyContext (ctx=0x7f0f80004790, dpy=0x2256d40) at ../src/glx/glxcmds.c:511
#20 glXDestroyContext (dpy=0x2256d40, ctx=0x7f0f80004790) at ../src/glx/glxcmds.c:492
#21 0x00007f28c9dd1b0b in WebCore::GLContextGLX::~GLContextGLX() () at /app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#22 0x00007f28c9dd1b89 in WebCore::GLContextGLX::~GLContextGLX() () at /app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#23 0x00007f28c85eb1f8 in WTF::Detail::CallableWrapper<WebKit::ThreadedCompositor::invalidate()::$_8, void>::call() () at /app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#24 0x00007f28c85eaf05 in WTF::Detail::CallableWrapper<WebKit::CompositingRunLoop::performTaskSync(WTF::Function<void ()>&&)::$_5, void>::call() () at /app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#25 0x00007f28c5cca086 in WTF::RunLoop::performWork() () at /app/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#26 0x00007f28c5d21f66 in WTF::RunLoop::RunLoop()::$_1::__invoke(void*) () at /app/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#27 0x00007f28c5d2145a in WTF::RunLoop::$_0::__invoke(_GSource*, int (*)(void*), void*) () at /app/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#28 0x00007f28c17ca04f in g_main_dispatch (context=0x7f0f80000b60) at ../glib/gmain.c:3325
#29 g_main_context_dispatch (context=0x7f0f80000b60) at ../glib/gmain.c:4016
#30 0x00007f28c17ca3f8 in g_main_context_iterate (context=0x7f0f80000b60, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:4092
#31 0x00007f28c17ca713 in g_main_loop_run (loop=0x7f0f80003200) at ../glib/gmain.c:4290
#32 0x00007f28c5d219fb in WTF::RunLoop::run() () at /app/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#33 0x00007f28c5ccbe40 in WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) () at /app/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#34 0x00007f28c5d24196 in WTF::wtfThreadEntryPoint(void*) () at /app/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#35 0x00007f28c286e4d2 in start_thread (arg=<optimized out>) at pthread_create.c:477
#36 0x00007f28c04364d3 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Attachments
Patch (14.71 KB, patch)
2020-09-15 01:54 PDT, Philippe Normand
zan: review+
Philippe Normand
Comment 1 2020-09-15 01:54:57 PDT
Philippe Normand
Comment 2 2020-09-15 01:56:18 PDT
In GTK this happens on 3 tests at least:
css-dark-mode/color-scheme-css-parse.html
fast/spatial-navigation/snav-z-index.html
imported/w3c/web-platform-tests/css/css-transitions/animations/text-shadow-composition.html
Philippe Normand
Comment 3 2020-09-16 00:19:19 PDT
Radar WebKit Bug Importer
Comment 4 2020-09-16 00:20:17 PDT