Bug 218773 - [GPU Process] Memory corruption when flushing a display list before recording an item into another display list
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: Canvas
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2020-11-10 14:09 PST by Said Abou-Hallawa
Modified: 2020-12-10 10:26 PST
CC: 4 users

See Also:


Attachments
test case (1.04 KB, text/html)
2020-11-10 14:09 PST, Said Abou-Hallawa

Description Said Abou-Hallawa 2020-11-10 14:09:09 PST
Created attachment 413738
test case

Open the attached test case after enabling GPU rendering for Canvas. The result is memory corruption with the following call stack:

Process:               com.apple.WebKit.WebContent.Development [20708]
Path:                  /Volumes/VOLUME/*/com.apple.WebKit.WebContent.Development
Identifier:            com.apple.WebKit.WebContent.Development
Version:               611+ (611.1.5+)
Code Type:             X86-64 (Native)
Parent Process:        ??? [1]
Responsible:           MiniBrowser [20690]
User ID:               501

Date/Time:             2020-11-10 10:35:59.614 -0800
OS Version:            Mac OS X 10.16 (20A2390)
Report Version:        12
Bridge OS Version:     5.0 (18P2405)
Anonymous UUID:        E10D90FF-F0E4-F39B-653E-9A623503F035

Sleep/Wake UUID:       CD8C2CA3-F7AE-4A88-96C8-1290F414D163

Time Awake Since Boot: 430000 seconds
Time Since Wake:       4000 seconds

System Integrity Protection: enabled

Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x00000005913ea074
Exception Note:        EXC_CORPSE_NOTIFY

Termination Signal:    Segmentation fault: 11
Termination Reason:    Namespace SIGNAL, Code 0xb
Terminating Process:   exc handler [20708]

VM Regions Near 0x5913ea074:
    __LINKEDIT                  591386000-591388000    [    8K] rw-/rwx SM=NUL  /System/Library/Extensions/AMDRadeonX5000MTLDriver.bundle/Contents/MacOS/AMDRadeonX5000MTLDriver
--> 
    WebKit Malloc               591400000-591700000    [ 3072K] rw-/rwx SM=PRV  

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x000000056a614fe3 void WebCore::DisplayList::ItemBuffer::uncheckedAppend<WebCore::DisplayList::DrawImageBuffer, WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WebCore::FloatRect const&, WebCore::FloatRect const&, WebCore::ImagePaintingOptions const&>(WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>&&, WebCore::FloatRect const&, WebCore::FloatRect const&, WebCore::ImagePaintingOptions const&) + 51 (DisplayListItemBuffer.h:182)
1   com.apple.WebCore             	0x000000056a614fa1 void WebCore::DisplayList::ItemBuffer::append<WebCore::DisplayList::DrawImageBuffer, WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WebCore::FloatRect const&, WebCore::FloatRect const&, WebCore::ImagePaintingOptions const&>(WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>&&, WebCore::FloatRect const&, WebCore::FloatRect const&, WebCore::ImagePaintingOptions const&) + 129 (DisplayListItemBuffer.h:167)
2   com.apple.WebCore             	0x000000056a614e61 void WebCore::DisplayList::DisplayList::append<WebCore::DisplayList::DrawImageBuffer, WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WebCore::FloatRect const&, WebCore::FloatRect const&, WebCore::ImagePaintingOptions const&>(WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>&&, WebCore::FloatRect const&, WebCore::FloatRect const&, WebCore::ImagePaintingOptions const&) + 113 (DisplayList.h:179)
3   com.apple.WebCore             	0x000000056a5edb39 void WebCore::DisplayList::Recorder::append<WebCore::DisplayList::DrawImageBuffer, WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WebCore::FloatRect const&, WebCore::FloatRect const&, WebCore::ImagePaintingOptions const&>(WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>&&, WebCore::FloatRect const&, WebCore::FloatRect const&, WebCore::ImagePaintingOptions const&) + 169 (DisplayListRecorder.h:154)
4   com.apple.WebCore             	0x000000056a5ed9cc WebCore::DisplayList::Recorder::drawImageBuffer(WebCore::ImageBuffer&, WebCore::FloatRect const&, WebCore::FloatRect const&, WebCore::ImagePaintingOptions const&) + 156 (DisplayListRecorder.cpp:193)
5   com.apple.WebCore             	0x000000056a467d03 WebCore::GraphicsContext::drawImageBuffer(WebCore::ImageBuffer&, WebCore::FloatRect const&, WebCore::FloatRect const&, WebCore::ImagePaintingOptions const&) + 147 (GraphicsContext.cpp:807)
6   com.apple.WebCore             	0x0000000569984fb6 WebCore::CanvasRenderingContext2DBase::drawImage(WebCore::CanvasBase&, WebCore::FloatRect const&, WebCore::FloatRect const&) + 1878 (CanvasRenderingContext2DBase.cpp:1608)
7   com.apple.WebCore             	0x000000056999b6b9 WebCore::ExceptionOr<void> WebCore::CanvasRenderingContext2DBase::drawImage(WTF::Variant<WTF::RefPtr<WebCore::HTMLImageElement, WTF::RawPtrTraits<WebCore::HTMLImageElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLImageElement> >, WTF::RefPtr<WebCore::HTMLCanvasElement, WTF::RawPtrTraits<WebCore::HTMLCanvasElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLCanvasElement> >, WTF::RefPtr<WebCore::ImageBitmap, WTF::RawPtrTraits<WebCore::ImageBitmap>, WTF::DefaultRefDerefTraits<WebCore::ImageBitmap> >, WTF::RefPtr<WebCore::TypedOMCSSImageValue, WTF::RawPtrTraits<WebCore::TypedOMCSSImageValue>, WTF::DefaultRefDerefTraits<WebCore::TypedOMCSSImageValue> >, WTF::RefPtr<WebCore::HTMLVideoElement, WTF::RawPtrTraits<WebCore::HTMLVideoElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLVideoElement> > >&&, float, float, float, float)::$_4::operator()<WTF::RefPtr<WebCore::HTMLCanvasElement, WTF::RawPtrTraits<WebCore::HTMLCanvasElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLCanvasElement> > >(WTF::RefPtr<WebCore::HTMLCanvasElement, WTF::RawPtrTraits<WebCore::HTMLCanvasElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLCanvasElement> >&) const + 217 (CanvasRenderingContext2DBase.cpp:1427)
8   com.apple.WebCore             	0x000000056999b3e6 WebCore::ExceptionOr<void> WTF::__visitor_table<WTF::Visitor<WebCore::CanvasRenderingContext2DBase::drawImage(WTF::Variant<WTF::RefPtr<WebCore::HTMLImageElement, WTF::RawPtrTraits<WebCore::HTMLImageElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLImageElement> >, WTF::RefPtr<WebCore::HTMLCanvasElement, WTF::RawPtrTraits<WebCore::HTMLCanvasElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLCanvasElement> >, WTF::RefPtr<WebCore::ImageBitmap, WTF::RawPtrTraits<WebCore::ImageBitmap>, WTF::DefaultRefDerefTraits<WebCore::ImageBitmap> >, WTF::RefPtr<WebCore::TypedOMCSSImageValue, WTF::RawPtrTraits<WebCore::TypedOMCSSImageValue>, WTF::DefaultRefDerefTraits<WebCore::TypedOMCSSImageValue> >, WTF::RefPtr<WebCore::HTMLVideoElement, WTF::RawPtrTraits<WebCore::HTMLVideoElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLVideoElement> > >&&, float, float, float, float)::$_4>, WTF::RefPtr<WebCore::HTMLImageElement, WTF::RawPtrTraits<WebCore::HTMLImageElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLImageElement> >, WTF::RefPtr<WebCore::HTMLCanvasElement, WTF::RawPtrTraits<WebCore::HTMLCanvasElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLCanvasElement> >, WTF::RefPtr<WebCore::ImageBitmap, WTF::RawPtrTraits<WebCore::ImageBitmap>, WTF::DefaultRefDerefTraits<WebCore::ImageBitmap> >, WTF::RefPtr<WebCore::TypedOMCSSImageValue, WTF::RawPtrTraits<WebCore::TypedOMCSSImageValue>, WTF::DefaultRefDerefTraits<WebCore::TypedOMCSSImageValue> >, WTF::RefPtr<WebCore::HTMLVideoElement, WTF::RawPtrTraits<WebCore::HTMLVideoElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLVideoElement> > >::__trampoline_func<WTF::RefPtr<WebCore::HTMLCanvasElement, WTF::RawPtrTraits<WebCore::HTMLCanvasElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLCanvasElement> > >(WTF::Visitor<WebCore::CanvasRenderingContext2DBase::drawImage(WTF::Variant<WTF::RefPtr<WebCore::HTMLImageElement, WTF::RawPtrTraits<WebCore::HTMLImageElement>, 
WTF::DefaultRefDerefTraits<WebCore::HTMLImageElement> >, WTF::RefPtr<WebCore::HTMLCanvasElement, WTF::RawPtrTraits<WebCore::HTMLCanvasElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLCanvasElement> >, WTF::RefPtr<WebCore::ImageBitmap, WTF::RawPtrTraits<WebCore::ImageBitmap>, WTF::DefaultRefDerefTraits<WebCore::ImageBitmap> >, WTF::RefPtr<WebCore::TypedOMCSSImageValue, WTF::RawPtrTraits<WebCore::TypedOMCSSImageValue>, WTF::DefaultRefDerefTraits<WebCore::TypedOMCSSImageValue> >, WTF::RefPtr<WebCore::HTMLVideoElement, WTF::RawPtrTraits<WebCore::HTMLVideoElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLVideoElement> > >&&, float, float, float, float)::$_4>&, WTF::Variant<WTF::RefPtr<WebCore::HTMLImageElement, WTF::RawPtrTraits<WebCore::HTMLImageElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLImageElement> >, WTF::RefPtr<WebCore::HTMLCanvasElement, WTF::RawPtrTraits<WebCore::HTMLCanvasElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLCanvasElement> >, WTF::RefPtr<WebCore::ImageBitmap, WTF::RawPtrTraits<WebCore::ImageBitmap>, WTF::DefaultRefDerefTraits<WebCore::ImageBitmap> >, WTF::RefPtr<WebCore::TypedOMCSSImageValue, WTF::RawPtrTraits<WebCore::TypedOMCSSImageValue>, WTF::DefaultRefDerefTraits<WebCore::TypedOMCSSImageValue> >, WTF::RefPtr<WebCore::HTMLVideoElement, WTF::RawPtrTraits<WebCore::HTMLVideoElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLVideoElement> > >&) + 70 (Variant.h:1870)
9   com.apple.WebCore             	0x000000056999b2bd WTF::__visitor_return_type<WTF::Visitor<WebCore::CanvasRenderingContext2DBase::drawImage(WTF::Variant<WTF::RefPtr<WebCore::HTMLImageElement, WTF::RawPtrTraits<WebCore::HTMLImageElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLImageElement> >, WTF::RefPtr<WebCore::HTMLCanvasElement, WTF::RawPtrTraits<WebCore::HTMLCanvasElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLCanvasElement> >, WTF::RefPtr<WebCore::ImageBitmap, WTF::RawPtrTraits<WebCore::ImageBitmap>, WTF::DefaultRefDerefTraits<WebCore::ImageBitmap> >, WTF::RefPtr<WebCore::TypedOMCSSImageValue, WTF::RawPtrTraits<WebCore::TypedOMCSSImageValue>, WTF::DefaultRefDerefTraits<WebCore::TypedOMCSSImageValue> >, WTF::RefPtr<WebCore::HTMLVideoElement, WTF::RawPtrTraits<WebCore::HTMLVideoElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLVideoElement> > >&&, float, float, float, float)::$_4>, WTF::RefPtr<WebCore::HTMLImageElement, WTF::RawPtrTraits<WebCore::HTMLImageElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLImageElement> >, WTF::RefPtr<WebCore::HTMLCanvasElement, WTF::RawPtrTraits<WebCore::HTMLCanvasElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLCanvasElement> >, WTF::RefPtr<WebCore::ImageBitmap, WTF::RawPtrTraits<WebCore::ImageBitmap>, WTF::DefaultRefDerefTraits<WebCore::ImageBitmap> >, WTF::RefPtr<WebCore::TypedOMCSSImageValue, WTF::RawPtrTraits<WebCore::TypedOMCSSImageValue>, WTF::DefaultRefDerefTraits<WebCore::TypedOMCSSImageValue> >, WTF::RefPtr<WebCore::HTMLVideoElement, WTF::RawPtrTraits<WebCore::HTMLVideoElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLVideoElement> > >::__type WTF::visit<WTF::Visitor<WebCore::CanvasRenderingContext2DBase::drawImage(WTF::Variant<WTF::RefPtr<WebCore::HTMLImageElement, WTF::RawPtrTraits<WebCore::HTMLImageElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLImageElement> >, WTF::RefPtr<WebCore::HTMLCanvasElement, WTF::RawPtrTraits<WebCore::HTMLCanvasElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLCanvasElement> >, 
WTF::RefPtr<WebCore::ImageBitmap, WTF::RawPtrTraits<WebCore::ImageBitmap>, WTF::DefaultRefDerefTraits<WebCore::ImageBitmap> >, WTF::RefPtr<WebCore::TypedOMCSSImageValue, WTF::RawPtrTraits<WebCore::TypedOMCSSImageValue>, WTF::DefaultRefDerefTraits<WebCore::TypedOMCSSImageValue> >, WTF::RefPtr<WebCore::HTMLVideoElement, WTF::RawPtrTraits<WebCore::HTMLVideoElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLVideoElement> > >&&, float, float, float, float)::$_4>, WTF::RefPtr<WebCore::HTMLImageElement, WTF::RawPtrTraits<WebCore::HTMLImageElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLImageElement> >, WTF::RefPtr<WebCore::HTMLCanvasElement, WTF::RawPtrTraits<WebCore::HTMLCanvasElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLCanvasElement> >, WTF::RefPtr<WebCore::ImageBitmap, WTF::RawPtrTraits<WebCore::ImageBitmap>, WTF::DefaultRefDerefTraits<WebCore::ImageBitmap> >, WTF::RefPtr<WebCore::TypedOMCSSImageValue, WTF::RawPtrTraits<WebCore::TypedOMCSSImageValue>, WTF::DefaultRefDerefTraits<WebCore::TypedOMCSSImageValue> >, WTF::RefPtr<WebCore::HTMLVideoElement, WTF::RawPtrTraits<WebCore::HTMLVideoElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLVideoElement> > >(WTF::Visitor<WebCore::CanvasRenderingContext2DBase::drawImage(WTF::Variant<WTF::RefPtr<WebCore::HTMLImageElement, WTF::RawPtrTraits<WebCore::HTMLImageElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLImageElement> >, WTF::RefPtr<WebCore::HTMLCanvasElement, WTF::RawPtrTraits<WebCore::HTMLCanvasElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLCanvasElement> >, WTF::RefPtr<WebCore::ImageBitmap, WTF::RawPtrTraits<WebCore::ImageBitmap>, WTF::DefaultRefDerefTraits<WebCore::ImageBitmap> >, WTF::RefPtr<WebCore::TypedOMCSSImageValue, WTF::RawPtrTraits<WebCore::TypedOMCSSImageValue>, WTF::DefaultRefDerefTraits<WebCore::TypedOMCSSImageValue> >, WTF::RefPtr<WebCore::HTMLVideoElement, WTF::RawPtrTraits<WebCore::HTMLVideoElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLVideoElement> > >&&, float, float, float, float)::$_4>&&, 
WTF::Variant<WTF::RefPtr<WebCore::HTMLImageElement, WTF::RawPtrTraits<WebCore::HTMLImageElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLImageElement> >, WTF::RefPtr<WebCore::HTMLCanvasElement, WTF::RawPtrTraits<WebCore::HTMLCanvasElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLCanvasElement> >, WTF::RefPtr<WebCore::ImageBitmap, WTF::RawPtrTraits<WebCore::ImageBitmap>, WTF::DefaultRefDerefTraits<WebCore::ImageBitmap> >, WTF::RefPtr<WebCore::TypedOMCSSImageValue, WTF::RawPtrTraits<WebCore::TypedOMCSSImageValue>, WTF::DefaultRefDerefTraits<WebCore::TypedOMCSSImageValue> >, WTF::RefPtr<WebCore::HTMLVideoElement, WTF::RawPtrTraits<WebCore::HTMLVideoElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLVideoElement> > >&) + 109 (Variant.h:1886)
10  com.apple.WebCore             	0x0000000569983041 decltype(WTF::visit(makeVisitor(std::forward<WebCore::CanvasRenderingContext2DBase::drawImage(WTF::Variant<WTF::RefPtr<WebCore::HTMLImageElement, WTF::RawPtrTraits<WebCore::HTMLImageElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLImageElement> >, WTF::RefPtr<WebCore::HTMLCanvasElement, WTF::RawPtrTraits<WebCore::HTMLCanvasElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLCanvasElement> >, WTF::RefPtr<WebCore::ImageBitmap, WTF::RawPtrTraits<WebCore::ImageBitmap>, WTF::DefaultRefDerefTraits<WebCore::ImageBitmap> >, WTF::RefPtr<WebCore::TypedOMCSSImageValue, WTF::RawPtrTraits<WebCore::TypedOMCSSImageValue>, WTF::DefaultRefDerefTraits<WebCore::TypedOMCSSImageValue> >, WTF::RefPtr<WebCore::HTMLVideoElement, WTF::RawPtrTraits<WebCore::HTMLVideoElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLVideoElement> > >&&, float, float, float, float)::$_4>(fp0)), std::forward<WTF::Variant<WTF::RefPtr<WebCore::HTMLImageElement, WTF::RawPtrTraits<WebCore::HTMLImageElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLImageElement> >, WTF::RefPtr<WebCore::HTMLCanvasElement, WTF::RawPtrTraits<WebCore::HTMLCanvasElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLCanvasElement> >, WTF::RefPtr<WebCore::ImageBitmap, WTF::RawPtrTraits<WebCore::ImageBitmap>, WTF::DefaultRefDerefTraits<WebCore::ImageBitmap> >, WTF::RefPtr<WebCore::TypedOMCSSImageValue, WTF::RawPtrTraits<WebCore::TypedOMCSSImageValue>, WTF::DefaultRefDerefTraits<WebCore::TypedOMCSSImageValue> >, WTF::RefPtr<WebCore::HTMLVideoElement, WTF::RawPtrTraits<WebCore::HTMLVideoElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLVideoElement> > >&>(fp))) WTF::switchOn<WTF::Variant<WTF::RefPtr<WebCore::HTMLImageElement, WTF::RawPtrTraits<WebCore::HTMLImageElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLImageElement> >, WTF::RefPtr<WebCore::HTMLCanvasElement, WTF::RawPtrTraits<WebCore::HTMLCanvasElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLCanvasElement> >, 
WTF::RefPtr<WebCore::ImageBitmap, WTF::RawPtrTraits<WebCore::ImageBitmap>, WTF::DefaultRefDerefTraits<WebCore::ImageBitmap> >, WTF::RefPtr<WebCore::TypedOMCSSImageValue, WTF::RawPtrTraits<WebCore::TypedOMCSSImageValue>, WTF::DefaultRefDerefTraits<WebCore::TypedOMCSSImageValue> >, WTF::RefPtr<WebCore::HTMLVideoElement, WTF::RawPtrTraits<WebCore::HTMLVideoElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLVideoElement> > >&, WebCore::CanvasRenderingContext2DBase::drawImage(WTF::Variant<WTF::RefPtr<WebCore::HTMLImageElement, WTF::RawPtrTraits<WebCore::HTMLImageElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLImageElement> >, WTF::RefPtr<WebCore::HTMLCanvasElement, WTF::RawPtrTraits<WebCore::HTMLCanvasElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLCanvasElement> >, WTF::RefPtr<WebCore::ImageBitmap, WTF::RawPtrTraits<WebCore::ImageBitmap>, WTF::DefaultRefDerefTraits<WebCore::ImageBitmap> >, WTF::RefPtr<WebCore::TypedOMCSSImageValue, WTF::RawPtrTraits<WebCore::TypedOMCSSImageValue>, WTF::DefaultRefDerefTraits<WebCore::TypedOMCSSImageValue> >, WTF::RefPtr<WebCore::HTMLVideoElement, WTF::RawPtrTraits<WebCore::HTMLVideoElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLVideoElement> > >&&, float, float, float, float)::$_4>(WTF::Variant<WTF::RefPtr<WebCore::HTMLImageElement, WTF::RawPtrTraits<WebCore::HTMLImageElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLImageElement> >, WTF::RefPtr<WebCore::HTMLCanvasElement, WTF::RawPtrTraits<WebCore::HTMLCanvasElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLCanvasElement> >, WTF::RefPtr<WebCore::ImageBitmap, WTF::RawPtrTraits<WebCore::ImageBitmap>, WTF::DefaultRefDerefTraits<WebCore::ImageBitmap> >, WTF::RefPtr<WebCore::TypedOMCSSImageValue, WTF::RawPtrTraits<WebCore::TypedOMCSSImageValue>, WTF::DefaultRefDerefTraits<WebCore::TypedOMCSSImageValue> >, WTF::RefPtr<WebCore::HTMLVideoElement, WTF::RawPtrTraits<WebCore::HTMLVideoElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLVideoElement> > >&, 
WebCore::CanvasRenderingContext2DBase::drawImage(WTF::Variant<WTF::RefPtr<WebCore::HTMLImageElement, WTF::RawPtrTraits<WebCore::HTMLImageElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLImageElement> >, WTF::RefPtr<WebCore::HTMLCanvasElement, WTF::RawPtrTraits<WebCore::HTMLCanvasElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLCanvasElement> >, WTF::RefPtr<WebCore::ImageBitmap, WTF::RawPtrTraits<WebCore::ImageBitmap>, WTF::DefaultRefDerefTraits<WebCore::ImageBitmap> >, WTF::RefPtr<WebCore::TypedOMCSSImageValue, WTF::RawPtrTraits<WebCore::TypedOMCSSImageValue>, WTF::DefaultRefDerefTraits<WebCore::TypedOMCSSImageValue> >, WTF::RefPtr<WebCore::HTMLVideoElement, WTF::RawPtrTraits<WebCore::HTMLVideoElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLVideoElement> > >&&, float, float, float, float)::$_4&&) + 145 (Variant.h:2051)
11  com.apple.WebCore             	0x0000000569982f97 WebCore::CanvasRenderingContext2DBase::drawImage(WTF::Variant<WTF::RefPtr<WebCore::HTMLImageElement, WTF::RawPtrTraits<WebCore::HTMLImageElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLImageElement> >, WTF::RefPtr<WebCore::HTMLCanvasElement, WTF::RawPtrTraits<WebCore::HTMLCanvasElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLCanvasElement> >, WTF::RefPtr<WebCore::ImageBitmap, WTF::RawPtrTraits<WebCore::ImageBitmap>, WTF::DefaultRefDerefTraits<WebCore::ImageBitmap> >, WTF::RefPtr<WebCore::TypedOMCSSImageValue, WTF::RawPtrTraits<WebCore::TypedOMCSSImageValue>, WTF::DefaultRefDerefTraits<WebCore::TypedOMCSSImageValue> >, WTF::RefPtr<WebCore::HTMLVideoElement, WTF::RawPtrTraits<WebCore::HTMLVideoElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLVideoElement> > >&&, float, float, float, float) + 103 (CanvasRenderingContext2DBase.cpp:1424)
12  com.apple.WebCore             	0x0000000566c9fee1 WebCore::jsCanvasRenderingContext2DPrototypeFunction_drawImage2Body(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSCanvasRenderingContext2D*) + 1729 (JSCanvasRenderingContext2D.cpp:1915)
13  com.apple.WebCore             	0x0000000566c9f19b WebCore::jsCanvasRenderingContext2DPrototypeFunction_drawImageOverloadDispatcher(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSCanvasRenderingContext2D*) + 299 (JSCanvasRenderingContext2D.cpp:1971)
14  com.apple.WebCore             	0x0000000566c9f03c long long WebCore::IDLOperation<WebCore::JSCanvasRenderingContext2D>::call<&(WebCore::jsCanvasRenderingContext2DPrototypeFunction_drawImageOverloadDispatcher(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSCanvasRenderingContext2D*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) + 796 (JSDOMOperation.h:53)
15  com.apple.WebCore             	0x0000000566c526e4 WebCore::jsCanvasRenderingContext2DPrototypeFunction_drawImage(JSC::JSGlobalObject*, JSC::CallFrame*) + 36 (JSCanvasRenderingContext2D.cpp:1981)
16  ???                           	0x00003767c2a01178 0 + 60918786429304
17  com.apple.JavaScriptCore      	0x000000058559a82b llint_entry + 136317 (LowLevelInterpreter.asm:1091)
18  com.apple.JavaScriptCore      	0x00000005855790c0 vmEntryToJavaScript + 289 (LowLevelInterpreter64.asm:316)
19  com.apple.JavaScriptCore      	0x00000005863c15fb JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 235 (JITCodeInlines.h:42)
20  com.apple.JavaScriptCore      	0x00000005863c1db7 JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1815 (Interpreter.cpp:905)
21  com.apple.JavaScriptCore      	0x000000058670ec3d JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 221 (CallData.cpp:57)
22  com.apple.JavaScriptCore      	0x000000058670ed1f JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 207 (CallData.cpp:64)
23  com.apple.JavaScriptCore      	0x000000058670f002 JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 130 (CallData.cpp:85)
24  com.apple.WebCore             	0x0000000568d329fe WebCore::JSExecState::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 110 (JSExecState.h:73)
25  com.apple.WebCore             	0x0000000568d32651 WebCore::JSCallbackData::invokeCallback(WebCore::JSDOMGlobalObject&, JSC::JSObject*, JSC::JSValue, JSC::MarkedArgumentBuffer&, WebCore::JSCallbackData::CallbackType, JSC::PropertyName, WTF::NakedPtr<JSC::Exception>&) + 1537 (JSCallbackData.cpp:91)
26  com.apple.WebCore             	0x0000000566b3943d WebCore::JSCallbackDataStrong::invokeCallback(JSC::JSValue, JSC::MarkedArgumentBuffer&, WebCore::JSCallbackData::CallbackType, JSC::PropertyName, WTF::NakedPtr<JSC::Exception>&) + 173 (JSCallbackData.h:90)
27  com.apple.WebCore             	0x000000056782dc17 WebCore::JSRequestAnimationFrameCallback::handleEvent(double) + 423 (JSRequestAnimationFrameCallback.cpp:70)
28  com.apple.WebCore             	0x0000000569517e51 WebCore::ScriptedAnimationController::serviceRequestAnimationFrameCallbacks(WTF::Seconds) + 545 (ScriptedAnimationController.cpp:163)
29  com.apple.WebCore             	0x000000056931d660 WebCore::Document::serviceRequestAnimationFrameCallbacks() + 128 (Document.cpp:6457)
30  com.apple.WebCore             	0x000000056a18c379 WebCore::Page::updateRendering()::$_21::operator()(WebCore::Document&) const + 25 (Page.cpp:1516)
31  com.apple.WebCore             	0x000000056a18c333 WTF::Detail::CallableWrapper<WebCore::Page::updateRendering()::$_21, void, WebCore::Document&>::call(WebCore::Document&) + 51 (Function.h:52)
32  com.apple.WebCore             	0x000000056a15961a WTF::Function<void (WebCore::Document&)>::operator()(WebCore::Document&) const + 154 (Function.h:83)
33  com.apple.WebCore             	0x000000056a14afcc WebCore::Page::forEachDocument(WTF::Function<void (WebCore::Document&)> const&) const + 220 (Page.cpp:3174)
34  com.apple.WebCore             	0x000000056a1524ac WebCore::Page::updateRendering()::$_16::operator()(WebCore::RenderingUpdateStep, WTF::Function<void (WebCore::Document&)> const&) const + 92 (Page.cpp:1491)
35  com.apple.WebCore             	0x000000056a15208d WebCore::Page::updateRendering() + 797 (Page.cpp:1515)
36  com.apple.WebKit              	0x0000000559be8976 WebKit::WebPage::updateRendering() + 38 (WebPage.cpp:3934)
37  com.apple.WebKit              	0x0000000559699bf0 WebKit::TiledCoreAnimationDrawingArea::updateRendering(WebKit::TiledCoreAnimationDrawingArea::UpdateRenderingType) + 96 (TiledCoreAnimationDrawingArea.mm:454)
38  com.apple.WebKit              	0x000000055969ea2d WebKit::TiledCoreAnimationDrawingArea::updateRenderingRunLoopCallback() + 61 (TiledCoreAnimationDrawingArea.mm:937)
39  com.apple.WebKit              	0x00000005596ab548 WebKit::TiledCoreAnimationDrawingArea::TiledCoreAnimationDrawingArea(WebKit::WebPage&, WebKit::WebPageCreationParameters const&)::$_0::operator()() const + 24 (TiledCoreAnimationDrawingArea.mm:87)
40  com.apple.WebKit              	0x00000005596ab4fe WTF::Detail::CallableWrapper<WebKit::TiledCoreAnimationDrawingArea::TiledCoreAnimationDrawingArea(WebKit::WebPage&, WebKit::WebPageCreationParameters const&)::$_0, void>::call() + 30 (Function.h:52)
41  com.apple.WebCore             	0x00000005665f9bc2 WTF::Function<void ()>::operator()() const + 130 (Function.h:83)
42  com.apple.WebCore             	0x000000056a39dfa0 WebCore::RunLoopObserver::runLoopObserverFired() + 144 (RunLoopObserver.cpp:44)
43  com.apple.WebCore             	0x000000056a39df00 WebCore::RunLoopObserver::runLoopObserverFired(__CFRunLoopObserver*, unsigned long, void*) + 32 (RunLoopObserver.cpp:38)
44  com.apple.CoreFoundation      	0x00007fff20451ded __CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__ + 23
45  com.apple.CoreFoundation      	0x00007fff20451c7d __CFRunLoopDoObservers + 549
46  com.apple.CoreFoundation      	0x00007fff20450786 CFRunLoopRunSpecific + 683
47  com.apple.Foundation          	0x00007fff211d86c1 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 212
48  com.apple.Foundation          	0x00007fff21266ac4 -[NSRunLoop(NSRunLoop) run] + 76
49  libxpc.dylib                  	0x00007fff200a93dd _xpc_objc_main + 825
50  libxpc.dylib                  	0x00007fff200a8e65 xpc_main + 437
51  com.apple.WebKit              	0x0000000558b4b8ec WebKit::XPCServiceMain(int, char const**) + 1020 (XPCServiceMain.mm:208)
52  com.apple.WebKit              	0x0000000559f03cfb WKXPCServiceMain + 27 (WKMain.mm:33)
53  com.apple.WebKit.WebContent   	0x0000000108ba3ea2 main + 34 (AuxiliaryProcessMain.cpp:30)
54  libdyld.dylib                 	0x00007fff20375591 start + 1
Comment 1 Radar WebKit Bug Importer 2020-11-10 19:30:08 PST
<rdar://problem/71266421>
Comment 2 Wenson Hsieh 2020-12-10 09:31:49 PST
Does not appear to reproduce on trunk with the canvas flag enabled, but I only tested against iOS.

Going to try Debug MiniBrowser against macOS next...
Comment 3 Wenson Hsieh 2020-12-10 10:26:40 PST
(In reply to Wenson Hsieh from comment #2)
> Does not appear to reproduce on trunk with the canvas flag enabled, but I
> only tested against iOS.
> 
> Going to try Debug MiniBrowser against macOS next...

This did not reproduce with Debug MiniBrowser against macOS either, with the GPU process canvas flag enabled.

My guess is that one of my display list or Said's image caching changes that landed recently fixed this crash.