Bug 220877 - Crash in readPixels with ANGLE Metal backend
Summary: Crash in readPixels with ANGLE Metal backend
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebGL
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Dean Jackson
URL:
Keywords: InRadar
Depends on:
Blocks: 220076
Reported: 2021-01-22 14:57 PST by Dean Jackson
Modified: 2021-02-19 03:54 PST

Attachments
Patch (2.47 KB, patch)
2021-01-28 18:57 PST, Kyle Piddington
no flags
Patch (2.12 KB, patch)
2021-02-16 17:35 PST, Kyle Piddington
dino: review+

Description Dean Jackson 2021-01-22 14:57:53 PST
I'm getting the following crash when using the Metal ANGLE backend (as well as some other test failures).

It appears that the ImageIndex of the read framebuffer attachment is an invalid type.

Test: webgl/1.0.3/conformance/renderbuffers/renderbuffer-initialization.html

Process:               com.apple.WebKit.WebContent.Development [32218]
Path:                  /Users/USER/*/com.apple.WebKit.WebContent.Development
Identifier:            com.apple.WebKit.WebContent

Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_INSTRUCTION (SIGILL)
Exception Codes:       0x0000000000000001, 0x0000000000000000
Exception Note:        EXC_CORPSE_NOTIFY

Termination Signal:    Illegal instruction: 4
Termination Reason:    Namespace SIGNAL, Code 0x4
Terminating Process:   exc handler [32218]

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x0000000454b123ae gl::LogMessage::~LogMessage() + 238 (debug.cpp:199)
1   com.apple.WebCore             	0x0000000454b11be5 gl::LogMessage::~LogMessage() + 21 (debug.cpp:175)
2   com.apple.WebCore             	0x0000000454eaa74f rx::mtl::InitializeTextureContents(gl::Context const*, std::__1::shared_ptr<rx::mtl::Texture> const&, rx::mtl::Format const&, rx::mtl::ImageNativeIndex const&) + 1327 (mtl_utils.mm:143)
3   com.apple.WebCore             	0x000000045500818d rx::RenderbufferMtl::initializeContents(gl::Context const*, gl::ImageIndex const&) + 93 (RenderBufferMtl.mm:178)
4   com.apple.WebCore             	0x0000000454d37173 gl::FramebufferAttachmentObject::initializeContents(gl::Context const*, gl::ImageIndex const&) + 595 (FramebufferAttachment.cpp:321)
5   com.apple.WebCore             	0x0000000454d36ebb gl::FramebufferAttachment::initializeContents(gl::Context const*) + 379 (FramebufferAttachment.cpp:275)
6   com.apple.WebCore             	0x0000000454d32b16 gl::(anonymous namespace)::InitAttachment(gl::Context const*, gl::FramebufferAttachment*) + 342 (Framebuffer.cpp:261)
7   com.apple.WebCore             	0x0000000454d32fbb gl::Framebuffer::ensureReadAttachmentsInitialized(gl::Context const*) + 731 (Framebuffer.cpp:2190)
8   com.apple.WebCore             	0x000000045511aa97 gl::State::syncReadAttachments(gl::Context const*, gl::Command) + 631 (State.cpp:3153)
9   com.apple.WebCore             	0x0000000454bd5ce2 gl::State::syncDirtyObjects(gl::Context const*, angle::BitSetT<12ul, unsigned int, unsigned long> const&, gl::Command) + 290 (State.h:1097)
10  com.apple.WebCore             	0x0000000454bd5a47 gl::Context::syncDirtyObjects(angle::BitSetT<12ul, unsigned int, unsigned long> const&, gl::Command) + 55 (Context.inl.h:106)
11  com.apple.WebCore             	0x0000000454a769ef gl::Context::syncState(angle::IterableBitSet<63ul> const&, angle::BitSetT<12ul, unsigned int, unsigned long> const&, gl::Command) + 47 (Context.cpp:3768)
12  com.apple.WebCore             	0x0000000454a78084 gl::Context::syncStateForReadPixels() + 52 (Context.cpp:4941)
13  com.apple.WebCore             	0x0000000454a77dfd gl::Context::readPixels(int, int, int, int, unsigned int, unsigned int, void*) + 93 (Context.cpp:4022)
14  com.apple.WebCore             	0x0000000454a781e1 gl::Context::readnPixelsRobust(int, int, int, int, unsigned int, unsigned int, int, int*, int*, int*, void*) + 129 (Context.cpp:4060)
15  com.apple.WebCore             	0x0000000454be8562 gl::ReadnPixelsRobustANGLE(int, int, int, int, unsigned int, unsigned int, int, int*, int*, int*, void*) + 306 (entry_points_gles_ext_autogen.cpp:2748)
16  com.apple.WebCore             	0x000000044fc75e83 WebCore::GraphicsContextGLOpenGL::readnPixelsImpl(int, int, int, int, unsigned int, unsigned int, int, int*, int*, int*, void*, bool) + 387 (GraphicsContextGLANGLE.cpp:396)
17  com.apple.WebCore             	0x000000044fc75cf5 WebCore::GraphicsContextGLOpenGL::readnPixels(int, int, int, int, unsigned int, unsigned int, GCGLSpan<void, 18446744073709551615ul>) + 149 (GraphicsContextGLANGLE.cpp:372)
18  com.apple.WebCore             	0x0000000452f8cd4b WebCore::WebGLRenderingContextBase::readPixels(int, int, int, int, unsigned int, unsigned int, JSC::ArrayBufferView&) + 523 (WebGLRenderingContextBase.cpp:4410)
19  com.apple.WebCore             	0x00000004512385c7 WebCore::jsWebGLRenderingContextPrototypeFunction_readPixelsBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSWebGLRenderingContext*) + 2343 (JSWebGLRenderingContext.cpp:7246)
20  com.apple.WebCore             	0x0000000451237c6c long long WebCore::IDLOperation<WebCore::JSWebGLRenderingContext>::call<&(WebCore::jsWebGLRenderingContextPrototypeFunction_readPixelsBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSWebGLRenderingContext*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) + 796 (JSDOMOperation.h:53)
21  com.apple.WebCore             	0x0000000451201564 WebCore::jsWebGLRenderingContextPrototypeFunction_readPixels(JSC::JSGlobalObject*, JSC::CallFrame*) + 36 (JSWebGLRenderingContext.cpp:7252)
22  ???                           	0x0000208f5c8011d8 0 + 35800104309208
23  ???                           	0x0000208f9c7ff264 0 + 35801178042980
24  com.apple.JavaScriptCore      	0x000000047002fa42 llint_entry + 136320
25  com.apple.JavaScriptCore      	0x000000047002fa42 llint_entry + 136320
26  com.apple.JavaScriptCore      	0x000000047002fa42 llint_entry + 136320
27  com.apple.JavaScriptCore      	0x000000047000e2d0 vmEntryToJavaScript + 289
28  com.apple.JavaScriptCore      	0x0000000470e7a7ab JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 235 (JITCodeInlines.h:42)
29  com.apple.JavaScriptCore      	0x0000000470e79d02 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*) + 6626 (Interpreter.cpp:837)
30  com.apple.JavaScriptCore      	0x000000047123fec7 JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) + 567 (Completion.cpp:137)
31  com.apple.JavaScriptCore      	0x000000047124001a JSC::profiledEvaluate(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) + 74 (Completion.cpp:152)
32  com.apple.WebCore             	0x000000045233d00c WebCore::JSExecState::profiledEvaluate(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) + 76 (JSExecState.h:79)
33  com.apple.WebCore             	0x000000045233cbee WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&) + 398 (ScriptController.cpp:148)
34  com.apple.WebCore             	0x000000045233ca19 WebCore::ScriptController::evaluateInWorldIgnoringException(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&) + 41 (ScriptController.cpp:121)
35  com.apple.WebCore             	0x000000045233d315 WebCore::ScriptController::evaluateIgnoringException(WebCore::ScriptSourceCode const&) + 53 (ScriptController.cpp:167)
36  com.apple.WebCore             	0x0000000452a61246 WebCore::ScriptElement::executeClassicScript(WebCore::ScriptSourceCode const&) + 1478 (ScriptElement.cpp:400)
37  com.apple.WebCore             	0x0000000452a5f33b WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport) + 2699 (ScriptElement.cpp:270)
38  com.apple.WebCore             	0x0000000452fea286 WebCore::HTMLScriptRunner::runScript(WebCore::ScriptElement&, WTF::TextPosition const&) + 390 (HTMLScriptRunner.cpp:250)
39  com.apple.WebCore             	0x0000000452fea087 WebCore::HTMLScriptRunner::execute(WTF::Ref<WebCore::ScriptElement, WTF::RawPtrTraits<WebCore::ScriptElement> >&&, WTF::TextPosition const&) + 71 (HTMLScriptRunner.cpp:140)
40  com.apple.WebCore             	0x0000000452fc8791 WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() + 897 (HTMLDocumentParser.cpp:244)
41  com.apple.WebCore             	0x0000000452fc8c1c WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) + 140 (HTMLDocumentParser.cpp:263)
42  com.apple.WebCore             	0x0000000452fc7f8f WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) + 495 (HTMLDocumentParser.cpp:322)
43  com.apple.WebCore             	0x0000000452fc78dd WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode) + 205 (HTMLDocumentParser.cpp:196)
44  com.apple.WebCore             	0x0000000452fca0d5 WebCore::HTMLDocumentParser::resumeParsingAfterScriptExecution() + 277 (HTMLDocumentParser.cpp:542)
45  com.apple.WebCore             	0x0000000452fca4c0 WebCore::HTMLDocumentParser::notifyFinished(WebCore::PendingScript&) + 400 (HTMLDocumentParser.cpp:586)
46  com.apple.WebCore             	0x0000000452a34e13 WebCore::PendingScript::notifyClientFinished() + 67 (PendingScript.cpp:69)
47  com.apple.WebCore             	0x0000000452a34e79 WebCore::PendingScript::notifyFinished(WebCore::LoadableScript&) + 25 (PendingScript.cpp:74)
48  com.apple.WebCore             	0x00000004529d8171 WebCore::LoadableScript::notifyClientFinished() + 321 (LoadableScript.cpp:60)
49  com.apple.WebCore             	0x00000004529c9391 WebCore::LoadableClassicScript::notifyFinished(WebCore::CachedResource&, WebCore::NetworkLoadMetrics const&) + 1409 (LoadableClassicScript.cpp:117)
50  com.apple.WebCore             	0x0000000453571d0a WebCore::CachedResource::checkNotify(WebCore::NetworkLoadMetrics const&) + 138 (CachedResource.cpp:375)
51  com.apple.WebCore             	0x000000045356d7fc WebCore::CachedResource::finishLoading(WebCore::SharedBuffer*, WebCore::NetworkLoadMetrics const&) + 60 (CachedResource.cpp:391)
52  com.apple.WebCore             	0x00000004535a98e7 WebCore::CachedScript::finishLoading(WebCore::SharedBuffer*, WebCore::NetworkLoadMetrics const&) + 135 (CachedScript.cpp:103)
53  com.apple.WebCore             	0x00000004534f49b4 WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) + 1684 (SubresourceLoader.cpp:733)
54  com.apple.WebKit              	0x0000000441b72862 WebKit::WebResourceLoader::didReceiveResource(WebKit::ShareableResource::Handle const&) + 1394 (WebResourceLoader.cpp:321)
55  com.apple.WebKit              	0x00000004421486b0 void IPC::callMemberFunctionImpl<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebKit::ShareableResource::Handle const&), std::__1::tuple<WebKit::ShareableResource::Handle>, 0ul>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebKit::ShareableResource::Handle const&), std::__1::tuple<WebKit::ShareableResource::Handle>&&, std::__1::integer_sequence<unsigned long, 0ul>) + 160 (HandleMessage.h:42)
56  com.apple.WebKit              	0x0000000442148220 void IPC::callMemberFunction<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebKit::ShareableResource::Handle const&), std::__1::tuple<WebKit::ShareableResource::Handle>, std::__1::integer_sequence<unsigned long, 0ul> >(std::__1::tuple<WebKit::ShareableResource::Handle>&&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebKit::ShareableResource::Handle const&)) + 112 (HandleMessage.h:48)
57  com.apple.WebKit              	0x0000000442145f1d void IPC::handleMessage<Messages::WebResourceLoader::DidReceiveResource, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebKit::ShareableResource::Handle const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebKit::ShareableResource::Handle const&)) + 157 (HandleMessage.h:120)
58  com.apple.WebKit              	0x0000000442145678 WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) + 1112 (WebResourceLoaderMessageReceiver.cpp:89)
59  com.apple.WebKit              	0x0000000441b64550 WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) + 144 (NetworkProcessConnection.cpp:93)
60  com.apple.WebKit              	0x0000000440084a1a IPC::Connection::dispatchMessage(IPC::Decoder&) + 634 (Connection.cpp:1038)
61  com.apple.WebKit              	0x0000000440085b40 IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) + 528 (Connection.cpp:1138)
62  com.apple.WebKit              	0x00000004400861a0 IPC::Connection::dispatchOneIncomingMessage() + 208 (Connection.cpp:1207)
63  com.apple.WebKit              	0x00000004400a6228 IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_8::operator()() + 88 (Connection.cpp:1001)
64  com.apple.WebKit              	0x00000004400a613e WTF::Detail::CallableWrapper<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_8, void>::call() + 30 (Function.h:52)
65  com.apple.JavaScriptCore      	0x000000046fa7d742 WTF::Function<void ()>::operator()() const + 130 (Function.h:83)
66  com.apple.JavaScriptCore      	0x000000046faf4015 WTF::RunLoop::performWork() + 341 (RunLoop.cpp:128)
67  com.apple.JavaScriptCore      	0x000000046faf7961 WTF::RunLoop::performWork(void*) + 33 (RunLoopCF.cpp:46)
68  com.apple.CoreFoundation      	0x00007fff206c726c __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
69  com.apple.CoreFoundation      	0x00007fff206c71d4 __CFRunLoopDoSource0 + 180
70  com.apple.CoreFoundation      	0x00007fff206c6f54 __CFRunLoopDoSources0 + 242
71  com.apple.CoreFoundation      	0x00007fff206c597c __CFRunLoopRun + 893
72  com.apple.CoreFoundation      	0x00007fff206c4f2c CFRunLoopRunSpecific + 563
73  com.apple.Foundation          	0x00007fff2144c027 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 212
74  com.apple.Foundation          	0x00007fff214d9ef1 -[NSRunLoop(NSRunLoop) run] + 76
75  libxpc.dylib                  	0x00007fff2031d35d _xpc_objc_main + 825
76  libxpc.dylib                  	0x00007fff2031cca3 xpc_main + 116
77  com.apple.WebKit              	0x0000000440ce74bc WebKit::XPCServiceMain(int, char const**) + 1020 (XPCServiceMain.mm:208)
78  com.apple.WebKit              	0x00000004421d454b WKXPCServiceMain + 27 (WKMain.mm:33)
79  com.apple.WebKit.WebContent   	0x00000001041daea2 main + 34 (AuxiliaryProcessMain.cpp:30)
80  libdyld.dylib                 	0x00007fff205e9e7d start + 1

Thread 1:: JavaScriptCore bmalloc scavenger
0   libsystem_kernel.dylib        	0x00007fff2059bd2e __psynch_cvwait + 10
1   libsystem_pthread.dylib       	0x00007fff205ceea1 _pthread_cond_wait + 1298
2   libc++.1.dylib                	0x00007fff20537e03 std::__1::condition_variable::__do_timed_wait(std::__1::unique_lock<std::__1::mutex>&, std::__1::chrono::time_point<std::__1::chrono::system_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > >) + 93
3   com.apple.JavaScriptCore      	0x000000046fbb19f6 std::__1::cv_status std::__1::condition_variable::wait_for<long long, std::__1::ratio<1l, 1000000000l> >(std::__1::unique_lock<std::__1::mutex>&, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > const&) + 358 (__mutex_base:468)
4   com.apple.JavaScriptCore      	0x000000046fbb171f void std::__1::condition_variable::__do_timed_wait<std::__1::chrono::steady_clock>(std::__1::unique_lock<std::__1::mutex>&, std::__1::chrono::time_point<std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > >) + 79 (__mutex_base:523)
5   com.apple.JavaScriptCore      	0x000000046fbb14eb std::__1::cv_status std::__1::condition_variable::wait_until<std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > >(std::__1::unique_lock<std::__1::mutex>&, std::__1::chrono::time_point<std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > > const&) + 139 (__mutex_base:426)
6   com.apple.JavaScriptCore      	0x000000046fbb142b std::__1::cv_status std::__1::condition_variable_any::wait_until<std::__1::unique_lock<bmalloc::Mutex>, std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > >(std::__1::unique_lock<bmalloc::Mutex>&, std::__1::chrono::time_point<std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > > const&) + 123 (condition_variable:225)
7   com.apple.JavaScriptCore      	0x000000046fbb12e9 bool std::__1::condition_variable_any::wait_until<std::__1::unique_lock<bmalloc::Mutex>, std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> >, bmalloc::Scavenger::threadRunLoop()::$_5>(std::__1::unique_lock<bmalloc::Mutex>&, std::__1::chrono::time_point<std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > > const&, bmalloc::Scavenger::threadRunLoop()::$_5) + 73 (condition_variable:236)
8   com.apple.JavaScriptCore      	0x000000046fbae2a7 bool std::__1::condition_variable_any::wait_for<std::__1::unique_lock<bmalloc::Mutex>, long long, std::__1::ratio<1l, 1000l>, bmalloc::Scavenger::threadRunLoop()::$_5>(std::__1::unique_lock<bmalloc::Mutex>&, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000l> > const&, bmalloc::Scavenger::threadRunLoop()::$_5) + 103 (condition_variable:257)
9   com.apple.JavaScriptCore      	0x000000046fbae0e1 bmalloc::Scavenger::threadRunLoop() + 225 (Scavenger.cpp:421)
10  com.apple.JavaScriptCore      	0x000000046fbad2c5 bmalloc::Scavenger::threadEntryPoint(bmalloc::Scavenger*) + 21 (Scavenger.cpp:395)
11  com.apple.JavaScriptCore      	0x000000046fbb0bb2 decltype(std::__1::forward<void (*)(bmalloc::Scavenger*)>(fp)(std::__1::forward<bmalloc::Scavenger*>(fp0))) std::__1::__invoke<void (*)(bmalloc::Scavenger*), bmalloc::Scavenger*>(void (*&&)(bmalloc::Scavenger*), bmalloc::Scavenger*&&) + 50 (type_traits:3747)
12  com.apple.JavaScriptCore      	0x000000046fbb0afe void std::__1::__thread_execute<std::__1::unique_ptr<std::__1::__thread_struct, std::__1::default_delete<std::__1::__thread_struct> >, void (*)(bmalloc::Scavenger*), bmalloc::Scavenger*, 2ul>(std::__1::tuple<std::__1::unique_ptr<std::__1::__thread_struct, std::__1::default_delete<std::__1::__thread_struct> >, void (*)(bmalloc::Scavenger*), bmalloc::Scavenger*>&, std::__1::__tuple_indices<2ul>) + 62 (thread:280)
13  com.apple.JavaScriptCore      	0x000000046fbb030b void* std::__1::__thread_proxy<std::__1::tuple<std::__1::unique_ptr<std::__1::__thread_struct, std::__1::default_delete<std::__1::__thread_struct> >, void (*)(bmalloc::Scavenger*), bmalloc::Scavenger*> >(void*) + 91 (thread:291)
14  libsystem_pthread.dylib       	0x00007fff205ce954 _pthread_start + 224
15  libsystem_pthread.dylib       	0x00007fff205ca4a7 thread_start + 15

Thread 2:
0   libsystem_pthread.dylib       	0x00007fff205ca484 start_wqthread + 0

Thread 3:
0   libsystem_pthread.dylib       	0x00007fff205ca484 start_wqthread + 0

Thread 4:
0   libsystem_pthread.dylib       	0x00007fff205ca484 start_wqthread + 0

Thread 5:
0   libsystem_pthread.dylib       	0x00007fff205ca484 start_wqthread + 0

Thread 6:: JIT Worklist Helper Thread
0   libsystem_kernel.dylib        	0x00007fff2059bd2e __psynch_cvwait + 10
1   libsystem_pthread.dylib       	0x00007fff205ceea1 _pthread_cond_wait + 1298
2   com.apple.JavaScriptCore      	0x000000046fb3d8cc WTF::ThreadCondition::timedWait(WTF::Mutex&, WTF::WallTime) + 252 (ThreadingPOSIX.cpp:599)
3   com.apple.JavaScriptCore      	0x000000046fae0fcb WTF::ParkingLot::parkConditionallyImpl(void const*, WTF::ScopedLambda<bool ()> const&, WTF::ScopedLambda<void ()> const&, WTF::TimeWithDynamicClockType const&) + 427 (ParkingLot.cpp:595)
4   com.apple.JavaScriptCore      	0x000000046fa69690 WTF::ParkingLot::ParkResult WTF::ParkingLot::parkConditionally<bool WTF::Condition::waitUntil<WTF::Lock>(WTF::Lock&, WTF::TimeWithDynamicClockType const&)::'lambda'(), bool WTF::Condition::waitUntil<WTF::Lock>(WTF::Lock&, WTF::TimeWithDynamicClockType const&)::'lambda0'()>(void const*, WTF::Lock const&, bool WTF::Condition::waitUntil<WTF::Lock>(WTF::Lock&, WTF::TimeWithDynamicClockType const&)::'lambda0'() const&, WTF::TimeWithDynamicClockType const&) + 96 (ParkingLot.h:82)
5   com.apple.JavaScriptCore      	0x000000046fa6959c bool WTF::Condition::waitUntil<WTF::Lock>(WTF::Lock&, WTF::TimeWithDynamicClockType const&) + 140 (Condition.h:76)
6   com.apple.JavaScriptCore      	0x000000046fa67c09 bool WTF::Condition::waitFor<WTF::Lock>(WTF::Lock&, WTF::Seconds) + 105 (Condition.h:116)
7   com.apple.JavaScriptCore      	0x000000046fa6b209 WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const + 521 (AutomaticThread.cpp:214)
8   com.apple.JavaScriptCore      	0x000000046fa6ae7e WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call() + 30 (Function.h:52)
9   com.apple.JavaScriptCore      	0x000000046fa7d742 WTF::Function<void ()>::operator()() const + 130 (Function.h:83)
10  com.apple.JavaScriptCore      	0x000000046fb30898 WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) + 424 (Threading.cpp:181)
11  com.apple.JavaScriptCore      	0x000000046fb3cbd8 WTF::wtfThreadEntryPoint(void*) + 24 (ThreadingPOSIX.cpp:235)
12  libsystem_pthread.dylib       	0x00007fff205ce954 _pthread_start + 224
13  libsystem_pthread.dylib       	0x00007fff205ca4a7 thread_start + 15

Thread 7:: DFG Worklist Worker Thread
0   com.apple.JavaScriptCore      	0x000000046fcb2924 JSC::DFG::AbstractHeap::operator!() const + 4 (DFGAbstractHeap.h:221)
1   com.apple.JavaScriptCore      	0x000000046fcb2822 JSC::DFG::HeapLocation::HeapLocation(JSC::DFG::LocationKind, JSC::DFG::AbstractHeap, JSC::DFG::Node*, JSC::DFG::LazyNode, JSC::DFG::Node*) + 226 (DFGHeapLocation.h:97)
2   com.apple.JavaScriptCore      	0x000000046fcaf3ac JSC::DFG::HeapLocation::HeapLocation(JSC::DFG::LocationKind, JSC::DFG::AbstractHeap, JSC::DFG::Node*, JSC::DFG::LazyNode, JSC::DFG::Node*) + 92 (DFGHeapLocation.h:95)
3   com.apple.JavaScriptCore      	0x0000000470875543 void JSC::DFG::clobberize<JSC::DFG::ReadMethodClobberize<JSC::DFG::(anonymous namespace)::LocalCSEPhase::BlockCSE<JSC::DFG::(anonymous namespace)::LocalCSEPhase::SmallMaps> >, JSC::DFG::WriteMethodClobberize<JSC::DFG::(anonymous namespace)::LocalCSEPhase::BlockCSE<JSC::DFG::(anonymous namespace)::LocalCSEPhase::SmallMaps> >, JSC::DFG::DefMethodClobberize<JSC::DFG::(anonymous namespace)::LocalCSEPhase::BlockCSE<JSC::DFG::(anonymous namespace)::LocalCSEPhase::SmallMaps> >, void JSC::DFG::clobberize<JSC::DFG::ReadMethodClobberize<JSC::DFG::(anonymous namespace)::LocalCSEPhase::BlockCSE<JSC::DFG::(anonymous namespace)::LocalCSEPhase::SmallMaps> >, JSC::DFG::WriteMethodClobberize<JSC::DFG::(anonymous namespace)::LocalCSEPhase::BlockCSE<JSC::DFG::(anonymous namespace)::LocalCSEPhase::SmallMaps> >, JSC::DFG::DefMethodClobberize<JSC::DFG::(anonymous namespace)::LocalCSEPhase::BlockCSE<JSC::DFG::(anonymous namespace)::LocalCSEPhase::SmallMaps> > >(JSC::DFG::Graph&, JSC::DFG::Node*, JSC::DFG::ReadMethodClobberize<JSC::DFG::(anonymous namespace)::LocalCSEPhase::BlockCSE<JSC::DFG::(anonymous namespace)::LocalCSEPhase::SmallMaps> > const&, JSC::DFG::WriteMethodClobberize<JSC::DFG::(anonymous namespace)::LocalCSEPhase::BlockCSE<JSC::DFG::(anonymous namespace)::LocalCSEPhase::SmallMaps> > const&, JSC::DFG::DefMethodClobberize<JSC::DFG::(anonymous namespace)::LocalCSEPhase::BlockCSE<JSC::DFG::(anonymous namespace)::LocalCSEPhase::SmallMaps> > const&)::'lambda'()>(JSC::DFG::Graph&, JSC::DFG::Node*, JSC::DFG::ReadMethodClobberize<JSC::DFG::(anonymous namespace)::LocalCSEPhase::BlockCSE<JSC::DFG::(anonymous namespace)::LocalCSEPhase::SmallMaps> > const&, JSC::DFG::WriteMethodClobberize<JSC::DFG::(anonymous namespace)::LocalCSEPhase::BlockCSE<JSC::DFG::(anonymous namespace)::LocalCSEPhase::SmallMaps> > const&, JSC::DFG::DefMethodClobberize<JSC::DFG::(anonymous namespace)::LocalCSEPhase::BlockCSE<JSC::DFG::(anonymous namespace)::LocalCSEPhase::SmallMaps> > const&, void JSC::DFG::clobberize<JSC::DFG::ReadMethodClobberize<JSC::DFG::(anonymous namespace)::LocalCSEPhase::BlockCSE<JSC::DFG::(anonymous namespace)::LocalCSEPhase::SmallMaps> >, JSC::DFG::WriteMethodClobberize<JSC::DFG::(anonymous namespace)::LocalCSEPhase::BlockCSE<JSC::DFG::(anonymous namespace)::LocalCSEPhase::SmallMaps> >, JSC::DFG::DefMethodClobberize<JSC::DFG::(anonymous namespace)::LocalCSEPhase::BlockCSE<JSC::DFG::(anonymous namespace)::LocalCSEPhase::SmallMaps> > >(JSC::DFG::Graph&, JSC::DFG::Node*, JSC::DFG::ReadMethodClobberize<JSC::DFG::(anonymous namespace)::LocalCSEPhase::BlockCSE<JSC::DFG::(anonymous namespace)::LocalCSEPhase::SmallMaps> > const&, JSC::DFG::WriteMethodClobberize<JSC::DFG::(anonymous namespace)::LocalCSEPhase::BlockCSE<JSC::DFG::(anonymous namespace)::LocalCSEPhase::SmallMaps> > const&, JSC::DFG::DefMethodClobberize<JSC::DFG::(anonymous namespace)::LocalCSEPhase::BlockCSE<JSC::DFG::(anonymous namespace)::LocalCSEPhase::SmallMaps> > const&)::'lambda'() const&) + 15011 (DFGClobberize.h:854)
4   com.apple.JavaScriptCore      	0x0000000470871a39 void JSC::DFG::clobberize<JSC::DFG::ReadMethodClobberize<JSC::DFG::(anonymous namespace)::LocalCSEPhase::BlockCSE<JSC::DFG::(anonymous namespace)::LocalCSEPhase::SmallMaps> >, JSC::DFG::WriteMethodClobberize<JSC::DFG::(anonymous namespace)::LocalCSEPhase::BlockCSE<JSC::DFG::(anonymous namespace)::LocalCSEPhase::SmallMaps> >, JSC::DFG::DefMethodClobberize<JSC::DFG::(anonymous namespace)::LocalCSEPhase::BlockCSE<JSC::DFG::(anonymous namespace)::LocalCSEPhase::SmallMaps> > >(JSC::DFG::Graph&, JSC::DFG::Node*, JSC::DFG::ReadMethodClobberize<JSC::DFG::(anonymous namespace)::LocalCSEPhase::BlockCSE<JSC::DFG::(anonymous namespace)::LocalCSEPhase::SmallMaps> > const&, JSC::DFG::WriteMethodClobberize<JSC::DFG::(anonymous namespace)::LocalCSEPhase::BlockCSE<JSC::DFG::(anonymous namespace)::LocalCSEPhase::SmallMaps> > const&, JSC::DFG::DefMethodClobberize<JSC::DFG::(anonymous namespace)::LocalCSEPhase::BlockCSE<JSC::DFG::(anonymous namespace)::LocalCSEPhase::SmallMaps> > const&) + 57 (DFGClobberize.h:45)
5   com.apple.JavaScriptCore      	0x00000004708717a4 void JSC::DFG::clobberize<JSC::DFG::(anonymous namespace)::LocalCSEPhase::BlockCSE<JSC::DFG::(anonymous namespace)::LocalCSEPhase::SmallMaps> >(JSC::DFG::Graph&, JSC::DFG::Node*, JSC::DFG::(anonymous namespace)::LocalCSEPhase::BlockCSE<JSC::DFG::(anonymous namespace)::LocalCSEPhase::SmallMaps>&) + 84 (DFGClobberize.h:2075)
6   com.apple.JavaScriptCore      	0x0000000470870952 JSC::DFG::(anonymous namespace)::LocalCSEPhase::BlockCSE<JSC::DFG::(anonymous namespace)::LocalCSEPhase::SmallMaps>::run(JSC::DFG::BasicBlock*) + 1362 (DFGCSEPhase.cpp:587)
7   com.apple.JavaScriptCore      	0x0000000470870340 JSC::DFG::(anonymous namespace)::LocalCSEPhase::run() + 368 (DFGCSEPhase.cpp:332)
8   com.apple.JavaScriptCore      	0x000000047086f894 bool JSC::DFG::runAndLog<JSC::DFG::(anonymous namespace)::LocalCSEPhase>(JSC::DFG::(anonymous namespace)::LocalCSEPhase&) + 52 (DFGPhase.h:84)
9   com.apple.JavaScriptCore      	0x0000000470827fb1 bool JSC::DFG::runPhase<JSC::DFG::(anonymous namespace)::LocalCSEPhase>(JSC::DFG::Graph&) + 49 (DFGPhase.h:95)
10  com.apple.JavaScriptCore      	0x0000000470827f75 JSC::DFG::performLocalCSE(JSC::DFG::Graph&) + 21 (DFGCSEPhase.cpp:985)
11  com.apple.JavaScriptCore      	0x0000000470b3fb68 JSC::DFG::Plan::compileInThreadImpl() + 4648 (DFGPlan.cpp:336)
12  com.apple.JavaScriptCore      	0x0000000470b3e168 JSC::DFG::Plan::compileInThread(JSC::DFG::ThreadData*) + 344 (DFGPlan.cpp:188)
13  com.apple.JavaScriptCore      	0x0000000470bfc53e JSC::DFG::Worklist::ThreadBody::work() + 462 (DFGWorklist.cpp:115)
14  com.apple.JavaScriptCore      	0x000000046fa6b293 WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const + 659 (AutomaticThread.cpp:229)
15  com.apple.JavaScriptCore      	0x000000046fa6ae7e WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call() + 30 (Function.h:52)
16  com.apple.JavaScriptCore      	0x000000046fa7d742 WTF::Function<void ()>::operator()() const + 130 (Function.h:83)
17  com.apple.JavaScriptCore      	0x000000046fb30898 WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) + 424 (Threading.cpp:181)
18  com.apple.JavaScriptCore      	0x000000046fb3cbd8 WTF::wtfThreadEntryPoint(void*) + 24 (ThreadingPOSIX.cpp:235)
19  libsystem_pthread.dylib       	0x00007fff205ce954 _pthread_start + 224
20  libsystem_pthread.dylib       	0x00007fff205ca4a7 thread_start + 15
Comment 1 Radar WebKit Bug Importer 2021-01-22 14:58:03 PST
<rdar://problem/73517112>
Comment 2 Kenneth Russell 2021-01-22 15:42:39 PST
If I remember correctly, Kyle fixed this crash in the work-in-progress upstreaming patch of Apple's major revision to ANGLE's Metal backend:

https://chromium-review.googlesource.com/2618530

It seems a bit early to be testing the Metal backend with the WebGL conformance tests. I think we should focus on getting Apple's direct-to-Metal backend passing angle_end2end_tests, finish the upstreaming, and roll ANGLE back down into WebKit. At that point we'll be more confident that it's robust and should be able to pass WebGL conformance tests.
Comment 3 Kyle Piddington 2021-01-28 18:57:34 PST
Created attachment 418692 [details]
Patch
Comment 4 EWS Watchlist 2021-01-28 18:58:26 PST
Note that there are important steps to take when updating ANGLE. See https://trac.webkit.org/wiki/UpdatingANGLE
Comment 5 Dean Jackson 2021-01-29 12:04:16 PST
Comment on attachment 418692 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=418692&action=review

> Source/ThirdParty/ANGLE/ChangeLog:24
> +2021-01-28  Kyle Piddington  <kpiddington@apple.com>
> +
> +        Need a short description (OOPS!).
> +        Need the bug URL (OOPS!).
> +
> +        Reviewed by NOBODY (OOPS!).
> +
> +        * src/libANGLE/renderer/metal/RenderBufferMtl.mm:
> +        (rx::RenderbufferMtl::initializeContents):
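Review bot: the ChangeLog entry in this hunk is still the unfilled template (the short description, the bug URL and the "Reviewed by NOBODY" line all carry OOPS! markers) and it says nothing about why rx::RenderbufferMtl::initializeContents changes. If it duplicates a filled-in entry elsewhere in the patch, drop it; otherwise fill in the bug title and URL and add one sentence stating that initializeContents must tolerate an invalid ImageIndex for renderbuffer attachments, since that is the crash reason a later reader of the ChangeLog will want.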

Oops! Extra blank changelog entry.

> Source/ThirdParty/ANGLE/src/libANGLE/renderer/metal/RenderBufferMtl.mm:178
> +    if(imageIndex.valid())
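Review bot: the new guard on imageIndex.valid() turns the fatal path in rx::mtl::InitializeTextureContents (frame 2 of the crashed thread in the description) into a skip, and the hunk shows no else branch, so it is not visible from the diff what happens to the renderbuffer contents when the index is invalid. Contents that are never initialized are observable to script through readPixels, which is precisely what the test named in the description, renderbuffer-initialization.html, exercises; please either show the fallback that initializes the renderbuffer when the index is invalid, or note in the ChangeLog why an invalid index is safe to skip here (for example, because another path already initializes renderbuffer storage). The missing space after if is a separate style nit.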

Nit: missing space after if.
Comment 6 Kyle Piddington 2021-02-16 17:35:14 PST
Created attachment 420566 [details]
Patch
Comment 7 Dean Jackson 2021-02-19 03:54:40 PST
Committed r273137 (234334@main): <https://commits.webkit.org/234334@main>