The stroke and the fill in GraphicsContextState can be set exclusively to color, pattern or gradient. The corresponding flag in StateChangeFlags is set once the GraphicsContext function is called. The problem is we do not clear the old flags. And this is why in StateState::encode() and StateState::decode(), we were expecting the flags might be set but the pointers of the pattern and the gradient are null. This has been an area of mistakes and confusion and can lead to this crash with GPUP enabled when GraphicsContext::setFillColor is called after GraphicsContext::setFillGradient() is called: frame #1: 0x000000011d9870bb WebCore`WTFCrashWithInfo((null)=82, (null)="/Volumes/Data/Development/system/webkit/OpenSource/WebKitBuild/Debug/usr/local/include/wtf/RefPtr.h", (null)="T &WTF::RefPtr<WebCore::Gradient, WTF::RawPtrTraits<WebCore::Gradient>, WTF::DefaultRefDerefTraits<WebCore::Gradient> >::operator*() const [T = WebCore::Gradient, _PtrTraits = WTF::RawPtrTraits<WebCore::Gradient>, _RefDerefTraits = WTF::DefaultRefDerefTraits<WebCore::Gradient>]", (null)=23) at Assertions.h:671:5 frame #2: 0x000000012184a3f8 WebCore`WTF::RefPtr<WebCore::Gradient, WTF::RawPtrTraits<WebCore::Gradient>, WTF::DefaultRefDerefTraits<WebCore::Gradient> >::operator*(this=0x0000700005297cc0) const at RefPtr.h:82:28 frame #3: 0x0000000121849d0e WebCore`WebCore::GraphicsContextStateChange::apply(this=0x0000700005297cb0, context=0x000000010b0cf1b0) const at GraphicsContext.cpp:220:33 frame #4: 0x00000001219f38cd WebCore`WebCore::DisplayList::SetState::apply(this=0x0000700005297cb0, context=0x000000010b0cf1b0) const at DisplayListItems.cpp:223:13 frame #5: 0x00000001219f3088 WebCore`WebCore::DisplayList::ItemHandle::apply(this=0x0000700005297918, context=0x000000010b0cf1b0) at DisplayListItemBuffer.cpp:92:25 frame #6: 0x0000000121a0426d WebCore`WebCore::DisplayList::Replayer::applyItem(this=0x0000700005297e70, item=(data = "\v")) at DisplayListReplayer.cpp:120:10 frame #7: 0x00000001219f21da WebCore`WebCore::DisplayList::Replayer::replay(this=0x0000700005297e70, initialClip={ x = 0.0, y = 0.0, width = 0.0, height = 0.0 }, trackReplayList=false) at DisplayListReplayer.cpp:158:73 The crash happens in this following statement in GraphicsContextStateChange::apply() if (m_changeFlags.contains(GraphicsContextState::FillGradientChange)) context.setFillGradient(*m_state.fillGradient, m_state.fillGradientSpaceTransform);
Created attachment 421448 [details] Patch
Created attachment 421449 [details] Patch
<rdar://problem/73610005>
Comment on attachment 421449 [details] Patch Does this fix any test crashes? Should we add a new test?
Created attachment 421530 [details] Patch
A new test was added. Without this patch, it crashes if GPUProcess for canvas rendering is enabled.
Committed r273493: <https://commits.webkit.org/r273493> All reviewed patches have been landed. Closing bug and clearing flags on attachment 421530 [details].
<rdar://problem/72783926>