RESOLVED FIXED 222379
[GPU Process] Stroke and fill StateChangeFlags should be set exclusively 
https://bugs.webkit.org/show_bug.cgi?id=222379
Summary [GPU Process] Stroke and fill StateChangeFlags should be set exclusively
Said Abou-Hallawa
Reported 2021-02-24 13:05:44 PST
The stroke and the fill in GraphicsContextState can be set exclusively to color, pattern or gradient. The corresponding flag in StateChangeFlags is set once the GraphicsContext function is called. The problem is we do not clear the old flags. And this is why in StateState::encode() and StateState::decode(), we were expecting the flags might be set but the pointers of the pattern and the gradient are null. This has been an area of mistakes and confusion and can lead to this crash with GPUP enabled when GraphicsContext::setFillColor is called after GraphicsContext::setFillGradient() is called: frame #1: 0x000000011d9870bb WebCore`WTFCrashWithInfo((null)=82, (null)="/Volumes/Data/Development/system/webkit/OpenSource/WebKitBuild/Debug/usr/local/include/wtf/RefPtr.h", (null)="T &WTF::RefPtr<WebCore::Gradient, WTF::RawPtrTraits<WebCore::Gradient>, WTF::DefaultRefDerefTraits<WebCore::Gradient> >::operator*() const [T = WebCore::Gradient, _PtrTraits = WTF::RawPtrTraits<WebCore::Gradient>, _RefDerefTraits = WTF::DefaultRefDerefTraits<WebCore::Gradient>]", (null)=23) at Assertions.h:671:5 frame #2: 0x000000012184a3f8 WebCore`WTF::RefPtr<WebCore::Gradient, WTF::RawPtrTraits<WebCore::Gradient>, WTF::DefaultRefDerefTraits<WebCore::Gradient> >::operator*(this=0x0000700005297cc0) const at RefPtr.h:82:28 frame #3: 0x0000000121849d0e WebCore`WebCore::GraphicsContextStateChange::apply(this=0x0000700005297cb0, context=0x000000010b0cf1b0) const at GraphicsContext.cpp:220:33 frame #4: 0x00000001219f38cd WebCore`WebCore::DisplayList::SetState::apply(this=0x0000700005297cb0, context=0x000000010b0cf1b0) const at DisplayListItems.cpp:223:13 frame #5: 0x00000001219f3088 WebCore`WebCore::DisplayList::ItemHandle::apply(this=0x0000700005297918, context=0x000000010b0cf1b0) at DisplayListItemBuffer.cpp:92:25 frame #6: 0x0000000121a0426d WebCore`WebCore::DisplayList::Replayer::applyItem(this=0x0000700005297e70, item=(data = "\v")) at DisplayListReplayer.cpp:120:10 frame #7: 0x00000001219f21da WebCore`WebCore::DisplayList::Replayer::replay(this=0x0000700005297e70, initialClip={ x = 0.0, y = 0.0, width = 0.0, height = 0.0 }, trackReplayList=false) at DisplayListReplayer.cpp:158:73 The crash happens in this following statement in GraphicsContextStateChange::apply() if (m_changeFlags.contains(GraphicsContextState::FillGradientChange)) context.setFillGradient(*m_state.fillGradient, m_state.fillGradientSpaceTransform);
Attachments
Patch (8.62 KB, patch)
2021-02-24 13:10 PST, Said Abou-Hallawa 		no flags
DetailsFormatted DiffDiff
Patch (8.65 KB, patch)
2021-02-24 13:10 PST, Said Abou-Hallawa 		no flags
DetailsFormatted DiffDiff
Patch (11.10 KB, patch)
2021-02-25 09:09 PST, Said Abou-Hallawa 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Said Abou-Hallawa
Comment 1 2021-02-24 13:10:01 PST
Created attachment 421448 [details] Patch
Said Abou-Hallawa
Comment 2 2021-02-24 13:10:47 PST
Created attachment 421449 [details] Patch
Said Abou-Hallawa
Comment 3 2021-02-24 13:11:20 PST
<rdar://problem/73610005>
Simon Fraser (smfr)
Comment 4 2021-02-24 13:40:31 PST
Comment on attachment 421449 [details] Patch Does this fix any test crashes? Should we add a new test?
Said Abou-Hallawa
Comment 5 2021-02-25 09:09:50 PST
Created attachment 421530 [details] Patch
Said Abou-Hallawa
Comment 6 2021-02-25 09:11:59 PST
A new test was added. Without this patch, it crashes if GPUProcess for canvas rendering is enabled.
EWS
Comment 7 2021-02-25 10:24:26 PST
Committed r273493: <https://commits.webkit.org/r273493> All reviewed patches have been landed. Closing bug and clearing flags on attachment 421530 [details].
Said Abou-Hallawa
Comment 8 2021-03-01 21:36:55 PST
<rdar://problem/72783926>
Note You need to log in before you can comment on or make changes to this bug.