WebKit Bugzilla
RESOLVED FIXED
Bug 223739
ANGLE Metal crash ASAN webgl/1.0.3/conformance/misc/object-deletion-behaviour.html
https://bugs.webkit.org/show_bug.cgi?id=223739
Kimmo Kinnunen
Reported
2021-03-25 03:14:05 PDT
ANGLE Metal crash ASAN webgl/1.0.3/conformance/misc/object-deletion-behaviour.html

make debug ASAN=YES && Tools/Scripts/run-webkit-tests --debug --order=random webgl --timeout=300000

==93334==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110000d6720 at pc 0x0006b65e17b0 bp 0x7ffee6976060 sp 0x7ffee6976058
READ of size 8 at 0x6110000d6720 thread T0
==93334==WARNING: failed to spawn external symbolizer (errno: 25)
==93334==WARNING: failed to spawn external symbolizer (errno: 25)
==93334==WARNING: failed to spawn external symbolizer (errno: 25)
==93334==WARNING: failed to spawn external symbolizer (errno: 25)
==93334==WARNING: failed to spawn external symbolizer (errno: 25)
==93334==WARNING: Failed to use and restart external symbolizer!
    #0 0x6b65e17af in rx::RenderTargetMtl::getFormat() const+0x3f (/Users/kkinnunen/Build/Debug/libANGLE-shared.dylib:x86_64+0xa2f7af)
    #1 0x6b65d94d3 in rx::(anonymous namespace)::GetReadAttachmentInfo(gl::Context const*, rx::RenderTargetMtl*)+0x23 (/Users/kkinnunen/Build/Debug/libANGLE-shared.dylib:x86_64+0xa274d3)
    #2 0x6b65d94a0 in rx::FramebufferMtl::getImplementationColorReadFormat(gl::Context const*) const+0x30 (/Users/kkinnunen/Build/Debug/libANGLE-shared.dylib:x86_64+0xa274a0)
    #3 0x6b65a5fbf in gl::Framebuffer::getImplementationColorReadFormat(gl::Context const*)+0xcf (/Users/kkinnunen/Build/Debug/libANGLE-shared.dylib:x86_64+0x9f3fbf)
    #4 0x6b73f0272 in gl::ValidateReadPixelsBase(gl::Context const*, int, int, int, int, unsigned int, unsigned int, int, int*, int*, int*, void const*)+0x8f2 (/Users/kkinnunen/Build/Debug/libANGLE-shared.dylib:x86_64+0x183e272)
    #5 0x6b73f0e2e in gl::ValidateReadnPixelsRobustANGLE(gl::Context const*, int, int, int, int, unsigned int, unsigned int, int, int const*, int const*, int const*, void const*)+0x30e (/Users/kkinnunen/Build/Debug/libANGLE-shared.dylib:x86_64+0x183ee2e)
    #6 0x6b628b28a in gl::ReadnPixelsRobustANGLE(int, int, int, int, unsigned int, unsigned int, int, int*, int*, int*, void*)+0x19a (/Users/kkinnunen/Build/Debug/libANGLE-shared.dylib:x86_64+0x6d928a)
    #7 0x670381211 in WebCore::GraphicsContextGLOpenGL::readnPixelsImpl(int, int, int, int, unsigned int, unsigned int, int, int*, int*, int*, void*, bool)+0x511 (/Users/kkinnunen/Build/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x57b211)
    #8 0x670380c7f in WebCore::GraphicsContextGLOpenGL::readnPixels(int, int, int, int, unsigned int, unsigned int, GCGLSpan<void, 18446744073709551615ul>)+0x2cf (/Users/kkinnunen/Build/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x57ac7f)
    #9 0x678d5f38d in WebCore::WebGLRenderingContextBase::readPixels(int, int, int, int, unsigned int, unsigned int, JSC::ArrayBufferView&)+0x5dd (/Users/kkinnunen/Build/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x8f5938d)
    #10 0x67412d296 in WebCore::jsWebGLRenderingContextPrototypeFunction_readPixelsBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSWebGLRenderingContext*)::'lambda'()::operator()() const+0x5c6 (/Users/kkinnunen/Build/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x4327296)
    #11 0x67412c483 in JSC::JSValue WebCore::toJS<WebCore::IDLUndefined, WebCore::jsWebGLRenderingContextPrototypeFunction_readPixelsBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSWebGLRenderingContext*)::'lambda'()>(JSC::JSGlobalObject&, JSC::ThrowScope&, WebCore::jsWebGLRenderingContextPrototypeFunction_readPixelsBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSWebGLRenderingContext*)::'lambda'()&&)+0xe3 (/Users/kkinnunen/Build/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x4326483)
    #12 0x67412be2c in WebCore::jsWebGLRenderingContextPrototypeFunction_readPixelsBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSWebGLRenderingContext*)+0x1e1c (/Users/kkinnunen/Build/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x4325e2c)
    #13 0x674129f36 in long long WebCore::IDLOperation<WebCore::JSWebGLRenderingContext>::call<&(WebCore::jsWebGLRenderingContextPrototypeFunction_readPixelsBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSWebGLRenderingContext*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*)+0x4c6 (/Users/kkinnunen/Build/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x4323f36)
    #14 0x67408a113 in WebCore::jsWebGLRenderingContextPrototypeFunction_readPixels(JSC::JSGlobalObject*, JSC::CallFrame*)+0x23 (/Users/kkinnunen/Build/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x4284113)
    #15 0x26e8b1e011d7 (<unknown module>)
    #16 0x26e8b1e0a54e (<unknown module>)
    #17 0x6a6aead6e in llint_entry+0x21c9a (/Users/kkinnunen/Build/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12e4d6e)
    #18 0x6a6aead6e in llint_entry+0x21c9a (/Users/kkinnunen/Build/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12e4d6e)
    #19 0x6a6ac8de1 in vmEntryToJavaScript+0x120 (/Users/kkinnunen/Build/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12c2de1)
    #20 0x6a948584d in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)+0x4fd (/Users/kkinnunen/Build/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3c7f84d)
    #21 0x6a9478c77 in JSC::Interpreter::execute(JSC::EvalExecutable*, JSC::JSGlobalObject*, JSC::JSValue, JSC::JSScope*)+0x4037 (/Users/kkinnunen/Build/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3c72c77)
    #22 0x6a9474311 in JSC::eval(JSC::JSGlobalObject*, JSC::CallFrame*, JSC::ECMAMode)+0x1691 (/Users/kkinnunen/Build/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3c6e311)
    #23 0x6a96a5b9f in JSC::operationCallEval(JSC::JSGlobalObject*, JSC::CallFrame*, JSC::ECMAMode)+0x57f (/Users/kkinnunen/Build/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3e9fb9f)
    #24 0x26e8b1e06254 (<unknown module>)
    #25 0x6a6aeae16 in llint_entry+0x21d42 (/Users/kkinnunen/Build/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12e4e16)
    #26 0x6a6ac8de1 in vmEntryToJavaScript+0x120 (/Users/kkinnunen/Build/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12c2de1)
    #27 0x6a948584d in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)+0x4fd (/Users/kkinnunen/Build/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3c7f84d)
    #28 0x6a9483313 in JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*)+0x42d3 (/Users/kkinnunen/Build/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3c7d313)
    #29 0x6a9f3ce16 in JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)+0x6d6 (/Users/kkinnunen/Build/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x4736e16)
    #30 0x6a9f3d31a in JSC::profiledEvaluate(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)+0x24a (/Users/kkinnunen/Build/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x473731a)
    #31 0x676ec11e2 in WebCore::JSExecState::profiledEvaluate(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)+0x262 (/Users/kkinnunen/Build/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x70bb1e2)
    #32 0x676ec0516 in WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&)+0x4c6 (/Users/kkinnunen/Build/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x70ba516)
    #33 0x676ebff32 in WebCore::ScriptController::evaluateInWorldIgnoringException(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&)+0x132 (/Users/kkinnunen/Build/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x70b9f32)
    #34 0x676ec16bd in WebCore::ScriptController::evaluateIgnoringException(WebCore::ScriptSourceCode const&)+0xfd (/Users/kkinnunen/Build/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x70bb6bd)
    #35 0x6780d28d6 in WebCore::ScriptElement::executeClassicScript(WebCore::ScriptSourceCode const&)+0xc26 (/Users/kkinnunen/Build/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x82cc8d6)
    #36 0x6780cd7d8 in WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport)+0x1e18 (/Users/kkinnunen/Build/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x82c77d8)
    #37 0x678e4a31e in WebCore::HTMLScriptRunner::runScript(WebCore::ScriptElement&, WTF::TextPosition const&)+0x45e (/Users/kkinnunen/Build/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x904431e)
    #38 0x678e49ce0 in WebCore::HTMLScriptRunner::execute(WTF::Ref<WebCore::ScriptElement, WTF::RawPtrTraits<WebCore::ScriptElement> >&&, WTF::TextPosition const&)+0xf0 (/Users/kkinnunen/Build/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x9043ce0)
    #39 0x678e04003 in WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder()+0x643 (/Users/kkinnunen/Build/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x8ffe003)
    #40 0x678e047f6 in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&)+0x1a6 (/Users/kkinnunen/Build/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x8ffe7f6)
    #41 0x678e0317c in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode)+0x39c (/Users/kkinnunen/Build/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x8ffd17c)
    #42 0x678e024da in WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode)+0xca (/Users/kkinnunen/Build/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x8ffc4da)
    #43 0x678e062fe in WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl, WTF::RawPtrTraits<WTF::StringImpl>, WTF::DefaultRefDerefTraits<WTF::StringImpl> >&&)+0x36e (/Users/kkinnunen/Build/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x90002fe)
    #44 0x677c3a1f9 in WebCore::DecodedDataDocumentParser::appendBytes(WebCore::DocumentWriter&, char const*, unsigned long)+0x1e9 (/Users/kkinnunen/Build/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x7e341f9)
    #45 0x67988177d in WebCore::DocumentWriter::addData(char const*, unsigned long)+0x29d (/Users/kkinnunen/Build/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x9a7b77d)
    #46 0x6797dfa59 in WebCore::DocumentLoader::commitData(char const*, unsigned long)+0x1079 (/Users/kkinnunen/Build/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x99d9a59)
    #47 0x65c586205 in WebKit::WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader*, char const*, int)+0x145 (/Users/kkinnunen/Build/Debug/WebKit.framework/Versions/A/WebKit:x86_64+0x4584205)
    #48 0x6797ec1a8 in WebCore::DocumentLoader::commitLoad(char const*, int)+0x258 (/Users/kkinnunen/Build/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x99e61a8)
    #49 0x6797ebedd in WebCore::DocumentLoader::dataReceived(char const*, int)+0x3cd (/Users/kkinnunen/Build/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x99e5edd)
    #50 0x6797ed23c in WebCore::DocumentLoader::dataReceived(WebCore::CachedResource&, char const*, int)+0x9c (/Users/kkinnunen/Build/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x99e723c)
    #51 0x679b3ad42 in WebCore::CachedRawResource::notifyClientsDataWasReceived(char const*, unsigned int)+0x222 (/Users/kkinnunen/Build/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x9d34d42)
    #52 0x679b3a8c0 in WebCore::CachedRawResource::updateBuffer(WebCore::SharedBuffer&)+0x3b0 (/Users/kkinnunen/Build/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x9d348c0)
    #53 0x679a3bde4 in WebCore::SubresourceLoader::didReceiveDataOrBuffer(char const*, int, WTF::RefPtr<WebCore::SharedBuffer, WTF::RawPtrTraits<WebCore::SharedBuffer>, WTF::DefaultRefDerefTraits<WebCore::SharedBuffer> >&&, long long, WebCore::DataPayloadType)+0x774 (/Users/kkinnunen/Build/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x9c35de4)
    #54 0x679a3b5e7 in WebCore::SubresourceLoader::didReceiveData(char const*, unsigned int, long long, WebCore::DataPayloadType)+0x127 (/Users/kkinnunen/Build/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x9c355e7)
    #55 0x65c3364ac in WebKit::WebResourceLoader::didReceiveData(IPC::ArrayReference<unsigned char, 18446744073709551615ul> const&, long long)+0x81c (/Users/kkinnunen/Build/Debug/WebKit.framework/Versions/A/WebKit:x86_64+0x43344ac)
    #56 0x65d0ce5a7 in void IPC::callMemberFunctionImpl<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(IPC::ArrayReference<unsigned char, 18446744073709551615ul> const&, long long), std::__1::tuple<IPC::ArrayReference<unsigned char, 18446744073709551615ul>, long long>, 0ul, 1ul>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(IPC::ArrayReference<unsigned char, 18446744073709551615ul> const&, long long), std::__1::tuple<IPC::ArrayReference<unsigned char, 18446744073709551615ul>, long long>&&, std::__1::integer_sequence<unsigned long, 0ul, 1ul>)+0x2b7 (/Users/kkinnunen/Build/Debug/WebKit.framework/Versions/A/WebKit:x86_64+0x50cc5a7)
    #57 0x65d0ce276 in void IPC::callMemberFunction<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(IPC::ArrayReference<unsigned char, 18446744073709551615ul> const&, long long), std::__1::tuple<IPC::ArrayReference<unsigned char, 18446744073709551615ul>, long long>, std::__1::integer_sequence<unsigned long, 0ul, 1ul> >(std::__1::tuple<IPC::ArrayReference<unsigned char, 18446744073709551615ul>, long long>&&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(IPC::ArrayReference<unsigned char, 18446744073709551615ul> const&, long long))+0x2b6 (/Users/kkinnunen/Build/Debug/WebKit.framework/Versions/A/WebKit:x86_64+0x50cc276)
    #58 0x65d0c8c36 in void IPC::handleMessage<Messages::WebResourceLoader::DidReceiveData, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(IPC::ArrayReference<unsigned char, 18446744073709551615ul> const&, long long)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(IPC::ArrayReference<unsigned char, 18446744073709551615ul> const&, long long))+0x346 (/Users/kkinnunen/Build/Debug/WebKit.framework/Versions/A/WebKit:x86_64+0x50c6c36)
    #59 0x65d0c7337 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&)+0x6a7 (/Users/kkinnunen/Build/Debug/WebKit.framework/Versions/A/WebKit:x86_64+0x50c5337)
    #60 0x65c2ae39e in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&)+0x24e (/Users/kkinnunen/Build/Debug/WebKit.framework/Versions/A/WebKit:x86_64+0x42ac39e)
    #61 0x658126ae4 in IPC::Connection::dispatchMessage(IPC::Decoder&)+0x494 (/Users/kkinnunen/Build/Debug/WebKit.framework/Versions/A/WebKit:x86_64+0x124ae4)
    #62 0x658127e47 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)+0x7d7 (/Users/kkinnunen/Build/Debug/WebKit.framework/Versions/A/WebKit:x86_64+0x125e47)
    #63 0x658129b34 in IPC::Connection::dispatchOneIncomingMessage()+0x204 (/Users/kkinnunen/Build/Debug/WebKit.framework/Versions/A/WebKit:x86_64+0x127b34)
    #64 0x65816c3c7 in IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_9::operator()()+0x57 (/Users/kkinnunen/Build/Debug/WebKit.framework/Versions/A/WebKit:x86_64+0x16a3c7)
    #65 0x65816c28d in WTF::Detail::CallableWrapper<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_9, void>::call()+0x1d (/Users/kkinnunen/Build/Debug/WebKit.framework/Versions/A/WebKit:x86_64+0x16a28d)
    #66 0x6a586e444 in WTF::Function<void ()>::operator()() const+0xf4 (/Users/kkinnunen/Build/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x68444)
    #67 0x6a59bc53d in WTF::RunLoop::performWork()+0x37d (/Users/kkinnunen/Build/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1b653d)
    #68 0x6a59c3ea5 in WTF::RunLoop::performWork(void*)+0xe5 (/Users/kkinnunen/Build/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1bdea5)
    #69 0x7fff20434e2b in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__+0x10 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x81e2b)
    #70 0x7fff20434d93 in __CFRunLoopDoSource0+0xb3 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x81d93)
    #71 0x7fff20434b13 in __CFRunLoopDoSources0+0xf1 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x81b13)
    #72 0x7fff2043353b in __CFRunLoopRun+0x37c (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x8053b)
    #73 0x7fff20432afb in CFRunLoopRunSpecific+0x232 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x7fafb)
    #74 0x7fff211bcbb6 in -[NSRunLoop(NSRunLoop) runMode:beforeDate:]+0xd3 (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x5fbb6)
    #75 0x7fff2124aa80 in -[NSRunLoop(NSRunLoop) run]+0x4b (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0xeda80)
    #76 0x7fff2008a38c in _xpc_objc_main+0x338 (/usr/lib/system/libxpc.dylib:x86_64+0x1538c)
    #77 0x7fff20089cd2 in xpc_main+0x73 (/usr/lib/system/libxpc.dylib:x86_64+0x14cd2)
    #78 0x659e58d3c in WebKit::XPCServiceMain(int, char const**)+0x9fc (/Users/kkinnunen/Build/Debug/WebKit.framework/Versions/A/WebKit:x86_64+0x1e56d3c)
    #79 0x65d1fdbfa in WKXPCServiceMain+0x1a (/Users/kkinnunen/Build/Debug/WebKit.framework/Versions/A/WebKit:x86_64+0x51fbbfa)
    #80 0x10927fe11 in main+0x21 (/Users/kkinnunen/Build/Debug/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x100003e11)
    #81 0x7fff20356f3c in start+0x0 (/usr/lib/system/libdyld.dylib:x86_64+0x15f3c)

0x6110000d6720 is located 224 bytes inside of 232-byte region [0x6110000d6640,0x6110000d6728)
freed by thread T0 here:
    #0 0x66d53665d in wrap__ZdlPv+0x7d (/Volumes/Xcode12E5244b_m20F25_i18F26_FastSim_Boost_43GB/Xcode.app/Contents/Developer/Toolchains/OSX11.4.xctoolchain/usr/lib/clang/12.0.5/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x5465d)
    #1 0x6b6e11857 in rx::RenderbufferMtl::~RenderbufferMtl()+0x27 (/Users/kkinnunen/Build/Debug/libANGLE-shared.dylib:x86_64+0x125f857)
    #2 0x6b6e0ed35 in std::__1::default_delete<rx::RenderbufferImpl>::operator()(rx::RenderbufferImpl*) const+0x95 (/Users/kkinnunen/Build/Debug/libANGLE-shared.dylib:x86_64+0x125cd35)
    #3 0x6b6e0ec4e in std::__1::unique_ptr<rx::RenderbufferImpl, std::__1::default_delete<rx::RenderbufferImpl> >::reset(rx::RenderbufferImpl*)+0xbe (/Users/kkinnunen/Build/Debug/libANGLE-shared.dylib:x86_64+0x125cc4e)
    #4 0x6b6e0eb88 in std::__1::unique_ptr<rx::RenderbufferImpl, std::__1::default_delete<rx::RenderbufferImpl> >::~unique_ptr()+0x18 (/Users/kkinnunen/Build/Debug/libANGLE-shared.dylib:x86_64+0x125cb88)
    #5 0x6b6e0a534 in std::__1::unique_ptr<rx::RenderbufferImpl, std::__1::default_delete<rx::RenderbufferImpl> >::~unique_ptr()+0x14 (/Users/kkinnunen/Build/Debug/libANGLE-shared.dylib:x86_64+0x1258534)
    #6 0x6b6e0a4ca in gl::Renderbuffer::~Renderbuffer()+0x16a (/Users/kkinnunen/Build/Debug/libANGLE-shared.dylib:x86_64+0x12584ca)
    #7 0x6b6e0a574 in gl::Renderbuffer::~Renderbuffer()+0x14 (/Users/kkinnunen/Build/Debug/libANGLE-shared.dylib:x86_64+0x1258574)
    #8 0x6b6e0a5fb in gl::Renderbuffer::~Renderbuffer()+0x1b (/Users/kkinnunen/Build/Debug/libANGLE-shared.dylib:x86_64+0x12585fb)
    #9 0x6b5dae1b2 in angle::RefCountObject<gl::Context, angle::Result>::release(gl::Context const*)+0x462 (/Users/kkinnunen/Build/Debug/libANGLE-shared.dylib:x86_64+0x1fc1b2)
    #10 0x6b6e958bf in gl::RenderbufferManager::DeleteObject(gl::Context const*, gl::Renderbuffer*)+0x1f (/Users/kkinnunen/Build/Debug/libANGLE-shared.dylib:x86_64+0x12e38bf)
    #11 0x6b6e94f12 in gl::TypedResourceManager<gl::Renderbuffer, gl::RenderbufferManager, gl::RenderbufferID>::deleteObject(gl::Context const*, gl::RenderbufferID)+0x382 (/Users/kkinnunen/Build/Debug/libANGLE-shared.dylib:x86_64+0x12e2f12)
    #12 0x6b5db88be in gl::Context::deleteRenderbuffer(gl::RenderbufferID)+0x38e (/Users/kkinnunen/Build/Debug/libANGLE-shared.dylib:x86_64+0x2068be)
    #13 0x6b5e13b7a in gl::Context::deleteRenderbuffers(int, gl::RenderbufferID const*)+0x17a (/Users/kkinnunen/Build/Debug/libANGLE-shared.dylib:x86_64+0x261b7a)
    #14 0x6b623654a in gl::DeleteRenderbuffers(int, unsigned int const*)+0x15a (/Users/kkinnunen/Build/Debug/libANGLE-shared.dylib:x86_64+0x68454a)
    #15 0x67039493c in WebCore::GraphicsContextGLOpenGL::deleteRenderbuffer(unsigned int)+0x14c (/Users/kkinnunen/Build/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x58e93c)
    #16 0x678d1a59a in WebCore::WebGLRenderbuffer::deleteObjectImpl(WTF::AbstractLocker const&, WebCore::GraphicsContextGL*, unsigned int)+0x9a (/Users/kkinnunen/Build/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x8f1459a)
    #17 0x678d17044 in WebCore::WebGLObject::deleteObject(WTF::AbstractLocker const&, WebCore::GraphicsContextGL*)+0x374 (/Users/kkinnunen/Build/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x8f11044)
    #18 0x678d17316 in WebCore::WebGLObject::onDetached(WTF::AbstractLocker const&, WebCore::GraphicsContextGL*)+0x156 (/Users/kkinnunen/Build/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x8f11316)
    #19 0x678cfa665 in WebCore::(anonymous namespace)::WebGLRenderbufferAttachment::onDetached(WTF::AbstractLocker const&, WebCore::GraphicsContextGL*)+0x35 (/Users/kkinnunen/Build/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x8ef4665)
    #20 0x678cf4cda in WebCore::WebGLFramebuffer::removeAttachmentInternal(WTF::AbstractLocker const&, unsigned int)+0x25a (/Users/kkinnunen/Build/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x8eeecda)
    #21 0x678cf0877 in WebCore::WebGLFramebuffer::setAttachmentInternal(unsigned int, unsigned int, WebCore::WebGLTexture*, int, int)+0x277 (/Users/kkinnunen/Build/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x8eea877)
    #22 0x678cf0063 in WebCore::WebGLFramebuffer::setAttachmentForBoundFramebuffer(unsigned int, unsigned int, unsigned int, WebCore::WebGLTexture*, int, int)+0x113 (/Users/kkinnunen/Build/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x8eea063)
    #23 0x678d4b70c in WebCore::WebGLRenderingContextBase::framebufferTexture2D(unsigned int, unsigned int, unsigned int, WebCore::WebGLTexture*, int)+0x28c (/Users/kkinnunen/Build/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x8f4570c)
    #24 0x6740f34d0 in WebCore::jsWebGLRenderingContextPrototypeFunction_framebufferTexture2DBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSWebGLRenderingContext*)::'lambda'()::operator()() const+0x350 (/Users/kkinnunen/Build/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x42ed4d0)
    #25 0x6740f29a3 in JSC::JSValue WebCore::toJS<WebCore::IDLUndefined, WebCore::jsWebGLRenderingContextPrototypeFunction_framebufferTexture2DBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSWebGLRenderingContext*)::'lambda'()>(JSC::JSGlobalObject&, JSC::ThrowScope&, WebCore::jsWebGLRenderingContextPrototypeFunction_framebufferTexture2DBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSWebGLRenderingContext*)::'lambda'()&&)+0xe3 (/Users/kkinnunen/Build/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x42ec9a3)
    #26 0x6740f23e1 in WebCore::jsWebGLRenderingContextPrototypeFunction_framebufferTexture2DBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSWebGLRenderingContext*)+0x17a1 (/Users/kkinnunen/Build/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x42ec3e1)
    #27 0x6740f0b66 in long long WebCore::IDLOperation<WebCore::JSWebGLRenderingContext>::call<&(WebCore::jsWebGLRenderingContextPrototypeFunction_framebufferTexture2DBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSWebGLRenderingContext*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*)+0x4c6 (/Users/kkinnunen/Build/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x42eab66)
    #28 0x674089993 in WebCore::jsWebGLRenderingContextPrototypeFunction_framebufferTexture2D(JSC::JSGlobalObject*, JSC::CallFrame*)+0x23 (/Users/kkinnunen/Build/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x4283993)
    #29 0x26e8b1e011d7 (<unknown module>)

previously allocated by thread T0 here:
    #0 0x66d53623d in wrap__Znwm+0x7d (/Volumes/Xcode12E5244b_m20F25_i18F26_FastSim_Boost_43GB/Xcode.app/Contents/Developer/Toolchains/OSX11.4.xctoolchain/usr/lib/clang/12.0.5/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x5423d)
    #1 0x6b5f89199 in rx::ContextMtl::createRenderbuffer(gl::RenderbufferState const&)+0x19 (/Users/kkinnunen/Build/Debug/libANGLE-shared.dylib:x86_64+0x3d7199)
    #2 0x6b6e09b7b in gl::Renderbuffer::Renderbuffer(rx::GLImplFactory*, gl::RenderbufferID)+0x4eb (/Users/kkinnunen/Build/Debug/libANGLE-shared.dylib:x86_64+0x1257b7b)
    #3 0x6b6e0a14b in gl::Renderbuffer::Renderbuffer(rx::GLImplFactory*, gl::RenderbufferID)+0x1ab (/Users/kkinnunen/Build/Debug/libANGLE-shared.dylib:x86_64+0x125814b)
    #4 0x6b6ea3c35 in gl::RenderbufferManager::AllocateNewObject(rx::GLImplFactory*, gl::RenderbufferID)+0x1e5 (/Users/kkinnunen/Build/Debug/libANGLE-shared.dylib:x86_64+0x12f1c35)
    #5 0x6b5e94b87 in gl::Renderbuffer* gl::TypedResourceManager<gl::Renderbuffer, gl::RenderbufferManager, gl::RenderbufferID>::checkObjectAllocationImpl<>(rx::GLImplFactory*, gl::RenderbufferID)+0x267 (/Users/kkinnunen/Build/Debug/libANGLE-shared.dylib:x86_64+0x2e2b87)
    #6 0x6b5e94020 in gl::Renderbuffer* gl::TypedResourceManager<gl::Renderbuffer, gl::RenderbufferManager, gl::RenderbufferID>::checkObjectAllocation<>(rx::GLImplFactory*, gl::RenderbufferID)+0x370 (/Users/kkinnunen/Build/Debug/libANGLE-shared.dylib:x86_64+0x2e2020)
    #7 0x6b5e0db76 in gl::RenderbufferManager::checkRenderbufferAllocation(rx::GLImplFactory*, gl::RenderbufferID)+0x1e6 (/Users/kkinnunen/Build/Debug/libANGLE-shared.dylib:x86_64+0x25bb76)
    #8 0x6b5dab08a in gl::Context::bindRenderbuffer(unsigned int, gl::RenderbufferID)+0x45a (/Users/kkinnunen/Build/Debug/libANGLE-shared.dylib:x86_64+0x1f908a)
    #9 0x6b62326be in gl::BindRenderbuffer(unsigned int, unsigned int)+0x2fe (/Users/kkinnunen/Build/Debug/libANGLE-shared.dylib:x86_64+0x6806be)
    #10 0x670384d82 in WebCore::GraphicsContextGLOpenGL::bindRenderbuffer(unsigned int, unsigned int)+0x32 (/Users/kkinnunen/Build/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x57ed82)
    #11 0x678d41680 in WebCore::WebGLRenderingContextBase::bindRenderbuffer(unsigned int, WebCore::WebGLRenderbuffer*)+0x240 (/Users/kkinnunen/Build/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x8f3b680)
    #12 0x6740968ce in WebCore::jsWebGLRenderingContextPrototypeFunction_bindRenderbufferBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSWebGLRenderingContext*)::'lambda'()::operator()() const+0x15e (/Users/kkinnunen/Build/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x42908ce)
    #13 0x674095f93 in JSC::JSValue WebCore::toJS<WebCore::IDLUndefined, WebCore::jsWebGLRenderingContextPrototypeFunction_bindRenderbufferBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSWebGLRenderingContext*)::'lambda'()>(JSC::JSGlobalObject&, JSC::ThrowScope&, WebCore::jsWebGLRenderingContextPrototypeFunction_bindRenderbufferBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSWebGLRenderingContext*)::'lambda'()&&)+0xe3 (/Users/kkinnunen/Build/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x428ff93)
    #14 0x674095a73 in WebCore::jsWebGLRenderingContextPrototypeFunction_bindRenderbufferBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSWebGLRenderingContext*)+0xd13 (/Users/kkinnunen/Build/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x428fa73)
    #15 0x674094c86 in long long WebCore::IDLOperation<WebCore::JSWebGLRenderingContext>::call<&(WebCore::jsWebGLRenderingContextPrototypeFunction_bindRenderbufferBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSWebGLRenderingContext*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*)+0x4c6 (/Users/kkinnunen/Build/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x428ec86)
    #16 0x674089093 in WebCore::jsWebGLRenderingContextPrototypeFunction_bindRenderbuffer(JSC::JSGlobalObject*, JSC::CallFrame*)+0x23 (/Users/kkinnunen/Build/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x4283093)
    #17 0x26e8b1e011d7 (<unknown module>)
    #18 0x6a6aead6e in llint_entry+0x21c9a (/Users/kkinnunen/Build/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12e4d6e)
    #19 0x6a6ac8de1 in vmEntryToJavaScript+0x120 (/Users/kkinnunen/Build/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12c2de1)
    #20 0x6a948584d in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)+0x4fd (/Users/kkinnunen/Build/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3c7f84d)
    #21 0x6a9478c77 in JSC::Interpreter::execute(JSC::EvalExecutable*, JSC::JSGlobalObject*, JSC::JSValue, JSC::JSScope*)+0x4037 (/Users/kkinnunen/Build/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3c72c77)
    #22 0x6a9474311 in JSC::eval(JSC::JSGlobalObject*, JSC::CallFrame*, JSC::ECMAMode)+0x1691 (/Users/kkinnunen/Build/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3c6e311)
    #23 0x6a96a5b9f in JSC::operationCallEval(JSC::JSGlobalObject*, JSC::CallFrame*, JSC::ECMAMode)+0x57f (/Users/kkinnunen/Build/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3e9fb9f)
    #24 0x26e8b1e06254 (<unknown module>)
    #25 0x6a6aeae16 in llint_entry+0x21d42 (/Users/kkinnunen/Build/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12e4e16)
    #26 0x6a6ac8de1 in vmEntryToJavaScript+0x120 (/Users/kkinnunen/Build/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12c2de1)
    #27 0x6a948584d in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)+0x4fd (/Users/kkinnunen/Build/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3c7f84d)
    #28 0x6a9483313 in JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*)+0x42d3 (/Users/kkinnunen/Build/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3c7d313)
    #29 0x6a9f3ce16 in JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)+0x6d6 (/Users/kkinnunen/Build/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x4736e16)

SUMMARY: AddressSanitizer: heap-use-after-free (/Users/kkinnunen/Build/Debug/libANGLE-shared.dylib:x86_64+0xa2f7af) in rx::RenderTargetMtl::getFormat() const+0x3f
Shadow bytes around the buggy address:
  0x1c220001ac90: 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c220001aca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c220001acb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c220001acc0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x1c220001acd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x1c220001ace0: fd fd fd fd[fd]fa fa fa fa fa fa fa fa fa fa fa
  0x1c220001acf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c220001ad00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c220001ad10: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x1c220001ad20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c220001ad30: 00 00 06 fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==93334==ABORTING
Attachments
Patch (4.21 KB, patch)
2021-03-25 11:17 PDT, Kyle Piddington
dino: review+
Kyle Piddington
Comment 1
2021-03-25 11:17:20 PDT
Created attachment 424263: Patch
EWS Watchlist
Comment 2
2021-03-25 11:18:12 PDT
Note that there are important steps to take when updating ANGLE. See
https://trac.webkit.org/wiki/UpdatingANGLE
Dean Jackson
Comment 3
2021-03-25 20:14:57 PDT
Committed r275074 (235786@main): <https://commits.webkit.org/235786@main>
Radar WebKit Bug Importer
Comment 4
2021-03-25 20:15:20 PDT
<rdar://problem/75869236>