RESOLVED FIXED 224744
[GPU Process] Closing the GPU Process should clean all the back pointers from ItemBuffer to RemoteRenderingBackendProxy
https://bugs.webkit.org/show_bug.cgi?id=224744
Kimmo Kinnunen
Reported 2021-04-19 02:42:06 PDT
SHOULD NEVER BE REACHED in void WebKit::RemoteRenderingBackendProxy::didAppendData

WebContent process crashes after GPU process crashes.

First ASSERT is for GPU process crash.
Second ASSERT is for this bug, WebContent process crash.

ASSERTION FAILED: MIMETypeRegistry::isSupportedImageMIMETypeForEncoding(mimeType)
./platform/graphics/cg/ImageBufferCGBackend.cpp(176) : virtual RetainPtr<CFDataRef> WebCore::ImageBufferCGBackend::toCFData(const WTF::String &, Optional<double>, WebCore::PreserveResolution) const
1 0x1274ab0cc WTFCrash
2 0x138616b04 WebCore::JSDOMSelection::createPrototype(JSC::VM&, WebCore::JSDOMGlobalObject&)
3 0x13bd60f28 WebCore::ImageBufferCGBackend::toCFData(WTF::String const&, WTF::Optional<double>, WebCore::PreserveResolution) const
4 0x13bd71a84 WebCore::ImageBufferIOSurfaceBackend::toCFData(WTF::String const&, WTF::Optional<double>, WebCore::PreserveResolution) const
5 0x13bd61afc WebCore::ImageBufferCGBackend::toDataURL(WTF::String const&, WTF::Optional<double>, WebCore::PreserveResolution) const
6 0x110a66a0c WebCore::ConcreteImageBuffer<WebKit::ImageBufferShareableMappedIOSurfaceBackend>::toDataURL(WTF::String const&, WTF::Optional<double>, WebCore::PreserveResolution) const
7 0x110a57910 WebKit::RemoteRenderingBackend::getDataURLForImageBuffer(WTF::String const&, WTF::Optional<double>, WebCore::PreserveResolution, WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::CompletionHandler<void (WTF::String&&)>&&)
8 0x110a1c1a8 void IPC::callMemberFunctionImpl<WebKit::RemoteRenderingBackend, void (WebKit::RemoteRenderingBackend::*)(WTF::String const&, WTF::Optional<double>, WebCore::PreserveResolution, WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::CompletionHandler<void (WTF::String&&)>&&), void (WTF::String const&), std::__1::tuple<WTF::String, WTF::Optional<double>, WebCore::PreserveResolution, WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType> >, 0ul, 1ul, 2ul, 3ul>(WebKit::RemoteRenderingBackend*, void (WebKit::RemoteRenderingBackend::*)(WTF::String const&, WTF::Optional<double>, WebCore::PreserveResolution, WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::CompletionHandler<void (WTF::String&&)>&&), WTF::CompletionHandler<void (WTF::String const&)>&&, std::__1::tuple<WTF::String, WTF::Optional<double>, WebCore::PreserveResolution, WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType> >&&, std::__1::integer_sequence<unsigned long, 0ul, 1ul, 2ul, 3ul>)
9 0x110a19820 void IPC::callMemberFunction<WebKit::RemoteRenderingBackend, void (WebKit::RemoteRenderingBackend::*)(WTF::String const&, WTF::Optional<double>, WebCore::PreserveResolution, WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::CompletionHandler<void (WTF::String&&)>&&), void (WTF::String const&), std::__1::tuple<WTF::String, WTF::Optional<double>, WebCore::PreserveResolution, WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType> >, std::__1::integer_sequence<unsigned long, 0ul, 1ul, 2ul, 3ul> >(std::__1::tuple<WTF::String, WTF::Optional<double>, WebCore::PreserveResolution, WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType> >&&, WTF::CompletionHandler<void (WTF::String const&)>&&, WebKit::RemoteRenderingBackend*, void (WebKit::RemoteRenderingBackend::*)(WTF::String const&, WTF::Optional<double>, WebCore::PreserveResolution, WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::CompletionHandler<void (WTF::String&&)>&&))
10 0x110a0007c bool IPC::handleMessageSynchronous<Messages::RemoteRenderingBackend::GetDataURLForImageBuffer, WebKit::RemoteRenderingBackend, void (WebKit::RemoteRenderingBackend::*)(WTF::String const&, WTF::Optional<double>, WebCore::PreserveResolution, WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::CompletionHandler<void (WTF::String&&)>&&)>(IPC::Connection&, IPC::Decoder&, WTF::UniqueRef<IPC::Encoder>&, WebKit::RemoteRenderingBackend*, void (WebKit::RemoteRenderingBackend::*)(WTF::String const&, WTF::Optional<double>, WebCore::PreserveResolution, WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::CompletionHandler<void (WTF::String&&)>&&))
11 0x1109ffa44 WebKit::RemoteRenderingBackend::didReceiveSyncMessage(IPC::Connection&, IPC::Decoder&, WTF::UniqueRef<IPC::Encoder>&)
12 0x10ffbb5e8 IPC::Connection::dispatchMessageReceiverMessage(IPC::MessageReceiver&, std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >&&)
13 0x10ffc4014 IPC::WorkQueueMessageReceiverQueue::enqueueMessage(IPC::Connection&, std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >&&)::'lambda'()::operator()()
14 0x10ffc3cec WTF::Detail::CallableWrapper<IPC::WorkQueueMessageReceiverQueue::enqueueMessage(IPC::Connection&, std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >&&)::'lambda'(), void>::call()
15 0x1274cddc4 WTF::Function<void ()>::operator()() const
16 0x1275c7810 WTF::WorkQueue::dispatch(WTF::Function<void ()>&&)::$_0::operator()() const
17 0x1275c7ae0 WTF::BlockPtr<void ()> WTF::BlockPtr<void ()>::fromCallable<WTF::WorkQueue::dispatch(WTF::Function<void ()>&&)::$_0>(WTF::WorkQueue::dispatch(WTF::Function<void ()>&&)::$_0)::'lambda'(void*)::operator()(void*) const
18 0x1275c7ab0 WTF::BlockPtr<void ()> WTF::BlockPtr<void ()>::fromCallable<WTF::WorkQueue::dispatch(WTF::Function<void ()>&&)::$_0>(WTF::WorkQueue::dispatch(WTF::Function<void ()>&&)::$_0)::'lambda'(void*)::__invoke(void*)
19 0x1951f8d70 _dispatch_call_block_and_release
20 0x1951fab74 _dispatch_client_callout
21 0x195202750 _dispatch_lane_serial_drain
22 0x195203354 _dispatch_lane_invoke
23 0x19520e3a8 _dispatch_workloop_worker_thread
24 0x1953b4d48 _pthread_wqthread
25 0x1953b3a5c start_wqthread
2021-04-19 12:38:42.760 com.apple.WebKit.WebContent.Development[40260:4915662] XType: com.apple.fonts is not accessible.
2021-04-19 12:38:42.760 com.apple.WebKit.WebContent.Development[40260:4915662] XType: XTFontStaticRegistry is enabled.

SHOULD NEVER BE REACHED
/Users/kkinnunen/WebKit/OpenSource/Source/WebKit/WebProcess/GPU/graphics/RemoteRenderingBackendProxy.cpp(325) : void WebKit::RemoteRenderingBackendProxy::didAppendData(const DisplayList::ItemBufferHandle &, size_t, DisplayList::DidChangeItemBuffer, WebCore::RenderingResourceIdentifier)
1 0x129bdb0cc WTFCrash
2 0x11286d184 WTF::Optional<JSC::JSValue>::Optional(JSC::JSValue&&)
3 0x114225d68 WebKit::RemoteRenderingBackendProxy::didAppendData(WebCore::DisplayList::ItemBufferHandle const&, unsigned long, WebCore::DisplayList::DidChangeItemBuffer, WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>)
4 0x1142ced44 WebKit::RemoteImageBufferProxy<WebKit::ImageBufferShareableMappedIOSurfaceBackend>::didAppendData(WebCore::DisplayList::ItemBufferHandle const&, unsigned long, WebCore::DisplayList::DidChangeItemBuffer)
5 0x13e524d9c WebCore::DisplayList::ItemBuffer::didAppendData(unsigned long, WebCore::DisplayList::DidChangeItemBuffer)
6 0x13e54acb4 void WebCore::DisplayList::ItemBuffer::uncheckedAppend<WebCore::DisplayList::Save>(WebCore::DisplayList::DidChangeItemBuffer)
7 0x13e54ac4c void WebCore::DisplayList::ItemBuffer::append<WebCore::DisplayList::Save>()
8 0x13e54abf0 void WebCore::DisplayList::DisplayList::append<WebCore::DisplayList::Save>()
9 0x13e52c9f4 void WebCore::DisplayList::Recorder::append<WebCore::DisplayList::Save>()
10 0x13e52c974 WebCore::DisplayList::Recorder::save()
11 0x13e37b644 WebCore::GraphicsContext::save()
12 0x13a94dbd0 WebCore::GraphicsContextStateSaver::GraphicsContextStateSaver(WebCore::GraphicsContext&, bool)
13 0x13a93cba0 WebCore::GraphicsContextStateSaver::GraphicsContextStateSaver(WebCore::GraphicsContext&, bool)
14 0x13e48df74 WebCore::GraphicsContextGLOpenGL::paintToCanvas(WebCore::GraphicsContextGLAttributes const&, WTF::Ref<WebCore::ImageData, WTF::RawPtrTraits<WebCore::ImageData> >&&, WebCore::IntSize const&, WebCore::GraphicsContext&)
15 0x13e591410 WebCore::GraphicsContextGLOpenGL::paintRenderingResultsToCanvas(WebCore::ImageBuffer&)
16 0x13d9161fc WebCore::WebGLRenderingContextBase::paintRenderingResultsToCanvas()
17 0x13d64429c WebCore::CanvasBase::makeRenderingResultsAvailable()
18 0x13d6ac4e4 WebCore::HTMLCanvasElement::toDataURL(WTF::String const&, JSC::JSValue)
19 0x13b0befe4 WebCore::jsHTMLCanvasElementPrototypeFunction_toDataURLBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSHTMLCanvasElement*)
20 0x13b0becc4 long long WebCore::IDLOperation<WebCore::JSHTMLCanvasElement>::call<&(WebCore::jsHTMLCanvasElementPrototypeFunction_toDataURLBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSHTMLCanvasElement*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*)
21 0x13b0bbcec WebCore::jsHTMLCanvasElementPrototypeFunction_toDataURL(JSC::JSGlobalObject*, JSC::CallFrame*)
22 0x280004c04
23 0x280004008
24 0x280004008
25 0x280004008
26 0x280004728
27 0x12b5e90ac JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
28 0x12aeb83a4 JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
29 0x12b210ba4 JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
30 0x12b210c60 JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)
31 0x12b210f7c JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)
Attachments
Patch (2.94 KB, patch)
2021-05-06 13:50 PDT, Said Abou-Hallawa
no flags
Patch (1.85 KB, patch)
2021-05-06 16:43 PDT, Said Abou-Hallawa
no flags
Said Abou-Hallawa
Comment 1 2021-04-19 11:53:58 PDT
Kimmo Kinnunen
Comment 2 2021-04-20 00:31:11 PDT
The rdar link is wrong. As said: First ASSERT is for GPU process crash. <rdar://76286963> Second ASSERT is for this bug, WebContent process crash.
Alexey Proskuryakov
Comment 3 2021-04-23 12:09:35 PDT
Removing InRadar keyword so that this gets re-imported.
Radar WebKit Bug Importer
Comment 4 2021-04-23 13:10:35 PDT
Said Abou-Hallawa
Comment 5 2021-05-06 13:32:04 PDT
Said Abou-Hallawa
Comment 6 2021-05-06 13:50:16 PDT
Tim Horton
Comment 7 2021-05-06 13:53:53 PDT
Comment on attachment 427932
Patch

Maybe separately these should all be WeakPtr-y things?
Said Abou-Hallawa
Comment 8 2021-05-06 16:41:56 PDT
Comment on attachment 427932 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=427932&action=review > Source/WebCore/platform/graphics/displaylists/DisplayListImageBuffer.h:95 > + m_drawingContext.recorder().clearDelegate(); > + > + m_drawingContext.displayList().setItemBufferWritingClient(nullptr); > + m_drawingContext.displayList().setItemBufferReadingClient(nullptr); These lines caused the API test GPUProcess.CanvasBasicCrashHandling to fail. They should not be here because the RemoteRenderingBackendProxy will try to recreate the backend of the RemoteImageBufferProxy after it calls clearBackend(). Once it's recreated the DisplayList::Recorder will need the delegate and the DisplayList::DisplayList will need the writing client to create new ItemBufferHandles. So these pointers should stay as they are since they are always valid. They point to the RemoteRenderingBackendProxy and the RemoteRenderingBackendProxy owns the DisplayList and its Recorder.
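Review bot: The three resets quoted at DisplayListImageBuffer.h:95 (`clearDelegate()`, `setItemBufferWritingClient(nullptr)`, `setItemBufferReadingClient(nullptr)`) have no matching re-registration anywhere in the quoted lines, so an image buffer that is given a new backend after they run would record with no delegate and no writing client. Either set the delegate and both clients again on the path that recreates the backend, or drop the three lines and add a comment at this spot stating the lifetime assumption they would otherwise guard, namely that the object these pointers refer to outlives the display list and its recorder.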
Said Abou-Hallawa
Comment 9 2021-05-06 16:43:21 PDT
EWS
Comment 10 2021-05-07 00:44:38 PDT
Committed r277162 (237448@main): <https://commits.webkit.org/237448@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 427957.