Bug 236005 - REGRESSION(r288865): SourceImage should never sink its ImageBuffer to a NativeImage
Summary: REGRESSION(r288865): SourceImage should never sink its ImageBuffer to a Nativ...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Said Abou-Hallawa
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2022-02-01 23:28 PST by Said Abou-Hallawa
Modified: 2022-02-02 12:08 PST
CC List: 4 users

See Also:


Attachments
test case (677 bytes, text/html), 2022-02-01 23:28 PST, Said Abou-Hallawa, no flags
Patch (8.16 KB, patch), 2022-02-02 00:43 PST, Said Abou-Hallawa, simon.fraser: review+
Patch (8.11 KB, patch), 2022-02-02 10:42 PST, Said Abou-Hallawa, no flags

Description Said Abou-Hallawa 2022-02-01 23:28:02 PST
Created attachment 450615 [details]
test case

Since SourceImage::nativeImage returns the sunk NativeImage, the SourceImage will be left with an invalid ImageBuffer, which should never be used.

Repro steps: 
1. Enable GPU Process rendering for DOM in mini browser.
2. Open the attached test case.

Results: WebKit will crash with the following call stack:

#0	0x0000000159f9d205 in std::__1::unique_ptr<WebCore::GraphicsContext, std::__1::default_delete<WebCore::GraphicsContext> >::operator bool() const at /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX12.3.Internal.sdk/usr/include/c++/v1/__memory/unique_ptr.h:303
#1	0x0000000159f9d14d in WebCore::IOSurface::ensureGraphicsContext() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/platform/graphics/cocoa/IOSurface.mm:379
#2	0x000000015c3f7cd5 in WebCore::ImageBufferIOSurfaceBackend::context() const at /Volumes/Data/WebKit/OpenSource/Source/WebCore/platform/graphics/cg/ImageBufferIOSurfaceBackend.cpp:125
#3	0x000000015c3f7d26 in WebCore::ImageBufferIOSurfaceBackend::flushContext() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/platform/graphics/cg/ImageBufferIOSurfaceBackend.cpp:135
#4	0x00000001294665f0 in WebCore::ConcreteImageBuffer<WebKit::ImageBufferShareableMappedIOSurfaceBackend>::flushContext() at /Volumes/Data/WebKit/OpenSource/WebKitBuild/Debug/WebCore.framework/PrivateHeaders/ConcreteImageBuffer.h:92
#5	0x000000012944f56a in WebKit::RemoteDisplayListRecorder::flushContext(WTF::ObjectIdentifier<WebCore::GraphicsContextFlushIdentifierType>) at /Volumes/Data/WebKit/OpenSource/Source/WebKit/GPUProcess/graphics/RemoteDisplayListRecorder.cpp:527
#6	0x00000001291ebd22 in void IPC::callMemberFunctionImpl<WebKit::RemoteDisplayListRecorder, void (WebKit::RemoteDisplayListRecorder::*)(WTF::ObjectIdentifier<WebCore::GraphicsContextFlushIdentifierType>), std::__1::tuple<WTF::ObjectIdentifier<WebCore::GraphicsContextFlushIdentifierType> >, 0ul>(WebKit::RemoteDisplayListRecorder*, void (WebKit::RemoteDisplayListRecorder::*)(WTF::ObjectIdentifier<WebCore::GraphicsContextFlushIdentifierType>), std::__1::tuple<WTF::ObjectIdentifier<WebCore::GraphicsContextFlushIdentifierType> >&&, std::__1::integer_sequence<unsigned long, 0ul>) at /Volumes/Data/WebKit/OpenSource/Source/WebKit/Platform/IPC/HandleMessage.h:125
#7	0x00000001291eb17d in void IPC::callMemberFunction<WebKit::RemoteDisplayListRecorder, void (WebKit::RemoteDisplayListRecorder::*)(WTF::ObjectIdentifier<WebCore::GraphicsContextFlushIdentifierType>), std::__1::tuple<WTF::ObjectIdentifier<WebCore::GraphicsContextFlushIdentifierType> >, std::__1::integer_sequence<unsigned long, 0ul> >(std::__1::tuple<WTF::ObjectIdentifier<WebCore::GraphicsContextFlushIdentifierType> >&&, WebKit::RemoteDisplayListRecorder*, void (WebKit::RemoteDisplayListRecorder::*)(WTF::ObjectIdentifier<WebCore::GraphicsContextFlushIdentifierType>)) at /Volumes/Data/WebKit/OpenSource/Source/WebKit/Platform/IPC/HandleMessage.h:131
#8	0x000000012918d779 in void IPC::handleMessage<Messages::RemoteDisplayListRecorder::FlushContext, WebKit::RemoteDisplayListRecorder, void (WebKit::RemoteDisplayListRecorder::*)(WTF::ObjectIdentifier<WebCore::GraphicsContextFlushIdentifierType>)>(IPC::Connection&, IPC::Decoder&, WebKit::RemoteDisplayListRecorder*, void (WebKit::RemoteDisplayListRecorder::*)(WTF::ObjectIdentifier<WebCore::GraphicsContextFlushIdentifierType>)) at /Volumes/Data/WebKit/OpenSource/Source/WebKit/Platform/IPC/HandleMessage.h:197
#9	0x00000001291894bf in WebKit::RemoteDisplayListRecorder::didReceiveStreamMessage(IPC::StreamServerConnectionBase&, IPC::Decoder&) at /Volumes/Data/WebKit/OpenSource/WebKitBuild/Debug/DerivedSources/WebKit/RemoteDisplayListRecorderMessageReceiver.cpp:218
#10	0x0000000129bd44fb in IPC::StreamServerConnection::dispatchStreamMessage(IPC::Decoder&&, IPC::StreamMessageReceiver&) at /Volumes/Data/WebKit/OpenSource/Source/WebKit/Platform/IPC/StreamServerConnection.cpp:254
#11	0x0000000129bd3e94 in IPC::StreamServerConnection::dispatchStreamMessages(unsigned long) at /Volumes/Data/WebKit/OpenSource/Source/WebKit/Platform/IPC/StreamServerConnection.cpp:229
#12	0x0000000129bd2854 in IPC::StreamConnectionWorkQueue::processStreams() at /Volumes/Data/WebKit/OpenSource/Source/WebKit/Platform/IPC/StreamConnectionWorkQueue.cpp:135
#13	0x0000000129bda890 in IPC::StreamConnectionWorkQueue::startProcessingThread()::$_0::operator()() at /Volumes/Data/WebKit/OpenSource/Source/WebKit/Platform/IPC/StreamConnectionWorkQueue.cpp:107
#14	0x0000000129bda849 in WTF::Detail::CallableWrapper<IPC::StreamConnectionWorkQueue::startProcessingThread()::$_0, void>::call() at /Volumes/Data/WebKit/OpenSource/WebKitBuild/Debug/usr/local/include/wtf/Function.h:53
#15	0x000000011d0a4672 in WTF::Function<void ()>::operator()() const at /Volumes/Data/WebKit/OpenSource/WebKitBuild/Debug/usr/local/include/wtf/Function.h:82
#16	0x000000011d167e88 in WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) at /Volumes/Data/WebKit/OpenSource/Source/WTF/wtf/Threading.cpp:191
#17	0x000000011d173aa5 in WTF::wtfThreadEntryPoint(void*) at /Volumes/Data/WebKit/OpenSource/Source/WTF/wtf/posix/ThreadingPOSIX.cpp:244

Other repro steps:

1. Save the attached file to LayoutTests/svg/custom/pattern-multiple-referencing.html
2. run-webkit-tests --debug LayoutTests/svg/custom/pattern-multiple-referencing.html  --guard-malloc --repeat=10

Result: WKTR will crash with the following call stack:

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   WebCore                       	       0x14eebab9c WebCore::Pattern::repeatX() const + 12 (Pattern.h:80)
1   WebCore                       	       0x14f9d0147 WebCore::Pattern::createPlatformPattern(WebCore::AffineTransform const&) const + 375 (PatternCG.cpp:74)
2   WebCore                       	       0x14f99dd47 WebCore::GraphicsContextCG::applyFillPattern() + 135 (GraphicsContextCG.cpp:582)
3   WebCore                       	       0x14f99f03f WebCore::GraphicsContextCG::fillRect(WebCore::FloatRect const&) + 1167 (GraphicsContextCG.cpp:812)
4   WebCore                       	       0x1500b8517 WebCore::LegacyRenderSVGRect::fillShape(WebCore::GraphicsContext&) const + 167 (LegacyRenderSVGRect.cpp:120)
5   WebCore                       	       0x1500d2af1 WebCore::RenderSVGResource::fillAndStrokePathOrShape(WebCore::GraphicsContext&, WTF::OptionSet<WebCore::RenderSVGResourceMode>, WebCore::Path const*, WebCore::RenderElement const*) const + 209 (RenderSVGResource.cpp:255)
6   WebCore                       	       0x1500f00ae WebCore::RenderSVGResourcePattern::postApplyResource(WebCore::RenderElement&, WebCore::GraphicsContext*&, WTF::OptionSet<WebCore::RenderSVGResourceMode>, WebCore::Path const*, WebCore::RenderElement const*) + 270 (RenderSVGResourcePattern.cpp:204)
7   WebCore                       	       0x1500bc4ad WebCore::LegacyRenderSVGShape::fillShape(WebCore::RenderStyle const&, WebCore::GraphicsContext&) + 221 (LegacyRenderSVGShape.cpp:224)
8   WebCore                       	       0x1500bc96e WebCore::LegacyRenderSVGShape::fillStrokeMarkers(WebCore::PaintInfo&) + 190 (LegacyRenderSVGShape.cpp:270)
9   WebCore                       	       0x1500bce29 WebCore::LegacyRenderSVGShape::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 425 (LegacyRenderSVGShape.cpp:304)
10  WebCore                       	       0x1500ba442 WebCore::LegacyRenderSVGRoot::paintReplaced(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 1330 (LegacyRenderSVGRoot.cpp:294)
11  WebCore                       	       0x14ff76d97 WebCore::RenderReplaced::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 1959 (RenderReplaced.cpp:262)
12  WebCore                       	       0x14fe584e9 WebCore::paintPhase(WebCore::RenderElement&, WebCore::PaintPhase, WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 57 (RenderElement.cpp:1135)
13  WebCore                       	       0x14fe58478 WebCore::RenderElement::paintAsInlineBlock(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 232 (RenderElement.cpp:1150)
14  WebCore                       	       0x14fd3d09a WebCore::LegacyInlineElementBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) + 298 (LegacyInlineElementBox.cpp:81)
15  WebCore                       	       0x14fd43ebf WebCore::LegacyInlineFlowBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) + 655 (LegacyInlineFlowBox.cpp:1132)
16  WebCore                       	       0x14fd5eb03 WebCore::LegacyRootInlineBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) + 67 (LegacyRootInlineBox.cpp:172)
17  WebCore                       	       0x14ff43e92 WebCore::RenderLineBoxList::paint(WebCore::RenderBoxModelObject*, WebCore::PaintInfo&, WebCore::LayoutPoint const&) const + 1346 (RenderLineBoxList.cpp:260)
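As an added illustration (not code from the attached patch or from WebKit), a simplified C++ model of the hazard named in the title: a SourceImage that sinks its ImageBuffer into a NativeImage is left holding a null buffer that a later caller dereferences, while copying the NativeImage out keeps the buffer usable. Class and method names mirror the report; their bodies, and the copy-based "fixed" variant, are assumptions, since the actual patch is not shown on this page.

```cpp
// Added example, not WebKit code: a simplified model of the report's hazard.
// Names mirror the report; bodies are hypothetical stand-ins.
#include <memory>
#include <utility>
#include <vector>

struct NativeImage {
    std::vector<unsigned char> pixels; // immutable bitmap handed to the painter
};
struct ImageBuffer {
    std::vector<unsigned char> pixels;
    // Sinking consumes the buffer: ownership moves out and the ImageBuffer must not be used again.
    static std::shared_ptr<NativeImage> sinkIntoNativeImage(std::unique_ptr<ImageBuffer> buffer) {
        return std::make_shared<NativeImage>(NativeImage{std::move(buffer->pixels)});
    }
    // Copying snapshots the current contents and leaves the buffer intact.
    std::shared_ptr<NativeImage> copyNativeImage() const {
        return std::make_shared<NativeImage>(NativeImage{pixels});
    }
};

class SourceImage {
public:
    explicit SourceImage(std::unique_ptr<ImageBuffer> buffer) : m_imageBuffer(std::move(buffer)) {}
    // Pre-fix shape: the buffer is sunk, so m_imageBuffer becomes null while other
    // callers (such as a later flushContext) still assume it is valid: that is the crash.
    std::shared_ptr<NativeImage> nativeImageBySinking() {
        if (!m_nativeImage && m_imageBuffer)
            m_nativeImage = ImageBuffer::sinkIntoNativeImage(std::move(m_imageBuffer));
        return m_nativeImage;
    }
    // Fixed shape (assumed): copy a NativeImage out and keep the ImageBuffer alive.
    std::shared_ptr<NativeImage> nativeImageByCopying() {
        if (!m_nativeImage && m_imageBuffer)
            m_nativeImage = m_imageBuffer->copyNativeImage();
        return m_nativeImage;
    }
    ImageBuffer* imageBufferIfExists() const { return m_imageBuffer.get(); }
private:
    std::unique_ptr<ImageBuffer> m_imageBuffer;
    std::shared_ptr<NativeImage> m_nativeImage;
};

// True when a NativeImage was produced and the ImageBuffer is still usable afterwards.
bool bufferSurvivesNativeImage(bool sink) {
    SourceImage image(std::make_unique<ImageBuffer>(ImageBuffer{{1, 2, 3, 4}})); // constructed pixels
    auto native = sink ? image.nativeImageBySinking() : image.nativeImageByCopying();
    return native && native->pixels.size() == 4 && image.imageBufferIfExists() != nullptr;
}
```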
Comment 1 Said Abou-Hallawa 2022-02-02 00:43:49 PST
Created attachment 450625 [details]
Patch
Comment 3 Said Abou-Hallawa 2022-02-02 10:42:04 PST
Created attachment 450671 [details]
Patch

Fix a typo in the ChangeLog
Comment 4 EWS 2022-02-02 12:07:15 PST
Committed r288977 (246705@main): <https://commits.webkit.org/246705@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 450671 [details].
Comment 5 Radar WebKit Bug Importer 2022-02-02 12:08:17 PST
<rdar://problem/88394478>