Bug 240545 - Crash under RemoteDisplayListRecorder::restore()
Summary: Crash under RemoteDisplayListRecorder::restore()
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit Process Model
Version: Safari Technology Preview
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Kimmo Kinnunen
URL: https://ews-build.s3-us-west-2.amazon...
Keywords: InRadar
Reported: 2022-05-17 15:57 PDT by Simon Fraser (smfr)
Modified: 2022-05-31 00:21 PDT (History)
Attachments
- Crash log (86.12 KB, text/plain), 2022-05-17 15:57 PDT, Simon Fraser (smfr)
- Patch (2.03 KB, patch), 2022-05-18 07:06 PDT, Kimmo Kinnunen
- For landing. (2.03 KB, patch), 2022-05-24 04:27 PDT, Kimmo Kinnunen, flags: dino: commit-queue+
- [fast-cq] Patch for landing (2.03 KB, patch), 2022-05-30 14:05 PDT, Dean Jackson

Description Simon Fraser (smfr) 2022-05-17 15:57:08 PDT
Created attachment 459519 [details]
Crash log

EWS shows a crash under RemoteDisplayListRecorder::restore():
https://ews-build.s3-us-west-2.amazonaws.com/macOS-BigSur-Release-WK2-Tests-EWS/459507-7519/fast/mediastream/granted-denied-request-management2-crash-log.txt

Thread 30 Crashed:: RemoteRenderingBackend work queue
0   com.apple.WebCore             	0x000000011482a475 WebCore::Color::operator=(WebCore::Color const&) + 229
1   com.apple.WebCore             	0x00000001148a7c62 WebCore::GraphicsContextState::operator=(WebCore::GraphicsContextState const&) + 34
2   com.apple.WebCore             	0x00000001148a7b97 WebCore::GraphicsContext::restore() + 55
3   com.apple.WebCore             	0x0000000114933e07 WebCore::GraphicsContextCG::restore() + 23
4   com.apple.WebKit              	0x000000010f092a5c WebKit::RemoteDisplayListRecorder::restore() + 34
5   com.apple.WebKit              	0x000000010f27e5e8 IPC::StreamServerConnection::dispatchStreamMessage(IPC::Decoder&&, IPC::StreamMessageReceiver&) + 32
6   com.apple.WebKit              	0x000000010f27d953 IPC::StreamServerConnection::dispatchStreamMessages(unsigned long) + 377
7   com.apple.WebKit              	0x000000010f27d6bf IPC::StreamConnectionWorkQueue::processStreams() + 435
8   com.apple.WebKit              	0x000000010f27ee3a WTF::Detail::CallableWrapper<IPC::StreamConnectionWorkQueue::startProcessingThread()::$_0, void>::call() + 46
9   com.apple.JavaScriptCore      	0x0000000117e7bbdc WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) + 124
10  com.apple.JavaScriptCore      	0x0000000117e7e209 WTF::wtfThreadEntryPoint(void*) + 9
11  libsystem_pthread.dylib       	0x00007fff2045a8fc _pthread_start + 224
12  libsystem_pthread.dylib       	0x00007fff20456443 thread_start + 15


Main thread is in:

Thread 0:: Dispatch queue: com.apple.main-thread
0   libsystem_malloc.dylib        	0x00007fff202865f0 tiny_free_no_lock + 997
1   libsystem_malloc.dylib        	0x00007fff202860c9 free_tiny + 442
2   com.apple.CoreGraphics        	0x00007fff24fb0e8d CGGStateRelease + 44
3   com.apple.CoreGraphics        	0x00007fff24fbb804 CGGStackReset + 44
4   com.apple.CoreGraphics        	0x00007fff24fbb7c9 CGGStackRelease + 19
5   com.apple.CoreGraphics        	0x00007fff24fbb755 context_finalize + 67
6   com.apple.CoreFoundation      	0x00007fff2061c967 _CFRelease + 244
7   com.apple.WebCore             	0x000000011493a6e5 WebCore::IOSurfacePool::willAddSurface(WebCore::IOSurface&, bool) + 85
8   com.apple.WebCore             	0x000000011493b208 WebCore::IOSurfacePool::addSurface(std::__1::unique_ptr<WebCore::IOSurface, std::__1::default_delete<WebCore::IOSurface> >&&) + 104
9   com.apple.WebCore             	0x0000000114946ee7 WebCore::ImageBufferIOSurfaceBackend::~ImageBufferIOSurfaceBackend() + 71
10  com.apple.WebKit              	0x000000010f098fbf std::__1::unique_ptr<WebKit::ImageBufferShareableMappedIOSurfaceBackend, std::__1::default_delete<WebKit::ImageBufferShareableMappedIOSurfaceBackend> >::reset(WebKit::ImageBufferShareableMappedIOSurfaceBackend*) + 25
11  com.apple.WebKit              	0x000000010f098ede WebKit::RemoteImageBuffer<WebKit::ImageBufferShareableMappedIOSurfaceBackend>::~RemoteImageBuffer() + 120
12  com.apple.WebKit              	0x000000010f098780 WebKit::RemoteImageBuffer<WebKit::ImageBufferShareableMappedIOSurfaceBackend>::~RemoteImageBuffer() + 14
13  com.apple.JavaScriptCore      	0x0000000117e617c1 WTF::RunLoop::performWork() + 545
14  com.apple.JavaScriptCore      	0x0000000117e62072 WTF::RunLoop::performWork(void*) + 34
15  com.apple.CoreFoundation      	0x00007fff205520dc __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
16  com.apple.CoreFoundation      	0x00007fff20552044 __CFRunLoopDoSource0 + 180
17  com.apple.CoreFoundation      	0x00007fff20551dba __CFRunLoopDoSources0 + 242
18  com.apple.CoreFoundation      	0x00007fff205507c8 __CFRunLoopRun + 897
19  com.apple.CoreFoundation      	0x00007fff2054fd80 CFRunLoopRunSpecific + 567
20  com.apple.Foundation          	0x00007fff2120b607 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 212
21  com.apple.Foundation          	0x00007fff212994d1 -[NSRunLoop(NSRunLoop) run] + 76
22  libxpc.dylib                  	0x00007fff201a938d _xpc_objc_main + 825
Comment 1 Radar WebKit Bug Importer 2022-05-17 15:57:26 PDT
<rdar://problem/93459252>
Comment 4 Kimmo Kinnunen 2022-05-18 07:06:09 PDT
Created attachment 459540 [details]
Patch
Comment 5 Kimmo Kinnunen 2022-05-18 07:10:05 PDT
I could not repro the issue, but I didn't have the exact same configuration.

The strange thing is that dereferencing a disengaged std::optional should assert if the patch is fixing what it thinks it is fixing. However, I could not make std::optional assert in our builds. However, I seem to remember seeing such an assertion, so I don't know which is wrong -- my try or my recollection.
Comment 6 Kimmo Kinnunen 2022-05-18 08:08:42 PDT
I was in fact thinking of std::optional::value() which throws bad_optional_access.
It appears we don't compile with libc++ debug assertions even on debug.

From this perspective the patch is still consistent (potentially fixing the issue)
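The distinction comments 5 and 6 draw, shown as an added example that is not WebKit code: a GPU-process style message handler whose saved graphics state sits in a `std::optional`. `GraphicsState`, `restoreViaValue` and `restoreChecked` are hypothetical stand-ins; only the `std::optional` behaviour is the standard's.

```cpp
// Added example (not WebKit code). Models a stream-message receiver whose
// per-context saved state lives in a std::optional, as in comments 5 and 6.
#include <optional>
#include <stdexcept>
#include <string>

// Hypothetical stand-in for the graphics state that restore() copies back.
struct GraphicsState {
    std::string fillColor;
    int saveDepth = 0;
};

enum class RestoreResult { Restored, RejectedNoState, ThrewBadOptionalAccess };

// Unsafe pattern: operator* on a disengaged optional is undefined behaviour.
// Without libc++ debug assertions (comment 6 notes WebKit does not enable
// them even in debug builds) nothing fires and a copy out of garbage follows,
// which matches the Color::operator= frame in the crash log. Never called here.
const GraphicsState& uncheckedRestore(const std::optional<GraphicsState>& saved) {
    return *saved; // UB when !saved.has_value()
}

// std::optional::value() is the checked accessor: it throws
// std::bad_optional_access on a disengaged optional (comment 6).
RestoreResult restoreViaValue(const std::optional<GraphicsState>& saved, GraphicsState& current) {
    try {
        current = saved.value();
        return RestoreResult::Restored;
    } catch (const std::bad_optional_access&) {
        return RestoreResult::ThrewBadOptionalAccess;
    }
}

// Defensive pattern for an IPC receiver fed by another process: treat a
// missing saved state as a malformed message and leave current state untouched.
RestoreResult restoreChecked(const std::optional<GraphicsState>& saved, GraphicsState& current) {
    if (!saved)
        return RestoreResult::RejectedNoState;
    current = *saved;
    return RestoreResult::Restored;
}
```

WebKit builds without C++ exceptions, so in that code base a failing `value()` terminates rather than throws; the explicit `has_value` check is the pattern that actually rejects a bad message.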
Comment 7 Kimmo Kinnunen 2022-05-24 04:27:06 PDT
Created attachment 459713 [details]
For landing.
Comment 9 Dean Jackson 2022-05-27 14:39:52 PDT
Ignore that commit. It was landed incorrectly.
Comment 10 Dean Jackson 2022-05-30 13:59:47 PDT
Why isn't the commit-queue picking this up?
Comment 11 Dean Jackson 2022-05-30 14:05:15 PDT
Created attachment 459873 [details]
[fast-cq] Patch for landing

Trying to poke the cq.
Comment 12 Dean Jackson 2022-05-30 14:34:07 PDT
I guess all cq patches have to go via github now.
Comment 13 Kimmo Kinnunen 2022-05-31 00:21:33 PDT
Somehow commit queue already applied this but never heralded.