RESOLVED FIXED 240545
Crash under RemoteDisplayListRecorder::restore()
https://bugs.webkit.org/show_bug.cgi?id=240545
Summary Crash under RemoteDisplayListRecorder::restore()
Simon Fraser (smfr)
Reported 2022-05-17 15:57:08 PDT
Created attachment 459519 [details] Crash log EWS shows a crash under RemoteDisplayListRecorder::restore(): https://ews-build.s3-us-west-2.amazonaws.com/macOS-BigSur-Release-WK2-Tests-EWS/459507-7519/fast/mediastream/granted-denied-request-management2-crash-log.txt Thread 30 Crashed:: RemoteRenderingBackend work queue 0 com.apple.WebCore 0x000000011482a475 WebCore::Color::operator=(WebCore::Color const&) + 229 1 com.apple.WebCore 0x00000001148a7c62 WebCore::GraphicsContextState::operator=(WebCore::GraphicsContextState const&) + 34 2 com.apple.WebCore 0x00000001148a7b97 WebCore::GraphicsContext::restore() + 55 3 com.apple.WebCore 0x0000000114933e07 WebCore::GraphicsContextCG::restore() + 23 4 com.apple.WebKit 0x000000010f092a5c WebKit::RemoteDisplayListRecorder::restore() + 34 5 com.apple.WebKit 0x000000010f27e5e8 IPC::StreamServerConnection::dispatchStreamMessage(IPC::Decoder&&, IPC::StreamMessageReceiver&) + 32 6 com.apple.WebKit 0x000000010f27d953 IPC::StreamServerConnection::dispatchStreamMessages(unsigned long) + 377 7 com.apple.WebKit 0x000000010f27d6bf IPC::StreamConnectionWorkQueue::processStreams() + 435 8 com.apple.WebKit 0x000000010f27ee3a WTF::Detail::CallableWrapper<IPC::StreamConnectionWorkQueue::startProcessingThread()::$_0, void>::call() + 46 9 com.apple.JavaScriptCore 0x0000000117e7bbdc WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) + 124 10 com.apple.JavaScriptCore 0x0000000117e7e209 WTF::wtfThreadEntryPoint(void*) + 9 11 libsystem_pthread.dylib 0x00007fff2045a8fc _pthread_start + 224 12 libsystem_pthread.dylib 0x00007fff20456443 thread_start + 15 Main thread is in: Thread 0:: Dispatch queue: com.apple.main-thread 0 libsystem_malloc.dylib 0x00007fff202865f0 tiny_free_no_lock + 997 1 libsystem_malloc.dylib 0x00007fff202860c9 free_tiny + 442 2 com.apple.CoreGraphics 0x00007fff24fb0e8d CGGStateRelease + 44 3 com.apple.CoreGraphics 0x00007fff24fbb804 CGGStackReset + 44 4 com.apple.CoreGraphics 0x00007fff24fbb7c9 CGGStackRelease + 19 5 com.apple.CoreGraphics 0x00007fff24fbb755 context_finalize + 67 6 com.apple.CoreFoundation 0x00007fff2061c967 _CFRelease + 244 7 com.apple.WebCore 0x000000011493a6e5 WebCore::IOSurfacePool::willAddSurface(WebCore::IOSurface&, bool) + 85 8 com.apple.WebCore 0x000000011493b208 WebCore::IOSurfacePool::addSurface(std::__1::unique_ptr<WebCore::IOSurface, std::__1::default_delete<WebCore::IOSurface> >&&) + 104 9 com.apple.WebCore 0x0000000114946ee7 WebCore::ImageBufferIOSurfaceBackend::~ImageBufferIOSurfaceBackend() + 71 10 com.apple.WebKit 0x000000010f098fbf std::__1::unique_ptr<WebKit::ImageBufferShareableMappedIOSurfaceBackend, std::__1::default_delete<WebKit::ImageBufferShareableMappedIOSurfaceBackend> >::reset(WebKit::ImageBufferShareableMappedIOSurfaceBackend*) + 25 11 com.apple.WebKit 0x000000010f098ede WebKit::RemoteImageBuffer<WebKit::ImageBufferShareableMappedIOSurfaceBackend>::~RemoteImageBuffer() + 120 12 com.apple.WebKit 0x000000010f098780 WebKit::RemoteImageBuffer<WebKit::ImageBufferShareableMappedIOSurfaceBackend>::~RemoteImageBuffer() + 14 13 com.apple.JavaScriptCore 0x0000000117e617c1 WTF::RunLoop::performWork() + 545 14 com.apple.JavaScriptCore 0x0000000117e62072 WTF::RunLoop::performWork(void*) + 34 15 com.apple.CoreFoundation 0x00007fff205520dc __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17 16 com.apple.CoreFoundation 0x00007fff20552044 __CFRunLoopDoSource0 + 180 17 com.apple.CoreFoundation 0x00007fff20551dba __CFRunLoopDoSources0 + 242 18 com.apple.CoreFoundation 0x00007fff205507c8 __CFRunLoopRun + 897 19 com.apple.CoreFoundation 0x00007fff2054fd80 CFRunLoopRunSpecific + 567 20 com.apple.Foundation 0x00007fff2120b607 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 212 21 com.apple.Foundation 0x00007fff212994d1 -[NSRunLoop(NSRunLoop) run] + 76 22 libxpc.dylib 0x00007fff201a938d _xpc_objc_main + 825
Attachments
Crash log (86.12 KB, text/plain)
2022-05-17 15:57 PDT, Simon Fraser (smfr)
no flags
Patch (2.03 KB, patch)
2022-05-18 07:06 PDT, Kimmo Kinnunen
no flags
For landing. (2.03 KB, patch)
2022-05-24 04:27 PDT, Kimmo Kinnunen
dino: commit-queue+
[fast-cq] Patch for landing (2.03 KB, patch)
2022-05-30 14:05 PDT, Dean Jackson
no flags
Radar WebKit Bug Importer
Comment 1 2022-05-17 15:57:26 PDT
Kimmo Kinnunen
Comment 4 2022-05-18 07:06:09 PDT
Kimmo Kinnunen
Comment 5 2022-05-18 07:10:05 PDT
I could not repro the issue, but I didn't have the exact same configuration. The strange thing is that dereferencing a disengaged std::optional should assert if the patch is fixing what it thinks it is fixing. However, I could not make std::optional assert in our builds. However, I seem to remember seeing such an assertion, so I don't know which is wrong -- my try or my recollection.
Kimmo Kinnunen
Comment 6 2022-05-18 08:08:42 PDT
I was in fact thinking of std::optional::value() which throws bad_optional_access. It appears we don't compile with libc++ debug assertions even on debug. From this perspective the patch is still consistent (potentially fixing the issue)
Kimmo Kinnunen
Comment 7 2022-05-24 04:27:06 PDT
Created attachment 459713 [details] For landing.
Dean Jackson
Comment 9 2022-05-27 14:39:52 PDT
Ignore that commit. It was landed incorrectly.
Dean Jackson
Comment 10 2022-05-30 13:59:47 PDT
Why isn't the commit-queue picking this up?
Dean Jackson
Comment 11 2022-05-30 14:05:15 PDT
Created attachment 459873 [details] [fast-cq] Patch for landing Trying to poke the cq.
Dean Jackson
Comment 12 2022-05-30 14:34:07 PDT
I guess all cq patches have to go via github now.
Kimmo Kinnunen
Comment 13 2022-05-31 00:21:33 PDT
Somehow commit queue already applied this but never heralded.
Note You need to log in before you can comment on or make changes to this bug.