WebKit Bugzilla
RESOLVED FIXED
Bug 249689 - REGRESSION(255641@main): Web process crash in WebCore::isDescendantOfFullScreenLayer when fullscreening video on reddit.com
https://bugs.webkit.org/show_bug.cgi?id=249689
Michael Catanzaro, Reported 2022-12-20 18:02:20 PST
Created attachment 464130 [details]: gdb.txt

Visit https://www.reddit.com/r/IdiotsInCars/comments/zqehls/they_said_my_headlights_were_off_and_i_ran_the/ or any other reddit video and play the video, then click the fullscreen button. In Ephy Tech Preview with WebKitGTK 2.39.3, the web process will crash and the UI process hangs. I'll report a separate bug for the UI process hang.

The crash looks like a cross-platform issue. Note in particular this=0x0 in frame 2, so the RenderLayerCompositor decided to use a nullptr RenderLayerModelObject. I'll attach a full backtrace with all member variables. Wonder if this reproduces in Safari.

#0 std::__uniq_ptr_impl<WebCore::RenderLayer, std::default_delete<WebCore::RenderLayer> >::_M_ptr() const (this=0xa8) at /usr/include/c++/12.1.0/bits/unique_ptr.h:191
#1 std::unique_ptr<WebCore::RenderLayer, std::default_delete<WebCore::RenderLayer> >::get() const (this=0xa8) at /usr/include/c++/12.1.0/bits/unique_ptr.h:462
#2 WebCore::RenderLayerModelObject::layer() const (this=0x0) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderLayerModelObject.h:48
#3 WebCore::isDescendantOfFullScreenLayer(WebCore::RenderLayer const&) (layer=...) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderLayerCompositor.cpp:2669
#4 0x00007f1687c58ed5 in WebCore::RenderLayerCompositor::requiresCompositingForPosition(WebCore::RenderLayerModelObject&, WebCore::RenderLayer const&, WebCore::RenderLayerCompositor::RequiresCompositingData&) const (this=0x7f16760202a0, renderer=..., layer=..., queryData=...) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderLayerCompositor.cpp:3352
#5 0x00007f1687c59104 in WebCore::RenderLayerCompositor::requiresCompositingLayer(WebCore::RenderLayer const&, WebCore::RenderLayerCompositor::RequiresCompositingData&) const (this=0x7f16760202a0, layer=<optimized out>, queryData=...) at /usr/include/c++/12.1.0/bits/unique_ptr.h:191
#6 0x00007f1687c59216 in WebCore::RenderLayerCompositor::needsToBeComposited(WebCore::RenderLayer const&, WebCore::RenderLayerCompositor::RequiresCompositingData&) const (this=0x7f16760202a0, layer=..., queryData=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderLayerCompositor.cpp:2612
#7 0x00007f1687c5ebd5 in WebCore::RenderLayerCompositor::updateBacking(WebCore::RenderLayer&, WebCore::RenderLayerCompositor::RequiresCompositingData&, WebCore::RenderLayerCompositor::BackingSharingState*, WebCore::RenderLayerCompositor::BackingRequired) (this=0x7f16760202a0, layer=..., queryData=..., backingSharingState=<optimized out>, backingRequired=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderLayerCompositor.cpp:1827
#8 0x00007f1687c5ef55 in WebCore::RenderLayerCompositor::layerStyleChanged(WebCore::StyleDifference, WebCore::RenderLayer&, WebCore::RenderStyle const*) (this=0x7f16760202a0, diff=WebCore::StyleDifference::NewStyle, layer=..., oldStyle=0x0) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderLayerCompositor.cpp:1697
#9 0x00007f1687c645e1 in WebCore::RenderLayer::styleChanged(WebCore::StyleDifference, WebCore::RenderStyle const*) (this=0x7f148e5a1870, diff=WebCore::StyleDifference::NewStyle, oldStyle=0x0) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderLayer.cpp:5371
#10 0x00007f1687c6486b in WebCore::RenderLayerModelObject::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) (this=this@entry=0x7f14161f8440, diff=diff@entry=WebCore::StyleDifference::NewStyle, oldStyle=oldStyle@entry=0x0) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderLayerModelObject.cpp:168
#11 0x00007f1687bcf09c in WebCore::RenderBox::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) (this=this@entry=0x7f14161f8440, diff=diff@entry=WebCore::StyleDifference::NewStyle, oldStyle=oldStyle@entry=0x0) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderBox.cpp:319
#12 0x00007f1687b9211f in WebCore::RenderBlock::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) (this=this@entry=0x7f14161f8440, diff=diff@entry=WebCore::StyleDifference::NewStyle, oldStyle=oldStyle@entry=0x0) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderBlock.cpp:459
#13 0x00007f1687b92612 in WebCore::RenderBlockFlow::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) (this=0x7f14161f8440, diff=WebCore::StyleDifference::NewStyle, oldStyle=0x0) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderBlockFlow.cpp:2147
#14 0x00007f1687def62b in WebCore::RenderTreeUpdater::createRenderer(WebCore::Element&, WebCore::RenderStyle&&) (this=this@entry=0x7ffea77cc4f0, element=..., style=...) at /usr/include/c++/12.1.0/bits/unique_ptr.h:191
#15 0x00007f1687def809 in WebCore::RenderTreeUpdater::updateElementRenderer(WebCore::Element&, WebCore::Style::ElementUpdate const&) (this=this@entry=0x7ffea77cc4f0, element=..., elementUpdate=...) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:352
#16 0x00007f1687df174c in WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) (this=0x7ffea77cc4f0, root=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:187
#17 0x00007f1687df1e43 in WebCore::RenderTreeUpdater::commit(std::unique_ptr<WebCore::Style::Update const, std::default_delete<WebCore::Style::Update const> >) (this=0x7ffea77cc4f0, styleUpdate=std::unique_ptr<const WebCore::Style::Update> = {...}) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:114
#18 0x00007f1687102d4c in WebCore::Document::updateRenderTree(std::unique_ptr<WebCore::Style::Update const, std::default_delete<WebCore::Style::Update const> >) (this=this@entry=0x7f1626140c00, styleUpdate=std::unique_ptr<const WebCore::Style::Update> = {...}) at /usr/include/c++/12.1.0/bits/unique_ptr.h:189
#19 0x00007f168711f13b in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) (this=this@entry=0x7f1626140c00, type=<optimized out>, type@entry=WebCore::Document::ResolveStyleType::Normal) at /usr/include/c++/12.1.0/tuple:199
#20 0x00007f168711f8be in WebCore::Document::updateStyleIfNeeded() (this=0x7f1626140c00) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/dom/Document.cpp:2258
#21 WebCore::Document::updateStyleIfNeeded() (this=0x7f1626140c00) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/dom/Document.cpp:2233
#22 0x00007f1687120aab in WebCore::Document::updateLayoutIfDimensionsOutOfDate(WebCore::Element&, WebCore::DimensionsCheck) (this=0x7f1626140c00, element=..., dimensionsCheck=dimensionsCheck@entry=WebCore::HeightDimensionsCheck) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/dom/Document.cpp:2360
#23 0x00007f1687140b29 in WebCore::Element::clientHeight() (this=0x7f160209c850) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/dom/Element.cpp:1419
#24 0x00007f1686408c51 in WebCore::jsElement_clientHeightGetter (thisObject=<optimized out>, lexicalGlobalObject=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/_builddir/WebCore/DerivedSources/JSElement.cpp:3050
#25 WebCore::IDLAttribute<WebCore::JSElement>::get<WebCore::jsElement_clientHeightGetter, (WebCore::CastedThisErrorBehavior)3> (attributeName=..., thisValue=<optimized out>, lexicalGlobalObject=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/bindings/js/JSDOMAttribute.h:88
#26 WebCore::jsElement_clientHeight(JSC::JSGlobalObject*, JSC::EncodedJSValue, JSC::PropertyName) (lexicalGlobalObject=<optimized out>, thisValue=<optimized out>, attributeName=...) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/_builddir/WebCore/DerivedSources/JSElement.cpp:3055
#27 0x00007f16844f2708 in WTF::FunctionPtr<(WTF::PtrTag)57072, long (JSC::JSGlobalObject*, long, JSC::PropertyName), (WTF::FunctionAttributes)1>::operator()(JSC::JSGlobalObject*, long, JSC::PropertyName) const (this=0x7ffea77cca50, in#2=..., in#1=<optimized out>, in#0=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/_builddir/WTF/Headers/wtf/FunctionPtr.h:101
#28 JSC::PropertySlot::customGetter(JSC::VM&, JSC::PropertyName) const (this=this@entry=0x7ffea77ccc20, vm=<optimized out>, propertyName=..., propertyName@entry=...) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/JavaScriptCore/runtime/PropertySlot.cpp:47
#29 0x00007f16841602bf in JSC::PropertySlot::getValue(JSC::JSGlobalObject*, JSC::PropertyName) const (propertyName=..., globalObject=<optimized out>, this=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/JavaScriptCore/runtime/PropertySlot.h:405
#30 JSC::JSValue::get(JSC::JSGlobalObject*, JSC::PropertyName, JSC::PropertySlot&) const (slot=..., propertyName=..., globalObject=<optimized out>, this=0x7ffea77ccbd8) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/JavaScriptCore/runtime/JSCJSValueInlines.h:1045
#31 JSC::LLInt::performLLIntGetByID(JSC::BytecodeIndex, JSC::CodeBlock*, JSC::JSGlobalObject*, JSC::JSValue, JSC::Identifier const&, JSC::GetByIdModeMetadata&) (bytecodeIndex=..., codeBlock=0x7f14c5945b70, globalObject=<optimized out>, baseValue=..., ident=..., metadata=...) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:814
#32 0x00007f1684160ded in JSC::LLInt::llint_slow_path_get_by_id(JSC::CallFrame*, JSC::JSInstruction const*) (callFrame=0x7ffea77cce20, pc=0x7f1676a3b25e) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:888
#33 0x00007f16835a8734 in llint_op_get_by_id () at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm:118
#34 0x00007f14b56da9e8 in ()
Attachments
gdb.txt (213.82 KB, text/plain), 2022-12-20 18:02 PST, Michael Catanzaro, no flags
Comment 1, Michael Catanzaro, 2022-12-20 18:05:32 PST
The associated UI process hang is bug #249690 (which I'll assume, without evidence, to be GTK-specific).
Comment 2, Sam Sneddon [:gsnedders], 2022-12-21 07:27:16 PST
> Wonder if this reproduces in Safari.
I can't reproduce it anywhere in Safari (either STP or stable, macOS Ventura), FWIW.
Comment 3, Michael Catanzaro, 2023-01-04 13:01:46 PST
There is a bug in RenderLayerCompositor::isDescendantOfFullScreenLayer, here:

    auto* fullScreenRenderer = dynamicDowncast<RenderLayerModelObject>(fullScreenElement->renderer());
    auto* fullScreenLayer = fullScreenRenderer->layer();
    if (!fullScreenRenderer || !fullScreenLayer)
        return FullScreenDescendant::NotApplicable;

The code first assumes that fullScreenRenderer is not nullptr (as if the dynamicDowncast cannot fail) and uses it unconditionally. Then it checks to see if it's nullptr on the very next line. No good. The downcast is surely failing here. There might be a platform-specific reason for that, but this is a cross-platform bug.
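The dereference-before-check pattern from comment 3, as an added example that is not WebKit's code. The types below are minimal stand-ins (assumptions for illustration) for RenderObject, RenderLayerModelObject, RenderLayer and WTF's dynamicDowncast, and the full-screen element's renderer is passed in as a parameter instead of being looked up on the document. It places the quoted ordering next to a version that tests the downcast result before using it, and exercises the two inputs on which only the second survives: a null renderer and a renderer that is not a RenderLayerModelObject.

```cpp
#include <cassert>
#include <memory>

// Stand-in for WebCore::RenderLayer (assumption): only the parent link matters here.
struct RenderLayer {
    RenderLayer* parent = nullptr;
};

// Stand-in for WebCore::RenderObject (assumption), with a type-check hook for the downcast.
struct RenderObject {
    virtual ~RenderObject() = default;
    virtual bool isRenderLayerModelObject() const { return false; }
};

// Stand-in for WebCore::RenderLayerModelObject (assumption). layer() reads m_layer through
// `this`; frame #2 of the trace shows that call with this=0x0, and frame #0's this=0xa8 is
// the member's address computed from a null object.
struct RenderLayerModelObject : RenderObject {
    bool isRenderLayerModelObject() const override { return true; }
    RenderLayer* layer() const { return m_layer.get(); }
    std::unique_ptr<RenderLayer> m_layer;
};

// Toy dynamicDowncast (assumption): nullptr in, or wrong dynamic type, gives nullptr out.
template <typename To, typename From>
To* dynamicDowncast(From* from)
{
    if (!from || !from->isRenderLayerModelObject())
        return nullptr;
    return static_cast<To*>(from);
}

enum class FullScreenDescendant { Yes, No, NotApplicable };

// Walk the parent chain, starting at `layer` itself.
static bool hasAncestorOrSelf(const RenderLayer& layer, const RenderLayer* target)
{
    for (const RenderLayer* ancestor = &layer; ancestor; ancestor = ancestor->parent) {
        if (ancestor == target)
            return true;
    }
    return false;
}

// The ordering quoted in comment 3: the downcast result is dereferenced one line before it
// is null-checked. When the downcast fails this is undefined behaviour, and an optimizing
// compiler may additionally drop the later `!fullScreenRenderer` test because the dereference
// already let it assume the pointer is non-null. Kept only for comparison; the scenarios
// below never call it with an input that fails the downcast.
FullScreenDescendant isDescendantOfFullScreenLayerBuggy(const RenderLayer& layer, RenderObject* fullScreenElementRenderer)
{
    auto* fullScreenRenderer = dynamicDowncast<RenderLayerModelObject>(fullScreenElementRenderer);
    auto* fullScreenLayer = fullScreenRenderer->layer(); // UB when fullScreenRenderer == nullptr
    if (!fullScreenRenderer || !fullScreenLayer)
        return FullScreenDescendant::NotApplicable;
    return hasAncestorOrSelf(layer, fullScreenLayer) ? FullScreenDescendant::Yes : FullScreenDescendant::No;
}

// Checked ordering: each pointer is tested before anything is read through it.
FullScreenDescendant isDescendantOfFullScreenLayerFixed(const RenderLayer& layer, RenderObject* fullScreenElementRenderer)
{
    auto* fullScreenRenderer = dynamicDowncast<RenderLayerModelObject>(fullScreenElementRenderer);
    if (!fullScreenRenderer)
        return FullScreenDescendant::NotApplicable;
    auto* fullScreenLayer = fullScreenRenderer->layer();
    if (!fullScreenLayer)
        return FullScreenDescendant::NotApplicable;
    return hasAncestorOrSelf(layer, fullScreenLayer) ? FullScreenDescendant::Yes : FullScreenDescendant::No;
}

// Constructed scenarios. The first two are the inputs the buggy ordering cannot survive.
FullScreenDescendant scenarioNullRenderer()
{
    RenderLayer someLayer;
    return isDescendantOfFullScreenLayerFixed(someLayer, nullptr);
}

FullScreenDescendant scenarioWrongRendererType()
{
    RenderLayer someLayer;
    RenderObject plainRenderer; // not a RenderLayerModelObject, so the downcast fails
    return isDescendantOfFullScreenLayerFixed(someLayer, &plainRenderer);
}

FullScreenDescendant scenarioRendererWithoutLayer()
{
    RenderLayer someLayer;
    RenderLayerModelObject fullScreenRenderer; // m_layer left null
    return isDescendantOfFullScreenLayerFixed(someLayer, &fullScreenRenderer);
}

FullScreenDescendant scenarioDescendant()
{
    RenderLayerModelObject fullScreenRenderer;
    fullScreenRenderer.m_layer = std::make_unique<RenderLayer>();
    RenderLayer child;
    child.parent = fullScreenRenderer.layer();
    RenderLayer grandchild;
    grandchild.parent = &child;
    return isDescendantOfFullScreenLayerFixed(grandchild, &fullScreenRenderer);
}

FullScreenDescendant scenarioUnrelated()
{
    RenderLayerModelObject fullScreenRenderer;
    fullScreenRenderer.m_layer = std::make_unique<RenderLayer>();
    RenderLayer unrelated; // no parent chain through the full-screen layer
    // With a successful downcast the two orderings agree; the bug only shows when it fails.
    assert(isDescendantOfFullScreenLayerBuggy(unrelated, &fullScreenRenderer) == FullScreenDescendant::No);
    return isDescendantOfFullScreenLayerFixed(unrelated, &fullScreenRenderer);
}
```

The point of moving the test rather than adding one: once a pointer has been dereferenced, a later null check on the same pointer is dead code as far as the compiler is concerned, so the only ordering that protects the call is the one where the check comes first. The crash on this page is a null dereference in the web process (the 0xa8 in frame #0 is the offset of the unique_ptr member added to address zero); nothing on the page suggests attacker-controlled data is involved.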
Comment 4, Michael Catanzaro, 2023-01-04 14:00:06 PST
Actually that's the only problem here. Fullscreen works fine with that fixed.
Comment 5, Brent Fulgham, 2023-01-04 14:07:25 PST
Certainly seems worth fixing!
Comment 6, Michael Catanzaro, 2023-01-04 14:17:43 PST
Pull request: https://github.com/WebKit/WebKit/pull/8213
Comment 7, Radar WebKit Bug Importer, 2023-01-04 14:24:13 PST
<rdar://problem/103888322>
Comment 8, EWS, 2023-01-06 18:54:50 PST
Committed 258593@main (e29dfab61f35): <https://commits.webkit.org/258593@main>
Reviewed commits have been landed. Closing PR #8213 and removing active labels.