[Webkit-unassigned] [Bug 211074] New: [GTK] Crash in Nicosia::CairoOperationRecorder::drawGlyphs

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Apr 27 06:41:24 PDT 2020


https://bugs.webkit.org/show_bug.cgi?id=211074

            Bug ID: 211074
           Summary: [GTK] Crash in
                    Nicosia::CairoOperationRecorder::drawGlyphs
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKitGTK
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mcatanzaro at gnome.org
                CC: bugs-noreply at webkitgtk.org

My Epiphany is in a weird state (reminds me of bug #201507, but different) where the web process crashes when loading target.com. As with bug #201507, the crash is 100% reproducible in my current UI process but not reproducible at all in new processes. Unlike bug #201507, this crash is not triggered by AC mode. It only occurs on target.com, not for poster circle.

Note, in particular, frame #12 here, where we have an illegal call to Nicosia::CairoOperationRecorder::drawGlyphs with this=0x0:

#12 0x00007f77fdf37958 in Nicosia::CairoOperationRecorder::drawGlyphs(WebCore::Font const&, WebCore::GlyphBuffer const&, unsigned int, unsigned int, WebCore::FloatPoint const&, WebCore::FontSmoothingMode) (this=0x0, font=..., glyphBuffer=..., from=<optimized out>, numGlyphs=<optimized out>, point=..., fontSmoothing=WebCore::FontSmoothingMode::AutoSmoothing) at ../Source/WebCore/platform/graphics/nicosia/cairo/NicosiaCairoOperationRecorder.cpp:529



Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f77fdf37958 in std::__exchange<_cairo_scaled_font*, decltype(nullptr)&>(_cairo_scaled_font*&, decltype(nullptr)&) (__new_val=<optimized out>, 
    __obj=@0x7fffcb2dd938: 0x0) at /usr/include/c++/9.2.0/bits/move.h:149
149         __exchange(_Tp& __obj, _Up&& __new_val)
#0  0x00007f77fdf37958 in std::__exchange<_cairo_scaled_font*, decltype(nullptr)&>(_cairo_scaled_font*&, decltype(nullptr)&)
    (__new_val=<optimized out>, __obj=@0x7fffcb2dd938: 0x0)
    at /usr/include/c++/9.2.0/bits/move.h:149
#1  0x00007f77fdf37958 in std::exchange<_cairo_scaled_font*, decltype(nullptr)&>(_cairo_scaled_font*&, decltype(nullptr)&)
    (__new_val=<optimized out>, __obj=@0x7fffcb2dd938: 0x0)
    at /usr/include/c++/9.2.0/utility:287
#2  0x00007f77fdf37958 in WTF::DumbPtrTraits<_cairo_scaled_font>::exchange<decltype(nullptr)>(_cairo_scaled_font*&, decltype(nullptr)&&)
    (newValue=<optimized out>, ptr=@0x7fffcb2dd938: 0x0)
    at DerivedSources/ForwardingHeaders/wtf/DumbPtrTraits.h:40
#3  0x00007f77fdf37958 in WTF::RefPtr<_cairo_scaled_font, WTF::DumbPtrTraits<_cairo_scaled_font> >::~RefPtr() (this=0x7fffcb2dd938, __in_chrg=<optimized out>)
    at DerivedSources/ForwardingHeaders/wtf/RefPtr.h:70
#4  0x00007f77fdf37958 in std::_Head_base<4ul, WTF::RefPtr<_cairo_scaled_font, WTF::DumbPtrTraits<_cairo_scaled_font> >, false>::~_Head_base()
    (this=0x7fffcb2dd938, __in_chrg=<optimized out>)
    at /usr/include/c++/9.2.0/tuple:120
#5  0x00007f77fdf37958 in std::_Tuple_impl<4ul, WTF::RefPtr<_cairo_scaled_font, WTF::DumbPtrTraits<_cairo_scaled_font> >, float, WTF::Vector<cairo_glyph_t, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, float, unsigned int, float, WebCore::FloatSize, WebCore::Color, WebCore::FontSmoothingMode>::~_Tuple_impl()
    (this=0x7fffcb2dd8f8, __in_chrg=<optimized out>) at /usr/include/c++/9.2.0/tuple:185
#6  0x00007f77fdf37958 in std::_Tuple_impl<3ul, WebCore::FloatPoint, WTF::RefPtr<_cairo_scaled_font, WTF::DumbPtrTraits<_cairo_scaled_font> >, float, WTF::Vector<cairo_glyph_t, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, float, unsigned int, float, WebCore::FloatSize, WebCore::Color, WebCore::FontSmoothingMode>::~_Tuple_impl() (this=0x7fffcb2dd8f8, __in_chrg=<optimized out>) at /usr/include/c++/9.2.0/tuple:185
#7  0x00007f77fdf37958 in std::_Tuple_impl<2ul, WebCore::Cairo::ShadowState, WebCore::FloatPoint, WTF::RefPtr<_cairo_scaled_font, WTF::DumbPtrTraits<_cairo_scaled_font> >, float, WTF::Vector<cairo_glyph_t, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, float, unsigned int, float, WebCore::FloatSize, WebCore::Color, WebCore::FontSmoothingMode>::~_Tuple_impl() (this=0x7fffcb2dd8f8, __in_chrg=<optimized out>) at /usr/include/c++/9.2.0/tuple:185
#8  0x00007f77fdf37958 in std::_Tuple_impl<1ul, WebCore::Cairo::StrokeSource, WebCore::Cairo::ShadowState, WebCore::FloatPoint, WTF::RefPtr<_cairo_scaled_font, WTF::DumbPtrTraits<_cairo_scaled_font> >, float, WTF::Vector<cairo_glyph_t, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, float, unsigned int, float, WebCore::FloatSize, WebCore::Color, WebCore::FontSmoothingMode>::~_Tuple_impl() (this=0x7fffcb2dd8f8, __in_chrg=<optimized out>) at /usr/include/c++/9.2.0/tuple:185
#9  0x00007f77fdf37958 in std::_Tuple_impl<0ul, WebCore::Cairo::FillSource, WebCore::Cairo::StrokeSource, WebCore::Cairo::ShadowState, WebCore::FloatPoint, WTF::RefPtr<_cairo_scaled_font, WTF::DumbPtrTraits<_cairo_scaled_font> >, float, WTF::Vector<cairo_glyph_t, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, float, unsigned int, float, WebCore::FloatSize, WebCore::Color, WebCore::FontSmoothingMode>::~_Tuple_impl() (this=0x7fffcb2dd8f8, __in_chrg=<optimized out>) at /usr/include/c++/9.2.0/tuple:185
#10 0x00007f77fdf37958 in std::tuple<WebCore::Cairo::FillSource, WebCore::Cairo::StrokeSource, WebCore::Cairo::ShadowState, WebCore::FloatPoint, WTF::RefPtr<_cairo_scaled_font, WTF::DumbPtrTraits<_cairo_scaled_font> >, float, WTF::Vector<cairo_glyph_t, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, float, unsigned int, float, WebCore::FloatSize, WebCore::Color, WebCore::FontSmoothingMode>::~tuple() (this=0x7fffcb2dd8f8, __in_chrg=<optimized out>) at /usr/include/c++/9.2.0/tuple:523
#11 0x00007f77fdf37958 in Nicosia::createCommand<Nicosia::CairoOperationRecorder::drawGlyphs(const WebCore::Font&, const WebCore::GlyphBuffer&, unsigned int, unsigned int, const WebCore::FloatPoint&, WebCore::FontSmoothingMode)::DrawGlyphs, WebCore::Cairo::FillSource, WebCore::Cairo::StrokeSource, WebCore::Cairo::ShadowState, const WebCore::FloatPoint&, WTF::RefPtr<_cairo_scaled_font, WTF::DumbPtrTraits<_cairo_scaled_font> >, float, WTF::Vector<cairo_glyph_t, 0, WTF::CrashOnOverflow, 16, WTF::FastMalloc>, float&, unsigned int const&, float const&, const WebCore::FloatSize&, const WebCore::Color&, WebCore::FontSmoothingMode&> () at ../Source/WebCore/platform/graphics/nicosia/cairo/NicosiaCairoOperationRecorder.cpp:64
#12 0x00007f77fdf37958 in Nicosia::CairoOperationRecorder::drawGlyphs(WebCore::Font const&, WebCore::GlyphBuffer const&, unsigned int, unsigned int, WebCore::FloatPoint const&, WebCore::FontSmoothingMode) (this=0x0, font=..., glyphBuffer=..., from=<optimized out>, numGlyphs=<optimized out>, point=..., fontSmoothing=WebCore::FontSmoothingMode::AutoSmoothing) at ../Source/WebCore/platform/graphics/nicosia/cairo/NicosiaCairoOperationRecorder.cpp:529
#13 0x0000000101000101 in  ()
#14 0x0001000000000000 in  ()
#15 0x000000003f800000 in  ()
#16 0x00007f77fd483beb in std::__exchange<WebCore::WebGLBuffer*, decltype(nullptr)&>(WebCore::WebGLBuffer*&, decltype(nullptr)&) (__new_val=<optimized out>, __obj=@0x7fffcb2dda70: 0x7f77ed3fbb00) at /usr/include/c++/9.2.0/bits/move.h:149
#17 0x00007f77fd483beb in std::exchange<WebCore::WebGLBuffer*, decltype(nullptr)&>(WebCore::WebGLBuffer*&, decltype(nullptr)&) (__new_val=<optimized out>, __obj=@0x7fffcb2dda70: 0x7f77ed3fbb00) at /usr/include/c++/9.2.0/utility:287
#18 0x00007f77fd483beb in WTF::DumbPtrTraits<WebCore::WebGLBuffer>::exchange<decltype(nullptr)>(WebCore::WebGLBuffer*&, decltype(nullptr)&&) (newValue=<optimized out>, ptr=@0x7fffcb2dda70: 0x7f77ed3fbb00) at DerivedSources/ForwardingHeaders/wtf/DumbPtrTraits.h:40
#19 0x00007f77fd483beb in WTF::RefPtr<WebCore::WebGLBuffer, WTF::DumbPtrTraits<WebCore::WebGLBuffer> >::leakRef() (this=0x7fffcb2dda70) at DerivedSources/ForwardingHeaders/wtf/RefPtr.h:125
#20 0x00007f77fd483beb in WTF::RefPtr<WebCore::WebGLBuffer, WTF::DumbPtrTraits<WebCore::WebGLBuffer> >::RefPtr(WTF::RefPtr<WebCore::WebGLBuffer, WTF::DumbPtrTraits<WebCore::WebGLBuffer> >&&) (o=..., this=<synthetic pointer>) at DerivedSources/ForwardingHeaders/wtf/RefPtr.h:62
#21 0x00007f77fd483beb in WTF::RefPtr<WebCore::WebGLBuffer, WTF::DumbPtrTraits<WebCore::WebGLBuffer> >::operator=(WTF::RefPtr<WebCore::WebGLBuffer, WTF::DumbPtrTraits<WebCore::WebGLBuffer> >&&) (o=..., this=0x7fffcb2ddd00) at DerivedSources/ForwardingHeaders/wtf/RefPtr.h:163
#22 0x00007f77fd483beb in WebCore::WebGLRenderingContextBase::initVertexAttrib0() (this=0x7fffcb2ddb10) at ../Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp:6150
#23 0xdaa039c7f156d100 in  ()
#24 0x00007f77ece00000 in  ()
#25 0x00007f77ec3049d0 in  ()
#26 0x00007f77ec3049d0 in  ()
#27 0x00007fffcb2ddc50 in  ()
#28 0x00007fffcb2ddbb0 in  ()
#29 0x00007f77ed1edc68 in  ()
#30 0x00007fffcb2ddb10 in  ()
#31 0x00007f77fd35ef23 in WebCore::HTMLBodyElement::parseAttribute(WebCore::QualifiedName const&, WTF::AtomString const&) (this=0x7d4aa000, name=..., value=...) at DerivedSources/ForwardingHeaders/wtf/text/AtomString.h:91
#32 0x0001000000000000 in  ()
#33 0x000000003f800000 in  ()
#34 0x0000000000000000 in  ()
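As an added example (not part of this bug report or of WebKit's code), a small Python triage helper that parses gdb backtraces in the format shown above and flags what stands out in this trace: a frame whose `this` is 0x0, unsymbolized frames such as #13 (which usually mean the unwinder has walked into stack data, so frames above them are unreliable), and frames that share the PC of the frame below them (how gdb renders inlined callees). The sample input is a handful of frames copied from the trace above; the helper's names are assumptions.

```python
import re

# Constructed sample: frames copied from this report's gdb backtrace (frame #0 in gdb's wrapped form).
SAMPLE_BT = """\
#0  0x00007f77fdf37958 in std::__exchange<_cairo_scaled_font*, decltype(nullptr)&>(_cairo_scaled_font*&, decltype(nullptr)&)
    (__new_val=<optimized out>, __obj=@0x7fffcb2dd938: 0x0)
    at /usr/include/c++/9.2.0/bits/move.h:149
#12 0x00007f77fdf37958 in Nicosia::CairoOperationRecorder::drawGlyphs(WebCore::Font const&, WebCore::GlyphBuffer const&, unsigned int, unsigned int, WebCore::FloatPoint const&, WebCore::FontSmoothingMode) (this=0x0, font=..., glyphBuffer=..., from=<optimized out>, numGlyphs=<optimized out>, point=..., fontSmoothing=WebCore::FontSmoothingMode::AutoSmoothing) at ../Source/WebCore/platform/graphics/nicosia/cairo/NicosiaCairoOperationRecorder.cpp:529
#13 0x0000000101000101 in  ()
#22 0x00007f77fd483beb in WebCore::WebGLRenderingContextBase::initVertexAttrib0() (this=0x7fffcb2ddb10) at ../Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp:6150
"""

FRAME_RE = re.compile(r"^#(\d+)\s+(0x[0-9a-fA-F]+) in (.*)$")   # '#N 0xPC in <rest>'
THIS_RE = re.compile(r"\bthis=(0x[0-9a-fA-F]+)")                # the 'this' argument gdb prints

def parse_backtrace(text):
    """Join gdb's wrapped frame lines, then parse each '#N 0x... in ...' record into a dict."""
    records = []
    for line in text.splitlines():
        if line.startswith("#"):
            records.append(line)
        elif records and line.startswith(" "):
            records[-1] += " " + line.strip()   # indented continuation of the previous frame
    frames = []
    for m in filter(None, map(FRAME_RE.match, records)):
        rest = m.group(3).strip()
        # gdb prints 'in  ()' when it has no symbol; otherwise the signature ends before ' (args)'
        function = "" if rest == "()" else rest.split(" (", 1)[0]
        this_m = THIS_RE.search(rest)
        frames.append({"index": int(m.group(1)), "pc": int(m.group(2), 16), "function": function,
                       "this": int(this_m.group(1), 16) if this_m else None})
    return frames

def triage(frames):
    """Return frame numbers worth a second look: a null 'this' (a method called on a null
    object), frames gdb could not symbolize (unwinder has likely left the real stack),
    and frames whose PC equals the frame below (gdb shows inlined callees this way)."""
    out = {"null_this": [], "unsymbolized": [], "same_pc_as_callee": []}
    prev_pc = None
    for f in frames:
        if f["this"] == 0:
            out["null_this"].append(f["index"])
        if not f["function"]:
            out["unsymbolized"].append(f["index"])
        if prev_pc is not None and f["pc"] == prev_pc:
            out["same_pc_as_callee"].append(f["index"])
        prev_pc = f["pc"]
    return out

if __name__ == "__main__":
    print(triage(parse_backtrace(SAMPLE_BT)))
```

On the sample above this reports frame #12 for the null `this`, frame #13 as unsymbolized, and #12 as sharing frame #0's PC; run it over the full trace to see the same pattern for frames #0 to #12 and the bogus frames after #22.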
