[Webkit-unassigned] [Bug 217323] New: [GTK][X11] WebProcess crash in WebCore::GLContextGLX::createPbufferContext() with NVidia proprietary drivers
bugzilla-daemon at webkit.org
Mon Oct 5 11:06:17 PDT 2020
https://bugs.webkit.org/show_bug.cgi?id=217323
Bug ID: 217323
Summary: [GTK][X11] WebProcess crash in WebCore::GLContextGLX::createPbufferContext() with NVidia proprietary drivers
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: WebKitGTK
Assignee: webkit-unassigned at lists.webkit.org
Reporter: eocanha at igalia.com
CC: bugs-noreply at webkitgtk.org
I'm getting this crash on trunk at 267957 when using NVidia binary drivers:
#0 WebCore::GLContextGLX::createPbufferContext(WebCore::PlatformDisplay&, __GLXcontextRec*) (platformDisplay=..., sharingContext=0x0) at ../../Source/WebCore/platform/graphics/glx/GLContextGLX.cpp:232
#1 0x00007f85bdd7541d in WebCore::GLContextGLX::createSharingContext(WebCore::PlatformDisplay&) (platformDisplay=...) at ../../Source/WebCore/platform/graphics/glx/GLContextGLX.cpp:295
#2 0x00007f85bdd1e5cf in WebCore::GLContext::createSharingContext(WebCore::PlatformDisplay&) (display=...) at ../../Source/WebCore/platform/graphics/GLContext.cpp:115
#3 0x00007f85bdd1fc73 in WebCore::PlatformDisplay::sharingGLContext() (this=0x7f85a1dd0000) at ../../Source/WebCore/platform/graphics/PlatformDisplay.cpp:179
#4 0x00007f85bdd752df in WebCore::GLContextGLX::createContext(unsigned long, WebCore::PlatformDisplay&) (window=192937988, platformDisplay=...) at ../../Source/WebCore/platform/graphics/glx/GLContextGLX.cpp:283
#5 0x00007f85bdd1e415 in WebCore::GLContext::createContextForWindow(unsigned long, WebCore::PlatformDisplay*) (windowHandle=192937988, platformDisplay=0x7f85a1dd0000) at ../../Source/WebCore/platform/graphics/GLContext.cpp:89
#6 0x00007f85bab4e220 in WebKit::ThreadedCompositor::createGLContext() (this=0x7f853a4f1780) at ../../Source/WebKit/Shared/CoordinatedGraphics/threadedcompositor/ThreadedCompositor.cpp:87
#7 0x00007f85bab4dec9 in operator()() const (__closure=0x7f853a4e04b8) at ../../Source/WebKit/Shared/CoordinatedGraphics/threadedcompositor/ThreadedCompositor.cpp:73
#8 0x00007f85bab53e36 in WTF::Detail::CallableWrapper<WebKit::ThreadedCompositor::ThreadedCompositor(WebKit::ThreadedCompositor::Client&, WebKit::ThreadedDisplayRefreshMonitor::Client&, WebCore::PlatformDisplayID, const WebCore::IntSize&, float, WebCore::TextureMapper::PaintFlags)::<lambda()>, void>::call(void) (this=0x7f853a4e04b0) at DerivedSources/ForwardingHeaders/wtf/Function.h:52
#9 0x00007f85ba034adb in WTF::Function<void ()>::operator()() const (this=0x7f853a4e04d8) at DerivedSources/ForwardingHeaders/wtf/Function.h:83
#10 0x00007f85bab4d7c3 in operator()() const (__closure=0x7f853a4e04d0) at ../../Source/WebKit/Shared/CoordinatedGraphics/threadedcompositor/CompositingRunLoop.cpp:90
#11 0x00007f85bab53e56 in WTF::Detail::CallableWrapper<WebKit::CompositingRunLoop::performTaskSync(WTF::Function<void()>&&)::<lambda()>, void>::call(void) (this=0x7f853a4e04c8) at DerivedSources/ForwardingHeaders/wtf/Function.h:52
#12 0x00007f85ba034adb in WTF::Function<void ()>::operator()() const (this=0x7f853a3fe940) at DerivedSources/ForwardingHeaders/wtf/Function.h:83
#13 0x00007f85abb12e7f in WTF::RunLoop::performWork() (this=0x7f853a4d8000) at ../../Source/WTF/wtf/RunLoop.cpp:123
#14 0x00007f85abb9c7ea in operator()(gpointer) const (__closure=0x0, userData=0x7f853a4d8000) at ../../Source/WTF/wtf/glib/RunLoopGLib.cpp:80
#15 0x00007f85abb9c80e in _FUN(gpointer) () at ../../Source/WTF/wtf/glib/RunLoopGLib.cpp:82
#16 0x00007f85abb9c77d in operator()(GSource*, GSourceFunc, gpointer) const (__closure=0x0, source=0x7f8540005c10, callback=0x7f85abb9c7f1 <_FUN(gpointer)>, userData=0x7f853a4d8000) at ../../Source/WTF/wtf/glib/RunLoopGLib.cpp:53
#17 0x00007f85abb9c7cb in _FUN(GSource*, GSourceFunc, gpointer) () at ../../Source/WTF/wtf/glib/RunLoopGLib.cpp:56
#18 0x00007f85a4c1304f in g_main_dispatch (context=0x7f854000b2a0) at ../glib/gmain.c:3325
#19 g_main_context_dispatch (context=0x7f854000b2a0) at ../glib/gmain.c:4016
#20 0x00007f85a4c133f8 in g_main_context_iterate (context=0x7f854000b2a0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:4092
#21 0x00007f85a4c13713 in g_main_loop_run (loop=0x7f8540008800) at ../glib/gmain.c:4290
#22 0x00007f85abb9cd94 in WTF::RunLoop::run() () at ../../Source/WTF/wtf/glib/RunLoopGLib.cpp:108
#23 0x00007f85bab4d3dd in operator()() const (__closure=0x7f853a4e04a0) at ../../Source/WebKit/Shared/CoordinatedGraphics/threadedcompositor/CompositingRunLoop.cpp:49
#24 0x00007f85bab53eb6 in WTF::Detail::CallableWrapper<WebKit::createRunLoop()::<lambda()>, void>::call(void) (this=0x7f853a4e0498) at DerivedSources/ForwardingHeaders/wtf/Function.h:52
#25 0x00007f85ba034adb in WTF::Function<void ()>::operator()() const (this=0x7f853a3fec30) at DerivedSources/ForwardingHeaders/wtf/Function.h:83
#26 0x00007f85abb18aa3 in WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) (newThreadContext=0x7f853a4e4410) at ../../Source/WTF/wtf/Threading.cpp:179
#27 0x00007f85abba7f7b in WTF::wtfThreadEntryPoint(void*) (context=0x7f853a4e4410) at ../../Source/WTF/wtf/posix/ThreadingPOSIX.cpp:213
#28 0x00007f85a5d074d2 in start_thread (arg=<optimized out>) at pthread_create.c:477
#29 0x00007f85a387d4d3 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
The crash wasn't present on trunk at 266718.
After debugging it with rr, I realized that the call to glXChooseFBConfig() returns early in my specific case, leaving returnedElements untouched and uninitialized[1], usually with a value different from zero. This causes the wrong branch to be taken and triggers the crash, as the configs variable is holding a null pointer.
This problem might be related or be a subset of the issue reported in https://bugs.webkit.org/show_bug.cgi?id=199666#c2
[1] https://github.com/WebKit/webkit/blob/9fb817f9a912a7860499f63fd9661f399511c3fe/Source/WebCore/platform/graphics/glx/GLContextGLX.cpp#L224
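An added example, not WebKit's code nor the NVidia driver's, that reproduces the failure pattern the report describes: an out-parameter element count is left untouched when the query returns early, so a caller that branches on the count before checking the returned pointer ends up on the "have configs" path with a null pointer. The choose_fb_config stub is a constructed stand-in for glXChooseFBConfig() that returns NULL without writing *nelements; the stack_garbage parameter is a hypothetical knob that simulates the leftover stack value an uninitialized count would carry, so the example stays deterministic and runnable.

```c
#include <stdlib.h>

/* Constructed stand-in for glXChooseFBConfig(): when nothing matches it
 * returns NULL *without* touching *nelements, mirroring the early return
 * described in the report. On a match it fills the count and returns an array. */
static int *choose_fb_config(int want_match, int *nelements)
{
    if (!want_match)
        return NULL;              /* early return: *nelements left untouched */
    int *configs = malloc(3 * sizeof *configs);
    if (!configs)
        return NULL;
    configs[0] = 10; configs[1] = 20; configs[2] = 30;
    *nelements = 3;
    return configs;
}

/* Buggy pattern: the count is not initialized and is consulted before the
 * pointer. Whatever the stack happens to hold decides the branch, so the
 * "have configs" path can run with configs == NULL. Returns the chosen
 * config id, -1 for "no configs", or -2 where real code would have
 * dereferenced NULL (stack_garbage stands in for the uninitialized value). */
static int pick_config_buggy(int want_match, int stack_garbage)
{
    int returned_elements = stack_garbage;    /* simulated uninitialized count */
    int *configs = choose_fb_config(want_match, &returned_elements);
    if (returned_elements > 0) {              /* wrong: trusts the count alone */
        int id = configs ? configs[0] : -2;   /* -2 marks the would-be crash */
        free(configs);
        return id;
    }
    return -1;
}

/* Hardened pattern: initialize the out-parameter and gate on the pointer too. */
static int pick_config_fixed(int want_match, int stack_garbage)
{
    (void)stack_garbage;                      /* stack contents no longer matter */
    int returned_elements = 0;                /* deterministic before the call */
    int *configs = choose_fb_config(want_match, &returned_elements);
    if (!configs || returned_elements <= 0) {
        free(configs);                        /* free(NULL) is a no-op */
        return -1;
    }
    int id = configs[0];
    free(configs);
    return id;
}
```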