[Webkit-unassigned] [Bug 216106] New: [iOS WK1] Crashes when using ANGLE WebGL from another thread
bugzilla-daemon at webkit.org
Wed Sep 2 16:09:48 PDT 2020
https://bugs.webkit.org/show_bug.cgi?id=216106
Bug ID: 216106
Summary: [iOS WK1] Crashes when using ANGLE WebGL from another thread
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: WebGL
Assignee: webkit-unassigned at lists.webkit.org
Reporter: dino at apple.com
CC: dino at apple.com
We are seeing a lot of incoming crash reports on the iOS 14 beta when WebGL is used with UIWebView (WK1). The issue is that ANGLE is not yet able to handle multithreaded use of a single context (even when WebKit is ensuring only one of them is actually using the context).
This is tracked by ANGLE bug: https://bugs.chromium.org/p/angleproject/issues/detail?id=5010
There are three cases:
1. Web thread calls EGL_Initialize first, and then the main thread tries to create another WebGL context. This will crash in `RendererGL::getRendererDescription()`, where the `reinterpret_cast<char*>` fails because it is passed a null pointer.
2. Main thread calls EGL_Initialize first, and then the Web thread tries to create another WebGL context. This appears to crash in gl::FramebufferManager::getFramebuffer.
3. Thread A creates the only WebGL context, and it is used from thread B. (I think this might be a similar stack to 2).
Again, this only applies to WebKit 1.
Stack Trace for case 1.
-----
Thread 0 name: ScePS4LinkRPCtrl Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0 libsystem_platform.dylib 0x00000001cf5c9bc4 _platform_strlen + 4
1 WebCore 0x0000000196afe468 std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >::basic_string<std::nullptr_t>(char const*) + 40 (__string:253)
2 WebCore 0x0000000196c82ac4 rx::RendererGL::getRendererDescription() const + 76 (RendererGL.cpp:263)
3 WebCore 0x0000000196b164d0 gl::Context::initRendererString() + 220 (Context.cpp:2890)
4 WebCore 0x0000000196b1621c gl::Context::makeCurrent(egl::Display*, egl::Surface*, egl::Surface*) + 92 (Context.cpp:650)
5 WebCore 0x0000000196b5d87c egl::Display::makeCurrent(egl::Thread const*, egl::Surface*, egl::Surface*, gl::Context*) + 204 (Display.cpp:1227)
6 WebCore 0x0000000196b680bc EGL_MakeCurrent + 212 (entry_points_egl.cpp:454)
7 WebCore 0x000000019555a224 WebCore::GraphicsContextGLOpenGL::GraphicsContextGLOpenGL(WebCore::GraphicsContextGLAttributes, WebCore::HostWindow*, WebCore::GraphicsContextGL::Destination, WebCore::GraphicsContextGLOpenGL*) + 1748 (GraphicsContextGLOpenGLCocoa.mm:382)
8 WebCore 0x0000000195559888 WebCore::GraphicsContextGLOpenGL::create(WebCore::GraphicsContextGLAttributes, WebCore::HostWindow*, WebCore::GraphicsContextGL::Destination) + 168 (GraphicsContextGLOpenGLCocoa.mm:188)
9 WebCore 0x0000000195f6fa30 WebCore::WebGLRenderingContextBase::create(WebCore::CanvasBase&, WebCore::GraphicsContextGLAttributes&, WTF::String const&) + 1164 (WebGLRenderingContextBase.cpp:705)
10 WebCore 0x0000000195e0a5e0 WebCore::HTMLCanvasElement::getContext(JSC::JSGlobalObject&, WTF::String const&, WTF::Vector<JSC::Strong<JSC::Unknown, (JSC::ShouldStrongDestructorGrabLock)0>, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&&) + 896 (HTMLCanvasElement.cpp:442)
11 WebCore 0x0000000194f1ae74 WebCore::jsHTMLCanvasElementPrototypeFunctionGetContext(JSC::JSGlobalObject*, JSC::CallFrame*) + 500 (JSHTMLCanvasElement.cpp:312)
12 JavaScriptCore 0x00000001916b940c llint_entry + 159388
13 JavaScriptCore 0x00000001916b6880 llint_entry + 148240
14 JavaScriptCore 0x00000001916b6880 llint_entry + 148240
15 JavaScriptCore 0x00000001916b6880 llint_entry + 148240
16 JavaScriptCore 0x00000001916b67cc llint_entry + 148060
17 JavaScriptCore 0x00000001916922c4 vmEntryToJavaScript + 276
18 JavaScriptCore 0x0000000191cbeacc JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 488 (JITCodeInlines.h:42)
19 JavaScriptCore 0x0000000191ee50b8 JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 176 (CallData.cpp:57)
20 WebCore 0x000000019592984c WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) + 1636 (JSExecState.h:73)
21 WebCore 0x0000000195bf7354 WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, WebCore::EventTarget::EventInvokePhase) + 440 (EventTarget.cpp:341)
22 WebCore 0x0000000195bf4690 WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) + 384 (EventTarget.cpp:273)
23 WebCore 0x0000000195befc90 WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) + 128 (EventDispatcher.cpp:85)
24 WebCore 0x0000000195bef684 WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) + 1224 (EventDispatcher.cpp:154)
25 WebCore 0x00000001952390f8 WebCore::EventHandler::dispatchTouchEvent(WebCore::PlatformTouchEvent const&, WTF::AtomString const&, WTF::HashMap<WTF::Ref<WebCore::EventTarget, WTF::DumbPtrTraits<WebCore::EventTarget> >, std::__1::unique_ptr<WTF::Vector<WTF::RefPtr<WebCore::Touch, WTF::DumbPtrTraits<WebCore::Touch> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, std::__1::default_delete<WTF::Vector<WTF::RefPtr<WebCore::Touch, WTF::DumbPtrTraits<WebCore::Touch> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> > >, WTF::DefaultHash<WTF::Ref<WebCore::EventTarget, WTF::DumbPtrTraits<WebCore::EventTarget> > >, WTF::HashTraits<WTF::Ref<WebCore::EventTarget, WTF::DumbPtrTraits<WebCore::EventTarget> > >, WTF::HashTraits<std::__1::unique_ptr<WTF::Vector<WTF::RefPtr<WebCore::Touch, WTF::DumbPtrTraits<WebCore::Touch> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, std::__1::default_delete<WTF::Vector<WTF::RefPtr<WebCore::Touch, WTF::DumbPtrTraits<WebCore::Touch> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> > > > > const&, float, float) + 3216 (EventHandlerIOSTouch.cpp:188)
26 WebCore 0x000000019523b694 WebCore::EventHandler::handleTouchEvent(WebCore::PlatformTouchEvent const&) + 7828 (EventHandlerIOSTouch.cpp:519)
27 WebCore 0x000000019523c724 WebCore::EventHandler::touchEvent(WebEvent*) + 128 (EventHandlerIOS.mm:128)
Stack trace for other cases
----------
41 WebCore: gl::FramebufferManager::getFramebuffer(gl::FramebufferID) const <==
41 WebCore: gl::Context::unsetDefaultFramebuffer()
41 WebCore: gl::Context::unsetDefaultFramebuffer()
41 WebCore: gl::Context::unMakeCurrent(egl::Display const*)
41 WebCore: egl::Display::makeCurrent(egl::Thread const*, egl::Surface*, egl::Surface*, gl::Context*)
41 WebCore: EGL_MakeCurrent
41 WebCore: WebCore::GraphicsContextGLOpenGL::GraphicsContextGLOpenGL(WebCore::GraphicsContextGLAttributes, WebCore::HostWindow*, WebCore::GraphicsContextGL::Destination, WebCore::GraphicsContextGLOpenGL*)
41 WebCore: WebCore::GraphicsContextGLOpenGL::create(WebCore::GraphicsContextGLAttributes, WebCore::HostWindow*, WebCore::GraphicsContextGL::Destination)
41 WebCore: WebCore::WebGLRenderingContextBase::create(WebCore::CanvasBase&, WebCore::GraphicsContextGLAttributes&, WTF::String const&)
41 WebCore: WebCore::HTMLCanvasElement::getContext(JSC::JSGlobalObject&, WTF::String const&, WTF::Vector<JSC::Strong<JSC::Unknown, (JSC::ShouldStrongDestructorGrabLock)0>, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&&)
41 WebCore: WebCore::jsHTMLCanvasElementPrototypeFunctionGetContext(JSC::JSGlobalObject*, JSC::CallFrame*)
41
41 JavaScriptCore: llint_entry
41 JavaScriptCore: llint_entry
41 JavaScriptCore: llint_entry
41 JavaScriptCore: llint_entry
41 JavaScriptCore: llint_entry
41 JavaScriptCore: llint_entry
41 JavaScriptCore: vmEntryToJavaScript
41 JavaScriptCore: JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*)
41 JavaScriptCore: JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
41 WebCore: WebCore::JSExecState::profiledEvaluate(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
41 WebCore: WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&)
41 WebCore: WebCore::ScriptController::evaluateIgnoringException(WebCore::ScriptSourceCode const&)
41 WebCore: WebCore::ScriptElement::executeClassicScript(WebCore::ScriptSourceCode const&)
41 WebCore: WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport)
41 WebCore: WebCore::HTMLScriptElement::didFinishInsertingNode()
41 WebCore: WebCore::ContainerNode::appendChildWithoutPreInsertionValidityCheck(WebCore::Node&)
41 WebCore: WebCore::Node::appendChild(WebCore::Node&)
41 WebCore: WebCore::jsNodePrototypeFunctionAppendChild(JSC::JSGlobalObject*, JSC::CallFrame*)
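The three cases above all come down to a display or context that was set up on one thread being touched from another. The following is an added illustration, not ANGLE or WebKit code: a hypothetical `Display` and `Context` pair that records the initializing thread and refuses cross-thread use with a status code, so that each of the three reported orderings is rejected cleanly instead of dereferencing state the second thread never initialized. All names (`Display`, `Context`, `Status`, the `caseN…` functions) are constructed for this example.

```cpp
#include <memory>
#include <mutex>
#include <thread>
#include <utility>

// Constructed stand-ins, not the ANGLE API. A Display remembers which thread
// initialized it; a Context is bound to the thread that created it.
enum class Status { Ok, NotInitialized, WrongThread };

class Context {
public:
    explicit Context(std::thread::id owner) : m_owner(owner) {}
    // Stand-in for making the context current: only the owning thread may do so.
    Status makeCurrent() const {
        return std::this_thread::get_id() == m_owner ? Status::Ok : Status::WrongThread;
    }
private:
    std::thread::id m_owner;
};

class Display {
public:
    // Stand-in for display initialization: the first caller becomes the owner.
    Status initialize() {
        std::lock_guard<std::mutex> lock(m_mutex);
        if (!m_initialized) {
            m_owner = std::this_thread::get_id();
            m_initialized = true;
        }
        return Status::Ok;
    }
    // Creating a context on a display owned by another thread is refused.
    std::unique_ptr<Context> createContext(Status& status) {
        std::lock_guard<std::mutex> lock(m_mutex);
        if (!m_initialized) { status = Status::NotInitialized; return nullptr; }
        if (m_owner != std::this_thread::get_id()) { status = Status::WrongThread; return nullptr; }
        status = Status::Ok;
        return std::make_unique<Context>(m_owner);
    }
private:
    std::mutex m_mutex;
    bool m_initialized = false;
    std::thread::id m_owner;
};

// Runs f on a fresh thread (the "web thread" of the report) and waits for it.
template <typename F> static void onOtherThread(F f) { std::thread t(f); t.join(); }

// Case 1: the other thread initializes and creates a context first; the calling
// thread then tries to create a second one. Returns that second attempt's status.
Status case1OtherThreadFirst() {
    Display display;
    Status first = Status::Ok;
    std::unique_ptr<Context> firstContext;
    onOtherThread([&] { display.initialize(); firstContext = display.createContext(first); });
    display.initialize();            // no-op: the other thread already owns the display
    Status second = Status::Ok;
    display.createContext(second);   // refused, the display belongs to the other thread
    return second;
}

// Case 2: the calling thread initializes first; the other thread then tries to create.
Status case2MainThreadFirst() {
    Display display;
    display.initialize();
    Status first = Status::Ok;
    auto firstContext = display.createContext(first);
    Status second = Status::Ok;
    onOtherThread([&] { display.createContext(second); });
    return second;
}

// Case 3: the only context is created here and then made current from another
// thread. Returns {status on the owning thread, status on the other thread}.
std::pair<Status, Status> case3UseFromOtherThread() {
    Display display;
    display.initialize();
    Status created = Status::Ok;
    auto context = display.createContext(created);
    Status onOwner = context->makeCurrent();
    Status onOther = Status::Ok;
    onOtherThread([&] { onOther = context->makeCurrent(); });
    return { onOwner, onOther };
}

int main() {
    // Each cross-thread attempt reports WrongThread; only the owning thread proceeds.
    bool allRejected = case1OtherThreadFirst() == Status::WrongThread
        && case2MainThreadFirst() == Status::WrongThread
        && case3UseFromOtherThread().second == Status::WrongThread;
    return allRejected ? 0 : 1;
}
```

The guard is deliberately fail-closed: a wrong-thread call returns a status the caller can log and surface, which is the behaviour a WebKit-side "only one thread uses the context at a time" policy needs from the layer below it before the policy can be relied upon.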