[Webkit-unassigned] [Bug 222379] New: [GPU Process] Stroke and fill StateChangeFlags should be set exclusively

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Feb 24 13:05:44 PST 2021 

https://bugs.webkit.org/show_bug.cgi?id=222379

            Bug ID: 222379
           Summary: [GPU Process] Stroke and fill StateChangeFlags should
                    be set exclusively
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Canvas
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: sabouhallawa at apple.com
                CC: dino at apple.com

The stroke and the fill in GraphicsContextState can be set exclusively to color, pattern or gradient. The corresponding flag in StateChangeFlags is set once the GraphicsContext function is called. The problem is we do not clear the old flags. And this is why in StateState::encode() and StateState::decode(), we were expecting the flags might be set but the pointers of the pattern and the gradient are null. This has been an area of mistakes and confusion and can lead to this crash with GPUP enabled when GraphicsContext::setFillColor is called after GraphicsContext::setFillGradient() is called:

frame #1: 0x000000011d9870bb WebCore`WTFCrashWithInfo((null)=82, (null)="/Volumes/Data/Development/system/webkit/OpenSource/WebKitBuild/Debug/usr/local/include/wtf/RefPtr.h", (null)="T &WTF::RefPtr<WebCore::Gradient, WTF::RawPtrTraits<WebCore::Gradient>, WTF::DefaultRefDerefTraits<WebCore::Gradient> >::operator*() const [T = WebCore::Gradient, _PtrTraits = WTF::RawPtrTraits<WebCore::Gradient>, _RefDerefTraits = WTF::DefaultRefDerefTraits<WebCore::Gradient>]", (null)=23) at Assertions.h:671:5
frame #2: 0x000000012184a3f8 WebCore`WTF::RefPtr<WebCore::Gradient, WTF::RawPtrTraits<WebCore::Gradient>, WTF::DefaultRefDerefTraits<WebCore::Gradient> >::operator*(this=0x0000700005297cc0) const at RefPtr.h:82:28
frame #3: 0x0000000121849d0e WebCore`WebCore::GraphicsContextStateChange::apply(this=0x0000700005297cb0, context=0x000000010b0cf1b0) const at GraphicsContext.cpp:220:33
frame #4: 0x00000001219f38cd WebCore`WebCore::DisplayList::SetState::apply(this=0x0000700005297cb0, context=0x000000010b0cf1b0) const at DisplayListItems.cpp:223:13
frame #5: 0x00000001219f3088 WebCore`WebCore::DisplayList::ItemHandle::apply(this=0x0000700005297918, context=0x000000010b0cf1b0) at DisplayListItemBuffer.cpp:92:25
frame #6: 0x0000000121a0426d WebCore`WebCore::DisplayList::Replayer::applyItem(this=0x0000700005297e70, item=(data = "\v")) at DisplayListReplayer.cpp:120:10
frame #7: 0x00000001219f21da WebCore`WebCore::DisplayList::Replayer::replay(this=0x0000700005297e70, initialClip={ x = 0.0, y = 0.0, width = 0.0, height = 0.0 }, trackReplayList=false) at DisplayListReplayer.cpp:158:73

The crash happens in this following statement in GraphicsContextStateChange::apply()

    if (m_changeFlags.contains(GraphicsContextState::FillGradientChange))
        context.setFillGradient(*m_state.fillGradient, m_state.fillGradientSpaceTransform);

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20210224/c4e77f09/attachment-0001.htm>

More information about the webkit-unassigned mailing list