[Webkit-unassigned] [Bug 239107] New: RemoteRenderingBackend::willDestroyImageBuffer() can crash if the RemoteRenderingBackend has already been destroyed

bugzilla-daemon at webkit.org
Mon Apr 11 22:20:25 PDT 2022


https://bugs.webkit.org/show_bug.cgi?id=239107

            Bug ID: 239107
           Summary: RemoteRenderingBackend::willDestroyImageBuffer() can
                    crash if the RemoteRenderingBackend has already been
                    destroyed
           Product: WebKit
           Version: Safari Technology Preview
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit Process Model
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: simon.fraser at apple.com

I'm seeing occasional crashes when running fast/scrolling/ios/autoscroll-input-when-very-zoomed.html in the iOS simulator (via Xcode).

It looks like the RemoteRenderingBackend has been destroyed by the time a RemoteImageBuffer is destroyed on the main thread:

(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
  * frame #0: 0x000000016933868d WebCore`bool std::__1::__cxx_atomic_compare_exchange_weak<unsigned char>(__a=0x6e6f697461657243, __expected="", __value='\x01', __success=acquire, __failure=acquire) at atomic:1050:12
    frame #1: 0x0000000169338452 WebCore`std::__1::__atomic_base<unsigned char, false>::compare_exchange_weak(this=0x6e6f697461657243, __e=0x00007ff7b239e83f, __d='\x01', __m=acquire) at atomic:1681:17
    frame #2: 0x00000001693383fa WebCore`WTF::Atomic<unsigned char>::compareExchangeWeak(this=0x6e6f697461657243, expected='\0', desired='\x01', order=acquire) at Atomics.h:89:22
    frame #3: 0x00000001693383b1 WebCore`WTF::LockAlgorithm<unsigned char, (unsigned char)1, (unsigned char)2, WTF::EmptyLockHooks<unsigned char> >::lockFastAssumingZero(lock=0x6e6f697461657243) at LockAlgorithm.h:53:21
    frame #4: 0x0000000169338359 WebCore`WTF::Lock::lock(this=0x6e6f697461657243) at Lock.h:65:13
    frame #5: 0x0000000169338324 WebCore`WTF::Locker<WTF::Lock>::Locker(this=0x00007ff7b239e910, lock=0x6e6f697461657243) at Lock.h:158:16
    frame #6: 0x00000001693378dd WebCore`WTF::Locker<WTF::Lock>::Locker(this=0x00007ff7b239e910, lock=0x6e6f697461657243) at Lock.h:157:5
    frame #7: 0x000000016d97dcd1 WebCore`WebCore::IOSurfacePool::addSurface(this=0x6e6f697461657243, surface=WebCore::IOSurface @ 0x00007f9cecc09e00) at IOSurfacePool.cpp:180:12
    frame #8: 0x000000016b494848 WebCore`WebCore::IOSurface::moveToPool(surface=WebCore::IOSurface @ 0x00007f9cecc09e00, pool=0x6e6f697461657243) at IOSurface.mm:102:15
    frame #9: 0x000000016d9a0269 WebCore`WebCore::ImageBufferIOSurfaceBackend::releaseBufferToPool(this=0x00007f9cebf04530, pool=0x6e6f697461657243) at ImageBufferIOSurfaceBackend.cpp:267:5
    frame #10: 0x0000000128112272 WebKit`WebCore::ConcreteImageBuffer<WebKit::ImageBufferShareableMappedIOSurfaceBackend>::releaseBufferToPool(this=0x00007f9cebf05270, pool=0x6e6f697461657243) at ConcreteImageBuffer.h:333:22
    frame #11: 0x00000001280fdef2 WebKit`WebKit::RemoteRenderingBackend::willDestroyImageBuffer(this=0x00007f9cec808e90, imageBuffer=0x00007f9cebf05270) at RemoteRenderingBackend.cpp:175:21
    frame #12: 0x0000000128113708 WebKit`WebKit::RemoteImageBuffer<WebKit::ImageBufferShareableMappedIOSurfaceBackend>::~RemoteImageBuffer(this=0x00007f9cebf05270) at RemoteImageBuffer.h:76:34
    frame #13: 0x0000000128111c95 WebKit`WebKit::RemoteImageBuffer<WebKit::ImageBufferShareableMappedIOSurfaceBackend>::~RemoteImageBuffer(this=0x00007f9cebf05270) at RemoteImageBuffer.h:70:5
    frame #14: 0x0000000128111cb9 WebKit`WebKit::RemoteImageBuffer<WebKit::ImageBufferShareableMappedIOSurfaceBackend>::~RemoteImageBuffer(this=0x00007f9cebf05270) at RemoteImageBuffer.h:70:5
    frame #15: 0x0000000127d7580f WebKit`WTF::ThreadSafeRefCounted<WebCore::ImageBuffer, (WTF::DestructionThread)1>::deref(this=0x00007f9cfbfb2408) const::'lambda'()::operator()() const at ThreadSafeRefCounted.h:117:13
    frame #16: 0x0000000127d757b9 WebKit`WTF::Detail::CallableWrapper<WTF::ThreadSafeRefCounted<WebCore::ImageBuffer, (WTF::DestructionThread)1>::deref() const::'lambda'(), void>::call(this=0x00007f9cfbfb2400) at Function.h:53:39
    frame #17: 0x0000000144647ce2 JavaScriptCore`WTF::Function<void ()>::operator(this=0x00007ff7b239ead0)() const at Function.h:82:35
    frame #18: 0x00000001446d1bc2 JavaScriptCore`WTF::RunLoop::performWork(this=0x00007f9cfbfb58b0) at RunLoop.cpp:133:9
    frame #19: 0x00000001446d54ee JavaScriptCore`WTF::RunLoop::performWork(context=0x00007f9cfbfb58b0) at RunLoopCF.cpp:46:37
    frame #20: 0x000000010e3b5833 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
    frame #21: 0x000000010e3b572b CoreFoundation`__CFRunLoopDoSource0 + 180
    frame #22: 0x000000010e3b4bf8 CoreFoundation`__CFRunLoopDoSources0 + 242
    frame #23: 0x000000010e3af2f4 CoreFoundation`__CFRunLoopRun + 871
    frame #24: 0x000000010e3aea90 CoreFoundation`CFRunLoopRunSpecific + 562
    frame #25: 0x000000010ecfee31 Foundation`-[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 213
    frame #26: 0x000000010ecff04f Foundation`-[NSRunLoop(NSRunLoop) run] + 76
    frame #27: 0x000000010f979feb libxpc.dylib`_xpc_objc_main + 440
    frame #28: 0x000000010f97bfd4 libxpc.dylib`xpc_main + 122
    frame #29: 0x000000012819aeda WebKit`WebKit::XPCServiceMain((null)=1, (null)=0x00007ff7b239fcd8) at XPCServiceMain.mm:221:5
    frame #30: 0x000000012a14e99b WebKit`WKXPCServiceMain(argc=1, argv=0x00007ff7b239fcd8) at WKMain.mm:35:12
    frame #31: 0x000000010db5ed32 com.apple.WebKit.GPU.Development`main(argc=1, argv=0x00007ff7b239fcd8) at AuxiliaryProcessMain.cpp:30:12
    frame #32: 0x000000010dd74f21 dyld_sim`start_sim + 10
    frame #33: 0x000000011299b50e dyld`start + 462
(lldb)
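Two things in the trace above are worth making concrete for anyone triaging a similar report. First, the `pool` pointer handed to `IOSurfacePool::addSurface` is `0x6e6f697461657243`, whose eight little-endian bytes spell the ASCII text "Creation": the backend object had already been freed and its memory reused, so the pointer read out of it is garbage rather than a real pool. Second, the crash pattern is an object calling back into another object from its destructor through a raw pointer that nothing keeps alive. The following C++ block is an added illustration, not WebKit code: `decodePointerBytes` is the triage check for ASCII-looking addresses, and `Backend`, `Pool`, `ImageBufferRaw` and `ImageBufferWeak` are hypothetical stand-ins for `RemoteRenderingBackend`, `IOSurfacePool` and `RemoteImageBuffer`, with `std::weak_ptr` standing in for a WebKit weak reference (all assumptions).

```cpp
#include <cstdint>
#include <cstdio>
#include <memory>
#include <string>

// Added illustration. Backend, Pool, ImageBufferRaw and ImageBufferWeak are
// hypothetical stand-ins for the objects named in the backtrace, not WebKit code.

// Triage helper: view a faulting address as its 8 little-endian bytes.
// An address that reads as text (here 0x6e6f697461657243 -> "Creation") means
// the pointer was loaded from memory that had been freed and reused for a
// string, i.e. a dangling pointer / use-after-free rather than a logic error.
std::string decodePointerBytes(uint64_t address)
{
    std::string out;
    for (int i = 0; i < 8; ++i) {
        unsigned char byte = static_cast<unsigned char>(address >> (8 * i));
        out.push_back(byte >= 0x20 && byte < 0x7f ? static_cast<char>(byte) : '.');
    }
    return out;
}

struct Pool {
    int surfacesReturned = 0;
};

struct Backend {
    Pool pool;
    void willDestroyImageBuffer() { ++pool.surfacesReturned; }
};

// The shape seen in the trace: a raw pointer to the backend, dereferenced from
// the destructor. Nothing guarantees the backend still exists at that point,
// so this type is shown only for contrast and never instantiated here.
struct ImageBufferRaw {
    Backend* backend;
    ~ImageBufferRaw() { backend->willDestroyImageBuffer(); } // dangling if backend died first
};

// Defensive shape: hold a weak reference and check it before calling back.
struct ImageBufferWeak {
    std::weak_ptr<Backend> backend;
    bool* released; // reports to the caller whether the pool callback ran

    ImageBufferWeak(const std::shared_ptr<Backend>& b, bool* flag)
        : backend(b), released(flag) { }

    ~ImageBufferWeak()
    {
        if (auto strong = backend.lock()) {
            strong->willDestroyImageBuffer(); // backend alive: normal teardown
            *released = true;
        } else {
            *released = false; // backend already gone: skip instead of touching freed memory
        }
    }
};

// Backend outlives the buffer: the callback runs and the surface returns to the pool.
bool destroyBufferBeforeBackend()
{
    auto backend = std::make_shared<Backend>();
    bool released = false;
    {
        ImageBufferWeak buffer(backend, &released);
    }
    return released && backend->pool.surfacesReturned == 1;
}

// Backend dies first (the scenario in the report): the weak reference is empty,
// the destructor skips the callback and no freed memory is dereferenced.
bool destroyBufferAfterBackend()
{
    auto backend = std::make_shared<Backend>();
    bool released = true;
    auto buffer = std::make_unique<ImageBufferWeak>(backend, &released);
    backend.reset(); // last strong reference dropped; Backend is destroyed
    buffer.reset();  // buffer destructor now runs without a live backend
    return !released;
}

int main()
{
    std::printf("pool pointer bytes: %s\n", decodePointerBytes(0x6e6f697461657243ULL).c_str());
    std::printf("backend alive at buffer teardown: %s\n", destroyBufferBeforeBackend() ? "ok" : "FAIL");
    std::printf("backend gone at buffer teardown:  %s\n", destroyBufferAfterBackend() ? "ok" : "FAIL");
    return 0;
}
```

Running the binary under AddressSanitizer with the raw-pointer variant instantiated in the second ordering would report the heap-use-after-free directly, which is the quickest way to confirm the diagnosis on a build like the one in the report.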
