[Webkit-unassigned] [Bug 255761] New: Crash in WebCore::BackgroundPainter::calculateBackgroundImageGeometry

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Apr 20 20:09:43 PDT 2023 

https://bugs.webkit.org/show_bug.cgi?id=255761

            Bug ID: 255761
           Summary: Crash in
                    WebCore::BackgroundPainter::calculateBackgroundImageGe
                    ometry
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Layout and Rendering
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mcatanzaro at redhat.com
                CC: bfulgham at webkit.org, simon.fraser at apple.com,
                    zalan at apple.com

Created attachment 466023

  --> https://bugs.webkit.org/attachment.cgi?id=466023&action=review

Full backtrace

Using WebKitGTK 2.41.2 (262949 at main), load https://www.ksl.com/article/50624749/hero-uhp-sergeant-praised-for-stopping-wrong-way-driver and the web process will always crash:

#0  WTF::RefPtr<WebCore::WeakPtrImplWithEventTargetData, WTF::RawPtrTraits<WebCore::WeakPtrImplWithEventTargetData>, WTF::DefaultRefDerefTraits<WebCore::WeakPtrImplWithEventTargetData> >::operator bool() const (this=0x10)
    at WTF/Headers/wtf/RefPtr.h:92
#1  WTF::WeakPtr<WebCore::Node, WebCore::WeakPtrImplWithEventTargetData>::get() const (this=0x10)
    at WTF/Headers/wtf/WeakPtr.h:127
#2  WTF::WeakPtr<WebCore::Node, WebCore::WeakPtrImplWithEventTargetData>::operator->() const (this=0x10)
    at WTF/Headers/wtf/WeakPtr.h:140
#3  WebCore::RenderObject::document() const (this=0x0)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderObject.h:509
#4  WebCore::RenderObject::view() const (this=0x0)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderObject.h:488
#5  WebCore::BackgroundPainter::calculateBackgroundImageGeometry(WebCore::RenderBoxModelObject const&, WebCore::RenderLayerModelObject const*, WebCore::FillLayer const&, WebCore::LayoutPoint const&, WebCore::LayoutRect const&)
    (renderer=..., paintContainer=0x0, fillLayer=..., paintOffset=..., borderBoxRect=...)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/BackgroundPainter.cpp:510
#6  0x00007fc8790f68e4 in WebCore::RenderLayerBacking::updateDirectlyCompositedBackgroundImage(WebCore::PaintedContentsInfo&, bool&) (this=0x7fc85e448100, contentsInfo=..., didUpdateContentsRect=@0x7ffef129ba70: true)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderLayerBacking.cpp:2735
#7  0x00007fc8790f1833 in WebCore::RenderLayerBacking::updateDirectlyCompositedBoxDecorations(WebCore::PaintedContentsInfo&, bool&) (this=0x7fc85e448100, contentsInfo=..., didUpdateContentsRect=@0x7ffef129ba70: true)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderLayerBacking.cpp:1713
#8  WebCore::RenderLayerBacking::updateConfiguration(WebCore::RenderLayer const*)
    (this=0x7fc85e448100, compositingAncestor=<optimized out>)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderLayerBacking.cpp:1107
#9  0x00007fc879100ba3 in WebCore::RenderLayerCompositor::updateBackingAndHierarchy(WebCore::RenderLayer&, WTF::Vector<WTF::Ref<WebCore::GraphicsLayer, WTF::RawPtrTraits<WebCore::GraphicsLayer> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WebCore::RenderLayerCompositor::UpdateBackingTraversalState&, WebCore::ScrollingTreeState&, WTF::OptionSet<WebCore::RenderLayerCompositor::UpdateLevel>)
    (this=0x7fc85e0200e0, layer=..., childLayersOfEnclosingLayer=..., traversalState=..., scrollingTreeState=..., updateLevel=...) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderLayerCompositor.cpp:1364
#10 0x00007fc879100f61 in WebCore::RenderLayerCompositor::updateBackingAndHierarchy(WebCore::RenderLayer&, WTF::Vector<WTF::Ref<WebCore::GraphicsLayer, WTF::RawPtrTraits<WebCore::GraphicsLayer> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WebCore::RenderLayerCompositor::UpdateBackingTraversalState&, WebCore::ScrollingTreeState&, WTF::OptionSet<WebCore::RenderLayerCompositor::UpdateLevel>)
    (this=0x7fc85e0200e0, layer=..., childLayersOfEnclosingLayer=..., traversalState=..., scrollingTreeState=..., updateLevel=...) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderLayerCompositor.cpp:1439 

I'll attach a full backtrace.

Notably, the second parameter to BackgroundPainter::calculateBackgroundImageGeometry is nullptr. And the first and second parameters are both the same, so that means the first parameter is an invalid reference. The calls to renderBox() in RenderLayerBacking::updateDirectlyCompositedBackgroundImage are apparently returning nullptr.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20230421/e80f7a2e/attachment.htm>

More information about the webkit-unassigned mailing list