[Webkit-unassigned] [Bug 254262] New: RPI3 (32bits) ARMv7 NEON crashes on WebCore::TextureMapperLayer::paintWith3DRenderingContext()

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Mar 22 02:44:12 PDT 2023 

https://bugs.webkit.org/show_bug.cgi?id=254262

            Bug ID: 254262
           Summary: RPI3 (32bits) ARMv7 NEON crashes on
                    WebCore::TextureMapperLayer::paintWith3DRenderingConte
                    xt()
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: New Bugs
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: psaavedra at igalia.com

.. using the VC4 mesa driver: 

```
#0  0x6a096c22 in _mesa_update_renderbuffer_surface (ctx=ctx at entry=0x6bfc8020, rb=rb at entry=0x2476190) at ../mesa-22.0.3/src/mesa/main/renderbuffer.c:581
#1  0x6a087ed0 in render_texture (ctx=ctx at entry=0x6bfc8020, att=att at entry=0x24f3a04, fb=0x24f3858) at ../mesa-22.0.3/src/mesa/main/fbobject.c:451
#2  0x6a089320 in _mesa_update_texture_renderbuffer (ctx=ctx at entry=0x6bfc8020, fb=fb at entry=0x24f3858, att=att at entry=0x24f3a04) at ../mesa-22.0.3/src/mesa/main/fbobject.c:590
#3  0x6a08cad0 in set_texture_attachment (layered=0 '\000', layer=1778962583, samples=38787704, level=3553, texTarget=<optimized out>, texObj=0x24fda78, att=0x24f3a04, fb=0x24f3858, ctx=0x6bfc8020)
    at ../mesa-22.0.3/src/mesa/main/fbobject.c:631
#4  _mesa_framebuffer_texture (ctx=0x6bfc8020, fb=0x24f3858, attachment=36064, att=0x24f3a04, texObj=<optimized out>, textarget=<optimized out>, level=0, samples=0, layer=0, layered=0 '\000')
    at ../mesa-22.0.3/src/mesa/main/fbobject.c:4019
#5  0x6a08cdb0 in framebuffer_texture_with_dims (dims=3553, target=<optimized out>, framebuffer=<optimized out>, attachment=<optimized out>, textarget=<optimized out>, texture=<optimized out>, level=0, samples=0, layer=0, caller=0x0, 
    dsa=false) at ../mesa-22.0.3/src/mesa/main/fbobject.c:4121
#6  0x6a08d096 in _mesa_FramebufferTexture2D (target=<optimized out>, attachment=<optimized out>, textarget=3553, texture=<optimized out>, level=0) at ../mesa-22.0.3/src/mesa/main/fbobject.c:4159
#7  0x74d28e58 in WebCore::BitmapTextureGL::createFboIfNeeded() [clone .part.0] () from /opt/browsers/1.0/sysroots/cortexa7t2hf-neon-vfpv4-poky-linux-gnueabi/usr/lib/libWPEWebKit-2.0.so.0.0.0
#8  0x74d29b0c in WebCore::BitmapTextureGL::bindAsSurface() () from /opt/browsers/1.0/sysroots/cortexa7t2hf-neon-vfpv4-poky-linux-gnueabi/usr/lib/libWPEWebKit-2.0.so.0.0.0
#9  0x74d2a984 in WebCore::TextureMapperGL::bindSurface(WebCore::BitmapTexture*) () from /opt/browsers/1.0/sysroots/cortexa7t2hf-neon-vfpv4-poky-linux-gnueabi/usr/lib/libWPEWebKit-2.0.so.0.0.0
#10 0x74d27c9c in WebCore::TextureMapperLayer::paintWith3DRenderingContext(WebCore::TextureMapperPaintOptions&) () from /opt/browsers/1.0/sysroots/cortexa7t2hf-neon-vfpv4-poky-linux-gnueabi/usr/lib/libWPEWebKit-2.0.so.0.0.0
#11 0x76e9e964 in ?? () from /opt/browsers/1.0/sysroots/cortexa7t2hf-neon-vfpv4-poky-linux-gnueabi/usr/lib/libWPEWebKit-2.0.so.0.0.0
```

The crash seems a side-effect of:

  TextureMapper: Attach a depth buffer for BitmapTextureGL for 3D transform
  https://bugs.webkit.org/show_bug.cgi?id=244526

since this crash is not reproducible after a partial revert of the https://commits.webkit.org/255021@main commit.


``` diff
diff --git a/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp b/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp
index f891d9bc8c70..f627ebdecaf8 100644
--- a/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp
+++ b/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp
@@ -754,9 +754,10 @@ void TextureMapperLayer::paintRecursive(TextureMapperPaintOptions& options)

     SetForScope scopedOpacity(options.opacity, options.opacity * m_currentOpacity);

-    if (m_state.preserves3D)
-        paintWith3DRenderingContext(options);
-    else if (shouldBlend())
+    if (shouldBlend())
         paintUsingOverlapRegions(options);
     else
         paintSelfChildrenReplicaFilterAndMask(options);
```

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20230322/97373dfe/attachment.htm>

More information about the webkit-unassigned mailing list