[Webkit-unassigned] [Bug 254117] [GTK] UI process crash in AcceleratedBackingStoreWayland::tryEnsureTexture

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Mar 22 08:33:05 PDT 2023


https://bugs.webkit.org/show_bug.cgi?id=254117

--- Comment #9 from Michael Catanzaro <mcatanzaro at gnome.org> ---
So I discovered that I'm able to reproduce this crash reliably by attempting to log into gitlab.com, and managed to catch it under valgrind. Unfortunately it seems the GNOME runtime's debuginfo for libwayland-server.so is broken. But here is what I've got:

==3== Invalid read of size 8
==3==    at 0xEA37814: releaseImage (view-backend-exportable-fdo-egl.cpp:250)
==3==    by 0xEA37814: wpe_view_backend_exportable_fdo_egl_dispatch_release_exported_image (view-backend-exportable-fdo-egl.cpp:330)
==3==    by 0x6B519A2: WebKit::AcceleratedBackingStoreWayland::tryEnsureTexture(unsigned int&, WebCore::IntSize&) (Source/WebKit/UIProcess/gtk/AcceleratedBackingStoreWayland.cpp:408)
==3==    by 0x6B51D32: WebKit::AcceleratedBackingStoreWayland::snapshot(_GdkSnapshot*) (Source/WebKit/UIProcess/gtk/AcceleratedBackingStoreWayland.cpp:485)
==3==    by 0x6AB6B39: webkitWebViewBaseSnapshot(_GtkWidget*, _GdkSnapshot*) (Source/WebKit/UIProcess/API/gtk/WebKitWebViewBase.cpp:757)
==3==    by 0x501CB37: gtk_widget_create_render_node (gtkwidget.c:11777)
==3==    by 0x501F5AB: gtk_widget_do_snapshot (gtkwidget.c:11817)
==3==    by 0x502B3D1: gtk_widget_snapshot_child (gtkwidget.c:12238)
==3==    by 0x4F5F2B6: gtk_overlay_snapshot_child (gtkoverlay.c:201)
==3==    by 0x4F5F2B6: gtk_overlay_snapshot (gtkoverlay.c:224)
==3==    by 0x501C72A: gtk_widget_create_render_node (gtkwidget.c:11782)
==3==    by 0x501F5AB: gtk_widget_do_snapshot (gtkwidget.c:11817)
==3==    by 0x502B3D1: gtk_widget_snapshot_child (gtkwidget.c:12238)
==3==    by 0x502B47D: gtk_widget_real_snapshot (gtkwidget.c:757)
==3==  Address 0x89a0e640 is 16 bytes inside a block of size 48 free'd
==3==    at 0x484989F: operator delete(void*) (vg_replace_malloc.c:935)
==3==    by 0xF176D37: ??? (in /usr/lib/x86_64-linux-gnu/libwayland-server.so.0.21.0)
==3==    by 0xF1749CF: ??? (in /usr/lib/x86_64-linux-gnu/libwayland-server.so.0.21.0)
==3==    by 0xF17DBD2: ??? (in /usr/lib/x86_64-linux-gnu/libwayland-server.so.0.21.0)
==3==    by 0xF17DC1D: ??? (in /usr/lib/x86_64-linux-gnu/libwayland-server.so.0.21.0)
==3==    by 0xF174D82: wl_client_destroy (in /usr/lib/x86_64-linux-gnu/libwayland-server.so.0.21.0)
==3==    by 0xF17410C: ??? (in /usr/lib/x86_64-linux-gnu/libwayland-server.so.0.21.0)
==3==    by 0xF177FB7: ??? (in /usr/lib/x86_64-linux-gnu/libwayland-server.so.0.21.0)
==3==    by 0xF1796D0: wl_event_loop_dispatch (in /usr/lib/x86_64-linux-gnu/libwayland-server.so.0.21.0)
==3==    by 0xEA38A6A: operator() (ws.cpp:77)
==3==    by 0xEA38A6A: WS::ServerSource::{lambda(_GSource*, int (*)(void*), void*)#3}::_FUN(_GSource*, int (*)(void*), void*) (ws.cpp:86)
==3==    by 0x4AA1D48: g_main_dispatch (gmain.c:3460)
==3==    by 0x4AA1D48: g_main_context_dispatch (gmain.c:4200)
==3==    by 0x4AA22A7: g_main_context_iterate.constprop.0 (gmain.c:4276)
==3==  Block was alloc'd at
==3==    at 0x4847003: operator new(unsigned long) (vg_replace_malloc.c:434)
==3==    by 0xEA3748A: exportBuffer (view-backend-exportable-fdo-egl.cpp:212)
==3==    by 0xEA3748A: (anonymous namespace)::ClientBundleEGL::exportBuffer(linux_dmabuf_buffer const*) (view-backend-exportable-fdo-egl.cpp:201)
==3==    by 0xBC25055: ffi_call_unix64 (unix64.S:104)
==3==    by 0xBC23ADC: ffi_call_int (ffi64.c:673)
==3==    by 0xBC242B2: ffi_call (ffi64.c:710)
==3==    by 0xF17BE41: ??? (in /usr/lib/x86_64-linux-gnu/libwayland-server.so.0.21.0)
==3==    by 0xF1744B5: ??? (in /usr/lib/x86_64-linux-gnu/libwayland-server.so.0.21.0)
==3==    by 0xF177FB7: ??? (in /usr/lib/x86_64-linux-gnu/libwayland-server.so.0.21.0)
==3==    by 0xF1796D0: wl_event_loop_dispatch (in /usr/lib/x86_64-linux-gnu/libwayland-server.so.0.21.0)
==3==    by 0xEA38A6A: operator() (ws.cpp:77)
==3==    by 0xEA38A6A: WS::ServerSource::{lambda(_GSource*, int (*)(void*), void*)#3}::_FUN(_GSource*, int (*)(void*), void*) (ws.cpp:86)
==3==    by 0x4AA1D48: g_main_dispatch (gmain.c:3460)
==3==    by 0x4AA1D48: g_main_context_dispatch (gmain.c:4200)
==3==    by 0x4AA22A7: g_main_context_iterate.constprop.0 (gmain.c:4276)

Unfortunately we don't really know what's going on when freeing the "16 bytes inside a block of size 48 free'd" due to all the ??? frames due to broken debuginfo. However, that's the dispatch callback of WS::ServerSource::s_sourceFuncs, so surely it's being deleted during the call to wl_event_loop_dispatch. That doesn't really tell us as much as I had hoped, though. :/

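The lifetime pattern the valgrind report above describes, as an added example that is not code from WebKit, WPE or libwayland: a buffer is exported on behalf of a Wayland client, the client is torn down inside an event-loop dispatch and frees what it exported, and a later release call on the view side still dereferences the raw pointer it kept. All names here (exported_image, client_state, view_state, the two run_* drivers) are hypothetical. Rather than calling free(), "freed" images are poisoned and parked in a quarantine list so the stale read is detected deterministically, the way valgrind flags the "Invalid read ... inside a block ... free'd" above. The second variant shows one generic remedy, a reference held by every owner so the image outlives the client until the view has released it; it is not a claim about how the real bug was fixed.

```c
/*
 * Added example (not WebKit, WPE or libwayland code). Models an exported
 * image whose owning client is destroyed during dispatch while the view
 * still holds a raw pointer to it, and a refcounted variant that survives
 * the same sequence. Names are hypothetical.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct exported_image {
    uint32_t id;
    int refs;      /* references held by owners (refcounted variant only) */
    int poisoned;  /* set once the block has been "freed" */
    struct exported_image *next_quarantined;
} exported_image;

static exported_image *quarantine;  /* freed blocks kept so stale reads can be caught */

static exported_image *image_new(uint32_t id) {
    exported_image *img = calloc(1, sizeof *img);
    if (!img) abort();
    img->id = id;
    img->refs = 1;  /* the exporting client's reference */
    return img;
}

/* Stand-in for free(): poison and park the block instead of returning it. */
static void image_free(exported_image *img) {
    img->poisoned = 1;
    img->next_quarantined = quarantine;
    quarantine = img;
}

/* The "invalid read": -1 means the block had already been freed. */
static long image_read_id(const exported_image *img) {
    return img->poisoned ? -1 : (long)img->id;
}

typedef struct { exported_image *exported[4]; int count; } client_state;
typedef struct { exported_image *pending; } view_state;

/* Variant 1: the client owns the image, the view keeps only a raw pointer. */
static exported_image *export_buffer_raw(client_state *c, view_state *v, uint32_t id) {
    exported_image *img = image_new(id);
    c->exported[c->count++] = img;
    v->pending = img;  /* no reference taken */
    return img;
}
static void client_destroy_raw(client_state *c) {
    for (int i = 0; i < c->count; i++) image_free(c->exported[i]);
    c->count = 0;
}
static long view_release_raw(view_state *v) {
    long id = image_read_id(v->pending);  /* reads freed memory after destroy */
    v->pending = NULL;
    return id;
}

/* Variant 2: every holder takes a reference; the last unref frees. */
static void image_unref(exported_image *img) {
    if (--img->refs == 0) image_free(img);
}
static exported_image *export_buffer_ref(client_state *c, view_state *v, uint32_t id) {
    exported_image *img = image_new(id);
    c->exported[c->count++] = img;
    img->refs++;  /* the view's own reference */
    v->pending = img;
    return img;
}
static void client_destroy_ref(client_state *c) {
    for (int i = 0; i < c->count; i++) image_unref(c->exported[i]);
    c->count = 0;
}
static long view_release_ref(view_state *v) {
    long id = image_read_id(v->pending);  /* still alive: the view holds a ref */
    image_unref(v->pending);
    v->pending = NULL;
    return id;
}

/* One dispatch cycle per variant: export, client goes away, view releases. */
long run_raw_pointer_variant(void) {
    client_state c = {0}; view_state v = {0};
    export_buffer_raw(&c, &v, 42);
    client_destroy_raw(&c);       /* what a client teardown during dispatch does */
    return view_release_raw(&v);  /* -1: use after free */
}
long run_refcounted_variant(void) {
    client_state c = {0}; view_state v = {0};
    export_buffer_ref(&c, &v, 42);
    client_destroy_ref(&c);
    return view_release_ref(&v);  /* 42: the image outlived its client */
}

/* Release quarantined blocks for real; returns how many were freed. */
int quarantine_drain(void) {
    int n = 0;
    while (quarantine) {
        exported_image *q = quarantine;
        quarantine = q->next_quarantined;
        free(q);
        n++;
    }
    return n;
}

int main(void) {
    printf("raw pointer: %ld\n", run_raw_pointer_variant());
    printf("refcounted:  %ld\n", run_refcounted_variant());
    printf("freed blocks: %d\n", quarantine_drain());
    return 0;
}
```

Build with `cc -Wall -o lifetime lifetime.c && ./lifetime`; the raw-pointer variant reports -1 and the refcounted one 42. Swap the quarantine for a real free() and run the binary under valgrind to see the same "Invalid read ... block ... free'd" shape as in the report above, with the alloc stack in export_buffer_raw and the free stack in client_destroy_raw.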