[Webkit-unassigned] [Bug 272150] New: [WPE] Crash on ThreadedCompositor::renderLayerTree() during video playlist transitions
bugzilla-daemon at webkit.org
Thu Apr 4 05:03:37 PDT 2024
https://bugs.webkit.org/show_bug.cgi?id=272150
Bug ID: 272150
Summary: [WPE] Crash on ThreadedCompositor::renderLayerTree() during video playlist transitions
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Linux
Status: NEW
Severity: Normal
Priority: P2
Component: WebKit2
Assignee: webkit-unassigned at lists.webkit.org
Reporter: psaavedra at igalia.com
CC: kkinnunen at apple.com
```
#0 0x00007fff2d0e25e4 in WebCore::TextureMapperLayer::paintSelf(WebCore::TextureMapperPaintOptions&) () from /devel-wk/usr/lib/libWPEWebKit-2.0.so.1.3.1
#1 0x00007fff2d0e6344 in WebCore::TextureMapperLayer::paintSelfAndChildren(WebCore::TextureMapperPaintOptions&) () from /devel-wk/usr/lib/libWPEWebKit-2.0.so.1.3.1
#2 0x00007fff2d0e6248 in WebCore::TextureMapperLayer::paintRecursive(WebCore::TextureMapperPaintOptions&) () from /devel-wk/usr/lib/libWPEWebKit-2.0.so.1.3.1
#3 0x00007fff2d0e6374 in WebCore::TextureMapperLayer::paintSelfAndChildren(WebCore::TextureMapperPaintOptions&) () from /devel-wk/usr/lib/libWPEWebKit-2.0.so.1.3.1
#4 0x00007fff2d0e6248 in WebCore::TextureMapperLayer::paintRecursive(WebCore::TextureMapperPaintOptions&) () from /devel-wk/usr/lib/libWPEWebKit-2.0.so.1.3.1
#5 0x00007fff2d0e6374 in WebCore::TextureMapperLayer::paintSelfAndChildren(WebCore::TextureMapperPaintOptions&) () from /devel-wk/usr/lib/libWPEWebKit-2.0.so.1.3.1
#6 0x00007fff2d0e6248 in WebCore::TextureMapperLayer::paintRecursive(WebCore::TextureMapperPaintOptions&) () from /devel-wk/usr/lib/libWPEWebKit-2.0.so.1.3.1
#7 0x00007fff2d0e6374 in WebCore::TextureMapperLayer::paintSelfAndChildren(WebCore::TextureMapperPaintOptions&) () from /devel-wk/usr/lib/libWPEWebKit-2.0.so.1.3.1
#8 0x00007fff2d0e6248 in WebCore::TextureMapperLayer::paintRecursive(WebCore::TextureMapperPaintOptions&) () from /devel-wk/usr/lib/libWPEWebKit-2.0.so.1.3.1
#9 0x00007fff2d0e6374 in WebCore::TextureMapperLayer::paintSelfAndChildren(WebCore::TextureMapperPaintOptions&) () from /devel-wk/usr/lib/libWPEWebKit-2.0.so.1.3.1
#10 0x00007fff2d0e6248 in WebCore::TextureMapperLayer::paintRecursive(WebCore::TextureMapperPaintOptions&) () from /devel-wk/usr/lib/libWPEWebKit-2.0.so.1.3.1
#11 0x00007fff2d0e6374 in WebCore::TextureMapperLayer::paintSelfAndChildren(WebCore::TextureMapperPaintOptions&) () from /devel-wk/usr/lib/libWPEWebKit-2.0.so.1.3.1
#12 0x00007fff2d0e6248 in WebCore::TextureMapperLayer::paintRecursive(WebCore::TextureMapperPaintOptions&) () from /devel-wk/usr/lib/libWPEWebKit-2.0.so.1.3.1
#13 0x00007fff2d0e6374 in WebCore::TextureMapperLayer::paintSelfAndChildren(WebCore::TextureMapperPaintOptions&) () from /devel-wk/usr/lib/libWPEWebKit-2.0.so.1.3.1
#14 0x00007fff2d0e6248 in WebCore::TextureMapperLayer::paintRecursive(WebCore::TextureMapperPaintOptions&) () from /devel-wk/usr/lib/libWPEWebKit-2.0.so.1.3.1
#15 0x00007fff2d0e6374 in WebCore::TextureMapperLayer::paintSelfAndChildren(WebCore::TextureMapperPaintOptions&) () from /devel-wk/usr/lib/libWPEWebKit-2.0.so.1.3.1
#16 0x00007fff2d0e6248 in WebCore::TextureMapperLayer::paintRecursive(WebCore::TextureMapperPaintOptions&) () from /devel-wk/usr/lib/libWPEWebKit-2.0.so.1.3.1
#17 0x00007fff2d0e6374 in WebCore::TextureMapperLayer::paintSelfAndChildren(WebCore::TextureMapperPaintOptions&) () from /devel-wk/usr/lib/libWPEWebKit-2.0.so.1.3.1
#18 0x00007fff2d0e6248 in WebCore::TextureMapperLayer::paintRecursive(WebCore::TextureMapperPaintOptions&) () from /devel-wk/usr/lib/libWPEWebKit-2.0.so.1.3.1
#19 0x00007fff2d0e75a0 in WebCore::TextureMapperLayer::paint(WebCore::TextureMapper&) () from /devel-wk/usr/lib/libWPEWebKit-2.0.so.1.3.1
#20 0x00007fff2b8db914 in WebKit::CoordinatedGraphicsScene::paintToCurrentGLContext(WebCore::TransformationMatrix const&, WebCore::FloatRect const&, bool) () from /devel-wk/usr/lib/libWPEWebKit-2.0.so.1.3.1
#21 0x00007fff2b8dbb84 in WebKit::ThreadedCompositor::renderLayerTree() [clone .part.0] () from /devel-wk/usr/lib/libWPEWebKit-2.0.so.1.3.1
#22 0x00007fff2d0970c0 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::{lambda(void*)#1}::_FUN(void*) () from /devel-wk/usr/lib/libWPEWebKit-2.0.so.1.3.1
#23 0x00007fff2d09797c in WTF::RunLoop::{lambda(_GSource*, int (*)(void*), void*)#1}::_FUN(_GSource*, int (*)(void*), void*) () from /devel-wk/usr/lib/libWPEWebKit-2.0.so.1.3.1
#24 0x00007fff2a719714 in g_main_dispatch (context=context@entry=0x7ffec0000b70) at /usr/src/debug/glib-2.0/1_2.78.1-r0/glib/gmain.c:3476
#25 0x00007fff2a71d138 in g_main_context_dispatch_unlocked (context=0x7ffec0000b70) at /usr/src/debug/glib-2.0/1_2.78.1-r0/glib/gmain.c:4284
#26 g_main_context_iterate_unlocked (context=0x7ffec0000b70, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at /usr/src/debug/glib-2.0/1_2.78.1-r0/glib/gmain.c:4349
#27 0x00007fff2a71dc00 in g_main_loop_run (loop=0x7ffec0000da0) at /usr/src/debug/glib-2.0/1_2.78.1-r0/glib/gmain.c:4551
#28 0x00007fff2d097b34 in WTF::RunLoop::run() () from /devel-wk/usr/lib/libWPEWebKit-2.0.so.1.3.1
#29 0x00007fff2d036b30 in WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) () from /devel-wk/usr/lib/libWPEWebKit-2.0.so.1.3.1
#30 0x00007fff2d09bfd4 in WTF::wtfThreadEntryPoint(void*) () from /devel-wk/usr/lib/libWPEWebKit-2.0.so.1.3.1
#31 0x00007fff2ac7f594 in start_thread (arg=0x7fff2a9d8760) at pthread_create.c:444
#32 0x00007fff2ace824c in thread_start () at ../sysdeps/unix/sysv/linux/aarch64/clone3.S:76
```
The crash happens because of an invalid memory access in the line `contentsLayer->paintToTextureMapper(options.textureMapper, m_state.contentsRect, transform, options.opacity);` inside `TextureMapperLayer::paint(TextureMapper& textureMapper)` in Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp.
Steps for reproducing the issue:
* Go to https://people.igalia.com/psaavedra/demo-igalia-videos/
* Click on the cursors (->) to iterate from one video to the next.