[Webkit-unassigned] [Bug 271477] REGRESSION(2.44): [GTK] Eclipse crashes when rendering tooltips: gdk_window_create_gl_context: assertion 'GDK_IS_WINDOW (window)' failed in WebKit::AcceleratedBackingStoreDMABuf::ensureGLContext

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Jun 12 21:43:30 PDT 2024


https://bugs.webkit.org/show_bug.cgi?id=271477

oreo6391 at gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |oreo6391 at gmail.com

--- Comment #4 from oreo6391 at gmail.com ---
Created attachment 471668

  --> https://bugs.webkit.org/attachment.cgi?id=471668&action=review

Backtrace of gdk_window_create_gl_context() error with G_DEBUG=fatal-criticals

I reproduced this on Void Linux, the backtrace is attached as a text file.

After updating to 2.44.x from 2.42.x, in some circumstances gdk_window_create_gl_context() fails where it previously did not with the message "Gdk-CRITICAL **: 21:29:29.313: gdk_window_create_gl_context: assertion 'GDK_IS_WINDOW (window)' failed".

Shortly after that, libwebkit2gtk crashes due to a nullptr dereference on the following line:
WebKit::AcceleratedBackingStoreDMABuf::ensureGLContext ()
    at ../Source/WebKit/UIProcess/gtk/AcceleratedBackingStoreDMABuf.cpp:537

https://github.com/WebKit/WebKit/blob/webkitgtk-2.44.2/Source/WebKit/UIProcess/gtk/AcceleratedBackingStoreDMABuf.cpp#L537

It appears that after updating from 2.42.x to 2.44.x, gtk_widget_get_window() can get called here without a realized window, resulting in it returning a nullptr (while also leaving the error pointer null). This gets passed to gdk_window_create_gl_context(), which cannot create a GL context for a null window; libwebkit2gtk then tries to abort while printing the message from the error pointer, dereferences the null error pointer, and crashes.

Btw, this bug affects nyxt as well: https://github.com/atlas-engineer/nyxt/issues/3393
I'm not sure how to reproduce it consistently with nyxt though.

-- 
You are receiving this mail because:
You are the assignee for the bug.
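The failure chain from the comment above, modelled as an added C example that is not code from WebKit or from the reporter: the GLib/GDK types are replaced by minimal constructed stand-ins so it compiles without GTK, and the hardened caller shows the two checks the comment implies (refuse to call into GDK without a realized window, and never assume a NULL return means the GError was set).

```c
#include <stdio.h>
#include <string.h>

/* Minimal stand-ins for the GLib/GDK types (constructed so this compiles without GTK). */
typedef struct { const char *message; } GError;
typedef struct { int gl_supported; } GdkWindow;
typedef struct { GdkWindow *window; } GtkWidget;   /* window == NULL while unrealized */
typedef struct { int id; } GdkGLContext;

/* Models gtk_widget_get_window(): NULL until the widget is realized. */
static GdkWindow *widget_get_window(GtkWidget *w) { return w->window; }

/* Models gdk_window_create_gl_context(): a g_return_val_if_fail() precondition
 * failure logs a CRITICAL and returns NULL *without* touching *error (GLib
 * convention: programmer errors never populate the GError). Only a genuine
 * runtime failure sets it. */
static GdkGLContext *window_create_gl_context(GdkWindow *win, GError **error) {
    static GdkGLContext ctx = { 1 };
    static GError no_gl = { "GL is not supported on this window" };
    if (win == NULL) {
        fprintf(stderr, "Gdk-CRITICAL **: gdk_window_create_gl_context: "
                        "assertion 'GDK_IS_WINDOW (window)' failed\n");
        return NULL;                       /* *error left untouched (NULL) */
    }
    if (!win->gl_supported) { *error = &no_gl; return NULL; }
    return &ctx;
}

/* Hardened caller: refuses to call into GDK without a realized window, and
 * only dereferences the GError when it was actually set. */
static GdkGLContext *ensure_gl_context(GtkWidget *widget, const char **why) {
    GError *error = NULL;
    GdkWindow *window = widget_get_window(widget);
    *why = NULL;
    if (window == NULL) {
        *why = "widget is not realized: no GdkWindow to create a GL context on";
        return NULL;
    }
    GdkGLContext *ctx = window_create_gl_context(window, &error);
    if (ctx == NULL) {
        *why = error ? error->message : "unknown failure (GError not set)";
        return NULL;
    }
    return ctx;
}
```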