Bug 252435

Summary: [GTK] gdk_memory_texture_new: assertion 'width > 0' failed in cairoSurfaceToGdkTexture
Product: WebKit Reporter: Michael Catanzaro <mcatanzaro>
Component: WebKitGTKAssignee: Michael Catanzaro <mcatanzaro>
Status: RESOLVED FIXED    
Severity: Normal CC: bugs-noreply, mcatanzaro
Priority: P2    
Version: WebKit Nightly Build   
Hardware: PC   
OS: Linux   
See Also: https://bugs.webkit.org/show_bug.cgi?id=258918

Description Michael Catanzaro 2023-02-16 15:02:35 PST 
Reproducer: visit https://dor.mo.gov/forms/?formName=&category=&year=99 and wait until the page loads. It will hit a critical:

#0  _g_log_abort (breakpoint=1) at ../../../../Projects/glib/glib/gmessages.c:558
#1  0x00007f6466d6d739 in g_logv (log_domain=0x7f6466735efb "Gdk", log_level=G_LOG_LEVEL_CRITICAL, 
    format=0x7f6466dec60f "%s: assertion '%s' failed", args=0x7ffd73989de8)
    at ../../../../Projects/glib/glib/gmessages.c:1418
#2  0x00007f6466d6d830 in g_log (log_domain=0x7f6466735efb "Gdk", log_level=G_LOG_LEVEL_CRITICAL, 
    format=0x7f6466dec60f "%s: assertion '%s' failed") at ../../../../Projects/glib/glib/gmessages.c:1460
#3  0x00007f6466d7088d in g_return_if_fail_warning (log_domain=0x7f6466735efb "Gdk", 
    pretty_function=0x7f6466736080 <__func__.2> "gdk_memory_texture_new", expression=0x7f6466735ef1 "width > 0")
    at ../../../../Projects/glib/glib/gmessages.c:2930
#4  0x00007f64665a3cce in gdk_memory_texture_new (width=0, height=0, format=GDK_MEMORY_B8G8R8A8_PREMULTIPLIED, 
    bytes=0x110c6e0, stride=0) at ../../../../Projects/gtk/gdk/gdkmemorytexture.c:150
#5  0x00007f6463ae646a in WebCore::cairoSurfaceToGdkTexture (
    surface=surface@entry=0x7f6465c6dbe0 <_cairo_surface_nil_invalid_size.lto_priv.0>)
    at /home/mcatanzaro/Projects/WebKit/Source/WebCore/platform/graphics/gtk/GdkCairoUtilities.cpp:56
#6  0x00007f64622c5e86 in webkit_web_view_get_snapshot_finish (webView=<optimized out>, result=0x1a38400, 
    error=0x7ffd73989fd0) at /home/mcatanzaro/Projects/WebKit/Source/WebKit/UIProcess/API/glib/WebKitWebView.cpp:4897
#7  0x00007f6466f050f6 in on_snapshot_ready (web_view=0x74e6e0, result=0x1a38400, task=0x1b2b480)
    at ../../../../Projects/epiphany/lib/ephy-snapshot-service.c:425
#8  0x00007f6466add58a in g_task_return_now (task=0x1a38400) at ../../../../Projects/glib/gio/gtask.c:1309
#9  0x00007f6466add6d6 in g_task_return (task=0x1a38400, type=G_TASK_RETURN_SUCCESS)
    at ../../../../Projects/glib/gio/gtask.c:1378
#10 0x00007f6466ade2df in g_task_return_pointer (task=0x1a38400, 
    result=0x7f6465c6dbe0 <_cairo_surface_nil_invalid_size.lto_priv.0>, 
    result_destroy=0x7f6465bf07a0 <INT_cairo_surface_destroy>) at ../../../../Projects/glib/gio/gtask.c:1812
#11 0x00007f64622c943d in webkit_web_view_get_snapshot::$_9::operator() (handle=..., this=<optimized out>)
    at /home/mcatanzaro/Projects/WebKit/Source/WebKit/UIProcess/API/glib/WebKitWebView.cpp:4867
#12 WTF::Detail::CallableWrapper<webkit_web_view_get_snapshot::$_9, void, WebKit::ShareableBitmapHandle const&>::call
    (this=0x7f645200c0f0, in=...) at WTF/Headers/wtf/Function.h:53
#13 0x00007f646222dbe7 in WTF::Function<void (WebKit::ShareableBitmapHandle const&)>::operator()(WebKit::ShareableBitmapHandle const&) const (in=..., this=<optimized out>) at WTF/Headers/wtf/Function.h:82
#14 WTF::CompletionHandler<void (WebKit::ShareableBitmapHandle const&)>::operator()(WebKit::ShareableBitmapHandle const&) (this=0x7f645200c328, in=...) at WTF/Headers/wtf/CompletionHandler.h:75
#15 std::__invoke_impl<void, WTF::CompletionHandler<void (WebKit::ShareableBitmapHandle const&)>, WebKit::ShareableBitmapHandle>(std::__invoke_other, WTF::CompletionHandler<void (WebKit::ShareableBitmapHandle const&)>&&, WebKit::ShareableBitmapHandle&&) (__f=..., __args=...)
    at /usr/bin/../lib/gcc/x86_64-redhat-linux/12/../../../../include/c++/12/bits/invoke.h:61
#16 std::__invoke<WTF::CompletionHandler<void (WebKit::ShareableBitmapHandle const&)>, WebKit::ShareableBitmapHandle>(WTF::CompletionHandler<void (WebKit::ShareableBitmapHandle const&)>&&, WebKit::ShareableBitmapHandle&&) (__fn=..., 
    __args=...) at /usr/bin/../lib/gcc/x86_64-redhat-linux/12/../../../../include/c++/12/bits/invoke.h:96
#17 std::__apply_impl<WTF::CompletionHandler<void (WebKit::ShareableBitmapHandle const&)>, std::tuple<WebKit::ShareableBitmapHandle>, 0ul>(WTF::CompletionHandler<void (WebKit::ShareableBitmapHandle const&)>&&, std::tuple<WebKit::ShareableBitmapHandle>&&, std::integer_sequence<unsigned long, 0ul>) (__f=..., __t=...)
    at /usr/bin/../lib/gcc/x86_64-redhat-linux/12/../../../../include/c++/12/tuple:1852
#18 std::apply<WTF::CompletionHandler<void (WebKit::ShareableBitmapHandle const&)>, std::tuple<WebKit::ShareableBitmapHandle> >(WTF::CompletionHandler<void (WebKit::ShareableBitmapHandle const&)>&&, std::tuple<WebKit::ShareableBitmapHandle>&&) (__f=..., __t=...) at /usr/bin/../lib/gcc/x86_64-redhat-linux/12/../../../../include/c++/12/tuple:1863
#19 IPC::Connection::callReply<Messages::WebPage::TakeSnapshot, WTF::CompletionHandler<void (WebKit::ShareableBitmapHandle const&)> >(IPC::Decoder&, WTF::CompletionHandler<void (WebKit::ShareableBitmapHandle const&)>&&) (decoder=..., 
    completionHandler=...) at /home/mcatanzaro/Projects/WebKit/Source/WebKit/Platform/IPC/Connection.h:704
#20 0x00007f64621a3c26 in WTF::Function<void (IPC::Decoder*)>::operator()(IPC::Decoder*) const (in=0x0, 
    this=<optimized out>) at WTF/Headers/wtf/Function.h:82
#21 WTF::CompletionHandler<void (IPC::Decoder*)>::operator()(IPC::Decoder*) (this=<optimized out>, in=0x0)
--Type <RET> for more, q to quit, c to continue without paging--c
    at WTF/Headers/wtf/CompletionHandler.h:75
#22 WebKit::AuxiliaryProcessProxy::sendMessage(WTF::UniqueRef<IPC::Encoder>&&, WTF::OptionSet<IPC::SendOption>, std::optional<IPC::Connection::AsyncReplyHandler>, WebKit::AuxiliaryProcessProxy::ShouldStartProcessThrottlerActivity)::$_1::operator()(IPC::Decoder*) (this=<optimized out>, decoder=0x0) at /home/mcatanzaro/Projects/WebKit/Source/WebKit/UIProcess/AuxiliaryProcessProxy.cpp:219
#23 WTF::Detail::CallableWrapper<WebKit::AuxiliaryProcessProxy::sendMessage(WTF::UniqueRef<IPC::Encoder>&&, WTF::OptionSet<IPC::SendOption>, std::optional<IPC::Connection::AsyncReplyHandler>, WebKit::AuxiliaryProcessProxy::ShouldStartProcessThrottlerActivity)::$_1, void, IPC::Decoder*>::call(IPC::Decoder*) (this=<optimized out>, in=0x0) at WTF/Headers/wtf/Function.h:53
#24 0x00007f6462142485 in WTF::Function<void (IPC::Decoder*)>::operator()(IPC::Decoder*) const (in=0x7f6452118270, this=<optimized out>) at WTF/Headers/wtf/Function.h:82
#25 WTF::CompletionHandler<void (IPC::Decoder*)>::operator()(IPC::Decoder*) (this=0x7ffd7398a178, in=0x7f6452118270) at WTF/Headers/wtf/CompletionHandler.h:75
#26 IPC::Connection::dispatchMessage (this=0x7f645215c1a0, decoder=...) at /home/mcatanzaro/Projects/WebKit/Source/WebKit/Platform/IPC/Connection.cpp:1179
#27 0x00007f6462142606 in IPC::Connection::dispatchMessage (this=0x7f645215c1a0, message=std::unique_ptr<IPC::Decoder> = {...}) at /home/mcatanzaro/Projects/WebKit/Source/WebKit/Platform/IPC/Connection.cpp:1245
#28 0x00007f6462142b82 in IPC::Connection::dispatchIncomingMessages (this=0x7f645215c1a0) at /home/mcatanzaro/Projects/WebKit/Source/WebKit/Platform/IPC/Connection.cpp:1355
#29 0x00007f6460eba31c in WTF::Function<void ()>::operator()() const (this=<optimized out>) at /home/mcatanzaro/Projects/WebKit/Source/WTF/wtf/Function.h:82
#30 WTF::RunLoop::performWork (this=0x7f64520100e0) at /home/mcatanzaro/Projects/WebKit/Source/WTF/wtf/RunLoop.cpp:147
#31 0x00007f6460f1b8c6 in WTF::RunLoop::RunLoop()::$_1::operator()(void*) const (userData=0x1, userData@entry=0x7f64520100e0, this=<optimized out>) at /home/mcatanzaro/Projects/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:80
#32 WTF::RunLoop::RunLoop()::$_1::__invoke(void*) (userData=0x1, userData@entry=0x7f64520100e0) at /home/mcatanzaro/Projects/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:79
#33 0x00007f6460f1adfa in WTF::RunLoop::$_0::operator() (source=0x7717c0, callback=0x7f6460f1b8c0 <WTF::RunLoop::RunLoop()::$_1::__invoke(void*)>, userData=0x7f64520100e0, this=<optimized out>) at /home/mcatanzaro/Projects/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:53
#34 WTF::RunLoop::$_0::__invoke (source=0x7717c0, callback=0x7f6460f1b8c0 <WTF::RunLoop::RunLoop()::$_1::__invoke(void*)>, userData=0x7f64520100e0) at /home/mcatanzaro/Projects/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:45
#35 0x00007f6466d6071b in g_main_dispatch (context=0x732a90) at ../../../../Projects/glib/glib/gmain.c:3460
#36 0x00007f6466d6168f in g_main_context_dispatch (context=0x732a90) at ../../../../Projects/glib/glib/gmain.c:4200
#37 0x00007f6466d61882 in g_main_context_iterate (context=0x732a90, block=1, dispatch=1, self=0x738950) at ../../../../Projects/glib/glib/gmain.c:4276
#38 0x00007f6466d61946 in g_main_context_iteration (context=0x732a90, may_block=1) at ../../../../Projects/glib/glib/gmain.c:4343
#39 0x00007f6466b1edc2 in g_application_run (application=0x777240, argc=1, argv=0x7ffd7398a668) at ../../../../Projects/glib/gio/gapplication.c:2573
#40 0x0000000000404d48 in main (argc=1, argv=0x7ffd7398a668) at ../../../../Projects/epiphany/src/ephy-main.c:434
Comment 1 Michael Catanzaro 2023-02-16 15:15:48 PST 
So an initial fix is:

diff --git a/Source/WebCore/platform/graphics/gtk/GdkCairoUtilities.cpp b/Source/WebCore/platform/graphics/gtk/GdkCairoUtilities.cpp
index 299bea86401d..43c20263e429 100644
--- a/Source/WebCore/platform/graphics/gtk/GdkCairoUtilities.cpp
+++ b/Source/WebCore/platform/graphics/gtk/GdkCairoUtilities.cpp
@@ -48,6 +48,8 @@ GRefPtr<GdkTexture> cairoSurfaceToGdkTexture(cairo_surface_t* surface)
     ASSERT(cairo_image_surface_get_format(surface) == CAIRO_FORMAT_ARGB32);
     auto width = cairo_image_surface_get_width(surface);
     auto height = cairo_image_surface_get_height(surface);
+    if (width <= 0 || height <= 0)
+        return nullptr;
     auto stride = cairo_image_surface_get_stride(surface);
     auto* data = cairo_image_surface_get_data(surface);
     GRefPtr<GBytes> bytes = adoptGRef(g_bytes_new_with_free_func(data, height * stride, [](gpointer data) {

But then Epiphany crashes later on in ephy_snapshot_service_prepare_snapshot() in basically the same way, and it doesn't look like Epiphany, fault. Problem is webkit_web_view_get_snapshot_finish() can return nullptr without setting the error parameter. I think we should set WEBKIT_SNAPSHOT_ERROR_FAILED_TO_CREATE error when returning nullptr, does that sound OK?
Comment 2 Michael Catanzaro 2023-02-17 16:17:32 PST 
Pull request: https://github.com/WebKit/WebKit/pull/10310
Comment 3 EWS 2024-02-01 07:45:41 PST 
Committed 273907@main (39559cbd2d25): <https://commits.webkit.org/273907@main>

Reviewed commits have been landed. Closing PR #10310 and removing active labels.