Bug 254262

Summary: RPI3 (32bits) ARMv7 NEON crashes on WebCore::TextureMapperLayer::paintWith3DRenderingContext()
Product: WebKit
Reporter: Pablo Saavedra <psaavedra>
Component: New Bugs
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED INVALID
Severity: Normal
CC: Hironori.Fujii
Priority: P2
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
See Also: https://bugs.webkit.org/show_bug.cgi?id=244526

Description Pablo Saavedra 2023-03-22 02:44:12 PDT
... using the VC4 Mesa driver:

```
#0  0x6a096c22 in _mesa_update_renderbuffer_surface (ctx=ctx@entry=0x6bfc8020, rb=rb@entry=0x2476190) at ../mesa-22.0.3/src/mesa/main/renderbuffer.c:581
#1  0x6a087ed0 in render_texture (ctx=ctx@entry=0x6bfc8020, att=att@entry=0x24f3a04, fb=0x24f3858) at ../mesa-22.0.3/src/mesa/main/fbobject.c:451
#2  0x6a089320 in _mesa_update_texture_renderbuffer (ctx=ctx@entry=0x6bfc8020, fb=fb@entry=0x24f3858, att=att@entry=0x24f3a04) at ../mesa-22.0.3/src/mesa/main/fbobject.c:590
#3  0x6a08cad0 in set_texture_attachment (layered=0 '\000', layer=1778962583, samples=38787704, level=3553, texTarget=<optimized out>, texObj=0x24fda78, att=0x24f3a04, fb=0x24f3858, ctx=0x6bfc8020)
    at ../mesa-22.0.3/src/mesa/main/fbobject.c:631
#4  _mesa_framebuffer_texture (ctx=0x6bfc8020, fb=0x24f3858, attachment=36064, att=0x24f3a04, texObj=<optimized out>, textarget=<optimized out>, level=0, samples=0, layer=0, layered=0 '\000')
    at ../mesa-22.0.3/src/mesa/main/fbobject.c:4019
#5  0x6a08cdb0 in framebuffer_texture_with_dims (dims=3553, target=<optimized out>, framebuffer=<optimized out>, attachment=<optimized out>, textarget=<optimized out>, texture=<optimized out>, level=0, samples=0, layer=0, caller=0x0, 
    dsa=false) at ../mesa-22.0.3/src/mesa/main/fbobject.c:4121
#6  0x6a08d096 in _mesa_FramebufferTexture2D (target=<optimized out>, attachment=<optimized out>, textarget=3553, texture=<optimized out>, level=0) at ../mesa-22.0.3/src/mesa/main/fbobject.c:4159
#7  0x74d28e58 in WebCore::BitmapTextureGL::createFboIfNeeded() [clone .part.0] () from /opt/browsers/1.0/sysroots/cortexa7t2hf-neon-vfpv4-poky-linux-gnueabi/usr/lib/libWPEWebKit-2.0.so.0.0.0
#8  0x74d29b0c in WebCore::BitmapTextureGL::bindAsSurface() () from /opt/browsers/1.0/sysroots/cortexa7t2hf-neon-vfpv4-poky-linux-gnueabi/usr/lib/libWPEWebKit-2.0.so.0.0.0
#9  0x74d2a984 in WebCore::TextureMapperGL::bindSurface(WebCore::BitmapTexture*) () from /opt/browsers/1.0/sysroots/cortexa7t2hf-neon-vfpv4-poky-linux-gnueabi/usr/lib/libWPEWebKit-2.0.so.0.0.0
#10 0x74d27c9c in WebCore::TextureMapperLayer::paintWith3DRenderingContext(WebCore::TextureMapperPaintOptions&) () from /opt/browsers/1.0/sysroots/cortexa7t2hf-neon-vfpv4-poky-linux-gnueabi/usr/lib/libWPEWebKit-2.0.so.0.0.0
#11 0x76e9e964 in ?? () from /opt/browsers/1.0/sysroots/cortexa7t2hf-neon-vfpv4-poky-linux-gnueabi/usr/lib/libWPEWebKit-2.0.so.0.0.0
```

The crash seems to be a side effect of:

  TextureMapper: Attach a depth buffer for BitmapTextureGL for 3D transform
  https://bugs.webkit.org/show_bug.cgi?id=244526

since this crash is not reproducible after a partial revert of the https://commits.webkit.org/255021@main commit.


``` diff
diff --git a/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp b/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp
index f891d9bc8c70..f627ebdecaf8 100644
--- a/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp
+++ b/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp
@@ -754,9 +754,10 @@ void TextureMapperLayer::paintRecursive(TextureMapperPaintOptions& options)
 
     SetForScope scopedOpacity(options.opacity, options.opacity * m_currentOpacity);
 
-    if (m_state.preserves3D)
-        paintWith3DRenderingContext(options);
-    else if (shouldBlend())
+    if (shouldBlend())
         paintUsingOverlapRegions(options);
     else
         paintSelfChildrenReplicaFilterAndMask(options);
```
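Review bot: the removed `if (m_state.preserves3D)` branch is the only call to `paintWith3DRenderingContext(options)` visible in this hunk, so after the change every layer with `preserves3D` set is painted through `paintUsingOverlapRegions()` or `paintSelfChildrenReplicaFilterAndMask()` on all hardware, not only on the VC4 setup in the report. That is fine as a bisection aid, but as a fix it needs a comment explaining why the 3D path is skipped and a narrower condition. The backtrace faults below `BitmapTextureGL::createFboIfNeeded()`, so a guard placed at that point would be a more targeted change than removing the dispatch.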

Comment 1 Pablo Saavedra 2023-03-22 02:46:14 PDT
The problem is reproducible on WPE using `cog -P wl https://webkit.org/blog-files/3d-transforms/poster-circle.html`

Comment 2 Fujii Hironori 2023-03-22 19:04:18 PDT
glFramebufferTexture2D is used not only for the 3D rendering context, but also for layers with filters and semi-transparent layers.
Does css3/filters/effect-blur-hw.html also crash?
glFramebufferTexture2D was used even before 255021@main.

Comment 3 Pablo Saavedra 2023-03-24 02:44:29 PDT
I will set this issue as invalid since I was not able to reproduce it yesterday, but 2 days ago it was reproducible quite consistently.

I am going to assume some mistake or some problem during the image generation.

If I have another occurrence of it I will reopen the issue with more information (including tests on css3/filters/effect-blur-hw.html).

Sorry Fujii Hironori for the noise.