Bug 254942

Summary:

REGRESSION(262518@main) [cairo] Crash under GraphicsContextGL::paintToCanvas

Product:

WebKit

Reporter:

Fujii Hironori <Hironori.Fujii>

Component:

Platform

Assignee:

Fujii Hironori <Hironori.Fujii>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

djg, webkit-bug-importer

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
WIP patch	none
Patch of using cairo_image_surface_create (doesn't work as expected)	none

Description Fujii Hironori 2023-04-03 13:44:31 PDT

Windows port is crashing for some WebGL tests after 262518@main.

Regressions: Unexpected crashes (42)
  webgl/2.0.0/conformance/canvas/draw-static-webgl-to-multiple-canvas-test.html [ Crash ]
  webgl/2.0.0/conformance/canvas/draw-webgl-to-canvas-test.html [ Crash ]
  webgl/2.0.0/conformance/canvas/to-data-url-test.html [ Crash ]
  webgl/2.0.0/conformance/textures/misc/texture-hd-dpi.html [ Crash ]
  webgl/2.0.0/conformance2/textures/canvas_sub_rectangle/tex-2d-r11f_g11f_b10f-rgb-float.html [ Crash ]
  webgl/2.0.0/conformance2/textures/canvas_sub_rectangle/tex-2d-r11f_g11f_b10f-rgb-half_float.html [ Crash ]
  webgl/2.0.0/conformance2/textures/canvas_sub_rectangle/tex-2d-r11f_g11f_b10f-rgb-unsigned_int_10f_11f_11f_rev.html [ Crash ]
  webgl/2.0.0/conformance2/textures/canvas_sub_rectangle/tex-2d-r16f-red-float.html [ Crash ]
  webgl/2.0.0/conformance2/textures/canvas_sub_rectangle/tex-2d-r16f-red-half_float.html [ Crash ]
  webgl/2.0.0/conformance2/textures/canvas_sub_rectangle/tex-2d-r32f-red-float.html [ Crash ]
  webgl/2.0.0/conformance2/textures/canvas_sub_rectangle/tex-2d-r8-red-unsigned_byte.html [ Crash ]
  webgl/2.0.0/conformance2/textures/canvas_sub_rectangle/tex-2d-r8ui-red_integer-unsigned_byte.html [ Crash ]
  webgl/2.0.0/conformance2/textures/canvas_sub_rectangle/tex-2d-rg16f-rg-float.html [ Crash ]
  webgl/2.0.0/conformance2/textures/canvas_sub_rectangle/tex-2d-rg16f-rg-half_float.html [ Crash ]
  webgl/2.0.0/conformance2/textures/canvas_sub_rectangle/tex-2d-rg32f-rg-float.html [ Crash ]
  webgl/2.0.0/conformance2/textures/canvas_sub_rectangle/tex-2d-rg8-rg-unsigned_byte.html [ Crash ]
  webgl/2.0.0/conformance2/textures/canvas_sub_rectangle/tex-2d-rg8ui-rg_integer-unsigned_byte.html [ Crash ]
  webgl/2.0.0/conformance2/textures/canvas_sub_rectangle/tex-2d-rgb16f-rgb-float.html [ Crash ]
  webgl/2.0.0/conformance2/textures/canvas_sub_rectangle/tex-2d-rgb16f-rgb-half_float.html [ Crash ]
  webgl/2.0.0/conformance2/textures/canvas_sub_rectangle/tex-2d-rgb32f-rgb-float.html [ Crash ]
  webgl/2.0.0/conformance2/textures/canvas_sub_rectangle/tex-2d-rgb565-rgb-unsigned_byte.html [ Crash ]
  webgl/2.0.0/conformance2/textures/canvas_sub_rectangle/tex-2d-rgb565-rgb-unsigned_short_5_6_5.html [ Crash ]
  webgl/2.0.0/conformance2/textures/canvas_sub_rectangle/tex-2d-rgb5_a1-rgba-unsigned_byte.html [ Crash ]
  webgl/2.0.0/conformance2/textures/canvas_sub_rectangle/tex-2d-rgb5_a1-rgba-unsigned_short_5_5_5_1.html [ Crash ]
  webgl/2.0.0/conformance2/textures/canvas_sub_rectangle/tex-2d-rgb8-rgb-unsigned_byte.html [ Crash ]
  webgl/2.0.0/conformance2/textures/canvas_sub_rectangle/tex-2d-rgb8ui-rgb_integer-unsigned_byte.html [ Crash ]
  webgl/2.0.0/conformance2/textures/canvas_sub_rectangle/tex-2d-rgb9_e5-rgb-float.html [ Crash ]
  webgl/2.0.0/conformance2/textures/canvas_sub_rectangle/tex-2d-rgb9_e5-rgb-half_float.html [ Crash ]
  webgl/2.0.0/conformance2/textures/canvas_sub_rectangle/tex-2d-rgba16f-rgba-float.html [ Crash ]
  webgl/2.0.0/conformance2/textures/canvas_sub_rectangle/tex-2d-rgba16f-rgba-half_float.html [ Crash ]
  webgl/2.0.0/conformance2/textures/canvas_sub_rectangle/tex-2d-rgba32f-rgba-float.html [ Crash ]
  webgl/2.0.0/conformance2/textures/canvas_sub_rectangle/tex-2d-rgba4-rgba-unsigned_short_4_4_4_4.html [ Crash ]
  webgl/2.0.0/conformance2/textures/canvas_sub_rectangle/tex-2d-rgba8-rgba-unsigned_byte.html [ Crash ]
  webgl/2.0.0/conformance2/textures/canvas_sub_rectangle/tex-2d-rgba8ui-rgba_integer-unsigned_byte.html [ Crash ]
  webgl/2.0.y/conformance/canvas/to-data-url-test.html [ Crash ]
  webgl/2.0.y/conformance/ogles/GL/abs/abs_001_to_006.html [ Crash ]
  webgl/2.0.y/conformance/ogles/GL/acos/acos_001_to_006.html [ Crash ]
  webgl/2.0.y/conformance/ogles/GL/default/default_001_to_001.html [ Crash ]
  webgl/2.0.y/conformance/ogles/GL/degrees/degrees_001_to_006.html [ Crash ]
  webgl/2.0.y/conformance/ogles/GL/min/min_001_to_006.html [ Crash ]
  webgl/2.0.y/conformance/ogles/GL/mix/mix_001_to_006.html [ Crash ]
  webgl/draw-webgl-to-context2d-memory-test.html [ Crash ]

Call stack:

> [Inline Frame] cairo.dll!scaled_nearest_scanline_8888_8888_cover_SRC(unsigned int * dst, const unsigned int * w, int vx, int) Line 1185	C
> [Inline Frame] cairo.dll!scaled_nearest_scanline_8888_8888_cover_SRC_8888_8888_cover_SRC_wrapper(const unsigned char * src, unsigned int * vx, const unsigned int *) Line 1185	C
> cairo.dll!fast_composite_scaled_nearest_8888_8888_cover_SRC(pixman_implementation_t * imp, pixman_composite_info_t * info) Line 1185	C
> cairo.dll!pixman_image_composite32(pixman_op_t op, pixman_image * src, pixman_image * mask, pixman_image * dest, int src_x, int src_y, int mask_x, int mask_y, int dest_x, int dest_y, int width, int height) Line 700	C
> cairo.dll!composite_boxes(void * _dst, _cairo_operator op, _cairo_surface * abstract_src, _cairo_surface * abstract_mask, int src_x, int src_y, int mask_x, int mask_y, int dst_x, int dst_y, _cairo_boxes_t * boxes, const _cairo_rectangle_int * extents) Line 538	C
> cairo.dll!composite_aligned_boxes(const cairo_spans_compositor * compositor, const _cairo_composite_rectangles * extents, _cairo_boxes_t * boxes) Line 688	C
> cairo.dll!clip_and_composite_boxes(const cairo_spans_compositor * compositor, _cairo_composite_rectangles * extents, _cairo_boxes_t * boxes) Line 883	C
> cairo.dll!_cairo_spans_compositor_paint(const cairo_compositor * _compositor, _cairo_composite_rectangles * extents) Line 1000	C
> cairo.dll!_cairo_compositor_paint(const cairo_compositor * compositor, _cairo_surface * surface, _cairo_operator op, const _cairo_pattern * source, const _cairo_clip * clip) Line 67	C
> cairo.dll!_cairo_image_surface_paint(void * abstract_surface, _cairo_operator op, const _cairo_pattern * source, const _cairo_clip * clip) Line 947	C
> cairo.dll!_cairo_surface_paint(_cairo_surface * surface, _cairo_operator op, const _cairo_pattern * source, const _cairo_clip * clip) Line 2213	C
> cairo.dll!_cairo_gstate_paint(_cairo_gstate * gstate) Line 1100	C
> cairo.dll!_cairo_default_context_paint_with_alpha(void * abstract_cr, double alpha) Line 996	C
> cairo.dll!cairo_paint_with_alpha(_cairo * cr, double alpha) Line 2301	C
> WebCore.dll!WebCore::Cairo::drawPatternToCairoContext(_cairo * cr, _cairo_pattern * pattern, const WebCore::FloatRect & destRect, float alpha) Line 157	C++
> WebCore.dll!WebCore::Cairo::drawSurface(WebCore::GraphicsContextCairo & platformContext, _cairo_surface * surface, const WebCore::FloatRect & destRect, const WebCore::FloatRect & originalSrcRect, WebCore::InterpolationQuality imageInterpolationQuality, float globalAlpha, const WebCore::Cairo::ShadowState & shadowState, WebCore::Cairo::OrientationSizing orientationSizing) Line 946	C++
> WebCore.dll!WebCore::Cairo::drawPlatformImage(WebCore::GraphicsContextCairo & platformContext, _cairo_surface * surface, const WebCore::FloatRect & destRect, const WebCore::FloatRect & srcRect, const WebCore::ImagePaintingOptions & options, float globalAlpha, const WebCore::Cairo::ShadowState & shadowState) Line 850	C++
> WebCore.dll!WebCore::GraphicsContextCairo::drawNativeImageInternal(WebCore::NativeImage & nativeImage, const WebCore::FloatSize & __formal, const WebCore::FloatRect & destRect, const WebCore::FloatRect & srcRect, const WebCore::ImagePaintingOptions & options) Line 148	C++
> WebCore.dll!WebCore::NativeImage::draw(WebCore::GraphicsContext & context, const WebCore::FloatSize & imageSize, const WebCore::FloatRect & destinationRect, const WebCore::FloatRect & sourceRect, const WebCore::ImagePaintingOptions & options) Line 69	C++
> WebCore.dll!WebCore::GraphicsContext::drawNativeImage(WebCore::NativeImage & image, const WebCore::FloatSize & imageSize, const WebCore::FloatRect & destination, const WebCore::FloatRect & source, const WebCore::ImagePaintingOptions & options) Line 281	C++
> WebCore.dll!WebCore::GraphicsContextGL::paintToCanvas(WebCore::NativeImage & image, const WebCore::IntSize & canvasSize, WebCore::GraphicsContext & context) Line 707	C++
> WebKit2.dll!WebKit::RemoteGraphicsContextGL::paintNativeImageToImageBuffer::__l2::<lambda_1>::operator()() Line 271	C++
> WebKit2.dll!WTF::Detail::CallableWrapper<`WebKit::RemoteGraphicsContextGL::paintNativeImageToImageBuffer'::`2'::<lambda_1>,void>::call() Line 53	C++
> WebKit2.dll!WTF::Function<void __cdecl(void)>::operator()() Line 83	C++
> WebKit2.dll!IPC::StreamConnectionWorkQueue::processStreams() Line 151	C++
> WebKit2.dll!IPC::StreamConnectionWorkQueue::startProcessingThread::__l2::<lambda_1>::operator()() Line 117	C++
> WebKit2.dll!WTF::Detail::CallableWrapper<`IPC::StreamConnectionWorkQueue::startProcessingThread'::`2'::<lambda_1>,void>::call() Line 53	C++
> WTF.dll!WTF::Function<void __cdecl(void)>::operator()() Line 83	C++
> WTF.dll!WTF::Thread::entryPoint(WTF::Thread::NewThreadContext * newThreadContext) Line 250	C++
> WTF.dll!WTF::wtfThreadEntryPoint(void * data) Line 151	C++
> ucrtbase.dll!00007ff8990e1bb2()	Unknown
> kernel32.dll!00007ff89b087614()	Unknown
> ntdll.dll!00007ff89b1c26a1()	Unknown

Comment 1 Dan Glastonbury 2023-04-03 16:43:50 PDT

Please let me know if I can assist with fixing this.

Comment 2 Fujii Hironori 2023-04-03 19:37:44 PDT

Created attachment 465756 [details]
WIP patch

GraphicsContextGLANGLE::withDrawingBufferAsNativeImage has to retain pixelBuffer until the function `func` is called.
Is this a cairo specific problem?

Comment 3 Fujii Hironori 2023-04-03 19:40:58 PDT

Created attachment 465757 [details]
Patch of using cairo_image_surface_create (doesn't work as expected)

Using cairo_image_surface_create instead of cairo_image_surface_create_for_data can avoid crashing.
But, a lot of tests fail.
It seems that GraphicsContextGL::createNativeImageFromPixelBuffer has to return a NativeImage that is using the given pixel buffer.

Comment 4 Fujii Hironori 2023-04-03 20:34:22 PDT

(In reply to Fujii Hironori from comment #2)
> Is this a cairo specific problem?

GraphicsContextGLCG.cpp retains the given PixelBuffer into dataProvider.
https://github.com/WebKit/WebKit/blob/565c294fbf5fe2ba6ef15fbb52f561bd5b7e1420/Source/WebCore/platform/graphics/cg/GraphicsContextGLCG.cpp#L527-L528

Comment 5 Fujii Hironori 2023-04-03 22:47:43 PDT

Pull request: https://github.com/WebKit/WebKit/pull/12365

Comment 6 EWS 2023-04-04 05:17:19 PDT

Committed 262575@main (fc5e0e6a297b): <https://commits.webkit.org/262575@main>

Reviewed commits have been landed. Closing PR #12365 and removing active labels.

Comment 7 Radar WebKit Bug Importer 2023-04-04 05:18:17 PDT

<rdar://problem/107607083>