Bug 255761

Summary: [GTK] Crash in WebCore::BackgroundPainter::calculateBackgroundImageGeometry
Product: WebKit Reporter: Michael Catanzaro <mcatanzaro>
Component: WebKitGTKAssignee: Nobody <webkit-unassigned>
Status: NEW ---    
Severity: Normal CC: bfulgham, bugs-noreply, koivisto, mcatanzaro, simon.fraser, zalan
Priority: P2    
Version: WebKit Nightly Build   
Hardware: PC   
OS: Linux   
Attachments:
Description Flags
Full backtrace none

Description Michael Catanzaro 2023-04-20 20:09:43 PDT 
Created attachment 466023 [details]
Full backtrace

Using WebKitGTK 2.41.2 (262949@main), load https://www.ksl.com/article/50624749/hero-uhp-sergeant-praised-for-stopping-wrong-way-driver and the web process will always crash:

#0  WTF::RefPtr<WebCore::WeakPtrImplWithEventTargetData, WTF::RawPtrTraits<WebCore::WeakPtrImplWithEventTargetData>, WTF::DefaultRefDerefTraits<WebCore::WeakPtrImplWithEventTargetData> >::operator bool() const (this=0x10)
    at WTF/Headers/wtf/RefPtr.h:92
#1  WTF::WeakPtr<WebCore::Node, WebCore::WeakPtrImplWithEventTargetData>::get() const (this=0x10)
    at WTF/Headers/wtf/WeakPtr.h:127
#2  WTF::WeakPtr<WebCore::Node, WebCore::WeakPtrImplWithEventTargetData>::operator->() const (this=0x10)
    at WTF/Headers/wtf/WeakPtr.h:140
#3  WebCore::RenderObject::document() const (this=0x0)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderObject.h:509
#4  WebCore::RenderObject::view() const (this=0x0)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderObject.h:488
#5  WebCore::BackgroundPainter::calculateBackgroundImageGeometry(WebCore::RenderBoxModelObject const&, WebCore::RenderLayerModelObject const*, WebCore::FillLayer const&, WebCore::LayoutPoint const&, WebCore::LayoutRect const&)
    (renderer=..., paintContainer=0x0, fillLayer=..., paintOffset=..., borderBoxRect=...)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/BackgroundPainter.cpp:510
#6  0x00007fc8790f68e4 in WebCore::RenderLayerBacking::updateDirectlyCompositedBackgroundImage(WebCore::PaintedContentsInfo&, bool&) (this=0x7fc85e448100, contentsInfo=..., didUpdateContentsRect=@0x7ffef129ba70: true)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderLayerBacking.cpp:2735
#7  0x00007fc8790f1833 in WebCore::RenderLayerBacking::updateDirectlyCompositedBoxDecorations(WebCore::PaintedContentsInfo&, bool&) (this=0x7fc85e448100, contentsInfo=..., didUpdateContentsRect=@0x7ffef129ba70: true)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderLayerBacking.cpp:1713
#8  WebCore::RenderLayerBacking::updateConfiguration(WebCore::RenderLayer const*)
    (this=0x7fc85e448100, compositingAncestor=<optimized out>)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderLayerBacking.cpp:1107
#9  0x00007fc879100ba3 in WebCore::RenderLayerCompositor::updateBackingAndHierarchy(WebCore::RenderLayer&, WTF::Vector<WTF::Ref<WebCore::GraphicsLayer, WTF::RawPtrTraits<WebCore::GraphicsLayer> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WebCore::RenderLayerCompositor::UpdateBackingTraversalState&, WebCore::ScrollingTreeState&, WTF::OptionSet<WebCore::RenderLayerCompositor::UpdateLevel>)
    (this=0x7fc85e0200e0, layer=..., childLayersOfEnclosingLayer=..., traversalState=..., scrollingTreeState=..., updateLevel=...) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderLayerCompositor.cpp:1364
#10 0x00007fc879100f61 in WebCore::RenderLayerCompositor::updateBackingAndHierarchy(WebCore::RenderLayer&, WTF::Vector<WTF::Ref<WebCore::GraphicsLayer, WTF::RawPtrTraits<WebCore::GraphicsLayer> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WebCore::RenderLayerCompositor::UpdateBackingTraversalState&, WebCore::ScrollingTreeState&, WTF::OptionSet<WebCore::RenderLayerCompositor::UpdateLevel>)
    (this=0x7fc85e0200e0, layer=..., childLayersOfEnclosingLayer=..., traversalState=..., scrollingTreeState=..., updateLevel=...) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderLayerCompositor.cpp:1439 

I'll attach a full backtrace.

Notably, the second parameter to BackgroundPainter::calculateBackgroundImageGeometry is nullptr. And the first and second parameters are both the same, so that means the first parameter is an invalid reference. The calls to renderBox() in RenderLayerBacking::updateDirectlyCompositedBackgroundImage are apparently returning nullptr.
Comment 1 Michael Catanzaro 2023-04-20 20:14:47 PDT 
Looks like this code was last touched in 254301@main (but I have not tested to see if that is to blame).
Comment 2 Simon Fraser (smfr) 2023-04-20 20:17:32 PDT 
FYI Cocoa platforms don’t use updateDirectlyCompositedBackgroundImage().
Comment 3 Michael Catanzaro 2023-04-20 20:33:47 PDT 
This naive patch avoids the crash (but I doubt it's the correct solution):

diff --git a/Source/WebCore/rendering/RenderLayerBacking.cpp b/Source/WebCore/rendering/RenderLayerBacking.cpp
index d182f008bfdd..3628348a4d60 100644
--- a/Source/WebCore/rendering/RenderLayerBacking.cpp
+++ b/Source/WebCore/rendering/RenderLayerBacking.cpp
@@ -2730,6 +2730,9 @@ void RenderLayerBacking::updateDirectlyCompositedBackgroundImage(PaintedContents
         return;
     }
 
+    if (!renderBox())
+        return;
+
     auto backgroundBox = LayoutRect { backgroundBoxForSimpleContainerPainting() };
     // FIXME: Absolute paint location is required here.
     auto geometry = BackgroundPainter::calculateBackgroundImageGeometry(*renderBox(), renderBox(), style.backgroundLayers(), { }, backgroundBox);

> FYI Cocoa platforms don’t use updateDirectlyCompositedBackgroundImage().

Uh, OK, let's move to WebKitGTK component then.