Bug 255761 - [GTK] Crash in WebCore::BackgroundPainter::calculateBackgroundImageGeometry
Summary: [GTK] Crash in WebCore::BackgroundPainter::calculateBackgroundImageGeometry
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKitGTK (show other bugs)
Version: WebKit Nightly Build
Hardware: PC Linux
: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-04-20 20:09 PDT by Michael Catanzaro
Modified: 2023-04-20 20:34 PDT (History)
6 users (show)

See Also:

Attachments
Full backtrace (68.61 KB, text/plain)
2023-04-20 20:09 PDT, Michael Catanzaro 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Catanzaro 2023-04-20 20:09:43 PDT 
Created attachment 466023 [details]
Full backtrace

Using WebKitGTK 2.41.2 (262949@main), load https://www.ksl.com/article/50624749/hero-uhp-sergeant-praised-for-stopping-wrong-way-driver and the web process will always crash:

#0  WTF::RefPtr<WebCore::WeakPtrImplWithEventTargetData, WTF::RawPtrTraits<WebCore::WeakPtrImplWithEventTargetData>, WTF::DefaultRefDerefTraits<WebCore::WeakPtrImplWithEventTargetData> >::operator bool() const (this=0x10)
    at WTF/Headers/wtf/RefPtr.h:92
#1  WTF::WeakPtr<WebCore::Node, WebCore::WeakPtrImplWithEventTargetData>::get() const (this=0x10)
    at WTF/Headers/wtf/WeakPtr.h:127
#2  WTF::WeakPtr<WebCore::Node, WebCore::WeakPtrImplWithEventTargetData>::operator->() const (this=0x10)
    at WTF/Headers/wtf/WeakPtr.h:140
#3  WebCore::RenderObject::document() const (this=0x0)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderObject.h:509
#4  WebCore::RenderObject::view() const (this=0x0)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderObject.h:488
#5  WebCore::BackgroundPainter::calculateBackgroundImageGeometry(WebCore::RenderBoxModelObject const&, WebCore::RenderLayerModelObject const*, WebCore::FillLayer const&, WebCore::LayoutPoint const&, WebCore::LayoutRect const&)
    (renderer=..., paintContainer=0x0, fillLayer=..., paintOffset=..., borderBoxRect=...)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/BackgroundPainter.cpp:510
#6  0x00007fc8790f68e4 in WebCore::RenderLayerBacking::updateDirectlyCompositedBackgroundImage(WebCore::PaintedContentsInfo&, bool&) (this=0x7fc85e448100, contentsInfo=..., didUpdateContentsRect=@0x7ffef129ba70: true)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderLayerBacking.cpp:2735
#7  0x00007fc8790f1833 in WebCore::RenderLayerBacking::updateDirectlyCompositedBoxDecorations(WebCore::PaintedContentsInfo&, bool&) (this=0x7fc85e448100, contentsInfo=..., didUpdateContentsRect=@0x7ffef129ba70: true)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderLayerBacking.cpp:1713
#8  WebCore::RenderLayerBacking::updateConfiguration(WebCore::RenderLayer const*)
    (this=0x7fc85e448100, compositingAncestor=<optimized out>)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderLayerBacking.cpp:1107
#9  0x00007fc879100ba3 in WebCore::RenderLayerCompositor::updateBackingAndHierarchy(WebCore::RenderLayer&, WTF::Vector<WTF::Ref<WebCore::GraphicsLayer, WTF::RawPtrTraits<WebCore::GraphicsLayer> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WebCore::RenderLayerCompositor::UpdateBackingTraversalState&, WebCore::ScrollingTreeState&, WTF::OptionSet<WebCore::RenderLayerCompositor::UpdateLevel>)
    (this=0x7fc85e0200e0, layer=..., childLayersOfEnclosingLayer=..., traversalState=..., scrollingTreeState=..., updateLevel=...) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderLayerCompositor.cpp:1364
#10 0x00007fc879100f61 in WebCore::RenderLayerCompositor::updateBackingAndHierarchy(WebCore::RenderLayer&, WTF::Vector<WTF::Ref<WebCore::GraphicsLayer, WTF::RawPtrTraits<WebCore::GraphicsLayer> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WebCore::RenderLayerCompositor::UpdateBackingTraversalState&, WebCore::ScrollingTreeState&, WTF::OptionSet<WebCore::RenderLayerCompositor::UpdateLevel>)
    (this=0x7fc85e0200e0, layer=..., childLayersOfEnclosingLayer=..., traversalState=..., scrollingTreeState=..., updateLevel=...) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderLayerCompositor.cpp:1439 

I'll attach a full backtrace.

Notably, the second parameter to BackgroundPainter::calculateBackgroundImageGeometry is nullptr. And the first and second parameters are both the same, so that means the first parameter is an invalid reference. The calls to renderBox() in RenderLayerBacking::updateDirectlyCompositedBackgroundImage are apparently returning nullptr.
Comment 1 Michael Catanzaro 2023-04-20 20:14:47 PDT 
Looks like this code was last touched in 254301@main (but I have not tested to see if that is to blame).
Comment 2 Simon Fraser (smfr) 2023-04-20 20:17:32 PDT 
FYI Cocoa platforms don’t use updateDirectlyCompositedBackgroundImage().
Comment 3 Michael Catanzaro 2023-04-20 20:33:47 PDT 
This naive patch avoids the crash (but I doubt it's the correct solution):

diff --git a/Source/WebCore/rendering/RenderLayerBacking.cpp b/Source/WebCore/rendering/RenderLayerBacking.cpp
index d182f008bfdd..3628348a4d60 100644
--- a/Source/WebCore/rendering/RenderLayerBacking.cpp
+++ b/Source/WebCore/rendering/RenderLayerBacking.cpp
@@ -2730,6 +2730,9 @@ void RenderLayerBacking::updateDirectlyCompositedBackgroundImage(PaintedContents
         return;
     }
 
+    if (!renderBox())
+        return;
+
     auto backgroundBox = LayoutRect { backgroundBoxForSimpleContainerPainting() };
     // FIXME: Absolute paint location is required here.
     auto geometry = BackgroundPainter::calculateBackgroundImageGeometry(*renderBox(), renderBox(), style.backgroundLayers(), { }, backgroundBox);

> FYI Cocoa platforms don’t use updateDirectlyCompositedBackgroundImage().

Uh, OK, let's move to WebKitGTK component then.