Bug 255761 (NEW)
[GTK] Crash in WebCore::BackgroundPainter::calculateBackgroundImageGeometry
https://bugs.webkit.org/show_bug.cgi?id=255761
Summary: [GTK] Crash in WebCore::BackgroundPainter::calculateBackgroundImageGeometry
Michael Catanzaro
Reported 2023-04-20 20:09:43 PDT
Created attachment 466023: Full backtrace

Using WebKitGTK 2.41.2 (262949@main), load https://www.ksl.com/article/50624749/hero-uhp-sergeant-praised-for-stopping-wrong-way-driver and the web process will always crash:

#0  WTF::RefPtr<WebCore::WeakPtrImplWithEventTargetData, WTF::RawPtrTraits<WebCore::WeakPtrImplWithEventTargetData>, WTF::DefaultRefDerefTraits<WebCore::WeakPtrImplWithEventTargetData> >::operator bool() const (this=0x10) at WTF/Headers/wtf/RefPtr.h:92
#1  WTF::WeakPtr<WebCore::Node, WebCore::WeakPtrImplWithEventTargetData>::get() const (this=0x10) at WTF/Headers/wtf/WeakPtr.h:127
#2  WTF::WeakPtr<WebCore::Node, WebCore::WeakPtrImplWithEventTargetData>::operator->() const (this=0x10) at WTF/Headers/wtf/WeakPtr.h:140
#3  WebCore::RenderObject::document() const (this=0x0) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderObject.h:509
#4  WebCore::RenderObject::view() const (this=0x0) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderObject.h:488
#5  WebCore::BackgroundPainter::calculateBackgroundImageGeometry(WebCore::RenderBoxModelObject const&, WebCore::RenderLayerModelObject const*, WebCore::FillLayer const&, WebCore::LayoutPoint const&, WebCore::LayoutRect const&) (renderer=..., paintContainer=0x0, fillLayer=..., paintOffset=..., borderBoxRect=...) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/BackgroundPainter.cpp:510
#6  0x00007fc8790f68e4 in WebCore::RenderLayerBacking::updateDirectlyCompositedBackgroundImage(WebCore::PaintedContentsInfo&, bool&) (this=0x7fc85e448100, contentsInfo=..., didUpdateContentsRect=@0x7ffef129ba70: true) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderLayerBacking.cpp:2735
#7  0x00007fc8790f1833 in WebCore::RenderLayerBacking::updateDirectlyCompositedBoxDecorations(WebCore::PaintedContentsInfo&, bool&) (this=0x7fc85e448100, contentsInfo=..., didUpdateContentsRect=@0x7ffef129ba70: true) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderLayerBacking.cpp:1713
#8  WebCore::RenderLayerBacking::updateConfiguration(WebCore::RenderLayer const*) (this=0x7fc85e448100, compositingAncestor=<optimized out>) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderLayerBacking.cpp:1107
#9  0x00007fc879100ba3 in WebCore::RenderLayerCompositor::updateBackingAndHierarchy(WebCore::RenderLayer&, WTF::Vector<WTF::Ref<WebCore::GraphicsLayer, WTF::RawPtrTraits<WebCore::GraphicsLayer> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WebCore::RenderLayerCompositor::UpdateBackingTraversalState&, WebCore::ScrollingTreeState&, WTF::OptionSet<WebCore::RenderLayerCompositor::UpdateLevel>) (this=0x7fc85e0200e0, layer=..., childLayersOfEnclosingLayer=..., traversalState=..., scrollingTreeState=..., updateLevel=...) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderLayerCompositor.cpp:1364
#10 0x00007fc879100f61 in WebCore::RenderLayerCompositor::updateBackingAndHierarchy(WebCore::RenderLayer&, WTF::Vector<WTF::Ref<WebCore::GraphicsLayer, WTF::RawPtrTraits<WebCore::GraphicsLayer> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WebCore::RenderLayerCompositor::UpdateBackingTraversalState&, WebCore::ScrollingTreeState&, WTF::OptionSet<WebCore::RenderLayerCompositor::UpdateLevel>) (this=0x7fc85e0200e0, layer=..., childLayersOfEnclosingLayer=..., traversalState=..., scrollingTreeState=..., updateLevel=...) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderLayerCompositor.cpp:1439

I'll attach a full backtrace. Notably, the second parameter to BackgroundPainter::calculateBackgroundImageGeometry is nullptr. And the first and second parameters are both the same, so that means the first parameter is an invalid reference. The calls to renderBox() in RenderLayerBacking::updateDirectlyCompositedBackgroundImage are apparently returning nullptr.
Attachments:
Full backtrace (68.61 KB, text/plain), 2023-04-20 20:09 PDT, Michael Catanzaro
Michael Catanzaro
Comment 1 2023-04-20 20:14:47 PDT
Looks like this code was last touched in 254301@main (but I have not tested to see if that is to blame).
Simon Fraser (smfr)
Comment 2 2023-04-20 20:17:32 PDT
FYI Cocoa platforms don’t use updateDirectlyCompositedBackgroundImage().
Michael Catanzaro
Comment 3 2023-04-20 20:33:47 PDT
This naive patch avoids the crash (but I doubt it's the correct solution):

diff --git a/Source/WebCore/rendering/RenderLayerBacking.cpp b/Source/WebCore/rendering/RenderLayerBacking.cpp
index d182f008bfdd..3628348a4d60 100644
--- a/Source/WebCore/rendering/RenderLayerBacking.cpp
+++ b/Source/WebCore/rendering/RenderLayerBacking.cpp
@@ -2730,6 +2730,9 @@ void RenderLayerBacking::updateDirectlyCompositedBackgroundImage(PaintedContents
         return;
     }
 
+    if (!renderBox())
+        return;
+
     auto backgroundBox = LayoutRect { backgroundBoxForSimpleContainerPainting() };
     // FIXME: Absolute paint location is required here.
     auto geometry = BackgroundPainter::calculateBackgroundImageGeometry(*renderBox(), renderBox(), style.backgroundLayers(), { }, backgroundBox);

> FYI Cocoa platforms don't use updateDirectlyCompositedBackgroundImage().

Uh, OK, let's move to WebKitGTK component then.
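Review bot: the `if (!renderBox()) return;` guard at the top of the hunk removes the null dereference in `*renderBox()` but silently skips the directly composited background image update for that layer, so it hides the condition from comment 0 (renderBox() returning nullptr on a path that unconditionally dereferences it) rather than explaining it. Suggest pairing the guard with an ASSERT_NOT_REACHED() or at least a comment recording which renderer type reaches this function without being a box, so the underlying cause stays visible, and reading the pointer once into a local (`auto* box = renderBox();`) that feeds the check and both arguments of the calculateBackgroundImageGeometry() call, instead of calling renderBox() three times.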
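The failure pattern in the backtrace, reduced to a stand-alone illustration (added here; this is not WebCore code, and the struct, enum and function names below are stand-ins, not WebKit identifiers): a lookup that can return nullptr is dereferenced into a reference parameter, so the crash surfaces later, inside the callee, at a member access. The `this=0x0` followed by `this=0x10` in frames #3 to #0 is what that looks like: a member access on a null object yields the member's offset. The second function shows the shape of the guard from comment 3, with the pointer read once into a local.

```cpp
#include <cstddef>
#include <optional>

// Constructed stand-ins (assumptions, not WebKit types).
struct FillLayers { int count; };

// Stand-in for a box renderer. `node` is placed at 2 * sizeof(void*)
// (0x10 on 64-bit), which is the kind of member offset that shows up as
// this=0x10 in the WeakPtr frames once the object pointer itself is null.
struct Box {
    void* parent;             // offset 0
    const void* style;        // offset sizeof(void*)
    const FillLayers* node;   // offset 2 * sizeof(void*)
};

// Stand-in for RenderLayerBacking: renderBox() is null when the layer's
// renderer is not a box, which is the situation comment 0 reports.
struct Backing {
    const Box* box;
    const Box* renderBox() const { return box; }
};

// Same parameter shape as calculateBackgroundImageGeometry: a reference the
// callee trusts unconditionally, plus a nullable paint-container pointer.
int calculateGeometry(const Box& renderer, const Box* paintContainer) {
    return renderer.node->count + (paintContainer ? 1 : 0);
}

// "Before": the unconditional *renderBox() from the original call site.
// Not executed by the test; with a null box this is undefined behaviour and,
// in practice, the SIGSEGV in the report.
int updateUnchecked(const Backing& backing) {
    return calculateGeometry(*backing.renderBox(), backing.renderBox());
}

// "After": the guard from comment 3, with the pointer read once so the check
// and both uses agree. std::nullopt models the early return.
std::optional<int> updateChecked(const Backing& backing) {
    auto* box = backing.renderBox();
    if (!box)
        return std::nullopt;
    return calculateGeometry(*box, box);
}

// Why a null object produces this=0x10 in the inner frames: the address of a
// member of a null object is just that member's offset.
std::size_t nodeOffset() { return offsetof(Box, node); }
```

Note that the guard has to sit on the pointer, not on the reference: once `*nullptr` has been bound to `const Box&`, a later `&renderer == nullptr` check inside the callee is checking something the language says cannot happen, and optimizing compilers are entitled to drop it.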