254262 2023-03-22 02:44:12 -0700 RPI3 (32bits) ARMv7 NEON crashes on WebCore::TextureMapperLayer::paintWith3DRenderingContext() 2023-03-24 02:44:29 -0700 1 1 1 Unclassified WebKit New Bugs WebKit Nightly Build Unspecified Unspecified RESOLVED INVALID https://bugs.webkit.org/show_bug.cgi?id=244526 P2 Normal --- 1 psaavedra webkit-unassigned fujii oldest_to_newest 1943048 0 psaavedra 2023-03-22 02:44:12 -0700 .. using the VC4 mesa driver: ``` #0 0x6a096c22 in _mesa_update_renderbuffer_surface (ctx=ctx@entry=0x6bfc8020, rb=rb@entry=0x2476190) at ../mesa-22.0.3/src/mesa/main/renderbuffer.c:581 #1 0x6a087ed0 in render_texture (ctx=ctx@entry=0x6bfc8020, att=att@entry=0x24f3a04, fb=0x24f3858) at ../mesa-22.0.3/src/mesa/main/fbobject.c:451 #2 0x6a089320 in _mesa_update_texture_renderbuffer (ctx=ctx@entry=0x6bfc8020, fb=fb@entry=0x24f3858, att=att@entry=0x24f3a04) at ../mesa-22.0.3/src/mesa/main/fbobject.c:590 #3 0x6a08cad0 in set_texture_attachment (layered=0 '\000', layer=1778962583, samples=38787704, level=3553, texTarget=<optimized out>, texObj=0x24fda78, att=0x24f3a04, fb=0x24f3858, ctx=0x6bfc8020) at ../mesa-22.0.3/src/mesa/main/fbobject.c:631 #4 _mesa_framebuffer_texture (ctx=0x6bfc8020, fb=0x24f3858, attachment=36064, att=0x24f3a04, texObj=<optimized out>, textarget=<optimized out>, level=0, samples=0, layer=0, layered=0 '\000') at ../mesa-22.0.3/src/mesa/main/fbobject.c:4019 #5 0x6a08cdb0 in framebuffer_texture_with_dims (dims=3553, target=<optimized out>, framebuffer=<optimized out>, attachment=<optimized out>, textarget=<optimized out>, texture=<optimized out>, level=0, samples=0, layer=0, caller=0x0, dsa=false) at ../mesa-22.0.3/src/mesa/main/fbobject.c:4121 #6 0x6a08d096 in _mesa_FramebufferTexture2D (target=<optimized out>, attachment=<optimized out>, textarget=3553, texture=<optimized out>, level=0) at ../mesa-22.0.3/src/mesa/main/fbobject.c:4159 #7 0x74d28e58 in WebCore::BitmapTextureGL::createFboIfNeeded() [clone .part.0] () from /opt/browsers/1.0/sysroots/cortexa7t2hf-neon-vfpv4-poky-linux-gnueabi/usr/lib/libWPEWebKit-2.0.so.0.0.0 #8 0x74d29b0c in WebCore::BitmapTextureGL::bindAsSurface() () from /opt/browsers/1.0/sysroots/cortexa7t2hf-neon-vfpv4-poky-linux-gnueabi/usr/lib/libWPEWebKit-2.0.so.0.0.0 #9 0x74d2a984 in WebCore::TextureMapperGL::bindSurface(WebCore::BitmapTexture*) () from /opt/browsers/1.0/sysroots/cortexa7t2hf-neon-vfpv4-poky-linux-gnueabi/usr/lib/libWPEWebKit-2.0.so.0.0.0 #10 0x74d27c9c in WebCore::TextureMapperLayer::paintWith3DRenderingContext(WebCore::TextureMapperPaintOptions&) () from /opt/browsers/1.0/sysroots/cortexa7t2hf-neon-vfpv4-poky-linux-gnueabi/usr/lib/libWPEWebKit-2.0.so.0.0.0 #11 0x76e9e964 in ?? () from /opt/browsers/1.0/sysroots/cortexa7t2hf-neon-vfpv4-poky-linux-gnueabi/usr/lib/libWPEWebKit-2.0.so.0.0.0 ``` The crash seems a side-effect of: TextureMapper: Attach a depth buffer for BitmapTextureGL for 3D transform https://bugs.webkit.org/show_bug.cgi?id=244526 since this crash is not reproducible after a partial revert of the https://commits.webkit.org/255021@main commit. ``` diff diff --git a/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp b/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp index f891d9bc8c70..f627ebdecaf8 100644 --- a/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp +++ b/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp @@ -754,9 +754,10 @@ void TextureMapperLayer::paintRecursive(TextureMapperPaintOptions& options) SetForScope scopedOpacity(options.opacity, options.opacity * m_currentOpacity); - if (m_state.preserves3D) - paintWith3DRenderingContext(options); - else if (shouldBlend()) + if (shouldBlend()) paintUsingOverlapRegions(options); else paintSelfChildrenReplicaFilterAndMask(options); ``` 1943049 1 psaavedra 2023-03-22 02:46:14 -0700 The problem is reproducible on WPE using `cog -P wl https://webkit.org/blog-files/3d-transforms/poster-circle.html` 1943259 2 fujii 2023-03-22 19:04:18 -0700 glFramebufferTexture2D is used not only for 3D rendering context, but also for layers with filters and semi-transparent. Does css3/filters/effect-blur-hw.html also crash? glFramebufferTexture2D was used even before 255021@main. 1943664 3 psaavedra 2023-03-24 02:44:29 -0700 I will set this issue as invalid since I was not able to reproduce it yesterday but 2 days ago it was quite consistently. I am going to assume some mistake or some problem during the image generation. If I have another occurrence of it I will reopen the issue with the more information (including tests on css3/filters/effect-blur-hw.html ). Sorry Fujii Hironori for the noise.