[Google3 Bug]: [Crash Report] `anonymous namespace'::PolygonInfo::AppendVertex-dead1d17

[calebmah]

Help us understand the severity of this issue

• causing severe production issues e.g. malfunctions or data loss
• blocking next binary release
• blocking a client feature launch within a quarter
• nice-to-have but does not block a launch within the next quarter

Steps to reproduce

Unable to verify detailed reproduction steps, see b/475054280 for full crash report

This crash happens when using Impeller on iOS. From crash logs, appears to happen when rendering DrawRoundRect with blurred shadow.

Likely an issue in the PolygonInfo::AppendVertex function within impeller/entity/geometry/shadow_path_geometry.cc. This possibly happens because the code attempts to access the .back() element of an empty vector on line 1362.

Expected results

The application should render the UI element and its associated shadow correctly without crashing.

Actual results

The application crashes with an EXC_BAD_ACCESS in impeller::PolygonInfo::AppendVertex (See b/475054280 for full crash report).

Code sample

Code sample

// shadow_path_geometry.cc:1362
uint16_t PolygonInfo::AppendVertex(const Point& vertex, Scalar gaussian) {
  FML_DCHECK(gaussian >= 0.0f && gaussian <= 1.0f);
  uint16_t index = vertices_.size();
  FML_DCHECK(index == gaussians_.size());
  // ...
  if (gaussian == gaussians_.back() && vertex == vertices_.back()) { // <--- CRASH HERE
    return index - 1;
  }
  // ...
}

Potential fix:

  if (!vertices_.empty() && gaussian == gaussians_.back() && vertex == vertices_.back()) {

Screenshots or Video

No response

Logs

Logs

0x00000001074255cc (Flutter - shadow_path_geometry.cc: 1362)	(anonymous namespace)::PolygonInfo::AppendVertex(impeller::TPoint<float> const&, float)
0x00000001073a8d20 (Flutter - shadow_path_geometry.cc: 1268)	impeller::Canvas::AttemptDrawBlurredPathSource(impeller::PathSource const&, impeller::Paint const&)
0x00000001073a8d20 (Flutter - shadow_path_geometry.cc: 1268)	impeller::Canvas::AttemptDrawBlurredPathSource(impeller::PathSource const&, impeller::Paint const&)
0x00000001073af154 (Flutter - canvas.cc: 623)	impeller::Canvas::DrawRoundRect(impeller::RoundRect const&, impeller::Paint const&)
0x000000010710ce70 (Flutter - display_list.cc: 205)	flutter::DisplayList::Dispatch(flutter::DlOpReceiver&, impeller::TRect<float> const&) const
0x00000001073b4bf0 (Flutter - dl_dispatcher.cc: 825)	impeller::DlDispatcherBase::drawDisplayList(sk_sp<flutter::DisplayList>, float)
0x000000010710ca5c (Flutter - dl_op_records.h: 990)	flutter::DrawDisplayListOp::dispatch(flutter::DlOpReceiver&) const
0x000000010710cdf0 (Flutter - display_list.cc: 185)	flutter::DisplayList::Dispatch(flutter::DlOpReceiver&, impeller::TRect<float> const&) const
0x00000001073ba594 (Flutter - dl_dispatcher.cc: 1328)	impeller::RenderToTarget(impeller::ContentContext&, impeller::RenderTarget, sk_sp<flutter::DisplayList> const&, impeller::TRect<float>, bool, bool)
0x0000000107502168 (Flutter - gpu_surface_metal_impeller.mm: 178)	std::_fl::__function::__func<fml::internal::CopyableLambda<flutter::GPUSurfaceMetalImpeller::AcquireFrameFromCAMetalLayer(impeller::TSize<int> const&)::$_0>, std::_fl::allocator<fml::internal::CopyableLambda<flutter::GPUSurfaceMetalImpeller::AcquireFrameFromCAMetalLayer(impeller::TSize<int> const&)::$_0>>, bool (flutter::SurfaceFrame&, flutter::DlCanvas*)>::operator()(flutter::SurfaceFrame&, flutter::DlCanvas*&&)
0x00000001072fdb20 (Flutter - function.h: 436)	flutter::SurfaceFrame::Submit()
0x000000010703b7a4 (Flutter - FlutterPlatformViewsController.mm: 726)	-[FlutterPlatformViewsController submitFrame:withIosContext:]
0x000000010707ab58 (Flutter - ios_external_view_embedder.mm: 86)	flutter::IOSExternalViewEmbedder::SubmitFlutterView(long long, GrDirectContext*, std::_fl::shared_ptr<impeller::AiksContext> const&, std::_fl::unique_ptr<flutter::SurfaceFrame, std::_fl::default_delete<flutter::SurfaceFrame>>)
0x0000000107449cc8 (Flutter - rasterizer.cc: 807)	flutter::Rasterizer::DrawToSurfacesUnsafe(flutter::FrameTimingsRecorder&, std::_fl::vector<std::_fl::unique_ptr<flutter::LayerTreeTask, std::_fl::default_delete<flutter::LayerTreeTask>>, std::_fl::allocator<std::_fl::unique_ptr<flutter::LayerTreeTask, std::_fl::default_delete<flutter::LayerTreeTask>>>>)
0x000000010744a0d8 (Flutter - rasterizer.cc: 613)	std::_fl::__function::__func<flutter::Rasterizer::DrawToSurfaces(flutter::FrameTimingsRecorder&, std::_fl::vector<std::_fl::unique_ptr<flutter::LayerTreeTask, std::_fl::default_delete<flutter::LayerTreeTask>>, std::_fl::allocator<std::_fl::unique_ptr<flutter::LayerTreeTask, std::_fl::default_delete<flutter::LayerTreeTask>>>>)::$_1, std::_fl::allocator<flutter::Rasterizer::DrawToSurfaces(flutter::FrameTimingsRecorder&, std::_fl::vector<std::_fl::unique_ptr<flutter::LayerTreeTask, std::_fl::default_delete<flutter::LayerTreeTask>>, std::_fl::allocator<std::_fl::unique_ptr<flutter::LayerTreeTask, std::_fl::default_delete<flutter::LayerTreeTask>>>>)::$_1>, void ()>::operator()()
0x00000001070a5da4 (Flutter - function.h: 436)	fml::SyncSwitch::Execute(fml::SyncSwitch::Handlers const&) const
0x00000001074494dc (Flutter - rasterizer.cc: 605)	flutter::Rasterizer::DrawToSurfaces(flutter::FrameTimingsRecorder&, std::_fl::vector<std::_fl::unique_ptr<flutter::LayerTreeTask, std::_fl::default_delete<flutter::LayerTreeTask>>, std::_fl::allocator<std::_fl::unique_ptr<flutter::LayerTreeTask, std::_fl::default_delete<flutter::LayerTreeTask>>>>)
0x000000010744ae84 (Flutter - rasterizer.cc: 507)	std::_fl::__function::__func<flutter::Rasterizer::Draw(std::_fl::shared_ptr<flutter::Pipeline<flutter::FrameItem>> const&)::$_0, std::_fl::allocator<flutter::Rasterizer::Draw(std::_fl::shared_ptr<flutter::Pipeline<flutter::FrameItem>> const&)::$_0>, void (std::_fl::unique_ptr<flutter::FrameItem, std::_fl::default_delete<flutter::FrameItem>>)>::operator()(std::_fl::unique_ptr<flutter::FrameItem, std::_fl::default_delete<flutter::FrameItem>>&&)
0x000000010744a6f8 (Flutter - function.h: 436)	flutter::Rasterizer::Draw(std::_fl::shared_ptr<flutter::Pipeline<flutter::FrameItem>> const&)
0x0000000107461bb8 (Flutter - shell.cc: 1412)	std::_fl::__function::__func<fml::internal::CopyableLambda<flutter::Shell::OnAnimatorDraw(std::_fl::shared_ptr<flutter::Pipeline<flutter::FrameItem>>)::$_0>, std::_fl::allocator<fml::internal::CopyableLambda<flutter::Shell::OnAnimatorDraw(std::_fl::shared_ptr<flutter::Pipeline<flutter::FrameItem>>)::$_0>>, void ()>::operator()()
0x00000001070a41f8 (Flutter - function.h: 436)	fml::MessageLoopImpl::FlushTasks(fml::FlushType)
0x00000001070a810c (Flutter - message_loop_impl.cc: 139)	fml::MessageLoopDarwin::OnTimerFire(__CFRunLoopTimer*, fml::MessageLoopDarwin*)
0x0000000191976bfc (CoreFoundation + 0x0004dbfc)	__CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__
0x00000001919768bc (CoreFoundation + 0x0004d8bc)	__CFRunLoopDoTimer
0x0000000191976430 (CoreFoundation + 0x0004d430)	__CFRunLoopDoTimers
0x0000000191946ab8 (CoreFoundation + 0x0001dab8)	__CFRunLoopRun
0x0000000191945a68 (CoreFoundation + 0x0001ca68)	_CFRunLoopRunSpecificWithOptions
0x00000001070a81fc (Flutter - message_loop_darwin.mm: 51)	fml::MessageLoopDarwin::Run()
0x00000001070a7850 (Flutter - message_loop_impl.cc: 94)	std::_fl::__function::__func<fml::Thread::Thread(std::_fl::function<void (fml::Thread::ThreadConfig const&)> const&, fml::Thread::ThreadConfig const&)::$_0, std::_fl::allocator<fml::Thread::Thread(std::_fl::function<void (fml::Thread::ThreadConfig const&)> const&, fml::Thread::ThreadConfig const&)::$_0>, void ()>::operator()()
0x00000001070a755c (Flutter - function.h: 436)	fml::ThreadHandle::ThreadHandle(std::_fl::function<void ()>&&)::$_0::__invoke(void*)
0x00000001ee20f448 (libsystem_pthread.dylib + 0x00004448)	_pthread_start

Flutter Doctor output

Doctor output

NA

[jason-simmons]

@flar - also see b/474194275

[calebmah]

Looks like this affects Android as well in b/474463878

[flar]

Fixed by #180920