Title: [285087] trunk
Revision: 285087
Author: mmaxfi...@apple.com
Date: 2021-10-30 19:24:17 -0700 (Sat, 30 Oct 2021)

Log Message

[GPU Process] Small ImageBuffers cause the web process to crash
https://bugs.webkit.org/show_bug.cgi?id=232470
<rdar://problem/84626560>

Reviewed by Tim Horton.

Source/WebKit:

The problem is when the (floating point) size < 1x1, but the size*resolution is >= 1x1.
In this situation, calculateSafeBackendSize() is correctly determining that this
isn't a zero-sized ImageBuffer, but when we go to actually pass the size to the GPU
process, we call this:

IntSize logicalSize() const override { return IntSize(m_parameters.logicalSize); }

So, the logical size gets truncated down to 0, and then the GPU process fails to allocate
the ImageBuffer, and then the web process blocks on the GPU process indefinitely, and then
eventually times out and then crashes. I'm going to deal with that last step (the crash
itself) in a secondary patch - if the web process doesn't hear from the GPU process, it
shouldn't crash.

This patch simply exposes a floatLogicalSize() function on ImageBuffer, so we can get
the full-fidelity logical size to pass that to the GPU process.

Test: compositing/device-pixel-image-buffer-hidpi.html

* WebProcess/GPU/graphics/RemoteRenderingBackendProxy.cpp:
(WebKit::RemoteRenderingBackendProxy::createRemoteImageBuffer):

LayoutTests:

* compositing/device-pixel-image-buffer-hidpi-expected.html: Added.
* compositing/device-pixel-image-buffer-hidpi.html: Added.
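
The mismatch described in the log message, as an added example that is not WebKit code: the sender validates the scaled size, but the receiver is handed a truncated one. The struct and function names are hypothetical stand-ins, the round-up rule is an assumed model of the sender's check, and the scale factor of 2 is an assumption; the 50 x 0.5 box is taken from the test page.

```cpp
#include <cmath>
#include <cstdio>

// Simplified stand-ins for the types named in the log message; not WebKit's definitions.
struct FloatSize { float width; float height; };
struct IntSize { int width; int height; };

static bool isEmpty(IntSize s) { return s.width <= 0 || s.height <= 0; }

// Assumed model of the sender-side check: scale to device pixels, then round up.
static IntSize scaledBackendSize(FloatSize logical, float scale)
{
    return { static_cast<int>(std::ceil(logical.width * scale)),
             static_cast<int>(std::ceil(logical.height * scale)) };
}

// The lossy step: converting float to int truncates toward zero.
static IntSize truncateSize(FloatSize s)
{
    return { static_cast<int>(s.width), static_cast<int>(s.height) };
}

// Receiver that was handed the already-truncated logical size.
static IntSize receiverSizeFromTruncated(IntSize logical, float scale)
{
    return scaledBackendSize({ static_cast<float>(logical.width), static_cast<float>(logical.height) }, scale);
}

// Receiver that was handed the floating-point logical size.
static IntSize receiverSizeFromFloat(FloatSize logical, float scale)
{
    return scaledBackendSize(logical, scale);
}

int main()
{
    FloatSize logical { 50.0f, 0.5f }; // the test page's 50px x 0.5px box
    float scale = 2.0f;                // assumed hidpi scale factor
    IntSize check = scaledBackendSize(logical, scale);
    IntSize before = receiverSizeFromTruncated(truncateSize(logical), scale);
    IntSize after = receiverSizeFromFloat(logical, scale);
    std::printf("sender check %dx%d, truncated %dx%d, float %dx%d\n",
        check.width, check.height, before.width, before.height, after.width, after.height);
    return 0;
}
```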

Diff

Modified: trunk/LayoutTests/ChangeLog (285086 => 285087)


--- trunk/LayoutTests/ChangeLog	2021-10-31 01:24:38 UTC (rev 285086)
+++ trunk/LayoutTests/ChangeLog	2021-10-31 02:24:17 UTC (rev 285087)
@@ -1,3 +1,14 @@
+2021-10-30  Myles C. Maxfield  <mmaxfi...@apple.com>
+
+        [GPU Process] Small ImageBuffers cause the web process to crash
+        https://bugs.webkit.org/show_bug.cgi?id=232470
+        <rdar://problem/84626560>
+
+        Reviewed by Tim Horton.
+
+        * compositing/device-pixel-image-buffer-hidpi-expected.html: Added.
+        * compositing/device-pixel-image-buffer-hidpi.html: Added.
+
 2021-10-30  Chris Dumez  <cdu...@apple.com>
 
         [ BigSur wk2 Debug arm64 ] webaudio/AudioBufferSource/audiobuffersource-playbackrate.html is a flaky crash

Added: trunk/LayoutTests/compositing/device-pixel-image-buffer-hidpi-expected.html (0 => 285087)


--- trunk/LayoutTests/compositing/device-pixel-image-buffer-hidpi-expected.html	                        (rev 0)
+++ trunk/LayoutTests/compositing/device-pixel-image-buffer-hidpi-expected.html	2021-10-31 02:24:17 UTC (rev 285087)
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta name="viewport" content="width=device-width, initial-scale=1">
+</head>
+<body>
+This test passes if there is no crash. The crash might happen on a subsequent test.
+<div style="font-size: 20px; width: 50px; height: 0.5px; background: green; overflow: hidden;">Hello</div>
+</body>
+</html>

Added: trunk/LayoutTests/compositing/device-pixel-image-buffer-hidpi.html (0 => 285087)


--- trunk/LayoutTests/compositing/device-pixel-image-buffer-hidpi.html	                        (rev 0)
+++ trunk/LayoutTests/compositing/device-pixel-image-buffer-hidpi.html	2021-10-31 02:24:17 UTC (rev 285087)
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta name="viewport" content="width=device-width, initial-scale=1">
+</head>
+<body>
+This test passes if there is no crash. The crash might happen on a subsequent test.
+<div style="transform: translateZ(20px); font-size: 20px; width: 50px; height: 0.5px; background: green; overflow: hidden;">Hello</div>
+</body>
+</html>
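
Review bot: The body text "This test passes if there is no crash. The crash might happen on a subsequent test." means a regression would be reported against whichever test runs next rather than against this file. If the harness offers a way to wait until the layer has been painted before the test finishes, using it here would keep the failure attributed to this test. Separately, the 0.5px height on the div only reaches a full device pixel at a scale factor of 2 or more, and nothing in the markup sets that, so a short comment stating what makes this run at hidpi would help.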

Modified: trunk/Source/WebKit/ChangeLog (285086 => 285087)


--- trunk/Source/WebKit/ChangeLog	2021-10-31 01:24:38 UTC (rev 285086)
+++ trunk/Source/WebKit/ChangeLog	2021-10-31 02:24:17 UTC (rev 285087)
@@ -1,3 +1,32 @@
+2021-10-30  Myles C. Maxfield  <mmaxfi...@apple.com>
+
+        [GPU Process] Small ImageBuffers cause the web process to crash
+        https://bugs.webkit.org/show_bug.cgi?id=232470
+        <rdar://problem/84626560>
+
+        Reviewed by Tim Horton.
+
+        The problem is when the (floating point) size < 1x1, but the size*resolution is >= 1x1.
+        In this situation, calculateSafeBackendSize() is correctly determining that this
+        isn't a zero-sized ImageBuffer, but when we go to actually pass the size to the GPU
+        process, we call this:
+
+        IntSize logicalSize() const override { return IntSize(m_parameters.logicalSize); }
+
+        So, the logical size gets truncated down to 0, and then the GPU process fails to allocate
+        the ImageBuffer, and then the web process blocks on the GPU process indefinitely, and then
+        eventually times out and then crashes. I'm going to deal with that last step (the crash
+        itself) in a secondary patch - if the web process doesn't hear from the GPU process, it
+        shouldn't crash.
+
+        This patch simply exposes a floatLogicalSize() function on ImageBuffer, so we can get
+        the full-fidelity logical size to pass that to the GPU process.
+
+        Test: compositing/device-pixel-image-buffer-hidpi.html
+
+        * WebProcess/GPU/graphics/RemoteRenderingBackendProxy.cpp:
+        (WebKit::RemoteRenderingBackendProxy::createRemoteImageBuffer):
+
 2021-10-30  Chris Dumez  <cdu...@apple.com>
 
         Improve error handling in sendWithAsyncReply()
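
Review bot: The entry says "This patch simply exposes a floatLogicalSize() function on ImageBuffer", but the only source file it lists is RemoteRenderingBackendProxy.cpp, and the code change there calls imageBuffer.logicalSize(), not floatLogicalSize(). The entry also quotes an IntSize logicalSize() override as the source of the truncation, which is the same name the fix now calls. Please update the description to name the accessor actually used and to say which logicalSize() is meant.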

Modified: trunk/Source/WebKit/WebProcess/GPU/graphics/RemoteRenderingBackendProxy.cpp (285086 => 285087)


--- trunk/Source/WebKit/WebProcess/GPU/graphics/RemoteRenderingBackendProxy.cpp	2021-10-31 01:24:38 UTC (rev 285086)
+++ trunk/Source/WebKit/WebProcess/GPU/graphics/RemoteRenderingBackendProxy.cpp	2021-10-31 02:24:17 UTC (rev 285087)
@@ -127,7 +127,7 @@
 
 void RemoteRenderingBackendProxy::createRemoteImageBuffer(ImageBuffer& imageBuffer)
 {
-    sendToStream(Messages::RemoteRenderingBackend::CreateImageBuffer(imageBuffer.truncatedLogicalSize(), imageBuffer.renderingMode(), imageBuffer.resolutionScale(), imageBuffer.colorSpace(), imageBuffer.pixelFormat(), imageBuffer.renderingResourceIdentifier()));
+    sendToStream(Messages::RemoteRenderingBackend::CreateImageBuffer(imageBuffer.logicalSize(), imageBuffer.renderingMode(), imageBuffer.resolutionScale(), imageBuffer.colorSpace(), imageBuffer.pixelFormat(), imageBuffer.renderingResourceIdentifier()));
 }
 
 RefPtr<ImageBuffer> RemoteRenderingBackendProxy::createImageBuffer(const FloatSize& size, RenderingMode renderingMode, float resolutionScale, const DestinationColorSpace& colorSpace, PixelFormat pixelFormat)
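
Review bot: On the changed sendToStream line, the fix depends on imageBuffer.logicalSize() returning a floating-point size and on CreateImageBuffer carrying it without conversion, and neither declaration is part of this patch. Since the log message quotes a logicalSize() override that returns IntSize, please confirm that the call through ImageBuffer& resolves to the float-returning accessor and that the message's size parameter is a FloatSize; otherwise the 0.5px case still reaches the GPU process as 0. The receiving side is also untouched here, so a zero size sent by the web process still ends in a failed allocation with no reply until the follow-up patch mentioned in the log lands.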
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
