Title: [249609] trunk/Source/WebCore
Revision
249609
Author
bfulg...@apple.com
Date
2019-09-06 22:59:38 -0700 (Fri, 06 Sep 2019)

Log Message

[FTW] Minor cleanups to avoid crashes during web browsing
https://bugs.webkit.org/show_bug.cgi?id=201572

Reviewed by Alexey Proskuryakov.

This patch addresses a few crashes seen when doing general web browsing using
the FTW build of WebKit:

1. ImageBuffer::sinkIntoImage was attempting to use a render target after WTFMoving it elsewhere.
2. ImageBuffer::copyNativeImage was not properly checking the type of the render
   target to make sure it was suitable for Bitmap operations.
3. BackingStoreBackendDirect2DImpl::scroll would crash if the scroll offset was
   outside the bounds of the current view. In that case, it would attempt to allocate
   a zero-size texture, which triggered a crash.

* platform/graphics/win/BackingStoreBackendDirect2DImpl.cpp:
(WebCore::BackingStoreBackendDirect2DImpl::scroll):
* platform/graphics/win/ImageBufferDirect2D.cpp:
(WebCore::ImageBuffer::sinkIntoImage):
(WebCore::ImageBuffer::copyNativeImage const):


Modified: trunk/Source/WebCore/ChangeLog (249608 => 249609)


--- trunk/Source/WebCore/ChangeLog	2019-09-07 05:42:11 UTC (rev 249608)
+++ trunk/Source/WebCore/ChangeLog	2019-09-07 05:59:38 UTC (rev 249609)
@@ -1,3 +1,26 @@
+2019-09-06  Brent Fulgham  <bfulg...@apple.com>
+
+        [FTW] Minor cleanups to avoid crashes during web browsing
+        https://bugs.webkit.org/show_bug.cgi?id=201572
+
+        Reviewed by Alexey Proskuryakov.
+
+        This patch addresses a few crashes seen when doing general web browsing using
+        the FTW build of WebKit:
+
+        1. ImageBuffer::sinkIntoImage was attempting to use a render target after WTFMoving it elsewhere.
+        2. ImageBuffer::copyNativeImage was not properly checking the type of the render
+           target to make sure it was suitable for Bitmap operations.
+        3. BackingStoreBackendDirect2DImpl::scroll would crash if the scroll offset was
+           outside the bounds of the current view. In that case, it would attempt to allocate
+           a zero-size texture, which triggered a crash.
+
+        * platform/graphics/win/BackingStoreBackendDirect2DImpl.cpp:
+        (WebCore::BackingStoreBackendDirect2DImpl::scroll):
+        * platform/graphics/win/ImageBufferDirect2D.cpp:
+        (WebCore::ImageBuffer::sinkIntoImage):
+        (WebCore::ImageBuffer::copyNativeImage const):
+
 2019-09-06  Wenson Hsieh  <wenson_hs...@apple.com>
 
         Incorrect selection rect revealed after pasting images in a contenteditable element

Modified: trunk/Source/WebCore/platform/graphics/win/BackingStoreBackendDirect2DImpl.cpp (249608 => 249609)


--- trunk/Source/WebCore/platform/graphics/win/BackingStoreBackendDirect2DImpl.cpp	2019-09-07 05:42:11 UTC (rev 249608)
+++ trunk/Source/WebCore/platform/graphics/win/BackingStoreBackendDirect2DImpl.cpp	2019-09-07 05:59:38 UTC (rev 249609)
@@ -69,6 +69,9 @@
     sourceRect.move(-scrollOffset);
     sourceRect.intersect(scrollRect);
 
+    if (sourceRect.isEmpty())
+        return;
+
     if (!m_scrollSurface || scrollRect.size() != m_scrollSurfaceSize) {
 #ifndef _NDEBUG
         ASSERT(m_size.width() >= scrollRect.size().width());
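Review bot: The new early return on `sourceRect.isEmpty()` silently drops the scroll, and nothing in the hunk records that this is the intended outcome for an offset that moves the whole surface out of view; add `// Scrolling by more than the visible area leaves nothing to copy, and allocating a zero-size scroll surface below would fail.` above the check. The guard is on sourceRect rather than scrollRect; it also covers an empty scrollRect because intersecting with an empty rect yields an empty rect, but any caller that relies on the exposed region being invalidated after scroll() returns should be checked, which I cannot do from this hunk. Separately, the surrounding `#ifndef _NDEBUG` looks like a typo for the standard `NDEBUG` (or MSVC's `_DEBUG`), so the block is compiled in every configuration; harmless if ASSERT already compiles out in release, but worth correcting. The body of scroll() starts and ends outside this hunk.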

Modified: trunk/Source/WebCore/platform/graphics/win/ImageBufferDirect2D.cpp (249608 => 249609)


--- trunk/Source/WebCore/platform/graphics/win/ImageBufferDirect2D.cpp	2019-09-07 05:42:11 UTC (rev 249608)
+++ trunk/Source/WebCore/platform/graphics/win/ImageBufferDirect2D.cpp	2019-09-07 05:59:38 UTC (rev 249609)
@@ -194,8 +194,12 @@
     IntSize backingStoreSize = imageBuffer->m_data.backingStoreSize;
     float resolutionScale = imageBuffer->m_resolutionScale;
 
-    auto bitmapTarget = reinterpret_cast<ID2D1BitmapRenderTarget*>(imageBuffer->context().platformContext()->renderTarget());
-    return createBitmapImageAfterScalingIfNeeded(bitmapTarget, sinkIntoNativeImage(WTFMove(imageBuffer)), internalSize, logicalSize, backingStoreSize, resolutionScale, preserveResolution);
+    COMPtr<ID2D1BitmapRenderTarget> bitmapTarget;
+    HRESULT hr = imageBuffer->context().platformContext()->renderTarget()->QueryInterface(&bitmapTarget);
+    if (!SUCCEEDED(hr))
+        return nullptr;
+
+    return createBitmapImageAfterScalingIfNeeded(bitmapTarget.get(), sinkIntoNativeImage(WTFMove(imageBuffer)), internalSize, logicalSize, backingStoreSize, resolutionScale, preserveResolution);
 }
 
 BackingStoreCopy ImageBuffer::fastCopyImageMode()
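Review bot: `bitmapTarget` must stay a `COMPtr` here rather than a raw pointer, because `sinkIntoNativeImage(WTFMove(imageBuffer))` in the same argument list consumes the buffer and argument evaluation order is unspecified; the reference the COMPtr holds is what keeps the target alive until `createBitmapImageAfterScalingIfNeeded` runs. That is the crash in item 1 of the log message, so document it at the declaration: `// Hold a reference: sinkIntoNativeImage() consumes imageBuffer below, so a raw pointer into it could dangle.` Prefer `if (FAILED(hr))` to `if (!SUCCEEDED(hr))`, the idiomatic COM spelling of the same test. If `renderTarget()` can be null for a buffer whose allocation failed (not visible in this hunk), the `QueryInterface` call dereferences it unchecked. sinkIntoImage begins before this hunk.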
@@ -211,10 +215,13 @@
 
 COMPtr<ID2D1Bitmap> ImageBuffer::copyNativeImage(BackingStoreCopy copyBehavior) const
 {
-    auto bitmapTarget = reinterpret_cast<ID2D1BitmapRenderTarget*>(context().platformContext());
+    COMPtr<ID2D1BitmapRenderTarget> bitmapTarget;
+    HRESULT hr = context().platformContext()->renderTarget()->QueryInterface(&bitmapTarget);
+    if (!SUCCEEDED(hr))
+        return nullptr;
 
     COMPtr<ID2D1Bitmap> image;
-    HRESULT hr = bitmapTarget->GetBitmap(&image);
+    hr = bitmapTarget->GetBitmap(&image);
     ASSERT(SUCCEEDED(hr));
 
     // FIXME: m_data.data is nullptr even when asking to copy backing store leading to test failures.
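Review bot: A `QueryInterface` failure now returns nullptr, but the `GetBitmap` failure two lines later is still only `ASSERT(SUCCEEDED(hr))`, so in a release build a failed call leaves `image` null and execution continues into the copy logic after the hunk; handle both the same way, `ASSERT(SUCCEEDED(hr)); if (FAILED(hr)) return nullptr;`. The four-line QueryInterface block is now duplicated verbatim in sinkIntoImage; a small static helper returning `COMPtr<ID2D1BitmapRenderTarget>` for a GraphicsContext would keep the two in step, and `!SUCCEEDED(hr)` reads better as `FAILED(hr)` in both. The body of copyNativeImage continues past this hunk.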