Title: [264931] trunk
Revision: 264931
Author: d...@apple.com
Date: 2020-07-27 10:58:48 -0700 (Mon, 27 Jul 2020)

Log Message

Repeatable WebContent crash: WebCore::jsWebGLRenderingContextPrototypeFunctionGetError
https://bugs.webkit.org/show_bug.cgi?id=214814
rdar://59290537

Reviewed by Anders Carlsson.

Source/WebCore:

If a WebGL context was killed due to too many contexts
in the page, we would get a null pointer crash if
the page called getError() more than once on it.
This is an edge case not covered by the WebGL conformance
suite since the recycling behaviour is specific to our
implementation.

Test: fast/canvas/webgl/recycle-contexts.html

* html/canvas/WebGLRenderingContextBase.cpp:
(WebCore::WebGLRenderingContextBase::getError): Add a null check.

LayoutTests:

* fast/canvas/webgl/recycle-contexts-expected.html: Added.
* fast/canvas/webgl/recycle-contexts.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (264930 => 264931)


--- trunk/LayoutTests/ChangeLog	2020-07-27 17:31:00 UTC (rev 264930)
+++ trunk/LayoutTests/ChangeLog	2020-07-27 17:58:48 UTC (rev 264931)
@@ -1,3 +1,14 @@
+2020-07-27  Dean Jackson  <d...@apple.com>
+
+        Repeatable WebContent crash: WebCore::jsWebGLRenderingContextPrototypeFunctionGetError
+        https://bugs.webkit.org/show_bug.cgi?id=214814
+        rdar://59290537
+
+        Reviewed by Anders Carlsson.
+
+        * fast/canvas/webgl/recycle-contexts-expected.html: Added.
+        * fast/canvas/webgl/recycle-contexts.html: Added.
+
 2020-07-27  Youenn Fablet  <you...@apple.com>
 
         scaleResolutionDownBy has no effect on RTCRtpSender

Added: trunk/LayoutTests/fast/canvas/webgl/recycle-contexts-expected.html (0 => 264931)


--- trunk/LayoutTests/fast/canvas/webgl/recycle-contexts-expected.html	                        (rev 0)
+++ trunk/LayoutTests/fast/canvas/webgl/recycle-contexts-expected.html	2020-07-27 17:58:48 UTC (rev 264931)
@@ -0,0 +1,2 @@
+<!DOCTYPE html>
+<h1>Should not crash</h1>

Added: trunk/LayoutTests/fast/canvas/webgl/recycle-contexts.html (0 => 264931)


--- trunk/LayoutTests/fast/canvas/webgl/recycle-contexts.html	                        (rev 0)
+++ trunk/LayoutTests/fast/canvas/webgl/recycle-contexts.html	2020-07-27 17:58:48 UTC (rev 264931)
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<script>
+function run() {
+    const contexts = [];
+    for (let i = 0; i < 50; i++) {
+        const c = document.createElement("canvas");
+        const ctx = c.getContext("webgl");
+        ctx.clearColor(0, 1, 0, 1);
+        ctx.clear(ctx.COLOR_BUFFER_BIT);
+        contexts.push(ctx);
+    }
+    contexts.forEach(ctx => {
+        ctx.getError();
+        ctx.getError();
+        ctx.getError();
+        ctx.getError();
+    });
+}
+
+window.addEventListener("load", run, false);
+</script>
+<h1>Should not crash</h1>
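Review bot: the loop in run() dereferences `ctx` unconditionally right after `const ctx = c.getContext("webgl");`, so if getContext() returns null for any of the 50 canvases (WebGL unavailable, or context creation refused once the limit is hit) the test throws a TypeError at `ctx.clearColor(...)` and never reaches the getError() calls that actually exercise the fix; add `if (!ctx) continue;` after the getContext() call. Also, the test relies on an implementation-specific context limit being lower than 50 that is not stated anywhere in the hunk; a one-line comment giving that expectation, or a check that at least one context reports isContextLost() before the getError() loop, would make it clear the recycled-context path is really being hit rather than passing vacuously.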

Modified: trunk/Source/WebCore/ChangeLog (264930 => 264931)


--- trunk/Source/WebCore/ChangeLog	2020-07-27 17:31:00 UTC (rev 264930)
+++ trunk/Source/WebCore/ChangeLog	2020-07-27 17:58:48 UTC (rev 264931)
@@ -1,3 +1,23 @@
+2020-07-27  Dean Jackson  <d...@apple.com>
+
+        Repeatable WebContent crash: WebCore::jsWebGLRenderingContextPrototypeFunctionGetError
+        https://bugs.webkit.org/show_bug.cgi?id=214814
+        rdar://59290537
+
+        Reviewed by Anders Carlsson.
+
+        If a WebGL context was killed due to too many contexts
+        in the page, we would get a null pointer crash if
+        the page called getError() more than once on it.
+        This is an edge case not covered by the WebGL conformance
+        suite since the recyling behaviour is specific to our
+        implementation.
+
+        Test: fast/canvas/webgl/recycle-contexts.html
+
+        * html/canvas/WebGLRenderingContextBase.cpp:
+        (WebCore::WebGLRenderingContextBase::getError): Add a null check.
+
 2020-07-27  Youenn Fablet  <you...@apple.com>
 
         scaleResolutionDownBy has no effect on RTCRtpSender
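Review bot: typo in the ChangeLog entry, "suite since the recyling behaviour is specific to our" should read "recycling".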

Modified: trunk/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp (264930 => 264931)


--- trunk/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp	2020-07-27 17:31:00 UTC (rev 264930)
+++ trunk/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp	2020-07-27 17:58:48 UTC (rev 264931)
@@ -2879,7 +2879,7 @@
 
 GCGLenum WebGLRenderingContextBase::getError()
 {
-    if (m_isPendingPolicyResolution)
+    if (!m_context || m_isPendingPolicyResolution)
         return GraphicsContextGL::NO_ERROR;
     return m_context->getError();
 }
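Review bot: the new `!m_context` check makes getError() answer NO_ERROR for a context whose backing GraphicsContextGL has already been torn down, which silently reports the killed context as healthy; the WebGL spec expects a lost context to report CONTEXT_LOST_WEBGL once before returning NO_ERROR, so please confirm that the recycling path (not visible in this hunk) has already surfaced that error before m_context is cleared, and add a short comment here saying why NO_ERROR is the intended answer once m_context is null so the next reader does not mistake this for a missing CONTEXT_LOST_WEBGL.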
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes