[webkit-changes] [269285] trunk/Source/WebCore

[cdumez]

Title: [269285] trunk/Source/WebCore

Revision

269285

Author

cdu...@apple.com

Date

2020-11-02 20:20:38 -0800 (Mon, 02 Nov 2020)

Log Message

Crash under WebGLRenderingContextBase::scheduleTaskToDispatchContextLostEvent()
https://bugs.webkit.org/show_bug.cgi?id=218474

Reviewed by Geoffrey Garen.

After r269227, event loop tasks can get executed even after the script execution context
has been stopped. This introduce a flaky crash under:
WebGLRenderingContextBase::scheduleTaskToDispatchContextLostEvent()

This patch updates the function to not attempt to dispatch the event after the context
has been stopped.

No new tests, covered by the following tests that are flaky crashing in debug:
- webgl/1.0.3/conformance/glsl/misc/non-ascii-comments.vert.html
- webgl/2.0.0/conformance/glsl/bugs/sampler-array-using-loop-index.html

* html/canvas/WebGLRenderingContextBase.cpp:
(WebCore::WebGLRenderingContextBase::scheduleTaskToDispatchContextLostEvent):

Modified Paths

• trunk/Source/WebCore/ChangeLog
• trunk/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp

Diff

Modified: trunk/Source/WebCore/ChangeLog (269284 => 269285)

--- trunk/Source/WebCore/ChangeLog	2020-11-03 03:39:58 UTC (rev 269284)
+++ trunk/Source/WebCore/ChangeLog	2020-11-03 04:20:38 UTC (rev 269285)
@@ -1,5 +1,26 @@
 2020-11-02  Chris Dumez  <cdu...@apple.com>
 
+        Crash under WebGLRenderingContextBase::scheduleTaskToDispatchContextLostEvent()
+        https://bugs.webkit.org/show_bug.cgi?id=218474
+
+        Reviewed by Geoffrey Garen.
+
+        After r269227, event loop tasks can get executed even after the script execution context
+        has been stopped. This introduce a flaky crash under:
+        WebGLRenderingContextBase::scheduleTaskToDispatchContextLostEvent()
+
+        This patch updates the function to not attempt to dispatch the event after the context
+        has been stopped.
+
+        No new tests, covered by the following tests that are flaky crashing in debug:
+        - webgl/1.0.3/conformance/glsl/misc/non-ascii-comments.vert.html
+        - webgl/2.0.0/conformance/glsl/bugs/sampler-array-using-loop-index.html
+
+        * html/canvas/WebGLRenderingContextBase.cpp:
+        (WebCore::WebGLRenderingContextBase::scheduleTaskToDispatchContextLostEvent):
+
+2020-11-02  Chris Dumez  <cdu...@apple.com>
+
         REGRESSION (r269214): ASSERTION FAILED: m_state == CLOSED in WebCore::EventSource::abortConnectionAttempt
         https://bugs.webkit.org/show_bug.cgi?id=218457
         <rdar://problem/70963581>

Modified: trunk/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp (269284 => 269285)

--- trunk/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp	2020-11-03 03:39:58 UTC (rev 269284)
+++ trunk/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp	2020-11-03 04:20:38 UTC (rev 269285)
@@ -7408,6 +7408,9 @@
 
     // It is safe to capture |this| because we keep the canvas element alive and it owns |this|.
     queueTaskKeepingObjectAlive(*canvas, TaskSource::WebGL, [this, canvas] {
+        if (isContextStopped())
+            return;
+
         auto event = WebGLContextEvent::create(eventNames().webglcontextlostEvent, Event::CanBubble::No, Event::IsCancelable::Yes, emptyString());
         canvas->dispatchEvent(event);
         m_restoreAllowed = event->defaultPrevented();

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes