Title: [276895] trunk
Revision
276895
Author
[email protected]
Date
2021-05-03 02:29:48 -0700 (Mon, 03 May 2021)

Log Message

Decoding an SVG off the main thread causes a crash
https://bugs.webkit.org/show_bug.cgi?id=206055

Reviewed by Darin Adler.

LayoutTests/imported/w3c:

Rebaseline OffscreenCanvas SVG tests.

* web-platform-tests/html/canvas/offscreen/drawing-images-to-the-canvas/2d.drawImage.zerosource.image.worker-expected.txt:

Source/WebCore:

Use BitmapImage::create instead of Image::create in ImageBitmap. This
bypasses use of SVGImage and PDFDocumentImage, which are not safe to
use off the main thread.

No new tests, rebaselined existing tests.

* html/ImageBitmap.cpp:
(WebCore::ImageBitmap::createFromBuffer):
  Use BitmapImage instead of Image.

* platform/graphics/Image.cpp:
(WebCore::Image::create):
  Add main-thread assert on Image creation.

LayoutTests:

Enable OffscreenCanvas SVG tests.

* platform/glib/TestExpectations:

Diff

Modified: trunk/LayoutTests/ChangeLog (276894 => 276895)


--- trunk/LayoutTests/ChangeLog	2021-05-03 09:24:34 UTC (rev 276894)
+++ trunk/LayoutTests/ChangeLog	2021-05-03 09:29:48 UTC (rev 276895)
@@ -1,3 +1,14 @@
+2021-05-03  Chris Lord  <[email protected]>
+
+        Decoding an SVG off the main thread causes a crash
+        https://bugs.webkit.org/show_bug.cgi?id=206055
+
+        Reviewed by Darin Adler.
+
+        Enable OffscreenCanvas SVG tests.
+
+        * platform/glib/TestExpectations:
+
 2021-05-03  Diego Pino Garcia  <[email protected]>
 
         [GLIB][GTK] Unreviewed test gardening. Updated expectations with latest failures from GTK release bot.

Modified: trunk/LayoutTests/imported/w3c/ChangeLog (276894 => 276895)


--- trunk/LayoutTests/imported/w3c/ChangeLog	2021-05-03 09:24:34 UTC (rev 276894)
+++ trunk/LayoutTests/imported/w3c/ChangeLog	2021-05-03 09:29:48 UTC (rev 276895)
@@ -1,3 +1,14 @@
+2021-05-03  Chris Lord  <[email protected]>
+
+        Decoding an SVG off the main thread causes a crash
+        https://bugs.webkit.org/show_bug.cgi?id=206055
+
+        Reviewed by Darin Adler.
+
+        Rebaseline OffscreenCanvas SVG tests.
+
+        * web-platform-tests/html/canvas/offscreen/drawing-images-to-the-canvas/2d.drawImage.zerosource.image.worker-expected.txt:
+
 2021-05-02  Sam Weinig  <[email protected]>
 
         Consider removing imported/w3c/canvas and canvas/philip (Part 2)

Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/html/canvas/offscreen/drawing-images-to-the-canvas/2d.drawImage.zerosource.image.worker-expected.txt (276894 => 276895)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/html/canvas/offscreen/drawing-images-to-the-canvas/2d.drawImage.zerosource.image.worker-expected.txt	2021-05-03 09:24:34 UTC (rev 276894)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/html/canvas/offscreen/drawing-images-to-the-canvas/2d.drawImage.zerosource.image.worker-expected.txt	2021-05-03 09:29:48 UTC (rev 276895)
@@ -1,3 +1,3 @@
 
-PASS drawImage with zero-sized source rectangle from image throws INDEX_SIZE_ERR
+PASS drawImage with zero-sized source rectangle from image draws nothing without exception
 
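Review bot: the rebaselined line changes the recorded subtest description from "throws INDEX_SIZE_ERR" to "draws nothing without exception", which reads as an upstream rename of the WPT subtest rather than a behaviour change introduced by this patch; since the test was skipped until this commit (see the TestExpectations hunk below), the old baseline could not have been exercised, so the ChangeLog should say the baseline was stale rather than just "rebaseline".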

Modified: trunk/LayoutTests/platform/glib/TestExpectations (276894 => 276895)


--- trunk/LayoutTests/platform/glib/TestExpectations	2021-05-03 09:24:34 UTC (rev 276894)
+++ trunk/LayoutTests/platform/glib/TestExpectations	2021-05-03 09:29:48 UTC (rev 276895)
@@ -710,8 +710,6 @@
 webkit.org/b/203146 fast/canvas/offscreen-enabled.html [ Pass ]
 webkit.org/b/203146 http/wpt/offscreen-canvas [ Pass ]
 webkit.org/b/203146 imported/w3c/web-platform-tests/html/canvas/offscreen [ Pass ]
-webkit.org/b/206055 imported/w3c/web-platform-tests/html/canvas/offscreen/drawing-images-to-the-canvas/2d.drawImage.svg.worker.html [ Skip ]
-webkit.org/b/206055 imported/w3c/web-platform-tests/html/canvas/offscreen/drawing-images-to-the-canvas/2d.drawImage.zerosource.image.worker.html [ Skip ]
 
 # Console log lines may appear in a different order so we silence them.
 imported/w3c/web-platform-tests/html/canvas/offscreen/convert-to-blob/offscreencanvas.convert.to.blob.w.html [ DumpJSConsoleLogInStdErr ]
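Review bot: both Skip lines are removed, but only 2d.drawImage.zerosource.image.worker.html receives an updated expectation in this patch; 2d.drawImage.svg.worker.html is re-enabled with no expectation change, so confirm it passes on GLib with its existing baseline rather than merely no longer crashing. The ChangeLog line "Enable OffscreenCanvas SVG tests" also covers only one SVG test here; naming both re-enabled tests would make the entry accurate.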

Modified: trunk/Source/WebCore/ChangeLog (276894 => 276895)


--- trunk/Source/WebCore/ChangeLog	2021-05-03 09:24:34 UTC (rev 276894)
+++ trunk/Source/WebCore/ChangeLog	2021-05-03 09:29:48 UTC (rev 276895)
@@ -1,3 +1,24 @@
+2021-05-03  Chris Lord  <[email protected]>
+
+        Decoding an SVG off the main thread causes a crash
+        https://bugs.webkit.org/show_bug.cgi?id=206055
+
+        Reviewed by Darin Adler.
+
+        Use BitmapImage::create instead of Image::create in ImageBitmap. This
+        bypasses use of SVGImage and PDFDocumentImage, which are not safe to
+        use off the main thread.
+
+        No new tests, rebaselined existing tests.
+
+        * html/ImageBitmap.cpp:
+        (WebCore::ImageBitmap::createFromBuffer):
+          Use BitmapImage instead of Image.
+
+        * platform/graphics/Image.cpp:
+        (WebCore::Image::create):
+          Add main-thread assert on Image creation.
+
 2021-05-03  Rob Buis  <[email protected]>
 
         getPropertyValue for url path doesn't return the "#" character

Modified: trunk/Source/WebCore/html/ImageBitmap.cpp (276894 => 276895)


--- trunk/Source/WebCore/html/ImageBitmap.cpp	2021-05-03 09:24:34 UTC (rev 276894)
+++ trunk/Source/WebCore/html/ImageBitmap.cpp	2021-05-03 09:29:48 UTC (rev 276895)
@@ -736,12 +736,7 @@
 
     auto sharedBuffer = SharedBuffer::create(static_cast<const char*>(arrayBuffer->data()), arrayBuffer->byteLength());
     auto observer = ImageBitmapImageObserver::create(mimeType, expectedContentLength, sourceURL);
-    auto image = Image::create(observer.get());
-    if (!image) {
-        promise.reject(InvalidStateError, "The type of the argument to createImageBitmap is not supported");
-        return;
-    }
-
+    auto image = BitmapImage::create(observer.ptr());
     auto result = image->setData(sharedBuffer.copyRef(), true);
     if (result != EncodedDataStatus::Complete) {
         promise.reject(InvalidStateError, "Cannot decode the data in the argument to createImageBitmap");
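Review bot: switching unconditionally to BitmapImage::create changes main-thread behaviour as well as worker behaviour. Image::create (see the Image.cpp hunk) dispatches image/svg+xml to SVGImage, so createImageBitmap() on a Blob containing SVG that previously decoded on the main thread now falls through to the "Cannot decode the data" rejection. If that regression is intended it should be stated in the ChangeLog; otherwise keep Image::create behind isMainThread() and use BitmapImage::create only off the main thread. Dropping the null check is fine provided BitmapImage::create returns a Ref, but the separate "type of the argument ... is not supported" rejection is lost, so unsupported types and corrupt data now reject with the same message.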
@@ -762,7 +757,7 @@
     }
 
     FloatRect destRect(FloatPoint(), outputSize);
-    bitmapData->context().drawImage(*image, destRect, sourceRectangle.releaseReturnValue(), { interpolationQualityForResizeQuality(options.resizeQuality), imageOrientationForOrientation(options.imageOrientation) });
+    bitmapData->context().drawImage(image, destRect, sourceRectangle.releaseReturnValue(), { interpolationQualityForResizeQuality(options.resizeQuality), imageOrientationForOrientation(options.imageOrientation) });
 
     OptionSet<SerializationState> serializationState = SerializationState::OriginClean;
     if (alphaPremultiplicationForPremultiplyAlpha(options.premultiplyAlpha) == AlphaPremultiplication::Premultiplied)

Modified: trunk/Source/WebCore/platform/graphics/Image.cpp (276894 => 276895)


--- trunk/Source/WebCore/platform/graphics/Image.cpp	2021-05-03 09:24:34 UTC (rev 276894)
+++ trunk/Source/WebCore/platform/graphics/Image.cpp	2021-05-03 09:29:48 UTC (rev 276895)
@@ -64,6 +64,10 @@
 
 RefPtr<Image> Image::create(ImageObserver& observer)
 {
+    // SVGImage and PDFDocumentImage are not safe to use off the main thread.
+    // Workers can use BitmapImage directly.
+    ASSERT(isMainThread());
+
     auto mimeType = observer.mimeType();
     if (mimeType == "image/svg+xml")
         return SVGImage::create(observer);
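Review bot: ASSERT(isMainThread()) only fires in debug builds; in release a worker reaching this function with an image/svg+xml or PDF MIME type would still construct the image the comment says is unsafe. Either a RELEASE_ASSERT, or falling back to BitmapImage::create when !isMainThread(), would make the guarantee hold in shipping builds. Also confirm wtf/MainThread.h is already included by this file, since the hunk adds no include for isMainThread().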
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes