Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 62d001fb2754976db94ffa8a1a47c07f7804b9f0
      
https://github.com/WebKit/WebKit/commit/62d001fb2754976db94ffa8a1a47c07f7804b9f0
  Author: Ruthvik Konda <[email protected]>
  Date:   2026-03-13 (Fri, 13 Mar 2026)

  Changed paths:
    A LayoutTests/fast/canvas/offscreen-webgl-transfer-after-navigation-crash-expected.txt
    A LayoutTests/fast/canvas/offscreen-webgl-transfer-after-navigation-crash.html
    M Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp

  Log Message:
  -----------
  OffscreenCanvas.transferToImageBitmap() crashes after navigation when WebGL context is lost
https://bugs.webkit.org/show_bug.cgi?id=309828
rdar://171699663

Reviewed by Kimmo Kinnunen.

Add missing isContextLost() guard to WebGLRenderingContextBase::transferToImageBuffer().

When an OffscreenCanvas with a WebGL context calls transferToImageBitmap() after
navigation.navigate(), the document teardown calls stop() which force-loses the
context and destroys the GraphicsContextGL. transferToImageBuffer() then accesses
m_defaultFramebuffer->size() which dereferences the null graphicsContextGL pointer.

Every other method that accesses m_defaultFramebuffer->size() (drawingBufferWidth,
drawingBufferHeight, drawingBufferToPixelBuffer) already guards with isContextLost().
transferToImageBuffer() was missing this guard since commit 163003d0cfa2 refactored
it to use m_defaultFramebuffer->size() directly.

Added layout test that creates a WebGL OffscreenCanvas, triggers navigation, then
calls transferToImageBitmap(). Without the fix, the WebContent process crashes during
document teardown. With the fix, the isContextLost() guard returns early and the test
completes without crashing.

Test: fast/canvas/offscreen-webgl-transfer-after-navigation-crash.html

* LayoutTests/fast/canvas/offscreen-webgl-transfer-after-navigation-crash-expected.txt: Added.
* LayoutTests/fast/canvas/offscreen-webgl-transfer-after-navigation-crash.html: Added.
* Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp:
(WebCore::WebGLRenderingContextBase::transferToImageBuffer):

Canonical link: https://commits.webkit.org/309187@main
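The sequence the commit message describes (WebGL OffscreenCanvas, then navigation.navigate(), then transferToImageBitmap() once the context has been force-lost), written up as a constructed reproduction page in the style of a WebKit layout test. This is an added example, not the layout test the commit adds, and it is not WebKit code. Assumptions: the transferToImageBitmap() call is placed in a pagehide handler and immediately after navigate() on the guess that one of those runs late enough in document teardown to hit the lost context; about:blank is a placeholder navigation target; testRunner is the WebKit test-harness object and is absent in a normal browser, so the page also runs standalone and just prints its log.

```html
<!DOCTYPE html>
<html>
<body>
<pre id="log"></pre>
<script>
// Constructed reproduction of the sequence in the commit message (added example,
// not the committed layout test). With the isContextLost() guard in place the
// expected outcome is that every step below logs and the WebContent process
// survives document teardown; without it the process crashes during teardown.
if (window.testRunner) {
    testRunner.dumpAsText();
    testRunner.waitUntilDone();
}

function log(msg) {
    document.getElementById("log").textContent += msg + "\n";
}

function finish() {
    if (window.testRunner)
        testRunner.notifyDone();
}

// 1. OffscreenCanvas with a live WebGL context.
const canvas = new OffscreenCanvas(64, 64);
const gl = canvas.getContext("webgl");
if (!gl) {
    log("FAIL: could not create a webgl context");
    finish();
} else {
    gl.clearColor(1, 0, 0, 1);
    gl.clear(gl.COLOR_BUFFER_BIT);

    // 2. Call transferToImageBitmap() after the context has (probably) been
    //    force-lost by stop(). The call site is an assumption of this example;
    //    isContextLost() is logged so the reader can see which state was hit.
    function transferAfterLoss(where) {
        try {
            log(where + ": isContextLost=" + gl.isContextLost());
            const bitmap = canvas.transferToImageBitmap();
            log(where + ": transferToImageBitmap returned " + bitmap.width + "x" + bitmap.height);
        } catch (e) {
            log(where + ": transferToImageBitmap threw " + e.name);
        }
    }

    window.addEventListener("pagehide", () => {
        transferAfterLoss("pagehide");
        finish();
    });

    // 3. Trigger the navigation. Target URL is a placeholder for the example.
    if (window.navigation) {
        navigation.navigate("about:blank"); // assumed target
        transferAfterLoss("after navigate()");
    } else {
        log("FAIL: Navigation API not available");
        finish();
    }

    // Safety net so the harness does not hang if pagehide never fires.
    setTimeout(finish, 2000);
}
</script>
</body>
</html>
```

Run it as a layout test with run-webkit-tests, or open it directly in a build with and without the guard; the interesting observation is not the logged text but whether the WebContent process survives the navigation.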
