[webkit-changes] [WebKit/WebKit] 807850: Crash in WebGLRenderingContextBase::reshape when c...

Thu Aug 10 18:47:49 PDT 2023

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 807850b2a46175ffa1434a242589b2c792a04df7
      https://github.com/WebKit/WebKit/commit/807850b2a46175ffa1434a242589b2c792a04df7
  Author: Kimmo Kinnunen <kkinnunen at apple.com>
  Date:   2023-08-10 (Thu, 10 Aug 2023)

  Changed paths:
    M LayoutTests/platform/glib/TestExpectations
    A LayoutTests/webgl/webgl-fail-after-context-creation-no-crash-expected.txt
    A LayoutTests/webgl/webgl-fail-after-context-creation-no-crash.html
    R LayoutTests/webgl/webgl-fail-remote-context-ipc-buffer-allocation-no-crash-expected.txt
    R LayoutTests/webgl/webgl-fail-remote-context-ipc-buffer-allocation-no-crash.html
    M Source/WebCore/html/canvas/OESVertexArrayObject.cpp
    M Source/WebCore/html/canvas/WebGL2RenderingContext.cpp
    M Source/WebCore/html/canvas/WebGL2RenderingContext.h
    M Source/WebCore/html/canvas/WebGLContextAttributes.idl
    M Source/WebCore/html/canvas/WebGLContextGroup.h
    M Source/WebCore/html/canvas/WebGLRenderingContext.cpp
    M Source/WebCore/html/canvas/WebGLRenderingContext.h
    M Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp
    M Source/WebCore/html/canvas/WebGLRenderingContextBase.h
    M Source/WebCore/html/canvas/WebGLTransformFeedback.cpp
    M Source/WebCore/html/canvas/WebGLTransformFeedback.h
    M Source/WebCore/html/canvas/WebGLVertexArrayObject.cpp
    M Source/WebCore/html/canvas/WebGLVertexArrayObject.h
    M Source/WebCore/html/canvas/WebGLVertexArrayObjectOES.cpp
    M Source/WebCore/html/canvas/WebGLVertexArrayObjectOES.h
    M Source/WebCore/platform/graphics/GraphicsContextGL.cpp
    M Source/WebCore/platform/graphics/GraphicsContextGL.h
    M Source/WebCore/platform/graphics/GraphicsContextGLAttributes.h
    M Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in
    M Source/WebKit/WebProcess/GPU/graphics/RemoteGraphicsContextGLProxy.cpp

  Log Message:
  -----------
  Crash in WebGLRenderingContextBase::reshape when context is lost during initialization
https://bugs.webkit.org/show_bug.cgi?id=258958
rdar://111695432

Reviewed by Dan Glastonbury.

Any synchoronous, result returning RemoteGraphicsContextGLProxy call may
fail, returning empty result. The WebGLRenderingContextBase /
WebGL2RenderingContext initialization did not account for this. This
would lead to scenario where querying for, say, MAX_VIEWPORT_DIMS would
return 0.

If the context loss happened before GraphicsContextGL::setClient() was
done, WebGLRenderingContextBase would not mark the rendering context
state lost.

This would happen, for example, in case where new context would be
created on a GPUP that was hung. The initialization message (WasCreated)
would never arrive, and timeout would mark the context lost. The caller
would not notice this and initialize the context with viewport
dimensions zero. Later, reshape would abort due to width std::clamp
having min dimension 1 and max 0.

Fix by:
- Move the setClient() after initialization, so that general purpose
  context loss behavior is not triggered for initialization. The
  failure to reinitialize after context loss must not trigger the
  general logic, e.g. the context lost event.
- Track the RemoteGraphicsContextGLProxy context loss state in new
  function GraphicsContextGL::isContextLost(). This allows detecting
  the context loss without having the Client installed.
- Write GL calls in the initialization path with the expectation that
  any call can fail. This means avoid using the public API, since
  the isContextLost() is inconsistent for the initialization.
- When reinitializing a lost context, reset the context loss state
  only if the initialization succeeds.

Other parts of WebGL calls still suffer from the problem of not
expecting any call to fail. These will be addressed in other patches.

* LayoutTests/webgl/webgl-fail-after-context-creation-no-crash-expected.txt: Added.
* LayoutTests/webgl/webgl-fail-after-context-creation-no-crash.html: Added.
* LayoutTests/webgl/webgl-fail-remote-context-ipc-buffer-allocation-no-crash-expected.txt: Removed.
* LayoutTests/webgl/webgl-fail-remote-context-ipc-buffer-allocation-no-crash.html: Removed.
* Source/WebCore/html/canvas/OESVertexArrayObject.cpp:
(WebCore::OESVertexArrayObject::createVertexArrayOES):
* Source/WebCore/html/canvas/WebGL2RenderingContext.cpp:
(WebCore::WebGL2RenderingContext::create):
(WebCore::WebGL2RenderingContext::initializeContextState):
(WebCore::WebGL2RenderingContext::initializeVertexArrayObjects):
(WebCore::WebGL2RenderingContext::createTransformFeedback):
(WebCore::WebGL2RenderingContext::createVertexArray):
(WebCore::WebGL2RenderingContext::WebGL2RenderingContext): Deleted.
(WebCore::WebGL2RenderingContext::initializeNewContext): Deleted.
* Source/WebCore/html/canvas/WebGL2RenderingContext.h:
* Source/WebCore/html/canvas/WebGLContextAttributes.idl:
* Source/WebCore/html/canvas/WebGLContextGroup.h:
* Source/WebCore/html/canvas/WebGLRenderingContext.cpp:
(WebCore::WebGLRenderingContext::create):
(WebCore::WebGLRenderingContext::initializeVertexArrayObjects):
(WebCore::WebGLRenderingContext::WebGLRenderingContext): Deleted.
* Source/WebCore/html/canvas/WebGLRenderingContext.h:
* Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp:
(WebCore::WebGLRenderingContextBase::create):
(WebCore::WebGLRenderingContextBase::WebGLRenderingContextBase):
(WebCore::WebGLRenderingContextBase::initializeNewContext):
(WebCore::WebGLRenderingContextBase::initializeContextState):
(WebCore::WebGLRenderingContextBase::addActivityStateChangeObserverIfNecessary):
(WebCore::WebGLRenderingContextBase::setBoundVertexArrayObject):
(WebCore::WebGLRenderingContextBase::addSharedObject):
(WebCore::WebGLRenderingContextBase::maybeRestoreContext):
(WebCore::WebGLRenderingContextBase::setGraphicsContextGL): Deleted.
* Source/WebCore/html/canvas/WebGLRenderingContextBase.h:
* Source/WebCore/html/canvas/WebGLTransformFeedback.cpp:
(WebCore::WebGLTransformFeedback::create):
(WebCore::WebGLTransformFeedback::WebGLTransformFeedback):
* Source/WebCore/html/canvas/WebGLTransformFeedback.h:
* Source/WebCore/html/canvas/WebGLVertexArrayObject.cpp:
(WebCore::WebGLVertexArrayObject::create):
(WebCore::WebGLVertexArrayObject::WebGLVertexArrayObject):
* Source/WebCore/html/canvas/WebGLVertexArrayObject.h:
* Source/WebCore/html/canvas/WebGLVertexArrayObjectOES.cpp:
(WebCore::WebGLVertexArrayObjectOES::createDefault):
(WebCore::WebGLVertexArrayObjectOES::createUser):
(WebCore::WebGLVertexArrayObjectOES::WebGLVertexArrayObjectOES):
(WebCore::WebGLVertexArrayObjectOES::create): Deleted.
* Source/WebCore/html/canvas/WebGLVertexArrayObjectOES.h:
* Source/WebCore/platform/graphics/GraphicsContextGL.cpp:
(WebCore::GraphicsContextGL::forceContextLost):
* Source/WebCore/platform/graphics/GraphicsContextGL.h:
(WebCore::GraphicsContextGL::isContextLost const):
* Source/WebCore/platform/graphics/GraphicsContextGLAttributes.h:
* Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in:
* Source/WebKit/WebProcess/GPU/graphics/RemoteGraphicsContextGLProxy.cpp:
(WebKit::RemoteGraphicsContextGLProxy::create):
(WebKit::RemoteGraphicsContextGLProxy::initializeIPC):

Canonical link: https://commits.webkit.org/266803@main