[webkit-changes] [WebKit/WebKit] 82d104: Nullptr crash in ImageBitmap::createCompletionHand...

[mwyrzykowski]

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 82d104c1fefcc75f0723565c35978babf4b2af28
      https://github.com/WebKit/WebKit/commit/82d104c1fefcc75f0723565c35978babf4b2af28
  Author: Mike Wyrzykowski <mwyrzykowski at apple.com>
  Date:   2024-06-11 (Tue, 11 Jun 2024)

  Changed paths:
    A LayoutTests/http/wpt/2dcontext/imagebitmap/nullptrcrash-when-gpu-process-times-out-expected.txt
    A LayoutTests/http/wpt/2dcontext/imagebitmap/nullptrcrash-when-gpu-process-times-out.html
    M Source/WebCore/html/ImageBitmap.cpp

  Log Message:
  -----------
  Nullptr crash in ImageBitmap::createCompletionHandler when GPU process takes too long to initialize
https://bugs.webkit.org/show_bug.cgi?id=275325
<radar://129354725>

Reviewed by Said Abou-Hallawa.

BitmapImage::create returns nullptr when existingImageBitmap->buffer()->copyNativeImage()
returns nullptr. This resulted in a nullptr crash.

ImageBuffer::copyNativeImage() will return nullptr if the GPU process takes too long to initialize. This
occurs when the call to waitForAndDispatchImmediately() in RemoteImageBufferProxy::ensureBackend()
takes longer than the GPUP timeout which is 3_s. This reproduces easily in ASAN since process startup
takes longer in an ASAN build.

Fix this by returning a blank image buffer in this case as we do
if bitmapData is nullptr.

* Source/WebCore/html/ImageBitmap.cpp:
(WebCore::ImageBitmap::createCompletionHandler):

* LayoutTests/http/wpt/2dcontext/imagebitmap/nullptrcrash-when-gpu-process-times-out-expected.txt: Added.
* LayoutTests/http/wpt/2dcontext/imagebitmap/nullptrcrash-when-gpu-process-times-out.html: Renamed from LayoutTests/fast/webgpu/nocrash/fuzz-275325.html.
Add regression test.

Canonical link: https://commits.webkit.org/279924@main



To unsubscribe from these emails, change your notification settings at https://github.com/WebKit/WebKit/settings/notifications