[webkit-reviews] review granted: [Bug 239107] REGRESSION(r282117): RemoteRenderingBackend::willDestroyImageBuffer() can crash if the RemoteRenderingBackend has already been destroyed : [Attachment 457713] Patch

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Apr 15 14:04:30 PDT 2022


Simon Fraser (smfr) <simon.fraser at apple.com> has granted Said Abou-Hallawa
<sabouhallawa at apple.com>'s request for review:
Bug 239107: REGRESSION(r282117):
RemoteRenderingBackend::willDestroyImageBuffer() can crash if the
RemoteRenderingBackend has already been destroyed
https://bugs.webkit.org/show_bug.cgi?id=239107

Attachment 457713: Patch

https://bugs.webkit.org/attachment.cgi?id=457713&action=review




--- Comment #11 from Simon Fraser (smfr) <simon.fraser at apple.com> ---
Comment on attachment 457713
  --> https://bugs.webkit.org/attachment.cgi?id=457713
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=457713&action=review

> Source/WebKit/GPUProcess/graphics/RemoteResourceCache.cpp:97
> +    // Unwind the context's state stack before destruction, since calls to
restore may not have
> +    // been flushed yet, or the web process may have terminated.
> +    auto& context = imageBuffer.context();
> +    while (context.stackSize())
> +	   context.restore();
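
Review bot: The loop "while (context.stackSize())" terminates only if every context.restore() call lowers stackSize(), and nothing in the quoted lines guarantees that, so a restore() that leaves the count unchanged would spin forever in the GPU process during ImageBuffer teardown. Consider reading the stack size once and calling restore() that many times, or asserting inside the loop that the size dropped. Also, the context.restore() line is indented with a tab mixed with spaces while the lines around it use spaces only.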

It's weird for this code, which uses the ImageBuffer's GraphicsContext, to live
here. This should be moved into an ImageBuffer function.

