[Webkit-unassigned] [Bug 256262] HTMLCanvasElement is orphaned causing a HTMLDocument leak on YouTube video pages

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed May 3 16:52:14 PDT 2023


https://bugs.webkit.org/show_bug.cgi?id=256262

--- Comment #3 from Ryan Reno <rreno at apple.com> ---
YouTube appears to be drawing gradients in a canvas for use as background style information. It turns out that a CanvasRenderingContext2D will ref the HTMLCanvasElement when it is reffed. It also turns out that a CanvasGradient holds a Ref<> to the context.

CanvasStyle holds a Ref to a CanvasGradient. CanvasGradient holds a ref to CanvasRenderingContext. CanvasRenderingContext has a state stack which holds a Ref to a CanvasStyle.

In other words, a CanvasRenderingContext2D has a state stack which contains a circular reference to itself. This State object is never removed from the stack. I verified from lldb that the CanvasStyle is assigned to the State::fillStyle field but that the stack is never modified again.
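To make the retain cycle described in the comment concrete, here is an added model (not WebKit code) of the ownership graph it lays out, with std::shared_ptr standing in for Ref<>; the class names are the page's, their member layout and the `breakCycle` knob are assumptions.

```cpp
#include <memory>
#include <vector>

// Constructed model of the ownership graph from the comment:
//   CanvasStyle -> CanvasGradient -> CanvasRenderingContext2D -> state stack -> CanvasStyle
// std::shared_ptr stands in for WebKit's Ref<>; member layout is assumed.
struct CanvasRenderingContext2D;

struct CanvasGradient {
    std::shared_ptr<CanvasRenderingContext2D> context;  // strong ref to the context
};

struct CanvasStyle {
    std::shared_ptr<CanvasGradient> gradient;           // strong ref to the gradient
};

struct State {
    std::shared_ptr<CanvasStyle> fillStyle;             // strong ref to the style
};

struct CanvasRenderingContext2D {
    std::vector<State> stateStack{State{}};             // one entry, never popped
};

// Builds the cycle, drops every external handle, and reports whether the
// context is still alive (observed through a weak_ptr, which does not keep
// it alive). With breakCycle == true the state stack is cleared first,
// cutting the context -> style edge so every refcount can reach zero.
bool contextStillAlive(bool breakCycle) {
    std::weak_ptr<CanvasRenderingContext2D> probe;
    {
        auto context = std::make_shared<CanvasRenderingContext2D>();
        probe = context;

        auto gradient = std::make_shared<CanvasGradient>();
        gradient->context = context;                    // gradient -> context
        auto style = std::make_shared<CanvasStyle>();
        style->gradient = gradient;                     // style -> gradient
        context->stateStack.back().fillStyle = style;   // context -> state -> style

        if (breakCycle)
            context->stateStack.clear();                // cut the cycle from the context side
    }   // all local shared_ptrs are released here
    return !probe.expired();                            // true means the cycle kept it alive
}
```

The same weak_ptr probe pattern is a cheap way to assert in a unit test that an object graph actually tears down once its last external owner goes away.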
