[Webkit-unassigned] [Bug 275999] New: REGRESSION(276827 at main): Prevent BitmapImageSource from accessing a null ImageDecoder

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Jun 28 10:33:16 PDT 2024


https://bugs.webkit.org/show_bug.cgi?id=275999

            Bug ID: 275999
           Summary: REGRESSION(276827 at main): Prevent BitmapImageSource
                    from accessing a null ImageDecoder
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Images
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: sabouhallawa at apple.com
                CC: sabouhallawa at apple.com

If BitmapImageSource returns EncodedDataStatus::Complete to CachedImage once and was able to get the size of this image, its owner BitmapImage will be marked as a valid (not broken) image. It is supposed to always have a valid m_decoder pointer, even if we call resetData(), which deletes m_decoder because of memory pressure. resetData() will try to recreate the ImageDecoder from the Image's encoded data, and it is supposed to be able to recreate it since it did create it before with the same encoded data.

It seems this assumption is not always correct, and we may not be able to recreate the ImageDecoder because of memory limitations.

Before 276827 at main we were able to handle this case safely. Below is the calling sequence we go through to decode and draw an ImageFrame. In the old ImageSource::frameAtIndexCacheIfNeeded(), if the decoder was null, we used to return a null NativeImage without accessing the decoder:

ImageDrawResult BitmapImage::draw(GraphicsContext& context, const FloatRect& destRect, const FloatRect& requestedSrcRect, ImagePaintingOptions options)
{
    ...
    image = nativeImageAtIndexCacheIfNeeded(m_currentFrame, m_currentSubsamplingLevel, options.decodingMode());
    ...
}

RefPtr<NativeImage> BitmapImage::nativeImageAtIndexCacheIfNeeded(size_t index, SubsamplingLevel subsamplingLevel, const DecodingOptions& decodingOptions)
{
    ...
    return m_source->frameImageAtIndexCacheIfNeeded(index, subsamplingLevel, decodingOptions);
}


RefPtr<NativeImage> ImageSource::frameImageAtIndexCacheIfNeeded(size_t index, SubsamplingLevel subsamplingLevel, const DecodingOptions& decodingOptions)
{
    return frameAtIndexCacheIfNeeded(index, ImageFrame::Caching::MetadataAndImage, subsamplingLevel, decodingOptions).nativeImage();
}


const ImageFrame& ImageSource::frameAtIndexCacheIfNeeded(size_t index, ImageFrame::Caching caching, const std::optional<SubsamplingLevel>& subsamplingLevel, const DecodingOptions& decodingOptions)
{
    ...   
    ImageFrame& frame = m_frames[index];
    if (!isDecoderAvailable() || frameIsBeingDecodedAndIsCompatibleWithOptionsAtIndex(index, DecodingOptions(DecodingMode::Asynchronous)))
        return frame;
    ...
}
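As an added illustration (not WebKit code, and not from the reporter): the C++ below models the lifecycle the report describes using hypothetical stand-in classes whose names mirror WebKit's. A global flag stands in for the memory-pressure condition under which decoder creation fails; resetData() drops the decoder and tries to rebuild it, and the frame lookup keeps the isDecoderAvailable() guard from the old code so that a draw after a failed rebuild yields a null NativeImage instead of dereferencing a null decoder. The encoded bytes are constructed sample input.

```cpp
// Added example (not WebKit code): a minimal model of the decoder lifecycle
// described in the report. Names mirror WebKit's for readability, but every
// class here is a hypothetical stand-in, not the real BitmapImageSource.
#include <cstddef>
#include <memory>
#include <utility>
#include <vector>

struct NativeImage { int width; int height; };

// Stand-in for WebKit's ImageDecoder: created from the encoded bytes.
struct ImageDecoder {
    explicit ImageDecoder(const std::vector<unsigned char>& data) : encoded(data) {}
    std::shared_ptr<NativeImage> decodeFrame(size_t /*index*/) const {
        return std::make_shared<NativeImage>(NativeImage{16, 16});
    }
    std::vector<unsigned char> encoded;
};

// Simulated allocator policy: while this flag is set, decoder creation fails,
// modelling the "cannot recreate because of memory limitations" case.
static bool g_decoderAllocationsFail = false;

static std::unique_ptr<ImageDecoder> createDecoder(const std::vector<unsigned char>& data) {
    if (g_decoderAllocationsFail || data.empty())
        return nullptr;
    return std::make_unique<ImageDecoder>(data);
}

struct ImageFrame {
    std::shared_ptr<NativeImage> image;   // null until decoded
    std::shared_ptr<NativeImage> nativeImage() const { return image; }
};

class ImageSource {
public:
    explicit ImageSource(std::vector<unsigned char> data)
        : m_data(std::move(data)), m_frames(1) {
        m_decoder = createDecoder(m_data);
    }
    bool isDecoderAvailable() const { return m_decoder != nullptr; }

    // Memory pressure: drop the decoder and decoded frames, then try to rebuild.
    void resetData() {
        m_decoder.reset();
        for (auto& f : m_frames) f.image.reset();
        m_decoder = createDecoder(m_data);   // may legitimately fail
    }

    // Guarded form: never touches m_decoder unless it exists. Returns the frame
    // with a null image, which the caller treats as "nothing to draw".
    const ImageFrame& frameAtIndexCacheIfNeeded(size_t index) {
        ImageFrame& frame = m_frames.at(index);
        if (!isDecoderAvailable())
            return frame;
        if (!frame.image)
            frame.image = m_decoder->decodeFrame(index);
        return frame;
    }

    std::shared_ptr<NativeImage> frameImageAtIndexCacheIfNeeded(size_t index) {
        return frameAtIndexCacheIfNeeded(index).nativeImage();
    }

private:
    std::vector<unsigned char> m_data;
    std::unique_ptr<ImageDecoder> m_decoder;
    std::vector<ImageFrame> m_frames;
};

// Draw path: true if a frame was drawn, false if the draw was skipped safely.
bool drawFrame(ImageSource& source, size_t index) {
    auto image = source.frameImageAtIndexCacheIfNeeded(index);
    if (!image)
        return false;   // decoder gone and not recreatable: skip, do not crash
    return image->width > 0;
}

// Scenario from the report: decode succeeds once, memory pressure resets the
// source, recreation fails, and the next draw must not dereference null.
bool runFailedRecreateScenario() {
    std::vector<unsigned char> encoded = {0x89, 'P', 'N', 'G'};   // constructed bytes
    ImageSource source(encoded);
    bool first = drawFrame(source, 0);           // true: decoder present
    g_decoderAllocationsFail = true;
    source.resetData();                          // decoder cannot be rebuilt
    bool second = drawFrame(source, 0);          // false, and no crash
    g_decoderAllocationsFail = false;
    return first && !second && !source.isDecoderAvailable();
}

// The assumed-normal case: the reset happens but the decoder is recreated.
bool runRecreateScenario() {
    std::vector<unsigned char> encoded = {0x89, 'P', 'N', 'G'};   // constructed bytes
    ImageSource source(encoded);
    source.resetData();                          // memory pressure, rebuild succeeds
    return source.isDecoderAvailable() && drawFrame(source, 0);
}
```

The point of the guard is that the "decoder exists because it existed before" invariant is enforced at the one place that would dereference it, so a failed rebuild degrades to a skipped draw rather than a null-pointer access.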
