Bug 232520

Summary: Web process shouldn't crash if ImageBuffer::ensureBackendCreated() fails
Product: WebKit Reporter: Myles C. Maxfield <mmaxfield>
Component: Layout and RenderingAssignee: Myles C. Maxfield <mmaxfield>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, commit-queue, heycam, simon.fraser, webkit-bug-importer, zalan
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on: 234680    
Bug Blocks: 225377    
Attachments:
Description Flags
Patch simon.fraser: review+

Description Myles C. Maxfield 2021-10-29 17:52:30 PDT 
RemoteLayerBackingStore::encode() assumes it can never fail, but it can. There may be other places, too.
Comment 1 Radar WebKit Bug Importer 2021-10-29 17:53:17 PDT 
<rdar://problem/84829995>
Comment 2 Myles C. Maxfield 2021-10-30 00:49:40 PDT 
Created attachment 442906 [details]
Patch
Comment 3 Cameron McCormack (:heycam) 2021-10-30 14:48:04 PDT 
Comment on attachment 442906 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=442906&action=review

> Source/WebKit/Shared/RemoteLayerTree/RemoteLayerBackingStore.mm:121
> +                if (auto* backend = m_frontBuffer.imageBuffer->ensureBackendCreated())

Since we do this check in all situations -- mapped IOSurface, non-mapped IOSurface, bitmap -- maybe do it once before the switch.
Comment 4 Myles C. Maxfield 2021-10-30 19:34:53 PDT 
Comment on attachment 442906 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=442906&action=review

>> Source/WebKit/Shared/RemoteLayerTree/RemoteLayerBackingStore.mm:121
>> +                if (auto* backend = m_frontBuffer.imageBuffer->ensureBackendCreated())
> 
> Since we do this check in all situations -- mapped IOSurface, non-mapped IOSurface, bitmap -- maybe do it once before the switch.

The third case below is slightly different, but yes I can hoist it somewhat.
Comment 5 Myles C. Maxfield 2021-10-30 19:37:31 PDT 
Committed r285088 (243730@main): <https://commits.webkit.org/243730@main>
Comment 6 WebKit Commit Bot 2021-12-25 02:11:56 PST 
Re-opened since this is blocked by bug 234680
Comment 7 Myles C. Maxfield 2022-01-07 11:53:54 PST 
The A/B test was using bogus data - before crashes were fixed, the memory data was reported from processes which didn't have the test page loaded. So, rolling this out was a mistake. Rolling back in now.
Comment 8 Myles C. Maxfield 2022-01-07 11:57:20 PST 
Committed r287775 (245835@trunk): <https://commits.webkit.org/245835@trunk>