Bug 238846

Summary: ImageBitmapRenderingContext::setOutputBitmap() can trigger accelerated drawing in the webcontent process
Product: WebKit
Reporter: Simon Fraser (smfr) <simon.fraser>
Component: Canvas
Assignee: Matt Woodrow <mattwoodrow>
Status: RESOLVED FIXED
Severity: Normal
CC: cdumez, changseok, dino, esprehn+autocc, ews-watchlist, gyuyoung.kim, heycam, mattwoodrow, simon.fraser, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: Safari Technology Preview
Hardware: Unspecified
OS: Unspecified
See Also: https://bugs.webkit.org/show_bug.cgi?id=218482

Simon Fraser (smfr)
Reported 2022-04-05 15:59:10 PDT
ImageBitmapRenderingContext::setOutputBitmap() makes an accelerated buffer, but doesn't use the RenderingPurpose::Canvas option, so can trigger accelerated rendering in the web process. This will break when IOKit blocking is enabled.
Attachments
Testcase (848 bytes, text/html)
2022-04-05 21:17 PDT, Simon Fraser (smfr)
no flags
Patch (2.92 KB, patch)
2022-04-07 18:26 PDT, Matt Woodrow
no flags
Patch (3.19 KB, patch)
2022-04-07 18:36 PDT, Matt Woodrow
no flags
Radar WebKit Bug Importer
Comment 1 2022-04-05 15:59:39 PDT
Simon Fraser (smfr)
Comment 2 2022-04-05 21:17:12 PDT
Created attachment 456780: Testcase
Matt Woodrow
Comment 3 2022-04-06 18:47:53 PDT
I can't seem to reproduce any failures here, though we're definitely allocating an IOSurface from the WebContent process. Since this only happens when we don't have an actual image bitmap (and are just allocating a blank backing store), can we just drop hardware acceleration? Passing RenderingPurpose::Canvas seems like it wouldn't help, since that parameter is only taken into account if we also pass a window via the CreationContext param.
Simon Fraser (smfr)
Comment 4 2022-04-07 13:27:29 PDT
I confirm your findings:
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
  * frame #0: 0x00000001e00ff320 IOSurface`IOSurfaceCreate
    frame #1: 0x00000001165d0f04 WebCore`WebCore::IOSurface::create(WebCore::IOSurfacePool*, WebCore::IntSize, WebCore::IntSize, WebCore::DestinationColorSpace const&, WebCore::IOSurface::Format) + 372
    frame #2: 0x0000000117651e64 WebCore`WebCore::ImageBufferIOSurfaceBackend::create(WebCore::ImageBufferBackend::Parameters const&, WebCore::ImageBuffer::CreationContext const&) + 328
    frame #3: 0x00000001165ddf44 WebCore`WTF::RefPtr<WebCore::IOSurfaceImageBuffer, WTF::RawPtrTraits<WebCore::IOSurfaceImageBuffer>, WTF::DefaultRefDerefTraits<WebCore::IOSurfaceImageBuffer> > WebCore::ConcreteImageBuffer<WebCore::ImageBufferIOSurfaceBackend>::create<WebCore::IOSurfaceImageBuffer>(WebCore::FloatSize const&, float, WebCore::DestinationColorSpace const&, WebCore::PixelFormat, WebCore::ImageBuffer::CreationContext const&) + 84
    frame #4: 0x00000001170c2bb4 WebCore`WebCore::ImageBitmapRenderingContext::setOutputBitmap(WTF::RefPtr<WebCore::ImageBitmap, WTF::RawPtrTraits<WebCore::ImageBitmap>, WTF::DefaultRefDerefTraits<WebCore::ImageBitmap> >) + 296
    frame #5: 0x00000001170c2918 WebCore`WebCore::ImageBitmapRenderingContext::create(WebCore::CanvasBase&, WebCore::ImageBitmapRenderingContextSettings&&) + 232
    frame #6: 0x0000000116f87c5c WebCore`WebCore::HTMLCanvasElement::getContext(JSC::JSGlobalObject&, WTF::String const&, WTF::FixedVector<JSC::Strong<JSC::Unknown, (JSC::ShouldStrongDestructorGrabLock)0> >&&) + 980
    frame #7: 0x0000000115fc65ac WebCore`WebCore::jsHTMLCanvasElementPrototypeFunction_getContext(JSC::JSGlobalObject*, JSC::CallFrame*) + 328
    frame #8: 0x0000000bece6c204
    frame #9: 0x0000000bece64248
    frame #10: 0x0000000bece64248
    frame #11: 0x0000000bece64848
    frame #12: 0x000000010dcaba84 JavaScriptCore`JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 520
    frame #13: 0x000000010df438f0 JavaScriptCore`JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 104
    frame #14: 0x0000000116992974 WebCore`WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) + 936
    frame #15: 0x0000000116d17068 WebCore`WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::RawPtrTraits<WebCore::RegisteredEventListener>, WTF::DefaultRefDerefTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 2ul, WTF::FastMalloc>, WebCore::EventTarget::EventInvokePhase) + 556
    frame #16: 0x0000000116d16ad8 WebCore`WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) + 520
    frame #17: 0x0000000116d0b820 WebCore`WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) + 240
    frame #18: 0x0000000116d0a94c WebCore`WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) + 824
    frame #19: 0x0000000116fbd964 WebCore`WebCore::HTMLImageLoader::dispatchLoadEvent() + 356
    frame #20: 0x000000011731e004 WebCore`WebCore::ImageLoader::dispatchPendingLoadEvent() + 112
    frame #21: 0x000000011731dcc0 WebCore`WebCore::ImageLoader::dispatchPendingEvent(WebCore::EventSender<WebCore::ImageLoader>*) + 100
    frame #22: 0x000000011731e208 WebCore`WebCore::EventSender<WebCore::ImageLoader>::dispatchPendingEvents(WebCore::Page*) + 284
    frame #23: 0x0000000116ca96dc WebCore`WebCore::Document::implicitClose() + 484
Simon Fraser (smfr)
Comment 5 2022-04-07 14:41:38 PDT
And the surface allocation does fail:
2022-04-07 14:40:37.611544-0700 0x1bd2 Error 0x0 487 0 com.apple.WebKit.WebContent: (IOSurface) IOSurface creation failed. IOSurface open failed: e00002e2 (likely sandbox violation)
2022-04-07 14:40:37.611785-0700 0x1bd2 Error 0x0 487 0 com.apple.WebKit.WebContent: (WebCore) [com.apple.WebKit:Layers] IOSurface creation failed for size: (200 300) and format: (0)
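A minimal page that walks the code path shown in the backtrace of comment 4 (image load event, then HTMLCanvasElement.getContext('bitmaprenderer') with no ImageBitmap transferred), useful for re-checking the sandbox log line from comment 5 after the fix. This is an added example reconstructed from the backtrace, not the attached testcase; the 200x300 canvas size is chosen to match the size in the logged failure, and the inline 1x1 GIF is a constructed placeholder image.

```html
<!DOCTYPE html>
<!-- Added example, not the attached testcase: reconstructed from the backtrace
     in comment 4. Canvas size chosen to match the failing IOSurface size (200 300)
     logged in comment 5; the data: URL is a constructed 1x1 placeholder image. -->
<canvas id="c" width="200" height="300"></canvas>
<img id="i" hidden
     src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7">
<script>
  document.getElementById('i').addEventListener('load', () => {
    // Creating the context before any ImageBitmap is transferred makes
    // setOutputBitmap() allocate a blank backing store; before the fix that
    // backing store was an accelerated IOSurface created in WebContent
    // (frames #0-#4), which is what the sandbox denies under IOKit blocking.
    const ctx = document.getElementById('c').getContext('bitmaprenderer');
    // Deliberately no transferFromImageBitmap(): the blank-backing-store
    // path is the one under test.
    console.log('bitmaprenderer context created:', ctx !== null);
  });
</script>
```

Load it with the WebContent sandbox configured as in comment 5 and watch the system log for the "IOSurface creation failed" lines; their absence, with the context still created, is the observable result to check.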
Matt Woodrow
Comment 6 2022-04-07 18:26:18 PDT
Matt Woodrow
Comment 7 2022-04-07 18:36:44 PDT
EWS
Comment 8 2022-04-11 15:15:21 PDT
Committed r292729 (249514@main): <https://commits.webkit.org/249514@main>
All reviewed patches have been landed. Closing bug and clearing flags on attachment 457001.