Bug 238846 - ImageBitmapRenderingContext::setOutputBitmap() can trigger accelerated drawing in the webcontent process
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Canvas
Version: Safari Technology Preview
Hardware: Unspecified
OS: Unspecified
Importance: P2 Normal
Assignee: Matt Woodrow
Keywords: InRadar

Reported: 2022-04-05 15:59 PDT by Simon Fraser (smfr)
Modified: 2022-04-11 15:15 PDT
CC: 10 users

Attachments
Testcase (848 bytes, text/html), 2022-04-05 21:17 PDT, Simon Fraser (smfr)
Patch (2.92 KB, patch), 2022-04-07 18:26 PDT, Matt Woodrow
Patch (3.19 KB, patch), 2022-04-07 18:36 PDT, Matt Woodrow

Description Simon Fraser (smfr) 2022-04-05 15:59:10 PDT
ImageBitmapRenderingContext::setOutputBitmap() makes an accelerated buffer, but doesn't use the RenderingPurpose::Canvas option, so can trigger accelerated rendering in the web process. This will break when IOKit blocking is enabled.
Comment 1 Radar WebKit Bug Importer 2022-04-05 15:59:39 PDT
<rdar://problem/91321000>
Comment 2 Simon Fraser (smfr) 2022-04-05 21:17:12 PDT
Created attachment 456780
Testcase
Comment 3 Matt Woodrow 2022-04-06 18:47:53 PDT
I can't seem to reproduce any failures here, though we're definitely allocating an IOSurface from the WebContent process.

Since this only happens when we don't have an actual image bitmap (and are just allocating a blank backing store), can we just drop hardware acceleration?

Passing RenderingPurpose::Canvas seems like it wouldn't help, since that parameter is only taken into account if we also pass a window via the CreationContext param.
Comment 4 Simon Fraser (smfr) 2022-04-07 13:27:29 PDT
I confirm your findings:

* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
  * frame #0: 0x00000001e00ff320 IOSurface`IOSurfaceCreate
    frame #1: 0x00000001165d0f04 WebCore`WebCore::IOSurface::create(WebCore::IOSurfacePool*, WebCore::IntSize, WebCore::IntSize, WebCore::DestinationColorSpace const&, WebCore::IOSurface::Format) + 372
    frame #2: 0x0000000117651e64 WebCore`WebCore::ImageBufferIOSurfaceBackend::create(WebCore::ImageBufferBackend::Parameters const&, WebCore::ImageBuffer::CreationContext const&) + 328
    frame #3: 0x00000001165ddf44 WebCore`WTF::RefPtr<WebCore::IOSurfaceImageBuffer, WTF::RawPtrTraits<WebCore::IOSurfaceImageBuffer>, WTF::DefaultRefDerefTraits<WebCore::IOSurfaceImageBuffer> > WebCore::ConcreteImageBuffer<WebCore::ImageBufferIOSurfaceBackend>::create<WebCore::IOSurfaceImageBuffer>(WebCore::FloatSize const&, float, WebCore::DestinationColorSpace const&, WebCore::PixelFormat, WebCore::ImageBuffer::CreationContext const&) + 84
    frame #4: 0x00000001170c2bb4 WebCore`WebCore::ImageBitmapRenderingContext::setOutputBitmap(WTF::RefPtr<WebCore::ImageBitmap, WTF::RawPtrTraits<WebCore::ImageBitmap>, WTF::DefaultRefDerefTraits<WebCore::ImageBitmap> >) + 296
    frame #5: 0x00000001170c2918 WebCore`WebCore::ImageBitmapRenderingContext::create(WebCore::CanvasBase&, WebCore::ImageBitmapRenderingContextSettings&&) + 232
    frame #6: 0x0000000116f87c5c WebCore`WebCore::HTMLCanvasElement::getContext(JSC::JSGlobalObject&, WTF::String const&, WTF::FixedVector<JSC::Strong<JSC::Unknown, (JSC::ShouldStrongDestructorGrabLock)0> >&&) + 980
    frame #7: 0x0000000115fc65ac WebCore`WebCore::jsHTMLCanvasElementPrototypeFunction_getContext(JSC::JSGlobalObject*, JSC::CallFrame*) + 328
    frame #8: 0x0000000bece6c204
    frame #9: 0x0000000bece64248
    frame #10: 0x0000000bece64248
    frame #11: 0x0000000bece64848
    frame #12: 0x000000010dcaba84 JavaScriptCore`JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 520
    frame #13: 0x000000010df438f0 JavaScriptCore`JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 104
    frame #14: 0x0000000116992974 WebCore`WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) + 936
    frame #15: 0x0000000116d17068 WebCore`WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::RawPtrTraits<WebCore::RegisteredEventListener>, WTF::DefaultRefDerefTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 2ul, WTF::FastMalloc>, WebCore::EventTarget::EventInvokePhase) + 556
    frame #16: 0x0000000116d16ad8 WebCore`WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) + 520
    frame #17: 0x0000000116d0b820 WebCore`WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) + 240
    frame #18: 0x0000000116d0a94c WebCore`WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) + 824
    frame #19: 0x0000000116fbd964 WebCore`WebCore::HTMLImageLoader::dispatchLoadEvent() + 356
    frame #20: 0x000000011731e004 WebCore`WebCore::ImageLoader::dispatchPendingLoadEvent() + 112
    frame #21: 0x000000011731dcc0 WebCore`WebCore::ImageLoader::dispatchPendingEvent(WebCore::EventSender<WebCore::ImageLoader>*) + 100
    frame #22: 0x000000011731e208 WebCore`WebCore::EventSender<WebCore::ImageLoader>::dispatchPendingEvents(WebCore::Page*) + 284
    frame #23: 0x0000000116ca96dc WebCore`WebCore::Document::implicitClose() + 484
Comment 5 Simon Fraser (smfr) 2022-04-07 14:41:38 PDT
And the surface allocation does fail:

2022-04-07 14:40:37.611544-0700 0x1bd2     Error       0x0                  487    0    com.apple.WebKit.WebContent: (IOSurface) IOSurface creation failed. IOSurface open failed: e00002e2  (likely sandbox violation)
2022-04-07 14:40:37.611785-0700 0x1bd2     Error       0x0                  487    0    com.apple.WebKit.WebContent: (WebCore) [com.apple.WebKit:Layers] IOSurface creation failed for size: (200 300) and format: (0)
Comment 6 Matt Woodrow 2022-04-07 18:26:18 PDT
Created attachment 456999
Patch
Comment 7 Matt Woodrow 2022-04-07 18:36:44 PDT
Created attachment 457001
Patch
Comment 8 EWS 2022-04-11 15:15:21 PDT
Committed r292729 (249514@main): <https://commits.webkit.org/249514@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 457001.