ImageBitmapRenderingContext::setOutputBitmap() makes an accelerated buffer, but doesn't use the RenderingPurpose::Canvas option, so can trigger accelerated rendering in the web process. This will break when IOKit blocking is enabled.
<rdar://problem/91321000>
Created attachment 456780: Testcase
I can't seem to reproduce any failures here, though we're definitely allocating an IOSurface from the WebContent process. Since this only happens when we don't have an actual image bitmap (and are just allocated a blank backing store), can we just drop hardware acceleration? Passing RenderingPurpose::Canvas seems like it wouldn't help, since that parameter is only taken into account if we also pass a window via the CreationContext param.
I confirm your findings:

* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
  * frame #0: 0x00000001e00ff320 IOSurface`IOSurfaceCreate
    frame #1: 0x00000001165d0f04 WebCore`WebCore::IOSurface::create(WebCore::IOSurfacePool*, WebCore::IntSize, WebCore::IntSize, WebCore::DestinationColorSpace const&, WebCore::IOSurface::Format) + 372
    frame #2: 0x0000000117651e64 WebCore`WebCore::ImageBufferIOSurfaceBackend::create(WebCore::ImageBufferBackend::Parameters const&, WebCore::ImageBuffer::CreationContext const&) + 328
    frame #3: 0x00000001165ddf44 WebCore`WTF::RefPtr<WebCore::IOSurfaceImageBuffer, WTF::RawPtrTraits<WebCore::IOSurfaceImageBuffer>, WTF::DefaultRefDerefTraits<WebCore::IOSurfaceImageBuffer> > WebCore::ConcreteImageBuffer<WebCore::ImageBufferIOSurfaceBackend>::create<WebCore::IOSurfaceImageBuffer>(WebCore::FloatSize const&, float, WebCore::DestinationColorSpace const&, WebCore::PixelFormat, WebCore::ImageBuffer::CreationContext const&) + 84
    frame #4: 0x00000001170c2bb4 WebCore`WebCore::ImageBitmapRenderingContext::setOutputBitmap(WTF::RefPtr<WebCore::ImageBitmap, WTF::RawPtrTraits<WebCore::ImageBitmap>, WTF::DefaultRefDerefTraits<WebCore::ImageBitmap> >) + 296
    frame #5: 0x00000001170c2918 WebCore`WebCore::ImageBitmapRenderingContext::create(WebCore::CanvasBase&, WebCore::ImageBitmapRenderingContextSettings&&) + 232
    frame #6: 0x0000000116f87c5c WebCore`WebCore::HTMLCanvasElement::getContext(JSC::JSGlobalObject&, WTF::String const&, WTF::FixedVector<JSC::Strong<JSC::Unknown, (JSC::ShouldStrongDestructorGrabLock)0> >&&) + 980
    frame #7: 0x0000000115fc65ac WebCore`WebCore::jsHTMLCanvasElementPrototypeFunction_getContext(JSC::JSGlobalObject*, JSC::CallFrame*) + 328
    frame #8: 0x0000000bece6c204
    frame #9: 0x0000000bece64248
    frame #10: 0x0000000bece64248
    frame #11: 0x0000000bece64848
    frame #12: 0x000000010dcaba84 JavaScriptCore`JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 520
    frame #13: 0x000000010df438f0 JavaScriptCore`JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 104
    frame #14: 0x0000000116992974 WebCore`WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) + 936
    frame #15: 0x0000000116d17068 WebCore`WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::RawPtrTraits<WebCore::RegisteredEventListener>, WTF::DefaultRefDerefTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 2ul, WTF::FastMalloc>, WebCore::EventTarget::EventInvokePhase) + 556
    frame #16: 0x0000000116d16ad8 WebCore`WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) + 520
    frame #17: 0x0000000116d0b820 WebCore`WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) + 240
    frame #18: 0x0000000116d0a94c WebCore`WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) + 824
    frame #19: 0x0000000116fbd964 WebCore`WebCore::HTMLImageLoader::dispatchLoadEvent() + 356
    frame #20: 0x000000011731e004 WebCore`WebCore::ImageLoader::dispatchPendingLoadEvent() + 112
    frame #21: 0x000000011731dcc0 WebCore`WebCore::ImageLoader::dispatchPendingEvent(WebCore::EventSender<WebCore::ImageLoader>*) + 100
    frame #22: 0x000000011731e208 WebCore`WebCore::EventSender<WebCore::ImageLoader>::dispatchPendingEvents(WebCore::Page*) + 284
    frame #23: 0x0000000116ca96dc WebCore`WebCore::Document::implicitClose() + 484
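When triaging a backtrace like the one above, the useful questions are which frames belong to the web process (WebCore) and which one is the caller that reached the IOSurface allocator. The following is an added example, not WebKit code and not part of this bug: a small parser for lldb "frame #N: address module`symbol + offset" lines that also tolerates symbol-less JIT frames, plus two helpers that answer those questions. The sample input is a subset of the frames quoted in the comment above; the helper names and the Frame dataclass are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# A subset of the lldb frames quoted in the comment above. Frame #8 has no
# module or symbol, which is how lldb prints JIT-compiled JavaScript frames.
SAMPLE_BACKTRACE = """\
  * frame #0: 0x00000001e00ff320 IOSurface`IOSurfaceCreate
    frame #1: 0x00000001165d0f04 WebCore`WebCore::IOSurface::create(WebCore::IOSurfacePool*, WebCore::IntSize, WebCore::IntSize, WebCore::DestinationColorSpace const&, WebCore::IOSurface::Format) + 372
    frame #2: 0x0000000117651e64 WebCore`WebCore::ImageBufferIOSurfaceBackend::create(WebCore::ImageBufferBackend::Parameters const&, WebCore::ImageBuffer::CreationContext const&) + 328
    frame #4: 0x00000001170c2bb4 WebCore`WebCore::ImageBitmapRenderingContext::setOutputBitmap(WTF::RefPtr<WebCore::ImageBitmap, WTF::RawPtrTraits<WebCore::ImageBitmap>, WTF::DefaultRefDerefTraits<WebCore::ImageBitmap> >) + 296
    frame #8: 0x0000000bece6c204
"""

# One lldb frame line. The module and symbol part is optional (JIT frames),
# and the "+ offset" part is optional too (exported entry points like
# IOSurfaceCreate are printed without it).
FRAME_RE = re.compile(
    r"^\s*\*?\s*frame #(?P<num>\d+): (?P<addr>0x[0-9a-fA-F]+)"
    r"(?: (?P<module>[^`\s]+)`(?P<symbol>.*?)(?: \+ (?P<offset>\d+))?)?\s*$"
)


@dataclass
class Frame:
    number: int
    address: int
    module: Optional[str]   # None for symbol-less JIT frames
    symbol: Optional[str]
    offset: Optional[int]


def parse_backtrace(text: str) -> List[Frame]:
    """Parse every frame line in an lldb 'bt' dump; non-frame lines are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if not m:
            continue  # e.g. the "* thread #1, ..." header line
        frames.append(Frame(
            number=int(m.group("num")),
            address=int(m.group("addr"), 16),
            module=m.group("module"),
            symbol=m.group("symbol"),
            offset=int(m.group("offset")) if m.group("offset") else None,
        ))
    return frames


def short_symbol(frame: Frame) -> Optional[str]:
    """Drop the parameter list so a frame reads as Namespace::Class::method."""
    if frame.symbol is None:
        return None
    return frame.symbol.split("(", 1)[0]


def frames_in_module(frames: List[Frame], module: str) -> List[Frame]:
    """All frames whose code lives in the given module, innermost first."""
    return [f for f in frames if f.module == module]


def first_caller_outside(frames: List[Frame], module: str) -> Optional[Frame]:
    """The innermost frame that is NOT in `module` but sits directly above a
    frame that is: i.e. the code that called into that module."""
    for inner, outer in zip(frames, frames[1:]):
        if inner.module == module and outer.module != module:
            return outer
    return None


if __name__ == "__main__":
    frames = parse_backtrace(SAMPLE_BACKTRACE)
    caller = first_caller_outside(frames, "IOSurface")
    print("allocator reached from:", short_symbol(caller))
    for f in frames_in_module(frames, "WebCore"):
        print(f"  #{f.number} {short_symbol(f)} +{f.offset}")
```

Running it on the sample prints the WebCore frames in order, with WebCore::IOSurface::create as the direct caller of IOSurfaceCreate and ImageBitmapRenderingContext::setOutputBitmap two frames further out, which is the site the bug report names.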
And the surface allocation does fail:

2022-04-07 14:40:37.611544-0700 0x1bd2 Error 0x0 487 0 com.apple.WebKit.WebContent: (IOSurface) IOSurface creation failed. IOSurface open failed: e00002e2 (likely sandbox violation)
2022-04-07 14:40:37.611785-0700 0x1bd2 Error 0x0 487 0 com.apple.WebKit.WebContent: (WebCore) [com.apple.WebKit:Layers] IOSurface creation failed for size: (200 300) and format: (0)
Created attachment 456999: Patch
Created attachment 457001: Patch
Committed r292729 (249514@main): <https://commits.webkit.org/249514@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 457001.