312211 – REGRESSION(308505@main) - Crash in WebCore::IOSurface::createPlatformContext

RESOLVED FIXED312211

REGRESSION(308505@main) - Crash in WebCore::IOSurface::createPlatformContext

https://bugs.webkit.org/show_bug.cgi?id=312211

Summary REGRESSION(308505@main) - Crash in WebCore::IOSurface::createPlatformContext

Matt Woodrow

Reported 2026-04-13 17:17:29 PDT

HTMLCanvasElement::toBlob calls encodeData(makeRenderingResultsAvailable()… which passes a RefPtr<ImageBuffer>&&. encodeData then calls ImageBuffer::sinkIntoNativeImage which consumes the ImageBuffer, and takes m_surface out of the backend. Later on we try to flush the ImageBuffer, and crash because it’s in an invalid state. <rdar://173305815>

Attachments
Add attachment proposed patch, testcase, etc.

Matt Woodrow

Comment 1 2026-04-13 17:19:40 PDT

Pull request: https://github.com/WebKit/WebKit/pull/62683

EWS

Comment 2 2026-04-15 14:54:20 PDT

Committed 311322@main (89356ad2cb98): <https://commits.webkit.org/311322@main> Reviewed commits have been landed. Closing PR #62683 and removing active labels.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component Canvas

Assignee

Matt Woodrow

Reported

2026-04-13 17:17 PDT

Modified

2026-04-15 14:54 PDT History

CC List

2 users Show

URL

Keywords InRadar

Depends on

Blocks