Changeset 294669 in webkit

Timestamp:

May 23, 2022 12:44:15 PM (2 years ago)

Author:

Alan Coon

Message:

Cherry-pick r294280. rdar://problem/87980543

REGRESSION(r249162): CanvasRenderingContext2DBase::drawImage() crashes if the image is animated and the first frame cannot be decoded
​https://bugs.webkit.org/show_bug.cgi?id=239113
rdar://87980543

Reviewed by Simon Fraser.

Source/WebCore:

CanvasRenderingContext2DBase::drawImage() needs to ensure the first frame
of the animated image can be decoded correctly before creating the temporary
static image. If the first frame can't be decoded, this function should return
immediately. This matches the behavior of this function before r249162.

The animated image decodes its frames asynchronously in a work queue. But
the first frame has to be decoded synchronously in the main run loop. So
to avoid running the image decoder in two different threads we are going
to keep the first and the current frame cached when we receive a memory
pressure warning. This should not increase the memory allocation of the
animated image because the numbers of cached frames increases quickly and
we keep all of them till a memory warning is received. But the memory
pressure warning will be received a little bit more often. This depends
on the memory size of the first frame.

To make the code more robust, make ImageSource take a Ref<NativeImage>
instead of taking a RefPtr<NativeImage>.

• html/canvas/CanvasRenderingContext2DBase.cpp: (WebCore::CanvasRenderingContext2DBase::drawImage):
• platform/graphics/BitmapImage.cpp: (WebCore::BitmapImage::BitmapImage): (WebCore::BitmapImage::destroyDecodedData):
• platform/graphics/BitmapImage.h:
• platform/graphics/ImageSource.cpp: (WebCore::ImageSource::ImageSource): (WebCore::ImageSource::destroyDecodedData): (WebCore::ImageSource::setNativeImage):
• platform/graphics/ImageSource.h: (WebCore::ImageSource::create): (WebCore::ImageSource::isDecoderAvailable const): (WebCore::ImageSource::destroyAllDecodedData): Deleted. (WebCore::ImageSource::destroyAllDecodedDataExcludeFrame): Deleted. (WebCore::ImageSource::destroyDecodedDataBeforeFrame): Deleted.

Source/WebKit:

• GPUProcess/graphics/RemoteDisplayListRecorder.cpp: (WebKit::RemoteDisplayListRecorder::drawSystemImage):

Canonical link: ​https://commits.webkit.org/250624@main
git-svn-id: ​https://svn.webkit.org/repository/webkit/trunk@294280 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Location:

branches/safari-7613.3.1.0-branch/Source

Files:

• WebCore/ChangeLog (modified) (1 diff)
• WebCore/html/canvas/CanvasRenderingContext2DBase.cpp (modified) (1 diff)
• WebCore/platform/graphics/BitmapImage.cpp (modified) (3 diffs)
• WebCore/platform/graphics/BitmapImage.h (modified) (2 diffs)
• WebCore/platform/graphics/ImageSource.cpp (modified) (3 diffs)
• WebCore/platform/graphics/ImageSource.h (modified) (5 diffs)
• WebKit/ChangeLog (modified) (1 diff)

branches/safari-7613.3.1.0-branch/Source/WebCore/ChangeLog

@@ +1 @@
+2022-05-23  Alan Coon  <alancoon@apple.com>
+
+        Cherry-pick r294280. rdar://problem/87980543
+
+    REGRESSION(r249162): CanvasRenderingContext2DBase::drawImage() crashes if the image is animated and the first frame cannot be decoded
+    https://bugs.webkit.org/show_bug.cgi?id=239113
+    rdar://87980543
+    
+    Reviewed by Simon Fraser.
+    
+    Source/WebCore:
+    
+    CanvasRenderingContext2DBase::drawImage() needs to ensure the first frame
+    of the animated image can be decoded correctly before creating the temporary
+    static image. If the first frame can't be decoded, this function should return
+    immediately. This matches the behavior of this function before r249162.
+    
+    The animated image decodes its frames asynchronously in a work queue. But
+    the first frame has to be decoded synchronously in the main run loop. So
+    to avoid running the image decoder in two different threads we are going
+    to keep the first and the current frame cached when we receive a memory
+    pressure warning. This should not increase the memory allocation of the
+    animated image because the numbers of cached frames increases quickly and
+    we keep all of them till a memory warning is received. But the memory
+    pressure warning will be received a little bit more often. This depends
+    on the memory size of the first frame.
+    
+    To make the code more robust, make ImageSource take a Ref<NativeImage>
+    instead of taking a RefPtr<NativeImage>.
+    
+    * html/canvas/CanvasRenderingContext2DBase.cpp:
+    (WebCore::CanvasRenderingContext2DBase::drawImage):
+    * platform/graphics/BitmapImage.cpp:
+    (WebCore::BitmapImage::BitmapImage):
+    (WebCore::BitmapImage::destroyDecodedData):
+    * platform/graphics/BitmapImage.h:
+    * platform/graphics/ImageSource.cpp:
+    (WebCore::ImageSource::ImageSource):
+    (WebCore::ImageSource::destroyDecodedData):
+    (WebCore::ImageSource::setNativeImage):
+    * platform/graphics/ImageSource.h:
+    (WebCore::ImageSource::create):
+    (WebCore::ImageSource::isDecoderAvailable const):
+    (WebCore::ImageSource::destroyAllDecodedData): Deleted.
+    (WebCore::ImageSource::destroyAllDecodedDataExcludeFrame): Deleted.
+    (WebCore::ImageSource::destroyDecodedDataBeforeFrame): Deleted.
+    
+    Source/WebKit:
+    
+    * GPUProcess/graphics/RemoteDisplayListRecorder.cpp:
+    (WebKit::RemoteDisplayListRecorder::drawSystemImage):
+    
+    Canonical link: https://commits.webkit.org/250624@main
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@294280 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2022-05-16  Said Abou-Hallawa  <said@apple.com>
+
+            REGRESSION(r249162): CanvasRenderingContext2DBase::drawImage() crashes if the image is animated and the first frame cannot be decoded
+            https://bugs.webkit.org/show_bug.cgi?id=239113
+            rdar://87980543
+
+            Reviewed by Simon Fraser.
+
+            CanvasRenderingContext2DBase::drawImage() needs to ensure the first frame
+            of the animated image can be decoded correctly before creating the temporary
+            static image. If the first frame can't be decoded, this function should return
+            immediately. This matches the behavior of this function before r249162.
+
+            The animated image decodes its frames asynchronously in a work queue. But
+            the first frame has to be decoded synchronously in the main run loop. So
+            to avoid running the image decoder in two different threads we are going
+            to keep the first and the current frame cached when we receive a memory
+            pressure warning. This should not increase the memory allocation of the
+            animated image because the numbers of cached frames increases quickly and
+            we keep all of them till a memory warning is received. But the memory
+            pressure warning will be received a little bit more often. This depends
+            on the memory size of the first frame.
+
+            To make the code more robust, make ImageSource take a Ref<NativeImage>
+            instead of taking a RefPtr<NativeImage>.
+
+            * html/canvas/CanvasRenderingContext2DBase.cpp:
+            (WebCore::CanvasRenderingContext2DBase::drawImage):
+            * platform/graphics/BitmapImage.cpp:
+            (WebCore::BitmapImage::BitmapImage):
+            (WebCore::BitmapImage::destroyDecodedData):
+            * platform/graphics/BitmapImage.h:
+            * platform/graphics/ImageSource.cpp:
+            (WebCore::ImageSource::ImageSource):
+            (WebCore::ImageSource::destroyDecodedData):
+            (WebCore::ImageSource::setNativeImage):
+            * platform/graphics/ImageSource.h:
+            (WebCore::ImageSource::create):
+            (WebCore::ImageSource::isDecoderAvailable const):
+            (WebCore::ImageSource::destroyAllDecodedData): Deleted.
+            (WebCore::ImageSource::destroyAllDecodedDataExcludeFrame): Deleted.
+            (WebCore::ImageSource::destroyDecodedDataBeforeFrame): Deleted.
+
 2022-05-23  Alan Coon  <alancoon@apple.com>
 

branches/safari-7613.3.1.0-branch/Source/WebCore/html/canvas/CanvasRenderingContext2DBase.cpp

@@ -1546 +1546 @@
     if (image->isBitmapImage()) {
         // Drawing an animated image to a canvas should draw the first frame (except for a few layout tests)
-        if (image->isAnimated() && !document.settings().animatedImageDebugCanvasDrawingEnabled())
+        if (image->isAnimated() && !document.settings().animatedImageDebugCanvasDrawingEnabled()) {
             image = BitmapImage::create(image->nativeImage());
+            if (!image)
+                return { };
+        }
         downcast<BitmapImage>(*image).updateFromSettings(document.settings());
     }

branches/safari-7613.3.1.0-branch/Source/WebCore/platform/graphics/BitmapImage.cpp

@@ -53 +53 @@
 }
 
-BitmapImage::BitmapImage(RefPtr<NativeImage>&& image, ImageObserver* observer)
-    : Image(observer)
-    , m_source(ImageSource::create(WTFMove(image)))
+BitmapImage::BitmapImage(Ref<NativeImage>&& image)
+    : m_source(ImageSource::create(WTFMove(image)))
 {
 }
@@ -78 +77 @@
     LOG(Images, "BitmapImage::%s - %p - url: %s", __FUNCTION__, this, sourceURL().string().utf8().data());
 
-    if (!destroyAll)
-        m_source->destroyDecodedDataBeforeFrame(m_currentFrame);
-    else if (!canDestroyDecodedData())
-        m_source->destroyAllDecodedDataExcludeFrame(m_currentFrame);
-    else {
-        m_source->destroyAllDecodedData();
+    if (!destroyAll) {
+        // Destroy all the frames between frame0 and m_currentFrame.
+        m_source->destroyDecodedData(1, m_currentFrame);
+    } else if (!canDestroyDecodedData()) {
+        // Destroy all the frames except frame0 and m_currentFrame.
+        m_source->destroyDecodedData(1, m_currentFrame);
+        m_source->destroyDecodedData(m_currentFrame + 1, frameCount());
+    } else {
+        m_source->destroyDecodedData(0, frameCount());
         m_currentFrameDecodingStatus = DecodingStatus::Invalid;
     }
@@ -229 +231 @@
         return ImageDrawResult::DidNothing;
 
-    
     auto srcRect = requestedSrcRect;
     auto preferredSize = size();

branches/safari-7613.3.1.0-branch/Source/WebCore/platform/graphics/BitmapImage.h

@@ -54 +54 @@
 class BitmapImage final : public Image {
 public:
-    static Ref<BitmapImage> create(PlatformImagePtr&& platformImage, ImageObserver* observer = nullptr)
-    {
-        return adoptRef(*new BitmapImage(NativeImage::create(WTFMove(platformImage)), observer));
-    }
-    static Ref<BitmapImage> create(RefPtr<NativeImage>&& nativeImage, ImageObserver* observer = nullptr)
-    {
-        return adoptRef(*new BitmapImage(WTFMove(nativeImage), observer));
+    static RefPtr<BitmapImage> create(PlatformImagePtr&& platformImage)
+    {
+        return create(NativeImage::create(WTFMove(platformImage)));
+    }
+    static RefPtr<BitmapImage> create(RefPtr<NativeImage>&& nativeImage)
+    {
+        if (!nativeImage)
+            return nullptr;
+        return create(nativeImage.releaseNonNull());
+    }
+    static Ref<BitmapImage> create(Ref<NativeImage>&& nativeImage)
+    {
+        return adoptRef(*new BitmapImage(WTFMove(nativeImage)));
     }
     static Ref<BitmapImage> create(ImageObserver* observer = nullptr)
@@ -155 +161 @@
 
 private:
-    WEBCORE_EXPORT BitmapImage(RefPtr<NativeImage>&&, ImageObserver* = nullptr);
+    WEBCORE_EXPORT BitmapImage(Ref<NativeImage>&&);
     WEBCORE_EXPORT BitmapImage(ImageObserver* = nullptr);
 

branches/safari-7613.3.1.0-branch/Source/WebCore/platform/graphics/ImageSource.cpp

@@ -45 +45 @@
 }
 
-ImageSource::ImageSource(RefPtr<NativeImage>&& nativeImage)
+ImageSource::ImageSource(Ref<NativeImage>&& nativeImage)
     : m_runLoop(RunLoop::current())
 {
@@ -121 +121 @@
 }
 
-void ImageSource::destroyDecodedData(size_t frameCount, size_t excludeFrame)
-{
+void ImageSource::destroyDecodedData(size_t begin, size_t end)
+{
+    if (begin >= end)
+        return;
+
+    ASSERT(end <= m_frames.size());
+
     unsigned decodedSize = 0;
 
-    ASSERT(frameCount <= m_frames.size());
-
-    for (size_t index = 0; index < frameCount; ++index) {
-        if (index == excludeFrame)
-            continue;
+    for (size_t index = begin; index < end; ++index)
         decodedSize += m_frames[index].clearImage();
-    }
 
     decodedSizeReset(decodedSize);
@@ -233 +233 @@
 }
 
-void ImageSource::setNativeImage(RefPtr<NativeImage>&& nativeImage)
+void ImageSource::setNativeImage(Ref<NativeImage>&& nativeImage)
 {
     ASSERT(m_frames.size() == 1);

branches/safari-7613.3.1.0-branch/Source/WebCore/platform/graphics/ImageSource.h

@@ -52 +52 @@
     }
 
-    static Ref<ImageSource> create(RefPtr<NativeImage>&& nativeImage)
+    static Ref<ImageSource> create(Ref<NativeImage>&& nativeImage)
     {
         return adoptRef(*new ImageSource(WTFMove(nativeImage)));
@@ -63 +63 @@
 
     unsigned decodedSize() const { return m_decodedSize; }
-    void destroyAllDecodedData() { destroyDecodedData(frameCount(), frameCount()); }
-    void destroyAllDecodedDataExcludeFrame(size_t excludeFrame) { destroyDecodedData(frameCount(), excludeFrame); }
-    void destroyDecodedDataBeforeFrame(size_t beforeFrame) { destroyDecodedData(beforeFrame, beforeFrame); }
+    void destroyDecodedData(size_t begin, size_t end);
     void destroyIncompleteDecodedData();
     void clearFrameBufferCache(size_t beforeFrame);
@@ -129 +127 @@
 private:
     ImageSource(BitmapImage*, AlphaOption = AlphaOption::Premultiplied, GammaAndColorProfileOption = GammaAndColorProfileOption::Applied);
-    ImageSource(RefPtr<NativeImage>&&);
+    ImageSource(Ref<NativeImage>&&);
 
     enum class MetadataType {
@@ -154 +152 @@
     bool ensureDecoderAvailable(FragmentedSharedBuffer* data);
     bool isDecoderAvailable() const { return m_decoder; }
-    void destroyDecodedData(size_t frameCount, size_t excludeFrame);
     void decodedSizeChanged(long long decodedSize);
     void didDecodeProperties(unsigned decodedPropertiesSize);
@@ -162 +159 @@
     void encodedDataStatusChanged(EncodedDataStatus);
 
-    void setNativeImage(RefPtr<NativeImage>&&);
+    void setNativeImage(Ref<NativeImage>&&);
     void cacheMetadataAtIndex(size_t, SubsamplingLevel, DecodingStatus = DecodingStatus::Invalid);
     void cachePlatformImageAtIndex(PlatformImagePtr&&, size_t, SubsamplingLevel, const DecodingOptions&, DecodingStatus = DecodingStatus::Invalid);

branches/safari-7613.3.1.0-branch/Source/WebKit/ChangeLog

@@ +1 @@
+2022-05-23  Alan Coon  <alancoon@apple.com>
+
+        Cherry-pick r294280. rdar://problem/87980543
+
+    REGRESSION(r249162): CanvasRenderingContext2DBase::drawImage() crashes if the image is animated and the first frame cannot be decoded
+    https://bugs.webkit.org/show_bug.cgi?id=239113
+    rdar://87980543
+    
+    Reviewed by Simon Fraser.
+    
+    Source/WebCore:
+    
+    CanvasRenderingContext2DBase::drawImage() needs to ensure the first frame
+    of the animated image can be decoded correctly before creating the temporary
+    static image. If the first frame can't be decoded, this function should return
+    immediately. This matches the behavior of this function before r249162.
+    
+    The animated image decodes its frames asynchronously in a work queue. But
+    the first frame has to be decoded synchronously in the main run loop. So
+    to avoid running the image decoder in two different threads we are going
+    to keep the first and the current frame cached when we receive a memory
+    pressure warning. This should not increase the memory allocation of the
+    animated image because the numbers of cached frames increases quickly and
+    we keep all of them till a memory warning is received. But the memory
+    pressure warning will be received a little bit more often. This depends
+    on the memory size of the first frame.
+    
+    To make the code more robust, make ImageSource take a Ref<NativeImage>
+    instead of taking a RefPtr<NativeImage>.
+    
+    * html/canvas/CanvasRenderingContext2DBase.cpp:
+    (WebCore::CanvasRenderingContext2DBase::drawImage):
+    * platform/graphics/BitmapImage.cpp:
+    (WebCore::BitmapImage::BitmapImage):
+    (WebCore::BitmapImage::destroyDecodedData):
+    * platform/graphics/BitmapImage.h:
+    * platform/graphics/ImageSource.cpp:
+    (WebCore::ImageSource::ImageSource):
+    (WebCore::ImageSource::destroyDecodedData):
+    (WebCore::ImageSource::setNativeImage):
+    * platform/graphics/ImageSource.h:
+    (WebCore::ImageSource::create):
+    (WebCore::ImageSource::isDecoderAvailable const):
+    (WebCore::ImageSource::destroyAllDecodedData): Deleted.
+    (WebCore::ImageSource::destroyAllDecodedDataExcludeFrame): Deleted.
+    (WebCore::ImageSource::destroyDecodedDataBeforeFrame): Deleted.
+    
+    Source/WebKit:
+    
+    * GPUProcess/graphics/RemoteDisplayListRecorder.cpp:
+    (WebKit::RemoteDisplayListRecorder::drawSystemImage):
+    
+    Canonical link: https://commits.webkit.org/250624@main
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@294280 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2022-05-16  Said Abou-Hallawa  <said@apple.com>
+
+            REGRESSION(r249162): CanvasRenderingContext2DBase::drawImage() crashes if the image is animated and the first frame cannot be decoded
+            https://bugs.webkit.org/show_bug.cgi?id=239113
+            rdar://87980543
+
+            Reviewed by Simon Fraser.
+
+            * GPUProcess/graphics/RemoteDisplayListRecorder.cpp:
+            (WebKit::RemoteDisplayListRecorder::drawSystemImage):
+
 2022-05-02  Alan Coon  <alancoon@apple.com>