
Issue metadata

Status: Fixed
Closed: Apr 2017
OS: Windows
Pri: 1
Type: Bug

Blocking: issue 563816



[OffscreenCanvas] Crash uploading canvas as WebGL texture

Reported by a...@scirra.com, Feb 25 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3023.0 Safari/537.36

Steps to reproduce the problem:
Note: enable 'experimental canvas features' in chrome://flags

1. Visit https://www.scirra.com/labs/bugs/offscreencanvas-texture/
2. Click 'Crash'

What is the expected behavior?
The page creates an OffscreenCanvas with a WebGL context. When you click the button it creates a temporary DOM canvas and tries to upload it to a WebGL texture via texImage2D(). This should succeed.

What went wrong?
The texImage2D call crashes the whole browser tab.

Did this work before? N/A 

Does this work in other browsers? N/A

Chrome version: 58.0.3023.0  Channel: canary
OS Version: 10.0
Flash Version: Shockwave Flash 25.0 r0

Interestingly it also crashes Firefox Nightly.


Comment 1 by a...@chromium.org, Feb 27 2017

Labels: Needs-Triage-M58

Comment 2 by junov@chromium.org, Feb 27 2017

Labels: -Needs-Triage-M58 M-59
Owner: junov@chromium.org
Status: Assigned (was: Unconfirmed)

Comment 3 by junov@chromium.org, Mar 22 2017

Labels: -Pri-2 Pri-1

Comment 4 by junov@chromium.org, Mar 23 2017

Blocking: 563816

Comment 5 by xlai@chromium.org, Apr 6 2017

The crash came from DCHECK_EQ(!canvas(), !!destinationSecurityOrigin); in CanvasRenderingContext::wouldTaintOrigin. I think it is because when I implemented this function I didn't consider the WebGL case.
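To show the check the fix restores, here is an added browser-side example (not the reporter's page and not Chromium's code) that uploads two sources into an OffscreenCanvas WebGL context via texImage2D: a fresh same-origin canvas, which must succeed, and a cross-origin image fetched without CORS, which must be rejected with a SecurityError instead of hitting the DCHECK. originClean() and expectedTexImageResult() are a simplified model of the HTML spec's origin-clean rule, written for this example, and the image URL is a placeholder.

```javascript
// Added example, not from the bug report or the Chromium change.
// Simplified model of the HTML spec's "origin-clean" rule for image sources:
// a source taints the destination unless it is same-origin or was fetched
// with CORS approval. Canvases carry their own origin-clean flag.
function originClean(source, pageOrigin) {
  if (source.kind === 'canvas') return source.originClean !== false;
  if (source.kind === 'image') {
    return source.origin === pageOrigin || source.corsApproved === true;
  }
  throw new TypeError('unknown source kind: ' + source.kind);
}

// Expected outcome of texImage2D for this source once the taint check is
// applied to the OffscreenCanvas WebGL path: 'ok' for a clean source,
// 'SecurityError' for a tainting one (before the fix the path crashed on
// the DCHECK instead of reaching either outcome).
function expectedTexImageResult(source, pageOrigin) {
  return originClean(source, pageOrigin) ? 'ok' : 'SecurityError';
}

// Browser-only part: run in a page with 'experimental canvas features' on.
// Returns 'ok', or the name of the DOMException thrown by texImage2D.
function uploadToOffscreenGL(source) {
  const gl = new OffscreenCanvas(64, 64).getContext('webgl');
  const tex = gl.createTexture();
  gl.bindTexture(gl.TEXTURE_2D, tex);
  try {
    gl.texImage2D(gl.TEXTURE_2D, 0, gl.RGBA, gl.RGBA, gl.UNSIGNED_BYTE, source);
    return 'ok';
  } catch (e) {
    return e.name;
  }
}

// Browser demo: a same-origin DOM canvas must upload (the reporter's case);
// a cross-origin image loaded without crossOrigin='anonymous' must give
// 'SecurityError', not a tab crash.
function demo() {
  const sameOrigin = document.createElement('canvas');
  sameOrigin.width = sameOrigin.height = 64;
  console.log('canvas:', uploadToOffscreenGL(sameOrigin));
  const img = new Image(); // no crossOrigin attribute, so the image taints
  img.onload = () => console.log('cross-origin image:', uploadToOffscreenGL(img));
  img.src = 'https://other-origin.example/placeholder.png'; // placeholder URL
}
```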

Comment 6 by xlai@chromium.org, Apr 7 2017

Owner: xlai@chromium.org
Status: Started (was: Assigned)

Comment 7 by bugdroid1@chromium.org, Apr 13 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a618ae85f99de9dfcd3596d40e247b92b52eb745

commit a618ae85f99de9dfcd3596d40e247b92b52eb745
Author: xlai <xlai@chromium.org>
Date: Thu Apr 13 18:04:52 2017

Make OffscreenCanvas WebGL(2) context consider taintedness of image source

BUG=696222
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.android:android_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel

Review-Url: https://codereview.chromium.org/2806803003
Cr-Commit-Position: refs/heads/master@{#464467}

[add] https://crrev.com/a618ae85f99de9dfcd3596d40e247b92b52eb745/third_party/WebKit/LayoutTests/http/tests/security/cross-origin-OffscreenCanvasWebGL-texImage2D.html
[modify] https://crrev.com/a618ae85f99de9dfcd3596d40e247b92b52eb745/third_party/WebKit/Source/core/html/canvas/CanvasRenderingContext.cpp
[modify] https://crrev.com/a618ae85f99de9dfcd3596d40e247b92b52eb745/third_party/WebKit/Source/core/html/canvas/CanvasRenderingContext.h
[modify] https://crrev.com/a618ae85f99de9dfcd3596d40e247b92b52eb745/third_party/WebKit/Source/modules/canvas2d/CanvasRenderingContext2D.h
[modify] https://crrev.com/a618ae85f99de9dfcd3596d40e247b92b52eb745/third_party/WebKit/Source/modules/webgl/WebGL2RenderingContextBase.cpp
[modify] https://crrev.com/a618ae85f99de9dfcd3596d40e247b92b52eb745/third_party/WebKit/Source/modules/webgl/WebGL2RenderingContextBase.h
[modify] https://crrev.com/a618ae85f99de9dfcd3596d40e247b92b52eb745/third_party/WebKit/Source/modules/webgl/WebGL2RenderingContextBase.idl
[modify] https://crrev.com/a618ae85f99de9dfcd3596d40e247b92b52eb745/third_party/WebKit/Source/modules/webgl/WebGLRenderingContextBase.cpp
[modify] https://crrev.com/a618ae85f99de9dfcd3596d40e247b92b52eb745/third_party/WebKit/Source/modules/webgl/WebGLRenderingContextBase.h
[modify] https://crrev.com/a618ae85f99de9dfcd3596d40e247b92b52eb745/third_party/WebKit/Source/modules/webgl/WebGLRenderingContextBase.idl

Comment 8 by fs...@chromium.org, Apr 13 2017

Status: Fixed (was: Started)
ash@, you are a rockstar for reporting this! xlai@, it's fixed! :)

Comment 9 by hdodda@chromium.org, Apr 18 2017

Cc: hdodda@chromium.org
Labels: Needs-Feedback
Tested on Windows 10 & 7 using Chrome Dev M59 #59.0.3071.9 and followed the steps below to verify:

1. Enabled 'experimental canvas features' in chrome://flags
2. Launched Chrome, navigated to "https://www.scirra.com/labs/bugs/offscreencanvas-texture/" and clicked Crash; nothing happened, and observed a console error message.

Attached screencast for reference.

Could someone please check the attached screencast and confirm to us whether this is the expected result, or give us steps to verify the issue if we have missed anything.

Thanks!

Attachment: 696222.mp4 (1.4 MB)

Comment 10 by a...@scirra.com, Apr 18 2017

This issue was marked fixed and I can verify it no longer reproduces in Canary, so I think it's all solved now?

Comment 11 by xlai@chromium.org, Apr 18 2017

Labels: -Needs-Feedback
Yes, it's already resolved.
