[OffscreenCanvas] Crash uploading canvas as WebGL texture
Reported by
a...@scirra.com,
Feb 25 2017
Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3023.0 Safari/537.36

Steps to reproduce the problem:
Note: enable 'experimental canvas features' in chrome://flags
1. Visit https://www.scirra.com/labs/bugs/offscreencanvas-texture/
2. Click 'Crash'

What is the expected behavior?
The page creates an OffscreenCanvas with a WebGL context. When you click the button it creates a temporary DOM canvas and tries to upload it to a WebGL texture via texImage2D(). This should succeed.

What went wrong?
The texImage2D call crashes the whole browser tab.

Did this work before? N/A
Does this work in other browsers? N/A

Chrome version: 58.0.3023.0 Channel: canary
OS Version: 10.0
Flash Version: Shockwave Flash 25.0 r0

Interestingly it also crashes Firefox Nightly.
,
Feb 27 2017
,
Mar 22 2017
,
Mar 23 2017
,
Apr 6 2017
The crash came from DCHECK_EQ(!canvas(), !!destinationSecurityOrigin); in CanvasRenderingContext::wouldTaintOrigin. I think it is because when I implemented this function I didn't consider the webgl case.
,
Apr 7 2017
,
Apr 13 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/a618ae85f99de9dfcd3596d40e247b92b52eb745

commit a618ae85f99de9dfcd3596d40e247b92b52eb745
Author: xlai <xlai@chromium.org>
Date: Thu Apr 13 18:04:52 2017

Make OffscreenCanvas WebGL(2) context consider taintedness of image source

BUG= 696222
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.android:android_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel

Review-Url: https://codereview.chromium.org/2806803003
Cr-Commit-Position: refs/heads/master@{#464467}

[add] https://crrev.com/a618ae85f99de9dfcd3596d40e247b92b52eb745/third_party/WebKit/LayoutTests/http/tests/security/cross-origin-OffscreenCanvasWebGL-texImage2D.html
[modify] https://crrev.com/a618ae85f99de9dfcd3596d40e247b92b52eb745/third_party/WebKit/Source/core/html/canvas/CanvasRenderingContext.cpp
[modify] https://crrev.com/a618ae85f99de9dfcd3596d40e247b92b52eb745/third_party/WebKit/Source/core/html/canvas/CanvasRenderingContext.h
[modify] https://crrev.com/a618ae85f99de9dfcd3596d40e247b92b52eb745/third_party/WebKit/Source/modules/canvas2d/CanvasRenderingContext2D.h
[modify] https://crrev.com/a618ae85f99de9dfcd3596d40e247b92b52eb745/third_party/WebKit/Source/modules/webgl/WebGL2RenderingContextBase.cpp
[modify] https://crrev.com/a618ae85f99de9dfcd3596d40e247b92b52eb745/third_party/WebKit/Source/modules/webgl/WebGL2RenderingContextBase.h
[modify] https://crrev.com/a618ae85f99de9dfcd3596d40e247b92b52eb745/third_party/WebKit/Source/modules/webgl/WebGL2RenderingContextBase.idl
[modify] https://crrev.com/a618ae85f99de9dfcd3596d40e247b92b52eb745/third_party/WebKit/Source/modules/webgl/WebGLRenderingContextBase.cpp
[modify] https://crrev.com/a618ae85f99de9dfcd3596d40e247b92b52eb745/third_party/WebKit/Source/modules/webgl/WebGLRenderingContextBase.h
[modify] https://crrev.com/a618ae85f99de9dfcd3596d40e247b92b52eb745/third_party/WebKit/Source/modules/webgl/WebGLRenderingContextBase.idl
,
Apr 13 2017
ash@, you are a rockstar for reporting this! xlai@, it's fixed! :)
,
Apr 18 2017
Tested on Windows 10 & 7 using Chrome Dev M59 #59.0.3071.9 and followed the steps below to verify:
1. Enabled 'experimental canvas features' in chrome://flags
2. Launched Chrome, navigated to "https://www.scirra.com/labs/bugs/offscreencanvas-texture/" and clicked Crash; nothing happened and observed a console error message.
Attached screencast for reference.
Could someone please check the attached screencast and confirm for us whether this is the expected result, or give steps to verify the issue if we have missed anything? Thanks!
,
Apr 18 2017
This issue was marked fixed and I can verify it no longer reproduces in Canary, so I think it's all solved now?
,
Apr 18 2017
Yes it's already resolved.
Comment 1 by ajha@chromium.org
, Feb 27 2017