Project: chromium
Status: Fixed
Closed: Apr 13
OS: Windows
Pri: 1
Type: Bug

Blocking: issue 563816

[OffscreenCanvas] Crash uploading canvas as WebGL texture
Reported by a...@scirra.com, Feb 25 2017
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3023.0 Safari/537.36

Steps to reproduce the problem:
Note: enable 'experimental canvas features' in chrome://flags

1. Visit https://www.scirra.com/labs/bugs/offscreencanvas-texture/
2. Click 'Crash'

What is the expected behavior?
The page creates an OffscreenCanvas with a WebGL context. When you click the button it creates a temporary DOM canvas and tries to upload it to a WebGL texture via texImage2D(). This should succeed.

What went wrong?
The texImage2D call crashes the whole browser tab.

Did this work before? N/A 

Does this work in other browsers? N/A

Chrome version: 58.0.3023.0  Channel: canary
OS Version: 10.0
Flash Version: Shockwave Flash 25.0 r0

Interestingly it also crashes Firefox Nightly.
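A browser-side reproduction of the upload path described in the report, plus the cross-origin variant that the fix's layout test name refers to, as an added example (it is neither the reporter's test page nor Chromium code). It assumes a hypothetical cross-origin image URL (placeholder CROSS_ORIGIN_IMAGE_URL) served without CORS headers, so that drawing it taints the temporary DOM canvas; the same-origin case needs nothing beyond a browser where OffscreenCanvas supports WebGL (behind 'experimental canvas features' on the Chrome builds in this report). With the taint check in place, the clean canvas uploads and the tainted canvas is rejected with a SecurityError DOMException; neither a tab crash nor a silent success is acceptable, since a silent success would let a page read cross-origin pixels back through the texture.

```javascript
// Added example, not code from the bug report or from Chromium.
// Assumption (not in the report): a placeholder image URL on another origin,
// served WITHOUT CORS headers, so drawing it taints the DOM canvas.
const CROSS_ORIGIN_IMAGE_URL = 'https://cross-origin.example/image.png'; // hypothetical

// OffscreenCanvas with a WebGL context, as the reporter's page creates it.
function makeOffscreenGL(width = 64, height = 64) {
  const off = new OffscreenCanvas(width, height);
  const gl = off.getContext('webgl');
  if (!gl) throw new Error('WebGL context unavailable on OffscreenCanvas');
  return gl;
}

// Temporary DOM canvas; if an image is given it is drawn in first
// (a non-CORS cross-origin image marks the canvas as origin-unclean).
function makeDomCanvas(image) {
  const c = document.createElement('canvas');
  c.width = 64;
  c.height = 64;
  const ctx = c.getContext('2d');
  ctx.fillStyle = '#f00';
  ctx.fillRect(0, 0, 64, 64);
  if (image) ctx.drawImage(image, 0, 0, 64, 64);
  return c;
}

// The call that crashed the tab: upload the DOM canvas into a texture
// owned by the OffscreenCanvas WebGL context.
function uploadCanvasToTexture(gl, srcCanvas) {
  const tex = gl.createTexture();
  gl.bindTexture(gl.TEXTURE_2D, tex);
  gl.texImage2D(gl.TEXTURE_2D, 0, gl.RGBA, gl.RGBA, gl.UNSIGNED_BYTE, srcCanvas);
  gl.deleteTexture(tex);
}

function loadImage(url) {
  return new Promise((resolve, reject) => {
    const img = new Image(); // deliberately no crossOrigin attribute
    img.onload = () => resolve(img);
    img.onerror = () => reject(new Error('image load failed: ' + url));
    img.src = url;
  });
}

// One upload attempt, classified by outcome. A tainted source must surface
// as a SecurityError DOMException; anything else is a bug.
function attempt(gl, srcCanvas) {
  try {
    uploadCanvasToTexture(gl, srcCanvas);
    return 'ok';
  } catch (e) {
    return (e && e.name === 'SecurityError') ? 'SecurityError' : 'other:' + (e && e.name);
  }
}

// Verdict for the fixed behaviour: clean canvas accepted, tainted canvas rejected.
function verdict(outcomes) {
  return outcomes.sameOrigin === 'ok' && outcomes.crossOrigin === 'SecurityError';
}

async function run() {
  const gl = makeOffscreenGL();
  const outcomes = { sameOrigin: attempt(gl, makeDomCanvas()) };
  try {
    const img = await loadImage(CROSS_ORIGIN_IMAGE_URL);
    outcomes.crossOrigin = attempt(gl, makeDomCanvas(img));
  } catch (e) {
    outcomes.crossOrigin = 'not-run: ' + e.message; // no cross-origin image reachable
  }
  console.log(outcomes, 'taint check behaves:', verdict(outcomes));
  return outcomes;
}

// Only start in a browser; the helpers above stay usable elsewhere.
if (typeof document !== 'undefined' && typeof OffscreenCanvas !== 'undefined') run();
```

Paste the block into the console of any page (so that the cross-origin placeholder is actually cross-origin relative to it) and read the logged outcomes; a pre-fix build would have crashed at the second attempt, whereas a build with the fix logs 'SecurityError' for crossOrigin.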

Comment 1 by a...@chromium.org, Feb 27 2017
Labels: Needs-Triage-M58
Comment 2 by junov@chromium.org, Feb 27 2017
Labels: -Needs-Triage-M58 M-59
Owner: junov@chromium.org
Status: Assigned
Labels: -Pri-2 Pri-1
Blocking: 563816
The crash came from DCHECK_EQ(!canvas(), !!destinationSecurityOrigin); in CanvasRenderingContext::wouldTaintOrigin. I think it is because when I implemented this function I didn't consider the WebGL case.
Owner: xlai@chromium.org
Status: Started
Project Member Comment 7 by bugdroid1@chromium.org, Apr 13
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a618ae85f99de9dfcd3596d40e247b92b52eb745

commit a618ae85f99de9dfcd3596d40e247b92b52eb745
Author: xlai <xlai@chromium.org>
Date: Thu Apr 13 18:04:52 2017

Make OffscreenCanvas WebGL(2) context consider taintedness of image source

BUG=696222
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.android:android_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel

Review-Url: https://codereview.chromium.org/2806803003
Cr-Commit-Position: refs/heads/master@{#464467}

[add] https://crrev.com/a618ae85f99de9dfcd3596d40e247b92b52eb745/third_party/WebKit/LayoutTests/http/tests/security/cross-origin-OffscreenCanvasWebGL-texImage2D.html
[modify] https://crrev.com/a618ae85f99de9dfcd3596d40e247b92b52eb745/third_party/WebKit/Source/core/html/canvas/CanvasRenderingContext.cpp
[modify] https://crrev.com/a618ae85f99de9dfcd3596d40e247b92b52eb745/third_party/WebKit/Source/core/html/canvas/CanvasRenderingContext.h
[modify] https://crrev.com/a618ae85f99de9dfcd3596d40e247b92b52eb745/third_party/WebKit/Source/modules/canvas2d/CanvasRenderingContext2D.h
[modify] https://crrev.com/a618ae85f99de9dfcd3596d40e247b92b52eb745/third_party/WebKit/Source/modules/webgl/WebGL2RenderingContextBase.cpp
[modify] https://crrev.com/a618ae85f99de9dfcd3596d40e247b92b52eb745/third_party/WebKit/Source/modules/webgl/WebGL2RenderingContextBase.h
[modify] https://crrev.com/a618ae85f99de9dfcd3596d40e247b92b52eb745/third_party/WebKit/Source/modules/webgl/WebGL2RenderingContextBase.idl
[modify] https://crrev.com/a618ae85f99de9dfcd3596d40e247b92b52eb745/third_party/WebKit/Source/modules/webgl/WebGLRenderingContextBase.cpp
[modify] https://crrev.com/a618ae85f99de9dfcd3596d40e247b92b52eb745/third_party/WebKit/Source/modules/webgl/WebGLRenderingContextBase.h
[modify] https://crrev.com/a618ae85f99de9dfcd3596d40e247b92b52eb745/third_party/WebKit/Source/modules/webgl/WebGLRenderingContextBase.idl

Status: Fixed
ash@, you are a rockstar for reporting this! xlai@, it's fixed! :)
Cc: hdodda@chromium.org
Labels: Needs-Feedback
Tested on Windows 10 & 7 using Chrome Dev M59 #59.0.3071.9 and followed the steps below to verify:

1. Enabled 'experimental canvas features' in chrome://flags
2. Launched Chrome, navigated to "https://www.scirra.com/labs/bugs/offscreencanvas-texture/" and clicked 'Crash'; nothing happened, and observed a console error message.

Attached screencast for reference.

Could someone please check the attached screencast and confirm for us whether this is the expected result, or the steps to verify the issue if we have missed anything?

Thanks!

Attachment: 696222.mp4 (1.4 MB)
This issue was marked fixed and I can verify it no longer reproduces in Canary, so I think it's all solved now?
Labels: -Needs-Feedback
Yes it's already resolved.