tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git

commit c6321e044d6d0c6d04060521a1eb990026b3c079
parent 4bbf8598d130b17b120f13a9f065fe275fc0b80e
Author: Lee Salzman <lsalzman@mozilla.com>
Date:   Wed, 12 Nov 2025 02:06:58 +0000

Bug 1999580 - Check for valid handle before ReadSnapshotIntoPBO. r=aosmond

Differential Revision: https://phabricator.services.mozilla.com/D272185

Diffstat:
Mdom/canvas/DrawTargetWebgl.cpp | 8+++++++-
Mdom/canvas/SourceSurfaceWebgl.cpp | 12++++++------
Mdom/canvas/SourceSurfaceWebgl.h | 3++-
3 files changed, 15 insertions(+), 8 deletions(-)

diff --git a/dom/canvas/DrawTargetWebgl.cpp b/dom/canvas/DrawTargetWebgl.cpp
@@ -276,7 +276,7 @@ inline void SharedContextWebgl::UnlinkSurfaceTexture(
 // Ensure any WebGL snapshot textures get unlinked.
 if (surface->GetType() == SurfaceType::WEBGL) {
 static_cast<SourceSurfaceWebgl*>(surface.get())
- ->OnUnlinkTexture(this, aForce);
+ ->OnUnlinkTexture(this, aHandle, aForce);
 }
 surface->RemoveUserData(&mTextureHandleKey);
 }
@@ -1267,6 +1267,9 @@ already_AddRefed<DataSourceSurface> SharedContextWebgl::ReadSnapshot(
 format = aHandle->GetFormat();
 bounds = aHandle->GetBounds();
 } else {
+ if (!mCurrentTarget) {
+ return nullptr;
+ }
 format = mCurrentTarget->GetFormat();
 bounds = mCurrentTarget->GetRect();
 }
@@ -1298,6 +1301,9 @@ already_AddRefed<WebGLBuffer> SharedContextWebgl::ReadSnapshotIntoPBO(
 format = aHandle->GetFormat();
 bounds = aHandle->GetBounds();
 } else {
+ if (!mCurrentTarget) {
+ return nullptr;
+ }
 format = mCurrentTarget->GetFormat();
 bounds = mCurrentTarget->GetRect();
 }
diff --git a/dom/canvas/SourceSurfaceWebgl.cpp b/dom/canvas/SourceSurfaceWebgl.cpp
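Review bot: The new `if (!mCurrentTarget) { return nullptr; }` guard in `SharedContextWebgl::ReadSnapshot`, and the identical one in `ReadSnapshotIntoPBO`, has no comment saying when a null handle can arrive with no current target. A line such as `// No handle and no current target: there is nothing to read back.` above each guard would record the case. The caller visible in this commit, `OnUnlinkTexture`, assigns the result of `ReadSnapshotIntoPBO` straight to `mReadBuffer`, so it is worth confirming that its code after the hunk treats a null buffer as a failed readback. The format/bounds selection is duplicated in both functions and could move to one private helper so the null check lives in one place. Both function bodies start and end outside their hunks.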
@@ -186,18 +186,18 @@ void SourceSurfaceWebgl::SetHandle(TextureHandle* aHandle) { } // Handler for when the owner DrawTargetWebgl is destroying the cached texture -// handle that has been allocated for this snapshot. +// handle that has been allocated for this snapshot, or if the surface has +// uploaded data. void SourceSurfaceWebgl::OnUnlinkTexture(SharedContextWebgl* aContext, - bool aForce) { - // If we get here, then we must have copied a snapshot, which only happens - // if the target changed. - MOZ_ASSERT(!mDT); + TextureHandle* aHandle, bool aForce) { // If the snapshot was mapped before the target changed, we may have read // data instead of holding a copied texture handle. If subsequently we then // try to draw with this snapshot, we might have allocated an external texture // handle in the texture cache that still links to this snapshot and can cause // us to end up here inside OnUnlinkTexture. - MOZ_ASSERT(mHandle || mData || mReadBuffer); + if (mHandle != aHandle) { + return; + } if (!mData && !mReadBuffer) { if (!aForce) { mReadBuffer = aContext->ReadSnapshotIntoPBO(this, mHandle); diff --git a/dom/canvas/SourceSurfaceWebgl.h b/dom/canvas/SourceSurfaceWebgl.h @@ -62,7 +62,8 @@ class SourceSurfaceWebgl : public DataSourceSurface { void SetHandle(TextureHandle* aHandle); - void OnUnlinkTexture(SharedContextWebgl* aContext, bool aForce); + void OnUnlinkTexture(SharedContextWebgl* aContext, TextureHandle* aHandle, + bool aForce); DrawTargetWebgl* GetTarget() const { return mDT.get(); }
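Review bot: In `SourceSurfaceWebgl::OnUnlinkTexture` the new guard `if (mHandle != aHandle) { return; }` still passes when both pointers are null, and `ReadSnapshotIntoPBO(this, mHandle)` would then take the no-handle path that reads from `mCurrentTarget`. The hunk does not show whether a null `aHandle` can reach this function. If it can, and skipping the readback is the intent, `if (!mHandle || mHandle != aHandle) { return; }` would make the check match the commit title. The retained comment above the guard was written for the removed `MOZ_ASSERT` and does not say why a mismatched handle is ignored; a line like `// Only react when the handle being unlinked is the one this snapshot holds.` would help. The function body continues past the end of the hunk.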