Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 89356ad2cb98c18ac4aa75db9d457cee5b3fe990
https://github.com/WebKit/WebKit/commit/89356ad2cb98c18ac4aa75db9d457cee5b3fe990
Author: Matt Woodrow <[email protected]>
Date: 2026-04-15 (Wed, 15 Apr 2026)
Changed paths:
M Source/WebCore/platform/graphics/ImageUtilities.cpp
Log Message:
-----------
REGRESSION(308505@main) - Crash in WebCore::IOSurface::createPlatformContext
https://bugs.webkit.org/show_bug.cgi?id=312211
rdar://173305815
Reviewed by Simon Fraser.
HTMLCanvasElement::toBlob calls encodeData(makeRenderingResultsAvailable()…
which passes a RefPtr<ImageBuffer>&&.
encodeData then calls ImageBuffer::sinkIntoNativeImage which consumes the
ImageBuffer, and takes m_surface out of the backend.
Later on we try to flush the ImageBuffer, and crash because it’s in an invalid
state.
sinkIntoNativeImage should only be used if the moved RefPtr is the only ref to
the buffer.
* Source/WebCore/platform/graphics/ImageUtilities.cpp:
(WebCore::encodeData):
(WebCore::encodeDataURL):
Canonical link: https://commits.webkit.org/311322@main
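
The ownership rule in the log message, as an added example that is not WebKit code and not the patch itself: a minimal single-threaded model using `std::shared_ptr` in place of `RefPtr`. `Buffer`, `sinkPixels`, `copyPixels`, `encodeAlwaysSink` and `encodeGuarded` are hypothetical names, and the copy fallback is an assumption about how a guarded caller could behave, not a description of the actual fix.

```cpp
#include <cstdint>
#include <memory>
#include <optional>
#include <utility>
#include <vector>

// Hypothetical stand-in for a surface-backed image buffer (not WebCore::ImageBuffer).
struct Buffer {
    std::optional<std::vector<uint8_t>> surface; // empty once the backing store is taken
    explicit Buffer(std::vector<uint8_t> pixels) : surface(std::move(pixels)) {}
    std::vector<uint8_t> copyPixels() const { return *surface; } // non-destructive read
    std::vector<uint8_t> sinkPixels() {                          // destructive: steals the store
        auto out = std::move(*surface);
        surface.reset();
        return out;
    }
    bool flush() const { return surface.has_value(); } // a later flush needs the surface
};

// Pattern from the log message: sink unconditionally because the argument is an rvalue.
std::vector<uint8_t> encodeAlwaysSink(std::shared_ptr<Buffer>&& buffer) {
    return buffer->sinkPixels();
}

// Guarded form: an rvalue reference says nothing about other owners, so check the count.
std::vector<uint8_t> encodeGuarded(std::shared_ptr<Buffer>&& buffer) {
    auto local = std::move(buffer);
    if (local.use_count() == 1) // sole owner: nobody can observe the gutted buffer
        return local->sinkPixels();
    return local->copyPixels(); // shared: leave the surface in place
}

// The canvas keeps its own reference and hands the encoder a temporary copy of it.
bool sharedBufferSurvives(bool guarded) {
    auto canvasBuffer = std::make_shared<Buffer>(std::vector<uint8_t>{1, 2, 3, 4});
    auto encoded = guarded ? encodeGuarded(std::shared_ptr<Buffer>(canvasBuffer))
                           : encodeAlwaysSink(std::shared_ptr<Buffer>(canvasBuffer));
    return encoded.size() == 4 && canvasBuffer->flush();
}

// With a single owner the guarded path still sinks, and the buffer is released afterwards.
bool soleOwnerIsSunk() {
    auto buffer = std::make_shared<Buffer>(std::vector<uint8_t>{9, 9});
    std::weak_ptr<Buffer> observer = buffer;
    auto encoded = encodeGuarded(std::move(buffer));
    return encoded.size() == 2 && observer.expired();
}

int main() { return (!sharedBufferSurvives(false) && sharedBufferSurvives(true) && soleOwnerIsSunk()) ? 0 : 1; }
```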