Assertion failure in ~CompletionHandler() via ImageBitmap::createComp…

…letionHandler https://bugs.webkit.org/show_bug.cgi?id=270379 Reviewed by Wenson Hsieh. Call the completion handler when exiting early in PendingImageBitmap::fetch. * LayoutTests/fast/images/create-image-bitmap-after-stopping-script-execution-context-expected.txt: Added. * LayoutTests/fast/images/create-image-bitmap-after-stopping-script-execution-context.html: Added. * Source/WebCore/html/ImageBitmap.cpp: Canonical link: https://commits.webkit.org/275581@main
WebKit · Mar 2, 2024 · 198cfb4 · 198cfb4
1 parent 74f9655
commit 198cfb4
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 1 deletion.
diff --git a/...ests/fast/images/create-image-bitmap-after-stopping-script-execution-context-expected.txt b/...ests/fast/images/create-image-bitmap-after-stopping-script-execution-context-expected.txt
@@ -0,0 +1,4 @@
+This tests calling createImageBitmap on a window without a browsing context.
+WebKit should not crash and should show pass below.
+
+Partial PASS
diff --git a/LayoutTests/fast/images/create-image-bitmap-after-stopping-script-execution-context.html b/LayoutTests/fast/images/create-image-bitmap-after-stopping-script-execution-context.html
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+<body>
+<p>This tests calling createImageBitmap on a window without a browsing context.<br>
+WebKit should not crash and should show pass below.</p>
+<div id="result">Running</div>
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+    setTimeout(() => {
+        testRunner.notifyDone();
+    }, 10); // Needs to happen after promise.catch below.
+}
+
+const iframe = document.createElement('iframe');
+document.documentElement.appendChild(iframe);
+const contentWindow = iframe.contentWindow;
+iframe.remove();
+const promise = contentWindow.createImageBitmap(new Blob());
+
+result.textContent = 'Partial PASS';
+promise.catch(() => result.textContent = 'PASS');
+
+</script>
+</body>
+</html>
diff --git a/Source/WebCore/html/ImageBitmap.cpp b/Source/WebCore/html/ImageBitmap.cpp
@@ -725,8 +725,10 @@ class PendingImageBitmap final : public RefCounted<PendingImageBitmap>, public A
 public:
     static void fetch(ScriptExecutionContext& scriptExecutionContext, RefPtr<Blob>&& blob, ImageBitmapOptions&& options, std::optional<IntRect> rect, ImageBitmap::ImageBitmapCompletionHandler&& completionHandler)
     {
-        if (scriptExecutionContext.activeDOMObjectsAreStopped())
+        if (scriptExecutionContext.activeDOMObjectsAreStopped()) {
+            completionHandler(Exception { ExceptionCode::InvalidStateError, "Cannot create ImageBitmap in a document without browsing context"_s });
             return;
+        }
         Ref pendingImageBitmap = adoptRef(*new PendingImageBitmap(scriptExecutionContext, WTFMove(blob), WTFMove(options), WTFMove(rect), WTFMove(completionHandler)));
         pendingImageBitmap->suspendIfNeeded();
         pendingImageBitmap->start(scriptExecutionContext);