jsc_fuz/wktr: null ptr deref in WebCore::GraphicsLayerAsyncContentsDisplayDelegateCocoa::tryCopyToLayer(WebCore::ImageBuffer&)

https://bugs.webkit.org/show_bug.cgi?id=262640
<rdar://115497296>

Reviewed by Kimmo Kinnunen.

This adds support for setDelegatedContents on a PlatformCALayerRemote having a generic ImageBufferBackendHandle (which includes
shared memory), instead of only MachSendRight.

Adds an explicit copy constructor to SharedMemoryHandle, UnixFileDescriptor and CGDisplayList to match MachSendRight and make
this possible.

Also switches Protection::ReadWrite to Protection::ReadOnly for the RemoteLayerBackingStore callers, since we were already using
this for tryCopyToLayer, and we need the ::map() call in the UI process to not try ask for extra permissions.

* Source/WTF/wtf/unix/UnixFileDescriptor.h:
(WTF::UnixFileDescriptor::UnixFileDescriptor):
* Source/WebKit/Platform/SharedMemory.h:
* Source/WebKit/Shared/RemoteLayerTree/CGDisplayList.h:
* Source/WebKit/Shared/RemoteLayerTree/RemoteLayerBackingStore.h:
* Source/WebKit/Shared/RemoteLayerTree/RemoteLayerBackingStore.mm:
(WebKit::RemoteLayerBackingStore::encode const):
(WebKit::RemoteLayerBackingStore::setDelegatedContents):
(WebKit::RemoteLayerBackingStoreProperties::layerContentsBufferFromBackendHandle):
* Source/WebKit/Shared/ShareableBitmap.h:
* Source/WebKit/WebProcess/WebPage/RemoteLayerTree/GraphicsLayerCARemote.mm:
* Source/WebKit/WebProcess/WebPage/RemoteLayerTree/PlatformCALayerRemote.h:
* Source/WebKit/WebProcess/WebPage/RemoteLayerTree/PlatformCALayerRemote.mm:
(WebKit::PlatformCALayerRemote::setDelegatedContents):
(WebKit::PlatformCALayerRemote::setRemoteDelegatedContents):

Originally-landed-as: 267815.262@safari-7617-branch (8ac1946). rdar://119570861
Canonical link: https://commits.webkit.org/272365@main

Author: mattwoodrow

LayoutTests/fast/canvas/offscreen-giant-expected.html

@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<body>
+<canvas id="onscreen" width="100" height="10""></canvas>
+<script>
+const canvas = document.getElementById('onscreen');
+
+const context = canvas.getContext('2d');
+
+const square = new Path2D();
+square.rect(0, 0, 100, 10);
+context.fillStyle = 'green';
+context.fill(square);
+
+</script>
+</body>
+</html>

LayoutTests/fast/canvas/offscreen-giant.html

@@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta name="fuzzy" content="maxDifference=0-64; totalPixels=0-10" />
+</head>
+<body style="overflow:hidden">
+<canvas id="offscreen"></canvas>
+<script>
+const canvas = document.getElementById('offscreen');
+
+const offscreenCanvas = canvas.transferControlToOffscreen();
+offscreenCanvas.width = 200000;
+offscreenCanvas.height = 10;
+
+const offscreenContext = offscreenCanvas.getContext('2d');
+
+if (window.testRunner)
+    testRunner.waitUntilDone();
+
+requestAnimationFrame(function() {
+    const square = new Path2D();
+    square.rect(0, 0, 100, 10);
+    offscreenContext.fillStyle = 'green';
+    offscreenContext.fill(square);
+    offscreenContext.commit();
+
+    requestAnimationFrame(function() {
+        if (window.testRunner)
+            testRunner.notifyDone();
+    });
+});
+</script>
+</body>
+</html>

LayoutTests/platform/glib/TestExpectations

@@ -3757,6 +3757,8 @@ webkit.org/b/266636 fast/multicol/last-set-crash.html [ Skip ]
 
 webkit.org/b/266708 imported/w3c/web-platform-tests/html/semantics/embedded-content/media-elements/loading-the-media-resource/resource-selection-currentSrc.html [ Pass Crash ]
 
+webkit.org/b/266719 fast/canvas/offscreen-giant.html [ ImageOnlyFailure ]
+
 # End: Common failures between GTK and WPE.
 
 #////////////////////////////////////////////////////////////////////////////////////////

LayoutTests/platform/mac-monterey/TestExpectations

@@ -7,3 +7,5 @@
 
 # Failing after OS migration rdar://112624778 (Migrate macOS Sonoma test expectations to OpenSource, add expectation files to Down-Levels (259373))
 http/tests/appcache/fail-on-update-2.html [ DumpJSConsoleLogInStdErr Timeout Failure ]
+
+fast/canvas/offscreen-giant.html [ ImageOnlyFailure ]

Source/WTF/wtf/unix/UnixFileDescriptor.h

@@ -34,7 +34,6 @@
 namespace WTF {
 
 class UnixFileDescriptor {
-    WTF_MAKE_NONCOPYABLE(UnixFileDescriptor);
 public:
     UnixFileDescriptor() = default;
 
@@ -55,6 +54,12 @@ class UnixFileDescriptor {
         m_value = o.release();
     }
 
+    explicit UnixFileDescriptor(const UnixFileDescriptor& o)
+    {
+        if (o.m_value >= 0)
+            m_value = dupCloseOnExec(o.m_value);
+    }
+
     UnixFileDescriptor& operator=(UnixFileDescriptor&& o)
     {
         if (&o == this)

Source/WebCore/platform/graphics/ca/cocoa/GraphicsLayerAsyncContentsDisplayDelegateCocoa.mm

@@ -43,6 +43,8 @@
 bool GraphicsLayerAsyncContentsDisplayDelegateCocoa::tryCopyToLayer(ImageBuffer& image)
 {
     m_image = ImageBuffer::sinkIntoNativeImage(image.clone());
+    if (!m_image)
+        return false;
 
     [CATransaction begin];
     [CATransaction setDisableActions:YES];

Source/WebCore/platform/graphics/cocoa/DynamicContentScalingDisplayList.h

@@ -33,13 +33,13 @@
 namespace WebCore {
 
 class DynamicContentScalingDisplayList {
-    WTF_MAKE_NONCOPYABLE(DynamicContentScalingDisplayList);
 public:
     DynamicContentScalingDisplayList(Ref<WebCore::SharedBuffer> displayList, Vector<MachSendRight>&& surfaces)
         : m_displayList(WTFMove(displayList))
         , m_surfaces(WTFMove(surfaces))
     {
     }
+    explicit CGDisplayList(const CGDisplayList&) = default;
 
     DynamicContentScalingDisplayList(DynamicContentScalingDisplayList&&) = default;
     DynamicContentScalingDisplayList& operator=(DynamicContentScalingDisplayList&&) = default;

Source/WebKit/Platform/SharedMemory.h

@@ -60,7 +60,6 @@ namespace WebKit {
 enum class MemoryLedger { None, Default, Network, Media, Graphics, Neural };
 
 class SharedMemoryHandle {
-    WTF_MAKE_NONCOPYABLE(SharedMemoryHandle);
 public:
     using Type =
 #if USE(UNIX_DOMAIN_SOCKETS)
@@ -72,6 +71,7 @@ class SharedMemoryHandle {
 #endif
 
     SharedMemoryHandle(SharedMemoryHandle&&) = default;
+    explicit SharedMemoryHandle(const SharedMemoryHandle&) = default;
     SharedMemoryHandle(SharedMemoryHandle::Type&&, size_t);
 
     SharedMemoryHandle& operator=(SharedMemoryHandle&&) = default;

Source/WebKit/Shared/RemoteLayerTree/RemoteLayerBackingStore.h

@@ -54,6 +54,7 @@ class RemoteLayerBackingStoreCollection;
 class RemoteLayerTreeNode;
 class RemoteLayerTreeHost;
 enum class SwapBuffersDisplayRequirement : uint8_t;
+struct PlatformCALayerRemoteDelegatedContents;
 
 enum class BackingStoreNeedsDisplayReason : uint8_t {
     None,
@@ -102,7 +103,7 @@ class RemoteLayerBackingStore : public CanMakeWeakPtr<RemoteLayerBackingStore> {
     void setNeedsDisplay(const WebCore::IntRect);
     void setNeedsDisplay();
 
-    void setDelegatedContents(const WebCore::PlatformCALayerDelegatedContents&);
+    void setDelegatedContents(const PlatformCALayerRemoteDelegatedContents&);
 
     // Returns true if we need to encode the buffer.
     bool layerWillBeDisplayed();
@@ -178,7 +179,7 @@ class RemoteLayerBackingStore : public CanMakeWeakPtr<RemoteLayerBackingStore> {
 
     // FIXME: This should be removed and m_bufferHandle should be used to ref the buffer once ShareableBitmap::Handle
     // can be encoded multiple times. http://webkit.org/b/234169
-    std::optional<MachSendRight> m_contentsBufferHandle;
+    std::optional<ImageBufferBackendHandle> m_contentsBufferHandle;
     std::optional<WebCore::RenderingResourceIdentifier> m_contentsRenderingResourceIdentifier;
 
     Vector<std::unique_ptr<WebCore::ThreadSafeImageBufferFlusher>> m_frontBufferFlushers;

Source/WebKit/Shared/RemoteLayerTree/RemoteLayerBackingStore.mm

@@ -161,7 +161,7 @@ static bool hasValue(const ImageBufferBackendHandle& backendHandle)
     std::optional<ImageBufferBackendHandle> handle;
     if (m_contentsBufferHandle) {
         ASSERT(m_parameters.type == Type::IOSurface);
-        handle = MachSendRight { *m_contentsBufferHandle };
+        handle = ImageBufferBackendHandle { *m_contentsBufferHandle };
     } else
         handle = frontBufferHandle();
 
@@ -311,9 +311,9 @@ static bool hasValue(const ImageBufferBackendHandle& backendHandle)
     return !m_parameters.isOpaque && !m_layer->owner()->platformCALayerShouldPaintUsingCompositeCopy();
 }
 
-void RemoteLayerBackingStore::setDelegatedContents(const WebCore::PlatformCALayerDelegatedContents& contents)
+void RemoteLayerBackingStore::setDelegatedContents(const PlatformCALayerRemoteDelegatedContents& contents)
 {
-    m_contentsBufferHandle = MachSendRight { contents.surface };
+    m_contentsBufferHandle = ImageBufferBackendHandle { contents.surface };
     if (contents.finishedFence)
         m_frontBufferFlushers.append(DelegatedContentsFenceFlusher::create(Ref { *contents.finishedFence }));
     if (contents.surfaceIdentifier)
@@ -478,7 +478,7 @@ static bool hasValue(const ImageBufferBackendHandle& backendHandle)
     RetainPtr<id> contents;
     WTF::switchOn(backendHandle,
         [&] (ShareableBitmap::Handle& handle) {
-            if (auto bitmap = ShareableBitmap::create(WTFMove(handle)))
+            if (auto bitmap = ShareableBitmap::create(WTFMove(handle), SharedMemory::Protection::ReadOnly))
                 contents = bridge_id_cast(bitmap->makeCGImageCopy());
         },
         [&] (MachSendRight& machSendRight) {