webgl context objects leak fix

tomasz-karczewski-red · tomasz-karczewski-red · commit 7fcd70c17ec6 · 2024-10-21T17:02:09.000+02:00
Changing order of operations in ~WebGLRenderingContextBase
Otherwise, WebGLContextGroup will not be able to release some of the
'group shared' resources that still have attachements when being removed
via WebGLSharedObject destructor - it happens eg. for
WebGLVertexArrayObjectBase objects that have buffers set on
destruction time.

The current behaviour in ~WebGLRenderingContextBase:

- first, the reference to some WebGLSharedObject (like m_boundArrayBuffer)
   is nullified
- since this decreases refcnt to 0, destructor for this WebGLSharedObject is
  executed - this goes via WebGLObject::runDestructor() -&gt; WebGLObject::deleteObject.
- WebGLObject::deleteObject checks for attachement count (m_attachmentCount)
  and if it's not 0 it will not execute deleteObjectImpl (where the actual
  removal from the context takes place).
- So the reference to the object is destructed, and ~WebGLSharedObject removes
  the object from m_contextGroup as well. At this point the resource is leaked.

With the fix, m_contextGroup-&gt;removeContext(*this) is executed at the beginning
of ~WebGLRenderingContextBase - this calls detach() on all the objects
(WebGLContextGroup::detachAndRemoveAllObjects) so is possible to release them.
diff --git a/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp b/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp
@@ -1238,6 +1238,13 @@ void WebGLRenderingContextBase::removeActivityStateChangeObserver()
 
 WebGLRenderingContextBase::~WebGLRenderingContextBase()
 {
+    if (!m_isPendingPolicyResolution) {
+        // need to remove from the group first, before we destroy the graphics context
+        // othwerwise, in case this is the last context in the group, when the context group tries
+        // to cleanup the remaining objects, it will not call deleteImpl (see WebGLObject::deleteObject)
+        // since the context is no longer available
+        m_contextGroup->removeContext(*this);
+    }
     // Remove all references to WebGLObjects so if they are the last reference
     // they will be freed before the last context is removed from the context group.
     m_boundArrayBuffer = nullptr;
@@ -1262,7 +1269,6 @@ WebGLRenderingContextBase::~WebGLRenderingContextBase()
         detachAndRemoveAllObjects();
         loseExtensions(LostContextMode::RealLostContext);
         destroyGraphicsContextGL();
-        m_contextGroup->removeContext(*this);
     }
 
     {

Original file line number	Diff line number	Diff line change
`@@ -1238,6 +1238,13 @@ void WebGLRenderingContextBase::removeActivityStateChangeObserver()`
`1238`	`1238`
`1239`	`1239`	`WebGLRenderingContextBase::~WebGLRenderingContextBase()`
`1240`	`1240`	`{`
	`1241`	`+ if (!m_isPendingPolicyResolution) {`
	`1242`	`+ // need to remove from the group first, before we destroy the graphics context`
	`1243`	`+ // othwerwise, in case this is the last context in the group, when the context group tries`
	`1244`	`+ // to cleanup the remaining objects, it will not call deleteImpl (see WebGLObject::deleteObject)`
	`1245`	`+ // since the context is no longer available`
	`1246`	`+ m_contextGroup->removeContext(*this);`
	`1247`	`+ }`
`1241`	`1248`	`// Remove all references to WebGLObjects so if they are the last reference`
`1242`	`1249`	`// they will be freed before the last context is removed from the context group.`
`1243`	`1250`	`m_boundArrayBuffer = nullptr;`
`@@ -1262,7 +1269,6 @@ WebGLRenderingContextBase::~WebGLRenderingContextBase()`
`1262`	`1269`	`detachAndRemoveAllObjects();`
`1263`	`1270`	`loseExtensions(LostContextMode::RealLostContext);`
`1264`	`1271`	`destroyGraphicsContextGL();`
`1265`		`- m_contextGroup->removeContext(*this);`
`1266`	`1272`	`}`
`1267`	`1273`
`1268`	`1274`	`{`