Title: [216273] trunk/Source/WebCore
Revision: 216273
Author: s...@apple.com
Date: 2017-05-05 14:35:54 -0700 (Fri, 05 May 2017)

Log Message

Crash in ImageFrameCache::decodedSizeChanged() after image load cancellation
https://bugs.webkit.org/show_bug.cgi?id=171736

Reviewed by Tim Horton.

Tests: Covered by run-webkit-tests fast/images/image-formats-support.html
--guard-malloc.

Because an image format is not supported, the ImageObserver of the Image
is deleted, then the Image itself is deleted. In the BitmapImage destructor,
we make a call which ends up accessing the deleted ImageObserver.

To fix this, we need to setImageObserver of the Image to-be-deleted to
nullptr. So the Image can avoid accessing its ImageObserver while it is
being deleted. Also we can change the BitmapImage destructor to avoid calling
ImageFrameCache::decodedSizeChanged() since it is not really needed.

* loader/cache/CachedImage.cpp:
(WebCore::CachedImage::clearImage):
* platform/graphics/BitmapImage.cpp:
(WebCore::BitmapImage::~BitmapImage):

Modified Paths

* trunk/Source/WebCore/ChangeLog
* trunk/Source/WebCore/loader/cache/CachedImage.cpp
* trunk/Source/WebCore/platform/graphics/BitmapImage.cpp

Diff

Modified: trunk/Source/WebCore/ChangeLog (216272 => 216273)


--- trunk/Source/WebCore/ChangeLog	2017-05-05 21:15:51 UTC (rev 216272)
+++ trunk/Source/WebCore/ChangeLog	2017-05-05 21:35:54 UTC (rev 216273)
@@ -1,3 +1,27 @@
+2017-05-05  Said Abou-Hallawa  <sabouhall...@apple.com>
+
+        Crash in ImageFrameCache::decodedSizeChanged() after image load cancellation
+        https://bugs.webkit.org/show_bug.cgi?id=171736
+
+        Reviewed by Tim Horton.
+
+        Tests: Covered by run-webkit-tests fast/images/image-formats-support.html
+        --guard-malloc.
+
+        Because an image format is not supported, the ImageObserver of the Image
+        is deleted then the Image itself is deleted. In BitmapImage destructor,
+        we make a call which ends up accessing the deleted ImageObserver.
+
+        To fix this, we need to setImageObsever of the Image to-be-deleted to 
+        nullptr. So the Image can avoid accessing its ImageObserver, while it is
+        being deleted. Also we can change the BitImage destructor to avoid calling 
+        ImageFrameCache::decodedSizeChanged() since it is not really needed.
+
+        * loader/cache/CachedImage.cpp:
+        (WebCore::CachedImage::clearImage):
+        * platform/graphics/BitmapImage.cpp:
+        (WebCore::BitmapImage::~BitmapImage):
+
 2017-05-05  Brian Burg  <bb...@apple.com>
 
         CrashTracer: [USER] com.apple.WebKit.WebContent.Development at com.apple.WebCore: WebCore::commonVMSlow + 57
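Review bot: the new ChangeLog entry misspells both the method and the class it refers to: "setImageObsever" should read "setImageObserver" (the call added in CachedImage::clearImage) and "BitImage destructor" should read "BitmapImage destructor"; the lines "To fix this, we need to setImageObsever of the Image to-be-deleted to " and "being deleted. Also we can change the BitImage destructor to avoid calling " also carry trailing whitespace. The entry says only "we make a call which ends up accessing the deleted ImageObserver"; naming the actual path from ~BitmapImage through stopAnimation() into ImageFrameCache::decodedSizeChanged() would let a reader of the BitmapImage.cpp hunk see why stopAnimation() is the call being dropped.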

Modified: trunk/Source/WebCore/loader/cache/CachedImage.cpp (216272 => 216273)


--- trunk/Source/WebCore/loader/cache/CachedImage.cpp	2017-05-05 21:15:51 UTC (rev 216272)
+++ trunk/Source/WebCore/loader/cache/CachedImage.cpp	2017-05-05 21:35:54 UTC (rev 216273)
@@ -360,7 +360,10 @@
         m_imageObserver->remove(*this);
         m_imageObserver = nullptr;
     }
-    m_image = nullptr;
+    if (m_image) {
+        m_image->setImageObserver(nullptr);
+        m_image = nullptr;
+    }
 }
 
 void CachedImage::addIncrementalDataBuffer(SharedBuffer& data)
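Review bot: the ordering inside the new `if (m_image)` block is load-bearing and deserves a comment: `m_image->setImageObserver(nullptr);` must run before `m_image = nullptr;` so that, if dropping this reference destroys the BitmapImage, its destructor finds no observer instead of the one already cleared by `m_imageObserver = nullptr;` a few lines above. Since m_image is released rather than explicitly destroyed, another holder may keep the Image alive past this call, and that image has now lost its observer for good; it is worth confirming that this CachedImage is the only owner when clearImage() runs, or that a detached image is acceptable to any other holder.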

Modified: trunk/Source/WebCore/platform/graphics/BitmapImage.cpp (216272 => 216273)


--- trunk/Source/WebCore/platform/graphics/BitmapImage.cpp	2017-05-05 21:15:51 UTC (rev 216272)
+++ trunk/Source/WebCore/platform/graphics/BitmapImage.cpp	2017-05-05 21:35:54 UTC (rev 216273)
@@ -61,7 +61,8 @@
 BitmapImage::~BitmapImage()
 {
     invalidatePlatformData();
-    stopAnimation();
+    clearTimer();
+    m_source.stopAsyncDecodingQueue();
 }
 
 void BitmapImage::updateFromSettings(const Settings& settings)
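Review bot: the destructor now calls clearTimer() and m_source.stopAsyncDecodingQueue() in place of stopAnimation(), but nothing in the code says why; add a comment that stopAnimation() must not be used here because its path notifies the ImageObserver (via ImageFrameCache::decodedSizeChanged(), per the ChangeLog), which may already be destroyed at this point, otherwise a later cleanup is likely to fold the two calls back into stopAnimation() and reintroduce the crash. It is also worth double-checking that clearTimer() plus stopAsyncDecodingQueue() cover every side effect of stopAnimation() that matters during teardown, since the body of stopAnimation() is not visible in this diff.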
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes