Title: [216273] trunk/Source/WebCore
- Revision
- 216273
- Author
- s...@apple.com
- Date
- 2017-05-05 14:35:54 -0700 (Fri, 05 May 2017)
Log Message
Crash in ImageFrameCache::decodedSizeChanged() after image load cancellation
https://bugs.webkit.org/show_bug.cgi?id=171736
Reviewed by Tim Horton.
Tests: Covered by run-webkit-tests fast/images/image-formats-support.html
--guard-malloc.
Because an image format is not supported, the ImageObserver of the Image
is deleted then the Image itself is deleted. In BitmapImage destructor,
we make a call which ends up accessing the deleted ImageObserver.
To fix this, we need to setImageObserver of the Image to-be-deleted to
nullptr. So the Image can avoid accessing its ImageObserver, while it is
being deleted. Also we can change the BitmapImage destructor to avoid calling
ImageFrameCache::decodedSizeChanged() since it is not really needed.
* loader/cache/CachedImage.cpp:
(WebCore::CachedImage::clearImage):
* platform/graphics/BitmapImage.cpp:
(WebCore::BitmapImage::~BitmapImage):
Diff
Modified: trunk/Source/WebCore/ChangeLog (216272 => 216273)
--- trunk/Source/WebCore/ChangeLog 2017-05-05 21:15:51 UTC (rev 216272)
+++ trunk/Source/WebCore/ChangeLog 2017-05-05 21:35:54 UTC (rev 216273)
@@ -1,3 +1,27 @@
+2017-05-05 Said Abou-Hallawa <sabouhall...@apple.com>
+
+ Crash in ImageFrameCache::decodedSizeChanged() after image load cancellation
+ https://bugs.webkit.org/show_bug.cgi?id=171736
+
+ Reviewed by Tim Horton.
+
+ Tests: Covered by run-webkit-tests fast/images/image-formats-support.html
+ --guard-malloc.
+
+ Because an image format is not supported, the ImageObserver of the Image
+ is deleted then the Image itself is deleted. In BitmapImage destructor,
+ we make a call which ends up accessing the deleted ImageObserver.
+
+ To fix this, we need to setImageObsever of the Image to-be-deleted to
+ nullptr. So the Image can avoid accessing its ImageObserver, while it is
+ being deleted. Also we can change the BitImage destructor to avoid calling
+ ImageFrameCache::decodedSizeChanged() since it is not really needed.
+
+ * loader/cache/CachedImage.cpp:
+ (WebCore::CachedImage::clearImage):
+ * platform/graphics/BitmapImage.cpp:
+ (WebCore::BitmapImage::~BitmapImage):
+
2017-05-05 Brian Burg <bb...@apple.com>
CrashTracer: [USER] com.apple.WebKit.WebContent.Development at com.apple.WebCore: WebCore::commonVMSlow + 57
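Review bot: two spelling errors in the new ChangeLog entry are worth correcting: "setImageObsever" should read "setImageObserver" (the method name actually called in the CachedImage.cpp hunk), and "BitImage destructor" should read "BitmapImage destructor". Both are the names a later developer will grep for when tracing this use-after-free fix, so the entry should match the code.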
Modified: trunk/Source/WebCore/loader/cache/CachedImage.cpp (216272 => 216273)
--- trunk/Source/WebCore/loader/cache/CachedImage.cpp 2017-05-05 21:15:51 UTC (rev 216272)
+++ trunk/Source/WebCore/loader/cache/CachedImage.cpp 2017-05-05 21:35:54 UTC (rev 216273)
@@ -360,7 +360,10 @@
m_imageObserver->remove(*this);
m_imageObserver = nullptr;
}
- m_image = nullptr;
+ if (m_image) {
+ m_image->setImageObserver(nullptr);
+ m_image = nullptr;
+ }
}
void CachedImage::addIncrementalDataBuffer(SharedBuffer& data)
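Review bot: the ordering inside the new `if (m_image)` block is the whole fix and deserves a comment. `m_image->setImageObserver(nullptr)` has to run before `m_image = nullptr`, because releasing the reference is what can run `~BitmapImage`, which is the path that dereferenced the already-destroyed ImageObserver; a one-line comment saying so would stop a future cleanup from collapsing this back to the original single assignment. One question for the reviewer: if `m_image` can be shared with other holders at this point, they also lose their observer here, so it would be good to confirm that detaching the observer (rather than only dropping this reference) is the intended semantics for every caller of `clearImage()`.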
Modified: trunk/Source/WebCore/platform/graphics/BitmapImage.cpp (216272 => 216273)
--- trunk/Source/WebCore/platform/graphics/BitmapImage.cpp 2017-05-05 21:15:51 UTC (rev 216272)
+++ trunk/Source/WebCore/platform/graphics/BitmapImage.cpp 2017-05-05 21:35:54 UTC (rev 216273)
@@ -61,7 +61,8 @@
BitmapImage::~BitmapImage()
{
invalidatePlatformData();
- stopAnimation();
+ clearTimer();
+ m_source.stopAsyncDecodingQueue();
}
void BitmapImage::updateFromSettings(const Settings& settings)
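Review bot: replacing `stopAnimation()` with `clearTimer()` plus `m_source.stopAsyncDecodingQueue()` removes the destructor's path into `ImageFrameCache::decodedSizeChanged()` and hence into the observer, but nothing in the destructor records that this is deliberate. Add a comment such as "Do not call stopAnimation() here: it notifies the ImageObserver, which may already be gone", otherwise the next reader will see two lines that look like an expanded `stopAnimation()` and be tempted to fold them back. It would also help to state whether `stopAnimation()` performed any other teardown that is now intentionally skipped in the destructor.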
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes