Changeset 216273 in webkit
Timestamp:
May 5, 2017 2:35:54 PM (7 years ago)
Author:
Said Abou-Hallawa
Message:

Crash in ImageFrameCache::decodedSizeChanged() after image load cancellation
https://bugs.webkit.org/show_bug.cgi?id=171736

Reviewed by Tim Horton.

Tests: Covered by run-webkit-tests fast/images/image-formats-support.html
--guard-malloc.

Because an image format is not supported, the ImageObserver of the Image
is deleted, then the Image itself is deleted. In the BitmapImage destructor,
we make a call which ends up accessing the deleted ImageObserver.

To fix this, we need to setImageObserver of the Image to-be-deleted to
nullptr, so the Image can avoid accessing its ImageObserver while it is
being deleted. Also we can change the BitmapImage destructor to avoid calling
ImageFrameCache::decodedSizeChanged() since it is not really needed.

  • loader/cache/CachedImage.cpp:
    (WebCore::CachedImage::clearImage):
  • platform/graphics/BitmapImage.cpp:
    (WebCore::BitmapImage::~BitmapImage):
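As an added illustration (not WebKit code) of the lifetime ordering the message describes, here is a minimal model of CachedImage, Image and ImageObserver using hypothetical stand-in classes: the observer is released first, the Image destructor calls back into it, and the fix clears the back-pointer before dropping the Image. A constructed live-object registry counts the stale access that --guard-malloc would turn into a crash.

```cpp
#include <memory>
#include <set>

struct ImageObserver;
// Constructed registry of live observers: a stale pointer is counted instead
// of dereferenced (this is what --guard-malloc would surface as a crash).
static std::set<ImageObserver*> g_liveObservers;
static int g_staleObserverAccesses = 0;

struct ImageObserver {
    ImageObserver() { g_liveObservers.insert(this); }
    ~ImageObserver() { g_liveObservers.erase(this); }
    void decodedSizeChanged(long) { }
};

class Image {
public:
    void setImageObserver(ImageObserver* observer) { m_observer = observer; }
    // Mirrors the destructor reaching back into the observer.
    ~Image() {
        if (!m_observer) return;
        if (g_liveObservers.count(m_observer))
            m_observer->decodedSizeChanged(0);
        else
            ++g_staleObserverAccesses; // would be a use-after-free in real code
    }
private:
    ImageObserver* m_observer = nullptr;
};

struct CachedImage {
    std::unique_ptr<ImageObserver> m_imageObserver = std::make_unique<ImageObserver>();
    std::unique_ptr<Image> m_image = std::make_unique<Image>();
    CachedImage() { m_image->setImageObserver(m_imageObserver.get()); }

    // Before the fix: the observer dies first, then ~Image follows a dangling pointer.
    void clearImageBuggy() { m_imageObserver = nullptr; m_image = nullptr; }
    // After the fix: detach the back-pointer before releasing the Image.
    void clearImageFixed() {
        m_imageObserver = nullptr;
        if (m_image) {
            m_image->setImageObserver(nullptr);
            m_image = nullptr;
        }
    }
};

// Number of stale-observer accesses each clearImage variant produces.
int staleAccesses(bool fixed) {
    g_staleObserverAccesses = 0;
    CachedImage cached;
    if (fixed) cached.clearImageFixed(); else cached.clearImageBuggy();
    return g_staleObserverAccesses;
}
```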

Location:
trunk/Source/WebCore
Files:
3 edited

  • trunk/Source/WebCore/ChangeLog

    r216263 r216273  
     12017-05-05  Said Abou-Hallawa  <sabouhallawa@apple.com>
     2
     3        Crash in ImageFrameCache::decodedSizeChanged() after image load cancellation
     4        https://bugs.webkit.org/show_bug.cgi?id=171736
     5
     6        Reviewed by Tim Horton.
     7
     8        Tests: Covered by run-webkit-tests fast/images/image-formats-support.html
     9        --guard-malloc.
     10
     11        Because an image format is not supported, the ImageObserver of the Image
     12        is deleted then the Image itself is deleted. In BitmapImage destructor,
     13        we make a call which ends up accessing the deleted ImageObserver.
     14
     15        To fix this, we need to setImageObsever of the Image to-be-deleted to
     16        nullptr. So the Image can avoid accessing its ImageObserver, while it is
     17        being deleted. Also we can change the BitImage destructor to avoid calling
     18        ImageFrameCache::decodedSizeChanged() since it is not really needed.
     19
     20        * loader/cache/CachedImage.cpp:
     21        (WebCore::CachedImage::clearImage):
     22        * platform/graphics/BitmapImage.cpp:
     23        (WebCore::BitmapImage::~BitmapImage):
     24
    1252017-05-05  Brian Burg  <bburg@apple.com>
    226
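Review bot: the ChangeLog entry carries two typos, in hunk lines 15 and 17: "setImageObsever" should read "setImageObserver" and "BitImage" should read "BitmapImage"; fixing them keeps the entry searchable by the real method and class names.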
  • trunk/Source/WebCore/loader/cache/CachedImage.cpp

    r215952 r216273  
    361361        m_imageObserver = nullptr;
    362362    }
    363     m_image = nullptr;
     363    if (m_image) {
     364        m_image->setImageObserver(nullptr);
     365        m_image = nullptr;
     366    }
    364367}
    365368
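Review bot: the new null check is needed because m_image can already be null when clearImage() runs, and calling setImageObserver(nullptr) before dropping m_image is what stops the BitmapImage destructor from reaching the ImageObserver released at context line 361. Two things to confirm beyond this hunk: that no other path resets or replaces m_image without first clearing its observer, and that an Image kept alive by another reference after this point tolerates a null observer. A one-line comment above the block stating why the order matters would help future readers.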
  • trunk/Source/WebCore/platform/graphics/BitmapImage.cpp

    r215952 r216273  
    6262{
    6363    invalidatePlatformData();
    64     stopAnimation();
     64    clearTimer();
     65    m_source.stopAsyncDecodingQueue();
    6566}
    6667
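Review bot: replacing stopAnimation() with clearTimer() and m_source.stopAsyncDecodingQueue() avoids the decodedSizeChanged() call the ChangeLog says is unnecessary during destruction, but the hunk does not show what else stopAnimation() did; please confirm that nothing it reset beyond the timer and the async decoding queue is relied on by anything outliving the BitmapImage, and consider a brief comment noting that stopAnimation() is deliberately not called here because the ImageObserver may already be gone.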