Changeset 216273 in webkit
- Timestamp:
- May 5, 2017 2:35:54 PM (7 years ago)
- Location:
- trunk/Source/WebCore
- Files: 3 edited
trunk/Source/WebCore/ChangeLog
r216263 r216273 1 2017-05-05 Said Abou-Hallawa <sabouhallawa@apple.com> 2 3 Crash in ImageFrameCache::decodedSizeChanged() after image load cancellation 4 https://bugs.webkit.org/show_bug.cgi?id=171736 5 6 Reviewed by Tim Horton. 7 8 Tests: Covered by run-webkit-tests fast/images/image-formats-support.html 9 --guard-malloc. 10 11 Because an image format is not supported, the ImageObserver of the Image 12 is deleted then the Image itself is deleted. In BitmapImage destructor, 13 we make a call which ends up accessing the deleted ImageObserver. 14 15 To fix this, we need to setImageObsever of the Image to-be-deleted to 16 nullptr. So the Image can avoid accessing its ImageObserver, while it is 17 being deleted. Also we can change the BitImage destructor to avoid calling 18 ImageFrameCache::decodedSizeChanged() since it is not really needed. 19 20 * loader/cache/CachedImage.cpp: 21 (WebCore::CachedImage::clearImage): 22 * platform/graphics/BitmapImage.cpp: 23 (WebCore::BitmapImage::~BitmapImage): 24 1 25 2017-05-05 Brian Burg <bburg@apple.com> 2 26 -
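Review bot: The ChangeLog entry carries two typos that will land verbatim: "setImageObsever" on the fix paragraph should read "setImageObserver", and "BitImage destructor" should read "BitmapImage destructor". The "Tests:" line also names only an existing test run under --guard-malloc; a sentence saying that no new test is added because the use-after-free is only observable with Guard Malloc would make that choice explicit for future readers.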
trunk/Source/WebCore/loader/cache/CachedImage.cpp
r215952 r216273 361 361 m_imageObserver = nullptr; 362 362 } 363 m_image = nullptr; 363 if (m_image) { 364 m_image->setImageObserver(nullptr); 365 m_image = nullptr; 366 } 364 367 } 365 368 -
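Review bot: The image's back-pointer is cleared only after `m_imageObserver = nullptr;` at line 361 has already released the observer, so `m_image` briefly holds a dangling observer pointer; nothing runs between those statements in this function, but moving `m_image->setImageObserver(nullptr);` ahead of the observer release would remove the window entirely rather than rely on ordering. Separately, the `Image` may still be held by other `RefPtr` owners after `m_image = nullptr;`, and those paths now see a null observer, so every call through the image's observer must already tolerate null; a short comment here stating that expectation would help.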
trunk/Source/WebCore/platform/graphics/BitmapImage.cpp
r215952 r216273 62 62 { 63 63 invalidatePlatformData(); 64 stopAnimation(); 64 clearTimer(); 65 m_source.stopAsyncDecodingQueue(); 65 66 } 66 67
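Review bot: Replacing `stopAnimation();` with `clearTimer();` and `m_source.stopAsyncDecodingQueue();` has no comment explaining why, and the reason (per the ChangeLog, `stopAnimation()` ends up in `ImageFrameCache::decodedSizeChanged()`, which reaches the observer during destruction) is exactly what a later cleanup is likely to undo. Suggest a one-line comment above the two calls, e.g. "// Do not call stopAnimation() here: it notifies the ImageObserver, which may already be gone.", and a check that `stopAnimation()` performs no other teardown the destructor still needs.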