Changeset 220509 in webkit


Timestamp: Aug 9, 2017 9:31:42 PM
Author: jmarcell@apple.com
Message: Cherry-pick r220289. rdar://problem/33810941
Location: branches/safari-604-branch
Files: 3 edited

  • branches/safari-604-branch/LayoutTests/ChangeLog

    r220340 r220509  
     12017-08-09  Jason Marcell  <jmarcell@apple.com>
     2
     3        Cherry-pick r220289. rdar://problem/33810941
     4
     5    2017-08-04  Said Abou-Hallawa  <sabouhallawa@apple.com>
     6
     7            RenderImageResourceStyleImage::image() should return the nullImage() if the image is not available
     8            https://bugs.webkit.org/show_bug.cgi?id=174874
     9            <rdar://problem/33530130>
     10
     11            Reviewed by Simon Fraser.
     12
     13            * fast/images/image-element-image-content-data-expected.txt: Added.
     14            * fast/images/image-element-image-content-data.html: Added.
     15
    1162017-08-07  Jason Marcell  <jmarcell@apple.com>
    217
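Review bot: the entry records fast/images/image-element-image-content-data.html and its -expected.txt as Added, but the changeset header lists 3 edited files and no added ones (the two ChangeLogs and RenderImageResourceStyleImage.cpp). Confirm the two test files were actually committed with this cherry-pick onto safari-604-branch; without them the branch carries the fix but not the regression test that reproduces the shutdown() crash.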
  • branches/safari-604-branch/Source/WebCore/ChangeLog

    r220390 r220509  
     12017-08-09  Jason Marcell  <jmarcell@apple.com>
     2
     3        Cherry-pick r220289. rdar://problem/33810941
     4
     5    2017-08-04  Said Abou-Hallawa  <sabouhallawa@apple.com>
     6
     7            RenderImageResourceStyleImage::image() should return the nullImage() if the image is not available
     8            https://bugs.webkit.org/show_bug.cgi?id=174874
     9            <rdar://problem/33530130>
     10
     11            Reviewed by Simon Fraser.
     12
     13            If an <img> element has a non-CachedImage content data, e.g. -webkit-named-image,
     14            RenderImageResourceStyleImage will be created and  attached to the RenderImage.
     15            RenderImageResourceStyleImage::m_cachedImage will be set to null at the
     16            beginning because the m_styleImage->isCachedImage() is false in this case.
     17            When ImageLoader finishes loading the url of the src attribute,
     18            RenderImageResource::setCachedImage() will be called to set m_cachedImage.
     19
     20            A crash will happen when the RenderImage is destroyed. Destroying the
     21            RenderImage calls RenderImageResourceStyleImage::shutdown() which checks
     22            m_cachedImage and finds it not null, so it calls RenderImageResourceStyleImage::image()
     23            which ends up calling CSSNamedImageValue::image() which returns a null pointer
     24            because the size is empty. RenderImageResourceStyleImage::shutdown() calls
     25            image()->stopAnimation() without checking the return value of image().
     26
     27            Another crash will happen later when deleting the CachedImage from the memory
     28            cache if CachedImage::canDestroyDecodedData() is called because the client
     29            it gets from m_clients is a freed pointer. This happens because RenderImageResourceStyleImage
     30            has m_styleImage of type StyleGeneratedImage but its m_cachedImage is set
     31            by RenderImageResource::setCachedImage(). When RenderImageResourceStyleImage::shutdown()
     32            is called, it calls  StyleGeneratedImage::removeClient() which does not
     33            know anything about RenderImageResourceStyleImage::m_cachedImage. So we
     34            end up having a freed pointer in the m_clients of the CachedImage.
     35
     36            Test: fast/images/image-element-image-content-data.html
     37
     38            * rendering/RenderImageResourceStyleImage.cpp:
     39            (WebCore::RenderImageResourceStyleImage::shutdown):  Revert back the changes
     40            of r208511 in this function. Add a call to image()->stopAnimation() without
     41            checking the return of image() since it will return the nullImage() if
     42            the image not available. There is no need to check m_cachedImage before
     43            calling image() because image() does not check or access m_cachedImage.
     44
     45            If m_styleImage is not a CachedStyleImage but m_cachedImage is not null,
     46            we need to remove m_renderer from the set of the clients of this m_cachedImage.
     47
     48            (WebCore::RenderImageResourceStyleImage::image const): The base class method
     49            RenderImageResource::image() returns the nullImage() if the image not
     50            available. This is because CachedImage::imageForRenderer() returns
     51            the nullImage() if the image is not available; see CachedImage.h. We should
     52            do the same for the derived class for consistency.
     53
    1542017-08-08  Jason Marcell  <jmarcell@apple.com>
    255
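Review bot: the (WebCore::RenderImageResourceStyleImage::image const) entry describes a behaviour change, returning nullImage() instead of a null pointer, that the new unconditional image()->stopAnimation() call in shutdown() depends on, yet the only RenderImageResourceStyleImage.cpp hunk rendered in this changeset is the shutdown() change at lines 58-63. Confirm the image() override landed in the branch commit; if only the shutdown() hunk was cherry-picked, the first crash described above (CSSNamedImageValue::image() returning null for an empty size) is still reachable. Minor: "if the image not available" appears twice and is missing "is".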
  • branches/safari-604-branch/Source/WebCore/rendering/RenderImageResourceStyleImage.cpp

    r220066 r220509  
    5858    image()->stopAnimation();
    5959    m_styleImage->removeClient(m_renderer);
     60    if (!m_styleImage->isCachedImage() && m_cachedImage)
     61        m_cachedImage->removeClient(*m_renderer);
    6062    m_cachedImage = nullptr;
    6163}
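Review bot: line 61 dereferences m_renderer (`m_cachedImage->removeClient(*m_renderer);`) while the line just above passes it as a pointer (`m_styleImage->removeClient(m_renderer);`), so shutdown() now silently assumes m_renderer is non-null; add an ASSERT(m_renderer) or guard the new branch on it so the fix for the dangling client cannot itself turn into a null dereference. A one-line comment on line 60 noting that m_cachedImage can be set by RenderImageResource::setCachedImage() even when m_styleImage is a StyleGeneratedImage (so StyleGeneratedImage::removeClient() will not unregister the renderer from the CachedImage) would make the condition self-explanatory to the next reader.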