Changeset 119918 in webkit

Timestamp:

Jun 9, 2012 4:03:25 PM (12 years ago)

Author:

commit-queue@webkit.org

Message:

Unreviewed, rolling out r118618 and r119353.
​http://trac.webkit.org/changeset/118618
​http://trac.webkit.org/changeset/119353
​https://bugs.webkit.org/show_bug.cgi?id=88720

Caused at least 30 different crashes on ClusterFuzz (Requested
by inferno-sec on #webkit).

Patch by Sheriff Bot <​webkit.review.bot@gmail.com> on 2012-06-09

Source/WebCore:

• loader/SubresourceLoader.cpp:

(WebCore::SubresourceLoader::checkForHTTPStatusCodeError):

• loader/cache/CachedCSSStyleSheet.cpp:

(WebCore::CachedCSSStyleSheet::allClientsRemoved):

• loader/cache/CachedFont.cpp:

(WebCore::CachedFont::allClientsRemoved):

• loader/cache/CachedFont.h:

(WebCore::CachedFontClient::resourceClientType):

• loader/cache/CachedImage.cpp:

(WebCore::CachedImage::removeClientForRenderer):
(WebCore):
(WebCore::CachedImage::allClientsRemoved):
(WebCore::CachedImage::lookupOrCreateImageForRenderer):

• loader/cache/CachedImage.h:

(CachedImage):
(WebCore::CachedImageClient::resourceClientType):

• loader/cache/CachedRawResource.cpp:

(WebCore::CachedRawResource::allClientsRemoved):
(WebCore):

• loader/cache/CachedRawResource.h:

(CachedRawResource):
(WebCore::CachedRawResourceClient::resourceClientType):

• loader/cache/CachedResource.cpp:

(WebCore::CachedResource::removeClient):

• loader/cache/CachedResource.h:

(WebCore::CachedResource::allClientsRemoved):

• loader/cache/CachedResourceClient.h:

(WebCore::CachedResourceClient::resourceClientType):

• loader/cache/CachedSVGDocument.h:

(WebCore::CachedSVGDocumentClient::resourceClientType):

• loader/cache/CachedScript.cpp:

(WebCore::CachedScript::allClientsRemoved):

• loader/cache/CachedStyleSheetClient.h:

(WebCore::CachedStyleSheetClient::resourceClientType):

• rendering/style/StyleCachedImage.cpp:

(WebCore::StyleCachedImage::removeClient):

• rendering/style/StyleCachedImageSet.cpp:

(WebCore::StyleCachedImageSet::removeClient):

• svg/graphics/SVGImageCache.cpp:

(WebCore::SVGImageCache::~SVGImageCache):
(WebCore::SVGImageCache::removeRendererFromCache):
(WebCore::SVGImageCache::setRequestedSizeAndScales):
(WebCore::SVGImageCache::requestedSizeAndScales):
(WebCore::SVGImageCache::lookupOrCreateBitmapImageForRenderer):

• svg/graphics/SVGImageCache.h:

(WebCore):
(SVGImageCache):

LayoutTests:

• http/tests/cache/cancel-in-progress-load-expected.txt: Removed.
• http/tests/cache/cancel-in-progress-load.html: Removed.
• http/tests/misc/write-while-waiting.html:
• svg/as-image/svg-image-leak-cached-data-expected.txt: Removed.
• svg/as-image/svg-image-leak-cached-data.html: Removed.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/cache/cancel-in-progress-load-expected.txt (deleted)
• LayoutTests/http/tests/cache/cancel-in-progress-load.html (deleted)
• LayoutTests/http/tests/misc/write-while-waiting.html (modified) (1 diff)
• LayoutTests/svg/as-image/svg-image-leak-cached-data-expected.txt (deleted)
• LayoutTests/svg/as-image/svg-image-leak-cached-data.html (deleted)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/loader/SubresourceLoader.cpp (modified) (1 diff)
• Source/WebCore/loader/cache/CachedCSSStyleSheet.cpp (modified) (1 diff)
• Source/WebCore/loader/cache/CachedFont.cpp (modified) (1 diff)
• Source/WebCore/loader/cache/CachedFont.h (modified) (1 diff)
• Source/WebCore/loader/cache/CachedImage.cpp (modified) (4 diffs)
• Source/WebCore/loader/cache/CachedImage.h (modified) (2 diffs)
• Source/WebCore/loader/cache/CachedRawResource.cpp (modified) (1 diff)
• Source/WebCore/loader/cache/CachedRawResource.h (modified) (2 diffs)
• Source/WebCore/loader/cache/CachedResource.cpp (modified) (2 diffs)
• Source/WebCore/loader/cache/CachedResource.h (modified) (1 diff)
• Source/WebCore/loader/cache/CachedResourceClient.h (modified) (1 diff)
• Source/WebCore/loader/cache/CachedSVGDocument.h (modified) (1 diff)
• Source/WebCore/loader/cache/CachedScript.cpp (modified) (1 diff)
• Source/WebCore/loader/cache/CachedStyleSheetClient.h (modified) (1 diff)
• Source/WebCore/rendering/style/StyleCachedImage.cpp (modified) (1 diff)
• Source/WebCore/rendering/style/StyleCachedImageSet.cpp (modified) (1 diff)
• Source/WebCore/svg/graphics/SVGImageCache.cpp (modified) (7 diffs)
• Source/WebCore/svg/graphics/SVGImageCache.h (modified) (3 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2012-06-09  Sheriff Bot  <webkit.review.bot@gmail.com>
+
+        Unreviewed, rolling out r118618 and r119353.
+        http://trac.webkit.org/changeset/118618
+        http://trac.webkit.org/changeset/119353
+        https://bugs.webkit.org/show_bug.cgi?id=88720
+
+        Caused at least 30 different crashes on ClusterFuzz (Requested
+        by inferno-sec on #webkit).
+
+        * http/tests/cache/cancel-in-progress-load-expected.txt: Removed.
+        * http/tests/cache/cancel-in-progress-load.html: Removed.
+        * http/tests/misc/write-while-waiting.html:
+        * svg/as-image/svg-image-leak-cached-data-expected.txt: Removed.
+        * svg/as-image/svg-image-leak-cached-data.html: Removed.
+
 2012-06-09  Ryosuke Niwa  <rniwa@webkit.org>
 

trunk/LayoutTests/http/tests/misc/write-while-waiting.html

@@ -3 +3 @@
 FAIL
 <script>
-if (window.layoutTestController) {
+if (window.layoutTestController)
     layoutTestController.dumpAsText();
-    layoutTestController.waitUntilDone();
-}
 
-setTimeout("document.write('PASS');document.close(); if (window.layoutTestController) layoutTestController.notifyDone();", 100);
+setTimeout("document.write('PASS');document.close();", 100);
 </script>
 <script src="resources/script-slow1.pl"></script>

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2012-06-09  Sheriff Bot  <webkit.review.bot@gmail.com>
+
+        Unreviewed, rolling out r118618 and r119353.
+        http://trac.webkit.org/changeset/118618
+        http://trac.webkit.org/changeset/119353
+        https://bugs.webkit.org/show_bug.cgi?id=88720
+
+        Caused at least 30 different crashes on ClusterFuzz (Requested
+        by inferno-sec on #webkit).
+
+        * loader/SubresourceLoader.cpp:
+        (WebCore::SubresourceLoader::checkForHTTPStatusCodeError):
+        * loader/cache/CachedCSSStyleSheet.cpp:
+        (WebCore::CachedCSSStyleSheet::allClientsRemoved):
+        * loader/cache/CachedFont.cpp:
+        (WebCore::CachedFont::allClientsRemoved):
+        * loader/cache/CachedFont.h:
+        (WebCore::CachedFontClient::resourceClientType):
+        * loader/cache/CachedImage.cpp:
+        (WebCore::CachedImage::removeClientForRenderer):
+        (WebCore):
+        (WebCore::CachedImage::allClientsRemoved):
+        (WebCore::CachedImage::lookupOrCreateImageForRenderer):
+        * loader/cache/CachedImage.h:
+        (CachedImage):
+        (WebCore::CachedImageClient::resourceClientType):
+        * loader/cache/CachedRawResource.cpp:
+        (WebCore::CachedRawResource::allClientsRemoved):
+        (WebCore):
+        * loader/cache/CachedRawResource.h:
+        (CachedRawResource):
+        (WebCore::CachedRawResourceClient::resourceClientType):
+        * loader/cache/CachedResource.cpp:
+        (WebCore::CachedResource::removeClient):
+        * loader/cache/CachedResource.h:
+        (WebCore::CachedResource::allClientsRemoved):
+        * loader/cache/CachedResourceClient.h:
+        (WebCore::CachedResourceClient::resourceClientType):
+        * loader/cache/CachedSVGDocument.h:
+        (WebCore::CachedSVGDocumentClient::resourceClientType):
+        * loader/cache/CachedScript.cpp:
+        (WebCore::CachedScript::allClientsRemoved):
+        * loader/cache/CachedStyleSheetClient.h:
+        (WebCore::CachedStyleSheetClient::resourceClientType):
+        * rendering/style/StyleCachedImage.cpp:
+        (WebCore::StyleCachedImage::removeClient):
+        * rendering/style/StyleCachedImageSet.cpp:
+        (WebCore::StyleCachedImageSet::removeClient):
+        * svg/graphics/SVGImageCache.cpp:
+        (WebCore::SVGImageCache::~SVGImageCache):
+        (WebCore::SVGImageCache::removeRendererFromCache):
+        (WebCore::SVGImageCache::setRequestedSizeAndScales):
+        (WebCore::SVGImageCache::requestedSizeAndScales):
+        (WebCore::SVGImageCache::lookupOrCreateBitmapImageForRenderer):
+        * svg/graphics/SVGImageCache.h:
+        (WebCore):
+        (SVGImageCache):
+
 2012-06-09  Florin Malita  <fmalita@chromium.org>
 

trunk/Source/WebCore/loader/SubresourceLoader.cpp

@@ -235 +235 @@
         return false;
 
+    m_resource->error(CachedResource::LoadError);
     m_state = Finishing;
-    m_resource->error(CachedResource::LoadError);
     cancel();
     return true;

trunk/Source/WebCore/loader/cache/CachedCSSStyleSheet.cpp

@@ -67 +67 @@
     if (!MemoryCache::shouldMakeResourcePurgeableOnEviction() && isSafeToMakePurgeable())
         makePurgeable(true);
-    CachedResource::allClientsRemoved();
 }
 

trunk/Source/WebCore/loader/cache/CachedFont.cpp

@@ -186 +186 @@
     }
 #endif
-    CachedResource::allClientsRemoved();
 }
 

trunk/Source/WebCore/loader/cache/CachedFont.h

@@ -86 +86 @@
     virtual ~CachedFontClient() { }
     static CachedResourceClientType expectedType() { return FontType; }
-    virtual CachedResourceClientType resourceClientType() const { return expectedType(); }
+    virtual CachedResourceClientType resourceClientType() { return expectedType(); }
     virtual void fontLoaded(CachedFont*) { }
 };

trunk/Source/WebCore/loader/cache/CachedImage.cpp

@@ -93 +93 @@
 }
 
+void CachedImage::removeClientForRenderer(RenderObject* renderer)
+{
+#if ENABLE(SVG)
+    if (m_svgImageCache)
+        m_svgImageCache->removeRendererFromCache(renderer);
+#endif
+    removeClient(renderer);
+}
+
 void CachedImage::didAddClient(CachedResourceClient* c)
 {
@@ -108 +117 @@
 
     CachedResource::didAddClient(c);
-}
-
-void CachedImage::didRemoveClient(CachedResourceClient* c)
-{
-    ASSERT(c->resourceClientType() == CachedImageClient::expectedType());
-#if ENABLE(SVG)
-    if (m_svgImageCache)
-        m_svgImageCache->removeClientFromCache(static_cast<CachedImageClient*>(c));
-#endif
-
-    CachedResource::didRemoveClient(c);
 }
 
@@ -127 +125 @@
     if (double interval = memoryCache()->deadDecodedDataDeletionInterval())
         m_decodedDataDeletionTimer.startOneShot(interval);
-    CachedResource::allClientsRemoved();
 }
 
@@ -153 +150 @@
     if (!m_image->isSVGImage())
         return m_image.get();
-    Image* useImage = m_svgImageCache->lookupOrCreateBitmapImageForClient(renderer);
+    Image* useImage = m_svgImageCache->lookupOrCreateBitmapImageForRenderer(renderer);
     if (useImage == Image::nullImage())
         return m_image.get();

trunk/Source/WebCore/loader/cache/CachedImage.h

@@ -68 +68 @@
     void computeIntrinsicDimensions(Length& intrinsicWidth, Length& intrinsicHeight, FloatSize& intrinsicRatio);
 
+    void removeClientForRenderer(RenderObject*);
     virtual void didAddClient(CachedResourceClient*);
-    virtual void didRemoveClient(CachedResourceClient*);
-
+    
     virtual void allClientsRemoved();
     virtual void destroyDecodedData();
@@ -119 +119 @@
     virtual ~CachedImageClient() { }
     static CachedResourceClientType expectedType() { return ImageType; }
-    virtual CachedResourceClientType resourceClientType() const { return expectedType(); }
+    virtual CachedResourceClientType resourceClientType() { return expectedType(); }
 
     // Called whenever a frame of an image changes, either because we got more data from the network or

trunk/Source/WebCore/loader/cache/CachedRawResource.cpp

@@ -88 +88 @@
 }
 
+void CachedRawResource::allClientsRemoved()
+{
+    if (m_loader)
+        m_loader->cancelIfNotFinishing();
+}
+
 void CachedRawResource::willSendRequest(ResourceRequest& request, const ResourceResponse& response)
 {

trunk/Source/WebCore/loader/cache/CachedRawResource.h

@@ -50 +50 @@
 
     virtual bool shouldIgnoreHTTPStatusCodeErrors() const { return true; }
+    virtual void allClientsRemoved();
 
     virtual void willSendRequest(ResourceRequest&, const ResourceResponse&);
@@ -66 +67 @@
     virtual ~CachedRawResourceClient() { }
     static CachedResourceClientType expectedType() { return RawResourceType; }
-    virtual CachedResourceClientType resourceClientType() const { return expectedType(); }
+    virtual CachedResourceClientType resourceClientType() { return expectedType(); }
 
     virtual void dataSent(CachedResource*, unsigned long long /* bytesSent */, unsigned long long /* totalBytesToBeSent */) { }

trunk/Source/WebCore/loader/cache/CachedResource.cpp

@@ -388 +388 @@
 }
 
-void CachedResource::allClientsRemoved()
-{
-    if (m_loader)
-        m_loader->cancelIfNotFinishing();
-}
-
 bool CachedResource::addClientToSet(CachedResourceClient* client)
 {
@@ -433 +427 @@
         ASSERT(m_clients.contains(client));
         m_clients.remove(client);
-        didRemoveClient(client);
     }
 

trunk/Source/WebCore/loader/cache/CachedResource.h

@@ -127 +127 @@
 
     virtual void didAddClient(CachedResourceClient*);
-    virtual void didRemoveClient(CachedResourceClient*) { }
-    virtual void allClientsRemoved();
+    virtual void allClientsRemoved() { }
 
     unsigned count() const { return m_clients.size(); }

trunk/Source/WebCore/loader/cache/CachedResourceClient.h

@@ -51 +51 @@
     
     static CachedResourceClientType expectedType() { return BaseResourceType; }
-    virtual CachedResourceClientType resourceClientType() const { return expectedType(); }
+    virtual CachedResourceClientType resourceClientType() { return expectedType(); }
 
 protected:

trunk/Source/WebCore/loader/cache/CachedSVGDocument.h

@@ -53 +53 @@
     virtual ~CachedSVGDocumentClient() { }
     static CachedResourceClientType expectedType() { return SVGDocumentType; }
-    virtual CachedResourceClientType resourceClientType() const { return expectedType(); }
+    virtual CachedResourceClientType resourceClientType() { return expectedType(); }
 };
 

trunk/Source/WebCore/loader/cache/CachedScript.cpp

@@ -68 +68 @@
     if (double interval = memoryCache()->deadDecodedDataDeletionInterval())
         m_decodedDataDeletionTimer.startOneShot(interval);
-    CachedResource::allClientsRemoved();
 }
 

trunk/Source/WebCore/loader/cache/CachedStyleSheetClient.h

@@ -37 +37 @@
     virtual ~CachedStyleSheetClient() { }
     static CachedResourceClientType expectedType() { return StyleSheetType; }
-    virtual CachedResourceClientType resourceClientType() const { return expectedType(); }
+    virtual CachedResourceClientType resourceClientType() { return expectedType(); }
     virtual void setCSSStyleSheet(const String& /* href */, const KURL& /* baseURL */, const String& /* charset */, const CachedCSSStyleSheet*) { }
     virtual void setXSLStyleSheet(const String& /* href */, const KURL& /* baseURL */, const String& /* sheet */) { }

trunk/Source/WebCore/rendering/style/StyleCachedImage.cpp

@@ -98 +98 @@
 void StyleCachedImage::removeClient(RenderObject* renderer)
 {
-    m_image->removeClient(renderer);
+    m_image->removeClientForRenderer(renderer);
 }
 

trunk/Source/WebCore/rendering/style/StyleCachedImageSet.cpp

@@ -109 +109 @@
 void StyleCachedImageSet::removeClient(RenderObject* renderer)
 {
-    m_bestFitImage->removeClient(renderer);
+    m_bestFitImage->removeClientForRenderer(renderer);
 }
 

trunk/Source/WebCore/svg/graphics/SVGImageCache.cpp

@@ -22 +22 @@
 
 #if ENABLE(SVG)
-#include "CachedImage.h"
 #include "FrameView.h"
 #include "GraphicsContext.h"
@@ -43 +42 @@
 
     ImageDataMap::iterator end = m_imageDataMap.end();
-    for (ImageDataMap::iterator it = m_imageDataMap.begin(); it != end; ++it) {
-        // Checks if the client (it->first) is still valid. The client should remove itself from this
-        // cache before its end of life, otherwise the following ASSERT will crash on pure virtual
-        // function call or a general crash.
-        ASSERT(it->first->resourceClientType() == CachedImageClient::expectedType());
+    for (ImageDataMap::iterator it = m_imageDataMap.begin(); it != end; ++it)
         delete it->second.buffer;
-    }
 
     m_imageDataMap.clear();
 }
 
-void SVGImageCache::removeClientFromCache(const CachedImageClient* client)
+void SVGImageCache::removeRendererFromCache(const RenderObject* renderer)
 {
-    ASSERT(client);
-    m_sizeAndScalesMap.remove(client);
+    ASSERT(renderer);
+    m_sizeAndScalesMap.remove(renderer);
 
-    ImageDataMap::iterator it = m_imageDataMap.find(client);
+    ImageDataMap::iterator it = m_imageDataMap.find(renderer);
     if (it == m_imageDataMap.end())
         return;
@@ -67 +61 @@
 }
 
-void SVGImageCache::setRequestedSizeAndScales(const CachedImageClient* client, const SizeAndScales& sizeAndScales)
+void SVGImageCache::setRequestedSizeAndScales(const RenderObject* renderer, const SizeAndScales& sizeAndScales)
 {
-    ASSERT(client);
+    ASSERT(renderer);
     ASSERT(!sizeAndScales.size.isEmpty());
-    m_sizeAndScalesMap.set(client, sizeAndScales);
+    m_sizeAndScalesMap.set(renderer, sizeAndScales);
 }
 
-SVGImageCache::SizeAndScales SVGImageCache::requestedSizeAndScales(const CachedImageClient* client) const
+SVGImageCache::SizeAndScales SVGImageCache::requestedSizeAndScales(const RenderObject* renderer) const
 {
-    ASSERT(client);
-    SizeAndScalesMap::const_iterator it = m_sizeAndScalesMap.find(client);
+    ASSERT(renderer);
+    SizeAndScalesMap::const_iterator it = m_sizeAndScalesMap.find(renderer);
     if (it == m_sizeAndScalesMap.end())
         return SizeAndScales();
@@ -129 +123 @@
 }
 
-Image* SVGImageCache::lookupOrCreateBitmapImageForClient(const CachedImageClient* client)
+Image* SVGImageCache::lookupOrCreateBitmapImageForRenderer(const RenderObject* renderer)
 {
-    ASSERT(client);
+    ASSERT(renderer);
 
-    // The cache needs to know the size of the client before querying an image for it.
-    SizeAndScalesMap::iterator sizeIt = m_sizeAndScalesMap.find(client);
+    // The cache needs to know the size of the renderer before querying an image for it.
+    SizeAndScalesMap::iterator sizeIt = m_sizeAndScalesMap.find(renderer);
     if (sizeIt == m_sizeAndScalesMap.end())
         return Image::nullImage();
@@ -143 +137 @@
     ASSERT(!size.isEmpty());
 
-    // Lookup image for client in cache and eventually update it.
-    ImageDataMap::iterator it = m_imageDataMap.find(client);
+    // Lookup image for renderer in cache and eventually update it.
+    ImageDataMap::iterator it = m_imageDataMap.find(renderer);
     if (it != m_imageDataMap.end()) {
         ImageData& data = it->second;
@@ -152 +146 @@
             return data.image.get();
 
-        // If the image size for the client changed, we have to delete the buffer, remove the item from the cache and recreate it.
+        // If the image size for the renderer changed, we have to delete the buffer, remove the item from the cache and recreate it.
         delete data.buffer;
         m_imageDataMap.remove(it);
@@ -171 +165 @@
     ASSERT(newImagePtr);
 
-    m_imageDataMap.add(client, ImageData(newBuffer.leakPtr(), newImage.release(), sizeIt->second));
+    m_imageDataMap.add(renderer, ImageData(newBuffer.leakPtr(), newImage.release(), sizeIt->second));
     return newImagePtr;
 }

trunk/Source/WebCore/svg/graphics/SVGImageCache.h

@@ -32 +32 @@
 
 class CachedImage;
-class CachedImageClient;
 class ImageBuffer;
+class RenderObject;
 class SVGImage;
 
@@ -64 +64 @@
     };
 
-    void removeClientFromCache(const CachedImageClient*);
+    void removeRendererFromCache(const RenderObject*);
 
-    void setRequestedSizeAndScales(const CachedImageClient*, const SizeAndScales&);
-    SizeAndScales requestedSizeAndScales(const CachedImageClient*) const;
+    void setRequestedSizeAndScales(const RenderObject*, const SizeAndScales&);
+    SizeAndScales requestedSizeAndScales(const RenderObject*) const;
 
-    Image* lookupOrCreateBitmapImageForClient(const CachedImageClient*);
+    Image* lookupOrCreateBitmapImageForRenderer(const RenderObject*);
     void imageContentChanged();
 
@@ -99 +99 @@
     };
 
-    typedef HashMap<const CachedImageClient*, SizeAndScales> SizeAndScalesMap;
-    typedef HashMap<const CachedImageClient*, ImageData> ImageDataMap;
+    typedef HashMap<const RenderObject*, SizeAndScales> SizeAndScalesMap;
+    typedef HashMap<const RenderObject*, ImageData> ImageDataMap;
 
     SVGImage* m_svgImage;