Changeset 218038 in webkit

Timestamp:

Jun 9, 2017 7:51:05 PM (7 years ago)

Author:

commit-queue@webkit.org

Message:

Image should clear its ImageObserver* when CachedImage releases the last reference to its RefCounted<ImageObserver>
​https://bugs.webkit.org/show_bug.cgi?id=173077

Patch by Said Abou-Hallawa <​sabouhallawa@apple.com> on 2017-06-09
Reviewed by Simon Fraser.

Before dereferencing ImageObserver, CachedImage::clearImage() should check
whether it is the only object that holds a reference to this ImageObserver.
And if this is true, m_image have to clear its raw pointer to the deleted
ImageObserver by calling m_image->setImageObserver(nullptr).

• loader/cache/CachedImage.cpp:

(WebCore::CachedImage::setBodyDataFrom):
(WebCore::CachedImage::CachedImageObserver::CachedImageObserver):
(WebCore::CachedImage::clearImage):

• loader/cache/CachedImage.h:

Location:

trunk/Source/WebCore

Files:

• ChangeLog (modified) (1 diff)
• loader/cache/CachedImage.cpp (modified) (3 diffs)
• loader/cache/CachedImage.h (modified) (3 diffs)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2017-06-09  Said Abou-Hallawa  <sabouhallawa@apple.com>
+
+        Image should clear its ImageObserver* when CachedImage releases the last reference to its RefCounted<ImageObserver>
+        https://bugs.webkit.org/show_bug.cgi?id=173077
+
+        Reviewed by Simon Fraser.
+
+        Before dereferencing ImageObserver, CachedImage::clearImage() should check
+        whether it is the only object that holds a reference to this ImageObserver.
+        And if this is true, m_image have to clear its raw pointer to the deleted
+        ImageObserver by calling m_image->setImageObserver(nullptr).
+
+        * loader/cache/CachedImage.cpp:
+        (WebCore::CachedImage::setBodyDataFrom):
+        (WebCore::CachedImage::CachedImageObserver::CachedImageObserver):
+        (WebCore::CachedImage::clearImage):
+        * loader/cache/CachedImage.h:
+
 2017-06-09  Daniel Bates  <dabates@apple.com>
 

trunk/Source/WebCore/loader/cache/CachedImage.cpp

@@ -102 +102 @@
     m_imageObserver = image.m_imageObserver;
     if (m_imageObserver)
-        m_imageObserver->add(*this);
+        m_imageObserver->cachedImages().add(this);
 
     if (m_image && is<SVGImage>(*m_image))
@@ -327 +327 @@
 CachedImage::CachedImageObserver::CachedImageObserver(CachedImage& image)
 {
-    m_cachedImages.reserveInitialCapacity(1);
-    m_cachedImages.append(&image);
+    m_cachedImages.add(&image);
 }
 
@@ -368 +367 @@
 inline void CachedImage::clearImage()
 {
+    if (!m_image)
+        return;
+
     if (m_imageObserver) {
-        m_imageObserver->remove(*this);
+        m_imageObserver->cachedImages().remove(this);
+
+        if (m_imageObserver->cachedImages().isEmpty()) {
+            ASSERT(m_imageObserver->hasOneRef());
+            m_image->setImageObserver(nullptr);
+        }
+
         m_imageObserver = nullptr;
     }
+
     m_image = nullptr;
 }

trunk/Source/WebCore/loader/cache/CachedImage.h

@@ -121 +121 @@
     public:
         static Ref<CachedImageObserver> create(CachedImage& image) { return adoptRef(*new CachedImageObserver(image)); }
-        void add(CachedImage& image) { m_cachedImages.append(&image); }
-        void remove(CachedImage& image) { m_cachedImages.removeFirst(&image); }
+        HashSet<CachedImage*>& cachedImages() { return m_cachedImages; }
+        const HashSet<CachedImage*>& cachedImages() const { return m_cachedImages; }
 
     private:
@@ -128 +128 @@
 
         // ImageObserver API
-        URL sourceUrl() const override { return !m_cachedImages.isEmpty() ? m_cachedImages[0]->url() : URL(); }
+        URL sourceUrl() const override { return !m_cachedImages.isEmpty() ? (*m_cachedImages.begin())->url() : URL(); }
         void decodedSizeChanged(const Image&, long long delta) final;
         void didDraw(const Image&) final;
@@ -136 +136 @@
         void changedInRect(const Image&, const IntRect*) final;
 
-        Vector<CachedImage*> m_cachedImages;
+        HashSet<CachedImage*> m_cachedImages;
     };