Changeset 225872 in webkit
- Timestamp:
- Dec 13, 2017 2:13:32 PM (6 years ago)
- Location:
- trunk
- Files:
-
- 2 added
- 5 edited
trunk/LayoutTests/ChangeLog
r225869 r225872 1 2017-12-13 Zalan Bujtas <zalan@apple.com> 2 3 RenderImage can be destroyed even before setting the style on it. 4 https://bugs.webkit.org/show_bug.cgi?id=180767 5 <rdar://problem/33965995> 6 7 Reviewed by Simon Fraser. 8 9 * fast/images/crash-when-image-renderer-is-destroyed-before-calling-initializeStyle-expected.txt: Added. 10 * fast/images/crash-when-image-renderer-is-destroyed-before-calling-initializeStyle.html: Added. 11 1 12 2017-12-13 Matt Lewis <jlewis3@apple.com> 2 13 -
trunk/Source/WebCore/ChangeLog
r225868 r225872 1 2017-12-13 Zalan Bujtas <zalan@apple.com> 2 3 RenderImage can be destroyed even before setting the style on it. 4 https://bugs.webkit.org/show_bug.cgi?id=180767 5 <rdar://problem/33965995> 6 7 Reviewed by Simon Fraser. 8 9 In certain cases, when the newly constructed renderer can't be inserted into the tree (parent can only have specific type of children etc), 10 RenderTreeUpdater destroys it right away. While destroying a RenderImage, the associated image resource assumes 11 that the image renderer has been initialized through RenderElement::initializeStyle(). This is an incorrect 12 assumption. 13 This patch also makes RenderImageResource's m_renderer a weak pointer. 14 15 Test: fast/images/crash-when-image-renderer-is-destroyed-before-calling-initializeStyle.html 16 17 * rendering/RenderImageResource.cpp: 18 (WebCore::RenderImageResource::initialize): 19 (WebCore::RenderImageResource::setCachedImage): 20 (WebCore::RenderImageResource::resetAnimation): 21 (WebCore::RenderImageResource::image const): 22 (WebCore::RenderImageResource::setContainerContext): 23 (WebCore::RenderImageResource::imageSize const): 24 * rendering/RenderImageResource.h: 25 (WebCore::RenderImageResource::renderer const): 26 * rendering/RenderImageResourceStyleImage.cpp: 27 (WebCore::RenderImageResourceStyleImage::shutdown): 28 1 29 2017-12-13 Ryosuke Niwa <rniwa@webkit.org> 2 30 -
trunk/Source/WebCore/rendering/RenderImageResource.cpp
r224537 r225872 48 48 ASSERT(!m_renderer); 49 49 ASSERT(!m_cachedImage); 50 m_renderer = &renderer;50 m_renderer = makeWeakPtr(renderer); 51 51 m_cachedImage = styleCachedImage; 52 52 m_cachedImageRemoveClientIsNeeded = !styleCachedImage; … … 66 66 ASSERT(m_renderer); 67 67 if (m_cachedImage && m_cachedImageRemoveClientIsNeeded) 68 m_cachedImage->removeClient(* m_renderer);68 m_cachedImage->removeClient(*renderer()); 69 69 m_cachedImage = newImage; 70 70 m_cachedImageRemoveClientIsNeeded = true; … … 72 72 return; 73 73 74 m_cachedImage->addClient(* m_renderer);74 m_cachedImage->addClient(*renderer()); 75 75 if (m_cachedImage->errorOccurred()) 76 m_renderer->imageChanged(m_cachedImage.get());76 renderer()->imageChanged(m_cachedImage.get()); 77 77 } 78 78 … … 85 85 image()->resetAnimation(); 86 86 87 if (! m_renderer->needsLayout())88 m_renderer->repaint();87 if (!renderer()->needsLayout()) 88 renderer()->repaint(); 89 89 } 90 90 … … 93 93 if (!m_cachedImage) 94 94 return &Image::nullImage(); 95 if (auto image = m_cachedImage->imageForRenderer( m_renderer))95 if (auto image = m_cachedImage->imageForRenderer(renderer())) 96 96 return image; 97 97 return &Image::nullImage(); … … 103 103 return; 104 104 ASSERT(m_renderer); 105 m_cachedImage->setContainerContextForClient(* m_renderer, imageContainerSize, m_renderer->style().effectiveZoom(), imageURL);105 m_cachedImage->setContainerContextForClient(*renderer(), imageContainerSize, renderer()->style().effectiveZoom(), imageURL); 106 106 } 107 107 … … 110 110 if (!m_cachedImage) 111 111 return LayoutSize(); 112 LayoutSize size = m_cachedImage->imageSizeForRenderer( m_renderer, multiplier, type);113 if (is<RenderImage>( m_renderer))114 size.scale(downcast<RenderImage>(* m_renderer).imageDevicePixelRatio());112 LayoutSize size = m_cachedImage->imageSizeForRenderer(renderer(), multiplier, type); 113 if (is<RenderImage>(renderer())) 114 size.scale(downcast<RenderImage>(*renderer()).imageDevicePixelRatio()); 115 115 return size; 
116 116 } -
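Review bot: Switching m_renderer to a WeakPtr only protects the call sites that test it, and in setCachedImage the new code still dereferences `*renderer()` on both the removeClient and addClient lines (and `renderer()->imageChanged(...)` after them) guarded only by `ASSERT(m_renderer)`, which compiles out in release builds; the same unconditional `renderer()->` pattern appears in the resetAnimation and setContainerContext hunks. If the renderer has already been destroyed, `renderer()` yields nullptr and these become null dereferences rather than the crash the weak pointer is meant to avoid. Either make the precondition fatal in all builds, `RELEASE_ASSERT(renderer());`, or bail out early, `if (!renderer()) return;`, before the first dereference in each of those functions — I cannot tell from the hunks which of the two the callers expect. The enclosing functions start and end outside the hunks shown.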
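--- a/trunk/Source/WebCore/rendering/RenderImageResource.h
+++ b/trunk/Source/WebCore/rendering/RenderImageResource.h
@@ -30,4 +30,5 @@
 #include "StyleImage.h"
 #include <wtf/IsoMalloc.h>
+#include <wtf/WeakPtr.h>
 
 namespace WebCore {
@@ -64,5 +65,5 @@
 
 protected:
-    RenderElement* renderer() const { return m_renderer ; }
+    RenderElement* renderer() const { return m_renderer.get(); }
     void initialize(RenderElement&, CachedImage*);
 
@@ -70,5 +71,5 @@
     virtual LayoutSize imageSize(float multiplier, CachedImage::SizeType) const;
 
-    RenderElement* m_renderer { nullptr };
+    WeakPtr<RenderElement> m_renderer;
     CachedResourceHandle<CachedImage> m_cachedImage;
     bool m_cachedImageRemoveClientIsNeeded { true };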
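Review bot: The contract of `renderer()` changes with this hunk — it previously returned whatever initialize() stored and now returns `m_renderer.get()`, which is nullptr both before initialize() runs and after the RenderElement is destroyed — but nothing in the header says so, and the ChangeLog shows the .cpp callers still dereference the result freely. A one-line comment on the accessor would make the new nullability explicit for subclasses: `// May be null: initialize() has not run yet, or the renderer has already been destroyed. Callers must check.` The class body continues outside the hunks shown.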
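--- a/trunk/Source/WebCore/rendering/RenderImageResourceStyleImage.cpp
+++ b/trunk/Source/WebCore/rendering/RenderImageResourceStyleImage.cpp
@@ -51,7 +51,7 @@
 void RenderImageResourceStyleImage::shutdown()
 {
-    ASSERT(renderer());
     RenderImageResource::shutdown();
-    m_styleImage->removeClient(renderer());
+    if (renderer())
+        m_styleImage->removeClient(renderer());
 }
 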
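Review bot: The new `if (renderer())` guard silently skips `m_styleImage->removeClient(...)`, and the reason that is safe is not stated in the code: per the ChangeLog, a null renderer here means the RenderImage was destroyed before initializeStyle(), so initialize() never registered the renderer as a client and there is nothing to remove. If the weak pointer can also become null after initialize() has run, the client would now be left registered on m_styleImage, so a comment pinning the intended invariant would help the next reader: `// A null renderer means initialize() never ran (the renderer was destroyed before initializeStyle()), so no client was added.` As a minor style point, `renderer()` is called twice; `if (auto* element = renderer()) m_styleImage->removeClient(element);` reads the weak pointer once.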