RenderImage can be destroyed even before setting the style on it.
author: zalan@apple.com <zalan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 13 Dec 2017 22:13:32 +0000 (22:13 +0000)
committer: zalan@apple.com <zalan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 13 Dec 2017 22:13:32 +0000 (22:13 +0000)
commit: 6efb6424d511ad34eebe909d1e899077445e3574
tree: 6e234b390d48a7ffac923d887bca5033df63c1f6
parent: afcb218c7197ef1b4323f8462787e9e32812e86c
RenderImage can be destroyed even before setting the style on it.
https://bugs.webkit.org/show_bug.cgi?id=180767
<rdar://problem/33965995>

Reviewed by Simon Fraser.

Source/WebCore:

In certain cases, when the newly constructed renderer can't be inserted into the tree (a parent can only have specific types of children, etc.),
RenderTreeUpdater destroys it right away. While destroying a RenderImage, the associated image resource assumes
that the image renderer has been initialized through RenderElement::initializeStyle(). This is an incorrect
assumption.
This patch also makes RenderImageResource's m_renderer a weak pointer.

Test: fast/images/crash-when-image-renderer-is-destroyed-before-calling-initializeStyle.html

* rendering/RenderImageResource.cpp:
(WebCore::RenderImageResource::initialize):
(WebCore::RenderImageResource::setCachedImage):
(WebCore::RenderImageResource::resetAnimation):
(WebCore::RenderImageResource::image const):
(WebCore::RenderImageResource::setContainerContext):
(WebCore::RenderImageResource::imageSize const):
* rendering/RenderImageResource.h:
(WebCore::RenderImageResource::renderer const):
* rendering/RenderImageResourceStyleImage.cpp:
(WebCore::RenderImageResourceStyleImage::shutdown):

LayoutTests:

* fast/images/crash-when-image-renderer-is-destroyed-before-calling-initializeStyle-expected.txt: Added.
* fast/images/crash-when-image-renderer-is-destroyed-before-calling-initializeStyle.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@225872 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/fast/images/crash-when-image-renderer-is-destroyed-before-calling-initializeStyle-expected.txt [new file with mode: 0644]
LayoutTests/fast/images/crash-when-image-renderer-is-destroyed-before-calling-initializeStyle.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/rendering/RenderImageResource.cpp
Source/WebCore/rendering/RenderImageResource.h
Source/WebCore/rendering/RenderImageResourceStyleImage.cpp