REGRESSION(r122215) - CachedImage::likelyToBeUsedSoon crashes on accessing a deleted...
author hclam@chromium.org <hclam@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 28 Sep 2012 23:58:22 +0000 (23:58 +0000)
committer hclam@chromium.org <hclam@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 28 Sep 2012 23:58:22 +0000 (23:58 +0000)
commit ca0196d02a78d5511e46a9e6586ecf9ac9cc9d4c
tree d201e7e6ac3cff82755bbb4a80f83b1fa75a834d
parent 9dc4a1bb59befa6078029998666157d8ea4d4f16
REGRESSION(r122215) - CachedImage::likelyToBeUsedSoon crashes on accessing a deleted CachedImageClient
https://bugs.webkit.org/show_bug.cgi?id=97749

Reviewed by James Robinson.

.:

Added a manual test to demonstrate drag image and crashing.

* ManualTests/drag-image-no-crash.html: Added.

Source/WebCore:

All implementations of Clipboard set themselves as clients to CachedImage
through the JS API setDragImage() but they do not detach during destruction.
This causes memory corruption when CachedImage tries to access a deleted client
when MemoryCache prunes and calls CachedImage::likelyToBeUsedSoon().

Manual test added: ManualTests/drag-image-no-crash.html

* platform/chromium/ClipboardChromium.cpp:
(WebCore::ClipboardChromium::~ClipboardChromium):
* platform/gtk/ClipboardGtk.cpp:
(WebCore::ClipboardGtk::~ClipboardGtk):
* platform/mac/ClipboardMac.mm:
(WebCore::ClipboardMac::~ClipboardMac):
* platform/win/ClipboardWin.cpp:
(WebCore::ClipboardWin::~ClipboardWin):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@129962 268f45cc-cd09-0410-ab3c-d52691b4dbfc
ChangeLog
ManualTests/drag-image-no-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/platform/chromium/ClipboardChromium.cpp
Source/WebCore/platform/gtk/ClipboardGtk.cpp
Source/WebCore/platform/mac/ClipboardMac.mm
Source/WebCore/platform/win/ClipboardWin.cpp
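
The lifetime bug described in the commit message, as an added C++ example that is not WebKit's code or part of this commit. `ImageResource`, `ImageClient`, `DragClient` and their members are hypothetical stand-ins; only the name `likelyToBeUsedSoon` is taken from the commit title.

```cpp
#include <cstddef>
#include <set>

// Hypothetical stand-ins for the pattern in the commit message; not WebKit's classes.
class ImageClient {
public:
    virtual ~ImageClient() = default;
    virtual bool willPaintSoon() const = 0;
};

class ImageResource {
public:
    void addClient(ImageClient* c) { m_clients.insert(c); }
    void removeClient(ImageClient* c) { m_clients.erase(c); }
    std::size_t clientCount() const { return m_clients.size(); }
    // Called while the cache prunes: dereferences every registered client.
    bool likelyToBeUsedSoon() const {
        for (ImageClient* c : m_clients)
            if (c->willPaintSoon())
                return true;
        return false;
    }
private:
    std::set<ImageClient*> m_clients; // raw, non-owning pointers
};

// A client that registers for a drag image. detachInDestructor selects the
// buggy lifetime (false) or the corrected one (true).
class DragClient : public ImageClient {
public:
    DragClient(ImageResource& image, bool detachInDestructor)
        : m_image(image), m_detach(detachInDestructor) { m_image.addClient(this); }
    ~DragClient() override { if (m_detach) m_image.removeClient(this); }
    bool willPaintSoon() const override { return false; }
private:
    ImageResource& m_image;
    bool m_detach;
};

// Stale client pointers the resource still holds once the client is destroyed.
std::size_t staleClientsAfterDestroy(bool detachInDestructor) {
    ImageResource image;
    { DragClient client(image, detachInDestructor); }
    return image.clientCount(); // counted only, never dereferenced
}

// With a detaching client, pruning after destruction touches no freed object.
bool pruneIsSafeWithDetach() {
    ImageResource image;
    { DragClient client(image, true); }
    return image.clientCount() == 0 && !image.likelyToBeUsedSoon();
}
```

Without the detach, the one entry left in the client set is the dangling pointer that a later `likelyToBeUsedSoon()` call would dereference; building the buggy variant with AddressSanitizer and calling it reports the access as a heap-use-after-free.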