Crash when ImageLoader deletes Element inside SVGImageElement
author: schenney@chromium.org <schenney@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 5 Mar 2013 22:53:57 +0000 (22:53 +0000)
committer: schenney@chromium.org <schenney@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 5 Mar 2013 22:53:57 +0000 (22:53 +0000)
commit: cd73168c3c07946b273a375ac55bd8fa971e9603
tree: 2c0383ae6bd6528fff908d3b434fd96066cc9999
parent: 1eac2f3c6c342414285c5b1b8d9e63e3fa0669cc
Crash when ImageLoader deletes Element inside SVGImageElement
https://bugs.webkit.org/show_bug.cgi?id=111085

Reviewed by Abhishek Arya.

Source/WebCore:

Elements with ImageLoader objects associated with them may have their
final reference held by the ImageLoader (to allow events to be sent
and handled). Any call on Element that causes the ImageLoader to
dispatch events might then result in the final deref of the Element
itself, thus leaving all the Element's "this" pointers up the stack
pointing to invalid memory.

This change puts the deref of the Element on a timer so that, if the
deref is called via a method on Element, the call stack will unwind
before the deref occurs.

Test: svg/custom/image-with-attr-change-after-delete-crash.html

* loader/ImageLoader.cpp:
(WebCore::ImageLoader::ImageLoader): Initialize a timer
(WebCore::ImageLoader::updatedHasPendingEvent): Put deref of the
  element on a oneShotTimer, with appropriate assertions and checks to
  ensure we only ref/deref once.
(WebCore::ImageLoader::timerFired): Deref the element when the timer fires.
* loader/ImageLoader.h:
(ImageLoader): Define a timer for controlling deref of the element.

LayoutTests:

* svg/custom/image-with-attr-change-after-delete-crash-expected.txt: Added.
* svg/custom/image-with-attr-change-after-delete-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@144825 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/svg/custom/image-with-attr-change-after-delete-crash-expected.txt [new file with mode: 0644]
LayoutTests/svg/custom/image-with-attr-change-after-delete-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/loader/ImageLoader.cpp
Source/WebCore/loader/ImageLoader.h
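The deferred-deref pattern the commit message describes, as an added illustration rather than WebKit's own code: a minimal ref-counted Element whose ImageLoader holds the final reference, with the deref queued on a stand-in one-shot timer (a plain callback queue, an assumption made here) so that an Element method which cancels the pending event returns before the object is freed.

```cpp
#include <functional>
#include <vector>
// Stand-in for a one-shot timer: callbacks run only when the "event loop" drains the
// queue, i.e. after the current call stack has fully unwound (constructed for this example).
static std::vector<std::function<void()>> g_pendingTimers;
static void runPendingTimers() { for (auto& t : g_pendingTimers) t(); g_pendingTimers.clear(); }
static int g_liveElements = 0;   // Elements currently allocated
class Element;
// Holds a reference to its Element while an event is pending, as WebCore's ImageLoader does.
class ImageLoader {
public:
    explicit ImageLoader(Element* element) : m_element(element) {}
    void updatedHasPendingEvent(bool pending);   // defined once Element is complete
private:
    Element* m_element;
    bool m_hasPendingEvent = false;
};
class Element {
public:
    Element() : m_loader(this) { ++g_liveElements; }
    void ref() { ++m_refCount; }
    void deref() { if (--m_refCount == 0) delete this; }
    ImageLoader& imageLoader() { return m_loader; }
    // Attribute change that cancels the pending event. With a synchronous deref and the loader
    // holding the last ref, `this` would already be freed when m_attrChanges is touched.
    int attributeChanged() { m_loader.updatedHasPendingEvent(false); return ++m_attrChanges; }
private:
    ~Element() { --g_liveElements; }
    int m_refCount = 1;
    ImageLoader m_loader;
    int m_attrChanges = 0;
};
void ImageLoader::updatedHasPendingEvent(bool pending) {
    if (pending == m_hasPendingEvent) return;   // ref/deref exactly once per transition
    m_hasPendingEvent = pending;
    if (pending) { m_element->ref(); return; }
    Element* element = m_element;   // queue the deref; the current call stack unwinds first
    g_pendingTimers.push_back([element] { element->deref(); });
}
struct Outcome { int attrChanges; int liveAfterCall; int liveAfterTimer; };
// The bug's scenario: only the loader's pending-event ref keeps the element alive.
Outcome runScenario() {
    Element* element = new Element();
    element->imageLoader().updatedHasPendingEvent(true);   // loader takes a ref
    element->deref();                                      // creator's ref gone; loader's is last
    int attrChanges = element->attributeChanged();         // safe: the deref was only queued
    int liveAfterCall = g_liveElements;                    // 1: element still alive here
    runPendingTimers();                                    // timer fires after unwinding
    return {attrChanges, liveAfterCall, g_liveElements};   // live count is now 0
}
```

Run under AddressSanitizer with the queueing line replaced by an immediate `m_element->deref()` and the scenario reports a heap-use-after-free in `attributeChanged`, which is the crash the test case above reproduces.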