Ensure ImageFrameCache does not access its BitmapImage after it is deleted
author: commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 25 May 2017 18:22:48 +0000 (18:22 +0000)
committer: commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 25 May 2017 18:22:48 +0000 (18:22 +0000)
commit: f182d1345b7c81e226f642869df8379611c5ad33
tree: 2692f9d781503fe20be5ec1217cad798ef7e8b79
parent: 9af5663098200469a8e43f8980f4440a660ae733
Ensure ImageFrameCache does not access its BitmapImage after it is deleted
https://bugs.webkit.org/show_bug.cgi?id=172563

Patch by Said Abou-Hallawa <sabouhallawa@apple.com> on 2017-05-25
Reviewed by Simon Fraser.

A crash may happen if the BitmapImage is deleted while the decoding thread
is still active. Once the current frame finishes decoding, the decoding
thread will make a callOnMainThread() which will access the deleted BitmapImage.

We need to ensure that if BitmapImage is deleted, the raw pointer which references
it in ImageFrameCache is cleared. If this is done, nothing else is needed.
All the accesses to the container BitmapImage in ImageFrameCache are guarded
by checking m_image is not null.

* platform/graphics/BitmapImage.cpp:
(WebCore::BitmapImage::~BitmapImage): Make sure the decoding thread will
not have access to the deleted BitmapImage when it finishes decoding and
makes its callOnMainThread().
(WebCore::BitmapImage::destroyDecodedData): Use the function's new name.
(WebCore::BitmapImage::internalStartAnimation): Ditto.
* platform/graphics/ImageFrameCache.cpp:
(WebCore::ImageFrameCache::startAsyncDecodingQueue): Protect the sourceURL
for the decoding thread. ImageFrameCache::sourceURL() checks for the value
of m_image which now may change from the main thread.
* platform/graphics/ImageFrameCache.h:
(WebCore::ImageFrameCache::clearImage): Add a new function to clear the
raw pointer m_image when it is deleted.
* platform/graphics/ImageSource.cpp:
(WebCore::ImageSource::resetData): Rename clear() to resetData() for better
code readability. This function deletes the ImageDecoder and creates a new
one if data is not null. The purpose is to delete the decoder raster data.
(WebCore::ImageSource::clear): Deleted.
* platform/graphics/ImageSource.h:
(WebCore::ImageSource::clearImage): Wrapper for the ImageFrameCache function.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@217437 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/WebCore/ChangeLog
Source/WebCore/platform/graphics/BitmapImage.cpp
Source/WebCore/platform/graphics/ImageFrameCache.cpp
Source/WebCore/platform/graphics/ImageFrameCache.h
Source/WebCore/platform/graphics/ImageSource.cpp
Source/WebCore/platform/graphics/ImageSource.h
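The lifetime pattern the ChangeLog describes, written out as an added stand-alone C++ example (not WebKit's code): the owner clears the cache's raw back-pointer in its destructor, and the completion task posted to the main thread null-checks that pointer before touching the owner. callOnMainThread, FrameCache, Image and framesDeliveredWhen are hypothetical stand-ins; the queue models the main-thread dispatch deterministically, and the sourceURL protection from the ChangeLog is not shown.

```cpp
#include <deque>
#include <functional>
#include <memory>
#include <utility>
// Hypothetical stand-in for WebKit's callOnMainThread(): tasks queue up and are drained later by
// runMainThreadTasks(), which reproduces the decode-completion race deterministically.
static std::deque<std::function<void()>> g_mainThreadQueue;
static void callOnMainThread(std::function<void()> task) { g_mainThreadQueue.push_back(std::move(task)); }
static void runMainThreadTasks() {
    while (!g_mainThreadQueue.empty()) { auto t = std::move(g_mainThreadQueue.front()); g_mainThreadQueue.pop_front(); t(); }
}
class Image;
// Ref-counted and shared with the decoding work, so it can outlive its owning Image.
class FrameCache : public std::enable_shared_from_this<FrameCache> {
public:
    explicit FrameCache(Image* image) : m_image(image) { }
    void clearImage() { m_image = nullptr; }  // the fix: the owner clears the back-pointer in its destructor
    void startAsyncDecoding();
    int framesDelivered() const { return m_framesDelivered; }
private:
    Image* m_image;                           // raw, non-owning back-pointer; every use is null-checked
    int m_framesDelivered { 0 };
};
class Image {
public:
    Image() : m_cache(std::make_shared<FrameCache>(this)) { }
    ~Image() { m_cache->clearImage(); }       // without this line the queued task would dereference freed memory
    std::shared_ptr<FrameCache> cache() const { return m_cache; }
    void frameDecoded() { ++m_decodedFrames; } // reaching this after deletion would be a use-after-free
private:
    std::shared_ptr<FrameCache> m_cache;
    int m_decodedFrames { 0 };
};
void FrameCache::startAsyncDecoding() {
    auto protectedThis = shared_from_this();  // keeps the cache alive until the completion task runs
    callOnMainThread([protectedThis] {
        if (!protectedThis->m_image) return;  // owner already deleted: drop the notification
        protectedThis->m_image->frameDecoded();
        ++protectedThis->m_framesDelivered;
    });
}
// Starts a decode, optionally deletes the owner before the completion task runs, and reports how many
// notifications reached an Image: 0 when the owner was deleted first, 1 when it stayed alive.
int framesDeliveredWhen(bool deleteOwnerFirst) {
    auto image = std::make_unique<Image>();
    auto cache = image->cache();
    cache->startAsyncDecoding();
    if (deleteOwnerFirst) image.reset();
    runMainThreadTasks();
    return cache->framesDelivered();
}
```

Building with AddressSanitizer and removing the clearImage() call from ~Image() turns the deleteOwnerFirst case into a reported heap-use-after-free, which is the crash the ChangeLog describes.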