Crash in ImageFrameCache::decodedSizeChanged() after image load cancellation
authorsaid@apple.com <said@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 6 May 2017 03:27:16 +0000 (03:27 +0000)
committersaid@apple.com <said@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 6 May 2017 03:27:16 +0000 (03:27 +0000)
commitf29e0a6966a8eb8a5c58528b6966627b2a4cf25e
treeb864556eec4177968768f68f44005482054392c3
parentb8896916e7541c67ff49ab11c64c4a8280c3633b
Crash in ImageFrameCache::decodedSizeChanged() after image load cancellation
https://bugs.webkit.org/show_bug.cgi?id=171736

Reviewed by Tim Horton.

Tests: Covered by run-webkit-tests fast/images/image-formats-support.html
--guard-malloc.

Because an image format is not supported, the ImageObserver of the Image
is deleted then the Image itself is deleted. In BitmapImage destructor,
we make a call which ends up accessing the deleted ImageObserver.

To fix this, we need to change the BitImage destructor to avoid calling
ImageFrameCache::decodedSizeChanged() since it is not really needed.

* platform/graphics/BitmapImage.cpp:
(WebCore::BitmapImage::~BitmapImage):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@216305 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/WebCore/ChangeLog
Source/WebCore/platform/graphics/BitmapImage.cpp