Crash in ImageFrameCache::decodedSizeChanged() after image load cancellation
author said@apple.com <said@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 5 May 2017 21:35:54 +0000 (21:35 +0000)
committer said@apple.com <said@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 5 May 2017 21:35:54 +0000 (21:35 +0000)
commit fe5df53e3ae432d743e641217648c2d95a6b3979
tree 7fca08fc04d743e90f42c92882d3e3951b24601a
parent 105ce0af4ff90354a9f527bb16b582b4052a9328
Crash in ImageFrameCache::decodedSizeChanged() after image load cancellation
https://bugs.webkit.org/show_bug.cgi?id=171736

Reviewed by Tim Horton.

Tests: Covered by run-webkit-tests fast/images/image-formats-support.html --guard-malloc.

Because an image format is not supported, the ImageObserver of the Image
is deleted then the Image itself is deleted. In BitmapImage destructor,
we make a call which ends up accessing the deleted ImageObserver.

To fix this, we need to setImageObserver of the Image to-be-deleted to
nullptr, so the Image can avoid accessing its ImageObserver while it is
being deleted. Also we can change the BitmapImage destructor to avoid calling
ImageFrameCache::decodedSizeChanged() since it is not really needed.

* loader/cache/CachedImage.cpp:
(WebCore::CachedImage::clearImage):
* platform/graphics/BitmapImage.cpp:
(WebCore::BitmapImage::~BitmapImage):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@216273 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/WebCore/ChangeLog
Source/WebCore/loader/cache/CachedImage.cpp
Source/WebCore/platform/graphics/BitmapImage.cpp
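The lifetime bug the commit message describes, reduced to a stand-alone C++ illustration. This is an added example, not WebKit's code: `Image`, `ImageObserver`, `setImageObserver` and `decodedSizeChanged` are simplified stand-ins named after the classes in the message, and the live-object registry plus the `g_danglingAccesses` counter are assumptions that play the role guard malloc plays in the referenced test, letting the example report a reach into a destroyed observer instead of actually dereferencing freed memory. `buggyClear()` follows the original destruction order (observer deleted, then the image whose destructor still notifies it); `fixedClear()` detaches the observer first, as the fix does.

```cpp
#include <cstddef>
#include <memory>
#include <set>

// Registry of observers currently alive (assumption for this example; stands in
// for what guard malloc or ASan would detect in the real program).
static std::set<const void*> g_liveObservers;
// How many times an Image destructor reached an observer that was already gone.
static int g_danglingAccesses = 0;

// Simplified stand-in for the ImageObserver owned by the cache, not WebKit's class.
struct ImageObserver {
    long decodedSize = 0;
    ImageObserver() { g_liveObservers.insert(static_cast<const void*>(this)); }
    ~ImageObserver() { g_liveObservers.erase(static_cast<const void*>(this)); }
    void decodedSizeChanged(long delta) { decodedSize += delta; }
};

// Simplified stand-in for BitmapImage: holds a raw, non-owning observer pointer.
class Image {
public:
    Image(ImageObserver* observer, long decodedBytes)
        : m_observer(observer), m_decodedSize(decodedBytes) {}

    void setImageObserver(ImageObserver* observer) { m_observer = observer; }

    // Mirrors the old destructor behaviour: tell the observer the decoded
    // bytes are going away. Safe only if the observer is still alive.
    ~Image() {
        if (!m_observer)
            return;
        // The real code dereferenced unconditionally; here we consult the
        // registry so the example stays free of undefined behaviour.
        if (!g_liveObservers.count(m_observer)) {
            ++g_danglingAccesses;
            return;
        }
        m_observer->decodedSizeChanged(-m_decodedSize);
    }

private:
    ImageObserver* m_observer;
    long m_decodedSize;
};

// Original order: observer deleted first, image still points at it.
// Returns the number of dangling accesses observed (expected: 1).
int buggyClear() {
    g_danglingAccesses = 0;
    auto observer = std::make_unique<ImageObserver>();
    auto image = std::make_unique<Image>(observer.get(), 4096);
    observer.reset();   // observer destroyed
    image.reset();      // destructor reaches the dead observer
    return g_danglingAccesses;
}

// Fixed order, as the commit describes: null out the observer pointer before
// the image is torn down, so the destructor has nothing to notify.
int fixedClear() {
    g_danglingAccesses = 0;
    auto observer = std::make_unique<ImageObserver>();
    auto image = std::make_unique<Image>(observer.get(), 4096);
    image->setImageObserver(nullptr);
    observer.reset();
    image.reset();
    return g_danglingAccesses;
}

// Normal case for comparison: observer outlives the image, so the decrement is
// delivered and the accounted size returns to zero.
long normalShutdown() {
    ImageObserver observer;
    {
        Image image(&observer, 4096);
        observer.decodedSizeChanged(4096);   // decode accounted for
    }                                        // image destroyed: -4096 delivered
    return observer.decodedSize;
}
```

The invariant worth taking from this is the one the commit enforces: whoever owns both objects must sever the non-owning back-pointer (here `setImageObserver(nullptr)`) before destroying the observed object, and a destructor that can run after that severing must tolerate a null observer.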