Crash in ImageFrameCache::decodedSizeChanged() after image load cancellation
author: said@apple.com <said@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 6 May 2017 03:27:16 +0000 (03:27 +0000)
committer: said@apple.com <said@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 6 May 2017 03:27:16 +0000 (03:27 +0000)
https://bugs.webkit.org/show_bug.cgi?id=171736

Reviewed by Tim Horton.

Tests: Covered by run-webkit-tests fast/images/image-formats-support.html
--guard-malloc.

Because an image format is not supported, the ImageObserver of the Image
is deleted, then the Image itself is deleted. In the BitmapImage destructor,
we make a call which ends up accessing the deleted ImageObserver.

To fix this, we need to change the BitmapImage destructor to avoid calling
ImageFrameCache::decodedSizeChanged() since it is not really needed.

* platform/graphics/BitmapImage.cpp:
(WebCore::BitmapImage::~BitmapImage):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@216305 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebCore/ChangeLog
Source/WebCore/platform/graphics/BitmapImage.cpp

index b470758..adda754 100644 (file)
@@ -1,3 +1,23 @@
+2017-05-05  Said Abou-Hallawa  <sabouhallawa@apple.com>
+
+        Crash in ImageFrameCache::decodedSizeChanged() after image load cancellation
+        https://bugs.webkit.org/show_bug.cgi?id=171736
+
+        Reviewed by Tim Horton.
+
+        Tests: Covered by run-webkit-tests fast/images/image-formats-support.html
+        --guard-malloc.
+
+        Because an image format is not supported, the ImageObserver of the Image
+        is deleted then the Image itself is deleted. In BitmapImage destructor,
+        we make a call which ends up accessing the deleted ImageObserver.
+
+        To fix this, we need to change the BitImage destructor to avoid calling 
+        ImageFrameCache::decodedSizeChanged() since it is not really needed.
+
+        * platform/graphics/BitmapImage.cpp:
+        (WebCore::BitmapImage::~BitmapImage):
+
 2017-05-05  Timothy Horton  <timothy_horton@apple.com>
 
         [Mac] Adjust cursor position for dragged link (and stop it from moving based on how fast you are dragging)
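Review bot: the ChangeLog entry misspells the class in "change the BitImage destructor"; it should read BitmapImage, matching the function it lists under platform/graphics/BitmapImage.cpp ((WebCore::BitmapImage::~BitmapImage)). The "avoid calling " line also carries trailing whitespace. Since the Tests line says the crash is covered by run-webkit-tests fast/images/image-formats-support.html only when run with --guard-malloc, it would help to state in the entry that a plain test run will not necessarily catch a regression of this use-after-free, so whoever bisects a future report knows to enable Guard Malloc.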
index 0d42b44..9a6ab12 100644 (file)
@@ -61,7 +61,8 @@ BitmapImage::BitmapImage(NativeImagePtr&& image, ImageObserver* observer)
 BitmapImage::~BitmapImage()
 {
     invalidatePlatformData();
-    stopAnimation();
+    clearTimer();
+    m_source.stopAsyncDecodingQueue();
 }
 
 void BitmapImage::updateFromSettings(const Settings& settings)
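Review bot: the change avoids one path to the deleted ImageObserver but leaves the dangling pointer in place. The ChangeLog says the observer is destroyed before the Image, yet nothing in this hunk clears or checks the observer pointer; swapping stopAnimation() for clearTimer() plus m_source.stopAsyncDecodingQueue() only removes the route through ImageFrameCache::decodedSizeChanged(), so any other code reached from ~BitmapImage (including invalidatePlatformData(), which still runs first) that consults the observer would hit the same use-after-free. Consider having the code that destroys the observer null out the Image's pointer to it, or asserting that it is already null here, so the ordering is enforced rather than worked around. Also add a one-line comment above clearTimer() saying why stopAnimation() must not be called from the destructor; without it, the next cleanup pass is likely to fold these two lines back into stopAnimation().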