Bug 18879

Summary: Reproducible crash when removing a gradient
Product: WebKit
Reporter: mitz
Component: CSS
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: hyatt
Priority: P1
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: Mac
OS: OS X 10.5
Attachments (Description | Flags):
Test case (will crash) | none
Make clients implicitly ref() the CSSImageGeneratorValue | sam: review+

Description mitz 2008-05-03 20:48:58 PDT
The attached test case crashes beneath StyleGeneratedImage::removeClient(), because the CSSImageGeneratorValue is deleted when the background-image property is removed.
Comment 1 mitz 2008-05-03 20:49:21 PDT
Created attachment 20954
Test case (will crash)
Comment 2 mitz 2008-05-03 20:49:51 PDT
<rdar://problem/5909481>
Comment 3 mitz 2008-05-03 21:23:49 PDT
Created attachment 20955
Make clients implicitly ref() the CSSImageGeneratorValue

The "autoDeref" trick may be the wrong trade-off between readability and leak safety for such a small function. I can replace it with a deref() at the end.
Comment 4 Sam Weinig 2008-05-04 14:03:10 PDT
Comment on attachment 20955
Make clients implicitly ref() the CSSImageGeneratorValue

I think you should replace the "autoDeref" trick with a deref at the end to make the calls symmetrical.  r=me, the change is up to you though.
Comment 5 mitz 2008-05-04 15:07:55 PDT
Fixed in <http://trac.webkit.org/changeset/32854>.
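
The lifetime rule discussed in this bug, as an added example that is not WebKit source and not part of the original report: a simplified ref-counted value whose clients each hold an implicit reference, released by a deref() as the last statement of removeClient(). The GeneratorValue type, its members and the test sequence are assumptions made for illustration.

```cpp
#include <cstddef>
#include <set>

// Simplified model (hypothetical, not WebKit code): an intrusively
// ref-counted generator value that tracks the clients using it.
struct GeneratorValue {
    explicit GeneratorValue(bool* destroyedFlag) : destroyed(destroyedFlag) {}
    ~GeneratorValue() { *destroyed = true; }

    void ref() { ++refCount; }
    void deref() { if (--refCount == 0) delete this; }

    // Each registered client implicitly holds one reference.
    void addClient(const void* client) {
        if (clients.insert(client).second)
            ref();
    }

    void removeClient(const void* client) {
        if (!clients.erase(client))
            return;  // unknown client: no reference to release
        // Any further work on members must happen before this point.
        deref();  // symmetrical with ref() in addClient(); may delete this
    }

    std::size_t clientCount() const { return clients.size(); }

    int refCount = 1;  // the creator's reference (assumption of this model)
    std::set<const void*> clients;
    bool* destroyed;   // lets the caller observe destruction safely
};

// Sequence from the report: a client registers, the owning property drops
// its reference, then the client unregisters. Returns true if the value
// stayed alive while in use and was freed once the last client left.
bool valueOutlivesPropertyRemoval() {
    bool destroyed = false;
    int renderer = 0;  // stands in for a client object (constructed sample)
    GeneratorValue* value = new GeneratorValue(&destroyed);
    value->addClient(&renderer);
    value->deref();  // property removed: owner's reference goes away
    bool aliveWhileInUse = !destroyed && value->clientCount() == 1;
    value->removeClient(&renderer);  // releases the last reference
    return aliveWhileInUse && destroyed;
}
```

Without the ref() in addClient(), the owner's deref() would free the value while a client is still registered, which is the use-after-free shape described in the report.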