Bug 18879

Summary: Reproducible crash when removing a gradient
Product: WebKit
Reporter: mitz
Component: CSS
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: hyatt
Priority: P1
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: Mac
OS: OS X 10.5
Attachments (Description: Flags):
Test case (will crash): none
Make clients implicitly ref() the CSSImageGeneratorValue: sam: review+

mitz
Reported 2008-05-03 20:48:58 PDT
The attached test case crashes beneath StyleGeneratedImage::removeClient(), because the CSSImageGeneratorValue is deleted when the background-image property is removed.
Attachments
Test case (will crash) (280 bytes, text/html)
2008-05-03 20:49 PDT, mitz
no flags
Make clients implicitly ref() the CSSImageGeneratorValue (3.77 KB, patch)
2008-05-03 21:23 PDT, mitz
sam: review+
mitz
Comment 1 2008-05-03 20:49:21 PDT
Created attachment 20954 [details] Test case (will crash)
mitz
Comment 2 2008-05-03 20:49:51 PDT
mitz
Comment 3 2008-05-03 21:23:49 PDT
Created attachment 20955 [details]
Make clients implicitly ref() the CSSImageGeneratorValue

The "autoDeref" trick may be the wrong trade-off between readability and leak safety for such a small function. I can replace it with a deref() at the end.
Sam Weinig
Comment 4 2008-05-04 14:03:10 PDT
Comment on attachment 20955 [details]
Make clients implicitly ref() the CSSImageGeneratorValue

I think you should replace the "autoDeref" trick with a deref at the end to make the calls symmetrical. r=me, the change is up to you though.
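A simplified model of the lifetime rule named in the patch title, with the deref() placed at the end of removeClient() as Comment 4 suggests. This is an added example, not WebKit code or the attached patch; GeneratorValue, Result, liveGenerators and removePropertyThenClient are hypothetical names.

```cpp
#include <set>

// Simplified model, not WebKit source. GeneratorValue, Result and
// removePropertyThenClient are hypothetical names.
static int liveGenerators = 0;

class GeneratorValue {
public:
    GeneratorValue() { ++liveGenerators; }   // starts with the creator's reference
    void ref() { ++m_refCount; }
    void deref() { if (--m_refCount == 0) delete this; }

    void addClient(const void* client) {
        // A newly registered client implicitly takes a reference.
        if (m_clients.insert(client).second)
            ref();
    }
    void removeClient(const void* client) {
        if (!m_clients.erase(client))
            return;                          // unknown client: nothing to release
        deref();                             // must be last: may delete this
    }

private:
    ~GeneratorValue() { --liveGenerators; }  // only deref() may destroy the object
    int m_refCount = 1;
    std::set<const void*> m_clients;
};

struct Result { int liveAfterPropertyRemoved; int liveAfterClientRemoved; };

Result removePropertyThenClient() {
    Result r;
    int renderer = 0;                        // stands in for the client object
    GeneratorValue* value = new GeneratorValue;
    value->addClient(&renderer);
    value->deref();                          // property removed: owner drops its reference
    r.liveAfterPropertyRemoved = liveGenerators;
    value->removeClient(&renderer);          // value is still alive here, freed inside
    r.liveAfterClientRemoved = liveGenerators;
    return r;
}

int main() {
    Result r = removePropertyThenClient();
    return (r.liveAfterPropertyRemoved == 1 && r.liveAfterClientRemoved == 0) ? 0 : 1;
}
```

Without the ref() in addClient(), the owner's deref() would destroy the object while the client is still registered, and the later removeClient() call would run on freed memory.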
mitz
Comment 5 2008-05-04 15:07:55 PDT