RESOLVED FIXED167618
The current frame of an image should not deleted if another frame is asynchronously being decoded 
https://bugs.webkit.org/show_bug.cgi?id=167618
Summary The current frame of an image should not deleted if another frame is asynchro...
Said Abou-Hallawa
Reported 2017-01-30 17:27:24 PST
Decoding multiple frames from the same image is not thread-safe. Since the next frame may not be ready at the time BitmapImage::draw() is called, the current frame has to be drawn. If the current frame is not available, drawing the current frame will invoke the image decoding from the drawing commit thread. This may lead to a crash when two threads update the image decoded frames data at the same time.
Attachments
Patch (8.39 KB, patch)
2017-01-30 18:14 PST, Said Abou-Hallawa 		no flags
DetailsFormatted DiffDiff
Patch (14.17 KB, patch)
2017-01-31 13:42 PST, Said Abou-Hallawa 		no flags
DetailsFormatted DiffDiff
Patch (17.93 KB, patch)
2017-01-31 16:01 PST, Said Abou-Hallawa 		no flags
DetailsFormatted DiffDiff
Patch (18.89 KB, patch)
2017-02-03 12:25 PST, Said Abou-Hallawa 		no flags
DetailsFormatted DiffDiff
Patch (18.87 KB, patch)
2017-02-13 16:10 PST, Said Abou-Hallawa 		no flags
DetailsFormatted DiffDiff
Show Obsolete (4) View All Add attachment proposed patch, testcase, etc.
Said Abou-Hallawa
Comment 1 2017-01-30 18:14:08 PST
Created attachment 300174 [details] Patch
Said Abou-Hallawa
Comment 2 2017-01-30 18:14:56 PST
I will see if I can come up with a test for this patch.
Simon Fraser (smfr)
Comment 3 2017-01-30 18:38:58 PST
Comment on attachment 300174 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=300174&action=review > Source/WebCore/ChangeLog:18 > + be destroyed expect the current frame. expect -> except > Source/WebCore/platform/graphics/ImageFrameCache.cpp:73 > +void ImageFrameCache::destroyDecodedData(bool destroyAll, size_t currentFrame) 'currentFrame' is a bit confusing here. Does it mean "just destroy data for the current frame", or "destroy data for all frames up to and including currentFrame"? > Source/WebCore/platform/graphics/ImageFrameCache.cpp:87 > +bool ImageFrameCache::destroyDecodedDataIfNecessary(bool destroyAll, size_t currentFrame) Same comment.
Said Abou-Hallawa
Comment 4 2017-01-31 13:42:36 PST
Created attachment 300254 [details] Patch
Said Abou-Hallawa
Comment 5 2017-01-31 13:44:29 PST
(In reply to comment #3) > Comment on attachment 300174 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=300174&action=review > > > Source/WebCore/ChangeLog:18 > > + be destroyed expect the current frame. > > expect -> except > > > Source/WebCore/platform/graphics/ImageFrameCache.cpp:73 > > +void ImageFrameCache::destroyDecodedData(bool destroyAll, size_t currentFrame) > > 'currentFrame' is a bit confusing here. Does it mean "just destroy data for > the current frame", or "destroy data for all frames up to and including > currentFrame"? > > > Source/WebCore/platform/graphics/ImageFrameCache.cpp:87 > > +bool ImageFrameCache::destroyDecodedDataIfNecessary(bool destroyAll, size_t currentFrame) > > Same comment. I did not see these comments before uploading the new patch. Please ignore it till I fix these issues.
Said Abou-Hallawa
Comment 6 2017-01-31 16:01:25 PST
Created attachment 300279 [details] Patch
Said Abou-Hallawa
Comment 7 2017-01-31 16:06:04 PST
Comment on attachment 300174 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=300174&action=review >>> Source/WebCore/ChangeLog:18 >>> + be destroyed expect the current frame. >> >> expect -> except > > I did not see these comments before uploading the new patch. Please ignore it till I fix these issues. Fixed. >> Source/WebCore/platform/graphics/ImageFrameCache.cpp:73 >> +void ImageFrameCache::destroyDecodedData(bool destroyAll, size_t currentFrame) > > 'currentFrame' is a bit confusing here. Does it mean "just destroy data for the current frame", or "destroy data for all frames up to and including currentFrame"? All the logic is moved to BitmapImage::destroyDecodedData(). BitmapImage::destroyDecodedDataIfNecessary() also checks the decoded data size and then decides to call BitmapImage::destroyDecodedData() or not. The ImageSource is just a wrapper for the ImageFrameCache functions. The ImageFrameCache::destroyDecodedData() deletes a range of ImageFrame unconditionally.
Said Abou-Hallawa
Comment 8 2017-02-03 12:25:56 PST
Created attachment 300557 [details] Patch
Jon Lee
Comment 9 2017-02-09 12:00:21 PST
rdar://problem/30231732
Simon Fraser (smfr)
Comment 10 2017-02-13 15:18:05 PST
Comment on attachment 300557 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=300557&action=review > Source/WTF/wtf/Assertions.h:306 > + CRASH(); \ > +} \ The indentation is off here. > Source/WebCore/ChangeLog:16 > + We can avoid that by destroying all the frames expect the current frame if expect -> except
Said Abou-Hallawa
Comment 11 2017-02-13 16:10:40 PST
Created attachment 301408 [details] Patch
WebKit Commit Bot
Comment 12 2017-02-13 17:31:03 PST
Comment on attachment 301408 [details] Patch Clearing flags on attachment: 301408 Committed r212265: <http://trac.webkit.org/changeset/212265>
WebKit Commit Bot
Comment 13 2017-02-13 17:31:09 PST
All reviewed patches have been landed. Closing bug.
Said Abou-Hallawa
Comment 14 2017-03-06 14:53:28 PST
<rdar://problem/30231732>
Note You need to log in before you can comment on or make changes to this bug.