RESOLVED FIXED 172563
Ensure ImageFrameCache does not access its BitmapImage after it is deleted 
https://bugs.webkit.org/show_bug.cgi?id=172563
Summary Ensure ImageFrameCache does not access its BitmapImage after it is deleted
Said Abou-Hallawa
Reported 2017-05-24 17:30:20 PDT
ImageFrameCache keeps a raw pointer to its container BitmapImage named m_image. The reason for not making m_image a RefPtr is we do not want to create a cyclic reference: BitmapImage -> ImageSource - > ImageFrameCache -> BitmapImage. But because we allow the decoding thread to continue after the BitmapImage is deleted, we need to ensure the ImageFrameCache does not keep a pointer to the BitmapImage after it is deleted. We can do that by adding a function named ImageFrameCache::clearImage() which will set m_image to null and call it from the BitmapImage destructor via the ImageSource. This bug can cause the following crash: WebCore::ImageFrameCache::decodedSizeChanged(long long) + 20 at ImageFrameCache.cpp:127:31 { 124 if (!decodedSize || !m_image || !m_image->imageObserver()) 125 return; 126 -> 127 m_image->imageObserver()->decodedSizeChanged(*m_image, decodedSize); 128 } WebCore::ImageFrameCache::decodedSizeChanged(long long) + 20 at ImageFrameCache.cpp:127:31 WebCore::ImageFrameCache::decodedSizeIncreased(unsigned decodedSize) at ImageFrameCache.cpp:246 WebCore::ImageFrameCache::cacheNativeImageAtIndex(WTF::RetainPtr<CGImage*>&&, unsigned long, WebCore::SubsamplingLevel, WebCore::DecodingOptions const&, WebCore::ImageFrame::DecodingStatus) at ImageFrameCache.cpp:141 WebCore::ImageFrameCache::cacheNativeImageAtIndex(WTF::RetainPtr<CGImage*>&&, unsigned long, WebCore::SubsamplingLevel, WebCore::DecodingOptions const&, WebCore::ImageFrame::DecodingStatus) at ImageFrameCache.cpp:245 WTF::Function<void ()>::CallableWrapper<WebCore::ImageFrameCache::startAsyncDecodingQueue()::$_0::operator()() const::'lambda'()>::call() at ImageFrameCache.cpp:256:5 WTF::Function<void ()>::CallableWrapper<WebCore::ImageFrameCache::startAsyncDecodingQueue()::$_0::operator()() const::'lambda'()>::call() at ImageFrameCache.cpp:305 WTF::Function<void ()>::CallableWrapper<WebCore::ImageFrameCache::startAsyncDecodingQueue()::$_0::operator()() const::'lambda'()>::call() at Function.h:89
Attachments
Patch (5.84 KB, patch)
2017-05-24 17:47 PDT, Said Abou-Hallawa 		no flags
DetailsFormatted DiffDiff
Patch (10.15 KB, patch)
2017-05-24 18:34 PDT, Said Abou-Hallawa 		no flags
DetailsFormatted DiffDiff
Patch (10.31 KB, patch)
2017-05-25 10:59 PDT, Said Abou-Hallawa 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Said Abou-Hallawa
Comment 1 2017-05-24 17:30:52 PDT
<rdar://problem/32385552>
Said Abou-Hallawa
Comment 2 2017-05-24 17:47:08 PDT
Created attachment 311172 [details] Patch
Said Abou-Hallawa
Comment 3 2017-05-24 18:34:45 PDT
Created attachment 311176 [details] Patch
Said Abou-Hallawa
Comment 4 2017-05-25 10:59:32 PDT
Created attachment 311247 [details] Patch
WebKit Commit Bot
Comment 5 2017-05-25 11:22:51 PDT
Comment on attachment 311247 [details] Patch Clearing flags on attachment: 311247 Committed r217437: <http://trac.webkit.org/changeset/217437>
WebKit Commit Bot
Comment 6 2017-05-25 11:22:52 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.