RESOLVED FIXED 18879
Reproducible crash when removing a gradient 
https://bugs.webkit.org/show_bug.cgi?id=18879
Summary Reproducible crash when removing a gradient
mitz
Reported 2008-05-03 20:48:58 PDT
The attached test case crashes beneath StyleGeneratedImage::removeClient(), because the CSSImageGeneratorValue is deleted when the background-image property is removed.
Attachments
Test case (will crash) (280 bytes, text/html)
2008-05-03 20:49 PDT, mitz 		no flags
Details
Make clients implicitly ref() the CSSImageGeneratorValue (3.77 KB, patch)
2008-05-03 21:23 PDT, mitz 		sam: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
mitz
Comment 1 2008-05-03 20:49:21 PDT
Created attachment 20954 [details] Test case (will crash)
mitz
Comment 2 2008-05-03 20:49:51 PDT
<rdar://problem/5909481>
mitz
Comment 3 2008-05-03 21:23:49 PDT
Created attachment 20955 [details] Make clients implicitly ref() the CSSImageGeneratorValue The "autoDeref" trick may be the wrong trade-off between readability and leak safety for such a small function. I can replace it with a deref() at the end.
Sam Weinig
Comment 4 2008-05-04 14:03:10 PDT
Comment on attachment 20955 [details] Make clients implicitly ref() the CSSImageGeneratorValue I think you should replace the "autoDeref" trick with a deref at the end to make the calls symmetrical. r=me, the change is up to you though.
mitz
Comment 5 2008-05-04 15:07:55 PDT
Fixed in <http://trac.webkit.org/changeset/32854>.
Note You need to log in before you can comment on or make changes to this bug.