Fix GeneratedImage usage to respect Image's refcounting

I found this while I was searching for the Image-related leak on ToT.
Created attachment 23067 [details]
Fix GeneratedImage to respect Image's refcounting

 WebCore/css/CSSGradientValue.cpp           | 11 ++++++-----
 WebCore/css/CSSImageGeneratorValue.cpp     | 7 +++----
 WebCore/css/CSSImageGeneratorValue.h       | 4 ++--
 WebCore/platform/graphics/GeneratedImage.h | 11 ++++++++---
 WebCore/rendering/style/RenderStyle.cpp    | 5 ++---
 WebCore/rendering/style/RenderStyle.h      | 4 ++--
 6 files changed, 23 insertions(+), 19 deletions(-)
I don't think this will fix any leaks seen on ToT, but it will prevent future crashes due to clients expecting Images to live as long as their refcount is non-zero. :)
I will add a ChangeLog when I land.
For example, if somehow this image could be used as a tile to a Pattern, it's possible that this could be made to crash on ToT. I'm not really sure how to use GeneratedImages, but if one can get an HTMLImageElement to use one so that a CanvasPattern can end up creating a Pattern using a GeneratedImage, then the following code should crash WebKit:

    var canvas = document.getElementById("canvas");
    var img = document.getElementById("imgUsingGeneratedImage");
    var ctx = canvas.getContext("2d");
    // The pattern is created from the element's image
    var pattern = ctx.createPattern(img, "repeat");
    // Remove the element while the pattern is still in use
    img.parentNode.removeChild(img);
    ctx.fillStyle = pattern;
    ctx.fillRect(0, 0, 100, 100);
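The ownership rule discussed in this thread, as an added C++ sketch that is not WebKit code and not taken from the attached patch: the generator-side cache holds only a counted reference, so a client such as a pattern keeps its tile alive after the cache is cleared. `ImageRef`, `GeneratorCache`, `Pattern` and the `g_liveImages` counter are hypothetical stand-ins, and the private destructor is this sketch's own way of making a direct delete by an owner impossible.

```cpp
#include <map>
#include <utility>

static int g_liveImages = 0;  // instrumentation for this sketch only

// Minimal intrusive refcount: the last deref() is the only place that frees.
class Image {
public:
    Image() { ++g_liveImages; }
    void ref() { ++m_refs; }
    void deref() { if (--m_refs == 0) delete this; }
private:
    ~Image() { --g_liveImages; }  // private: no owner can delete it directly
    int m_refs = 0;
};

class ImageRef {  // hypothetical stand-in for a RefPtr-style smart pointer
public:
    ImageRef(Image* p = nullptr) : m_p(p) { if (m_p) m_p->ref(); }
    ImageRef(const ImageRef& o) : m_p(o.m_p) { if (m_p) m_p->ref(); }
    ImageRef& operator=(ImageRef o) { std::swap(m_p, o.m_p); return *this; }
    ~ImageRef() { if (m_p) m_p->deref(); }
private:
    Image* m_p;
};

// Generator-side cache: one counted reference per cached size, nothing more.
class GeneratorCache {
public:
    ImageRef imageForSize(int size) {
        auto it = m_images.find(size);
        if (it == m_images.end())
            it = m_images.emplace(size, ImageRef(new Image)).first;
        return it->second;
    }
    void clear() { m_images.clear(); }  // drops references, never deletes
private:
    std::map<int, ImageRef> m_images;
};

struct Pattern { ImageRef tile; };  // client that can outlive the cache entry

// Live-image counts: first after the cache is cleared, second after the client dies.
std::pair<int, int> cacheClearedWhilePatternAlive() {
    GeneratorCache cache;
    int afterClear = 0;
    {
        Pattern pattern{cache.imageForSize(100)};
        cache.clear();              // generator side lets go first
        afterClear = g_liveImages;  // the pattern's tile is still alive
    }
    return {afterClear, g_liveImages};
}
```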
Comment on attachment 23067 [details]
Fix GeneratedImage to respect Image's refcounting

r=me