[Webkit-unassigned] [Bug 97749] REGRESSION(r122215) - CachedImage::likelyToBeUsedSoon crashes on accessing a deleted CachedImageClient

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Sep 27 10:33:18 PDT 2012


https://bugs.webkit.org/show_bug.cgi?id=97749


Hin-Chung Lam <hclam at google.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|REGRESSION(r122215) -       |REGRESSION(r122215) -
                   |RenderObject::willRenderIma |CachedImage::likelyToBeUsed
                   |ge crashes on null          |Soon crashes on accessing a
                   |document()->view()          |deleted CachedImageClient




--- Comment #2 from Hin-Chung Lam <hclam at google.com>  2012-09-27 10:33:44 PST ---
Tracing this hard with help from ncarter@, I found the problem to be in WebCore::Clipboard. JS setDragImage() is a new HTML5 feature to set an image icon for drag and drop. This object handles drag and drop, and this is implemented in WebCore::Clipboard. It sets itself as a client but never removes itself, so when the object is destroyed CachedImage doesn't know this client has been removed.

This will be very hard to test as a reproduction involves forcing the memory cache to prune.

A reproduction case is this:

http://www.html5rocks.com/en/tutorials/dnd/basics/

Go to the section for a demo of drag and drop. Drag the image and then click on "Slides" on the menu bar above, scroll up and down the page multiple times to load more resources into WebKit and a crash will eventually happen.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
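The lifetime bug described in Comment #2, reduced to a self-contained model as an added example (this is not WebKit code; CachedImageModel, ImageClient, LeakyClipboard, ScopedClipboard and the liveClients() registry are all hypothetical names chosen for the illustration). The cache keeps raw, non-owning pointers to its clients and trusts them to deregister; the leaky client registers in its constructor and never removes itself, so after it is destroyed the cache still holds a dangling pointer and its likelyToBeUsedSoon() walk would dereference freed memory. The fixed client scopes the registration to its own lifetime. A debug registry of live objects is used so the example can count the dangling dereferences instead of performing them:

```cpp
// Added example, not WebKit's code: a cache that holds non-owning client
// pointers, a client that forgets to deregister, and the RAII fix.
#include <algorithm>
#include <cstddef>
#include <set>
#include <vector>

class ImageClient;

// Debug-only registry of live client objects (constructed for this example so
// a dangling pointer can be detected rather than dereferenced).
static std::set<const ImageClient*>& liveClients() {
    static std::set<const ImageClient*> s;
    return s;
}

// Stands in for CachedImage: raw pointers, no ownership, relies on clients
// calling removeClient() before they die.
class CachedImageModel {
public:
    void addClient(ImageClient* c) { m_clients.push_back(c); }
    void removeClient(ImageClient* c) {
        m_clients.erase(std::remove(m_clients.begin(), m_clients.end(), c), m_clients.end());
    }
    std::size_t clientCount() const { return m_clients.size(); }
    // Models CachedImage::likelyToBeUsedSoon(): asks each client whether it
    // will render the image. Returns the number of clients whose pointer no
    // longer refers to a live object, i.e. the use-after-free dereferences the
    // real code would have performed. (The liveness check exists only here.)
    int likelyToBeUsedSoon(bool& anyClientWillRender) const;
private:
    std::vector<ImageClient*> m_clients;
};

class ImageClient {
public:
    explicit ImageClient(bool wantsImage) : m_wantsImage(wantsImage) { liveClients().insert(this); }
    virtual ~ImageClient() { liveClients().erase(this); }
    bool willRenderImage() const { return m_wantsImage; }
private:
    bool m_wantsImage;
};

int CachedImageModel::likelyToBeUsedSoon(bool& anyClientWillRender) const {
    int dangling = 0;
    anyClientWillRender = false;
    for (ImageClient* c : m_clients) {
        if (!liveClients().count(c)) { ++dangling; continue; } // would be a UAF
        if (c->willRenderImage()) anyClientWillRender = true;
    }
    return dangling;
}

// Buggy pattern (what the comment reports for the setDragImage() path):
// registers as a client in the constructor, never removes itself.
class LeakyClipboard : public ImageClient {
public:
    explicit LeakyClipboard(CachedImageModel& img) : ImageClient(true), m_image(img) { m_image.addClient(this); }
    // No destructor calling m_image.removeClient(this): pointer left dangling.
private:
    CachedImageModel& m_image;
};

// Fixed pattern: registration lives exactly as long as the object.
class ScopedClipboard : public ImageClient {
public:
    explicit ScopedClipboard(CachedImageModel& img) : ImageClient(true), m_image(img) { m_image.addClient(this); }
    ~ScopedClipboard() override { m_image.removeClient(this); }
private:
    CachedImageModel& m_image;
};

// How many stale client pointers the cache still holds once the clipboard
// object is gone: 1 for the leaky version, 0 for the fixed one.
std::size_t clientsLeftAfterDestroy(bool fixed) {
    CachedImageModel image;
    if (fixed) { ScopedClipboard cb(image); (void)cb; }
    else       { LeakyClipboard cb(image); (void)cb; }
    return image.clientCount();
}

// How many freed clients a later likelyToBeUsedSoon() call would touch.
int danglingAfterDestroy(bool fixed) {
    CachedImageModel image;
    if (fixed) { ScopedClipboard cb(image); (void)cb; }
    else       { LeakyClipboard cb(image); (void)cb; }
    bool unused = false;
    return image.likelyToBeUsedSoon(unused);
}
```

The comment's observation that the crash only appears when the memory cache prunes matches this model: nothing goes wrong while the stale pointer sits unused in the client list, and the dereference only happens when the cache later walks its clients. The durable fix is the RAII form, where the object that registered is the one that must unregister, in its destructor, so no caller can forget.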