[Webkit-unassigned] [Bug 167304] [GTK] WebProcess from WebKitGtk+ 2.15.x SIGSEVs in GIFLZWContext::doLZW(unsigned char const*, unsigned long) at Source/WebCore/platform/image-decoders/gif/GIFImageReader.cpp:303

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Mar 3 09:03:27 PST 2017


Miguel Gomez <magomez at igalia.com> changed:

           What    |Removed                     |Added
                 CC|                            |magomez at igalia.com

--- Comment #10 from Miguel Gomez <magomez at igalia.com> ---
The problem here seems to come from the usage of a decoding thread to decode gif images.

I've been able to reproduce the crash and what seems to be happening is:

- We want to show a gif image, so we create ImageFrameCache decides that the decoding of that image will happen in a secondary thread.
It creates a WorkQueue and, for each of the frames requested, the WorkQueue calls m_decoder->createFrameImageAtIndex() in the decoding thread.

- For some reason (maybe because it's hidden because of scrolling), the BitmapImage containing the gif gets resetAnimation() called. This stops the WorkQueue with the frame decodings and then it destroys all the data that has been decoded, and sometimes even the decoder used. Theoretically this is fine.

- But what I'm seeing is that the WorkQueue is indeed being stopped, and no new frames are requested for decoding. But if there's an ongoing decoding in the secondary thread, it won't stop until it finishes. Due to this, there's the possibility that the decoder gets destroyed while it's still being used in the decoding thread, and this seems to be the reason for the crashes, both this one and the similar ones reported.
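
The lifetime race described in the comment, reduced to a stand-alone model (added example, not WebKit code): a hypothetical `FrameDecoder` is used from a worker thread while the owner's `resetAnimation()` drops it mid-decode. The posted task holds its own strong reference and checks a cancel flag, so the object is only freed once `decodeFrame()` has returned; `g_destroyedMidDecode` records whether the destructor ever ran during a decode.

```cpp
#include <atomic>
#include <chrono>
#include <memory>
#include <thread>
#include <vector>

// Set if a decoder is destroyed while a decodeFrame() call is still running.
std::atomic<bool> g_destroyedMidDecode{false};

// Hypothetical stand-in for the GIF decoder, not WebKit's class.
struct FrameDecoder {
    std::vector<unsigned char> scratch;       // memory the decode writes into
    std::atomic<bool> cancelled{false}, decoding{false};

    int decodeFrame(size_t index) {
        decoding = true;
        int steps = 0;                        // simulate slow LZW work
        for (; steps < 20 && !cancelled; ++steps) {
            scratch.assign(64, static_cast<unsigned char>(index + steps));
            std::this_thread::sleep_for(std::chrono::milliseconds(1));
        }
        decoding = false;
        return cancelled ? -1 : steps;
    }
    ~FrameDecoder() { if (decoding) g_destroyedMidDecode = true; }
};

// Owner side, mirroring ImageFrameCache and BitmapImage::resetAnimation().
struct FrameCache {
    std::shared_ptr<FrameDecoder> decoder = std::make_shared<FrameDecoder>();
    std::thread worker;
    std::atomic<int> result{0};

    // The posted task captures a strong reference, so the decoder cannot be
    // freed underneath the decoding thread.
    void requestFrame(size_t index) {
        std::shared_ptr<FrameDecoder> keepAlive = decoder;
        worker = std::thread([this, keepAlive, index] { result = keepAlive->decodeFrame(index); });
    }
    // Stop further work and drop the owner's reference; in-flight work sees
    // the cancel flag, and its own reference keeps the object alive until then.
    void resetAnimation() {
        if (decoder) decoder->cancelled = true;
        decoder.reset();
    }
    ~FrameCache() { if (worker.joinable()) worker.join(); }
};

// Starts a decode, resets mid-flight, returns the decode result (-1 = cancelled cleanly).
int runRace() {
    FrameCache cache;
    cache.requestFrame(0);
    std::this_thread::sleep_for(std::chrono::milliseconds(3));
    cache.resetAnimation();
    cache.worker.join();
    return cache.result;
}
```

Replacing `keepAlive` with a raw pointer reproduces the hazard in the report: `decoder.reset()` would then free the object while `decodeFrame()` is still writing into `scratch`.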
