[Webkit-unassigned] [Bug 172563] New: Ensure ImageFrameCache does not access its BitmapImage after it is deleted
bugzilla-daemon at webkit.org
Wed May 24 17:30:20 PDT 2017
https://bugs.webkit.org/show_bug.cgi?id=172563
Bug ID: 172563
Summary: Ensure ImageFrameCache does not access its BitmapImage after it is deleted
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: Images
Assignee: webkit-unassigned at lists.webkit.org
Reporter: sabouhallawa at apple.com
ImageFrameCache keeps a raw pointer to its container BitmapImage named m_image. The reason for not making m_image a RefPtr is we do not want to create a cyclic reference: BitmapImage -> ImageSource -> ImageFrameCache -> BitmapImage. But because we allow the decoding thread to continue after the BitmapImage is deleted, we need to ensure the ImageFrameCache does not keep a pointer to the BitmapImage after it is deleted. We can do that by adding a function named ImageFrameCache::clearImage() which will set m_image to null and call it from the BitmapImage destructor via the ImageSource.
This bug can cause the following crash:
WebCore::ImageFrameCache::decodedSizeChanged(long long) + 20 at ImageFrameCache.cpp:127:31
{
124 if (!decodedSize || !m_image || !m_image->imageObserver())
125 return;
126
-> 127 m_image->imageObserver()->decodedSizeChanged(*m_image, decodedSize);
128
}
WebCore::ImageFrameCache::decodedSizeChanged(long long) + 20 at ImageFrameCache.cpp:127:31
WebCore::ImageFrameCache::decodedSizeIncreased(unsigned decodedSize) at ImageFrameCache.cpp:246
WebCore::ImageFrameCache::cacheNativeImageAtIndex(WTF::RetainPtr<CGImage*>&&, unsigned long, WebCore::SubsamplingLevel, WebCore::DecodingOptions const&, WebCore::ImageFrame::DecodingStatus) at ImageFrameCache.cpp:141
WebCore::ImageFrameCache::cacheNativeImageAtIndex(WTF::RetainPtr<CGImage*>&&, unsigned long, WebCore::SubsamplingLevel, WebCore::DecodingOptions const&, WebCore::ImageFrame::DecodingStatus) at ImageFrameCache.cpp:245
WTF::Function<void ()>::CallableWrapper<WebCore::ImageFrameCache::startAsyncDecodingQueue()::$_0::operator()() const::'lambda'()>::call() at ImageFrameCache.cpp:256:5
WTF::Function<void ()>::CallableWrapper<WebCore::ImageFrameCache::startAsyncDecodingQueue()::$_0::operator()() const::'lambda'()>::call() at ImageFrameCache.cpp:305
WTF::Function<void ()>::CallableWrapper<WebCore::ImageFrameCache::startAsyncDecodingQueue()::$_0::operator()() const::'lambda'()>::call() at Function.h:89
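The ownership pattern the report describes, as an added example that is not WebKit's code: a hypothetical, single-threaded model in which the BitmapImage destructor clears the cache's raw back-pointer through the ImageSource, so a decode that finishes after the image is deleted is ignored instead of dereferencing freed memory. Class and method names follow the report; the bool return value of decodedSizeChanged and the ImageObserver::total counter are assumptions added to make the outcome checkable.

```cpp
#include <memory>
// Hypothetical, simplified model of the classes named in the report; not WebKit's code.
struct ImageObserver { long long total = 0; void decodedSizeChanged(long long d) { total += d; } };
class BitmapImage;
class ImageFrameCache {
public:
    explicit ImageFrameCache(BitmapImage* image) : m_image(image) {}
    void clearImage() { m_image = nullptr; }          // the fix: drop the back-pointer
    bool decodedSizeChanged(long long decodedSize);   // true if the observer was notified (assumption)
private:
    BitmapImage* m_image;  // raw on purpose: a RefPtr would close the BitmapImage -> ImageSource -> ImageFrameCache -> BitmapImage cycle
};
struct ImageSource {
    explicit ImageSource(BitmapImage* image) : frameCache(std::make_shared<ImageFrameCache>(image)) {}
    void clearImage() { frameCache->clearImage(); }
    std::shared_ptr<ImageFrameCache> frameCache;  // shared: the decoding work may outlive the image
};
class BitmapImage {
public:
    explicit BitmapImage(ImageObserver* observer) : m_observer(observer), m_source(this) {}
    ~BitmapImage() { m_source.clearImage(); }     // destructor routes clearImage() through the ImageSource
    ImageObserver* imageObserver() const { return m_observer; }
    std::shared_ptr<ImageFrameCache> frameCache() const { return m_source.frameCache; }
private:
    ImageObserver* m_observer;
    ImageSource m_source;
};

bool ImageFrameCache::decodedSizeChanged(long long decodedSize) {
    if (!decodedSize || !m_image || !m_image->imageObserver())  // same guard as ImageFrameCache.cpp:124
        return false;
    m_image->imageObserver()->decodedSizeChanged(decodedSize);
    return true;
}

// Scenario from the report: a decode completes after the BitmapImage is gone. Returns true when
// the live image was notified once and the late decode touched nothing.
bool lateDecodeIsSafe() {
    ImageObserver observer;
    std::shared_ptr<ImageFrameCache> cache;
    {
        BitmapImage image(&observer);
        cache = image.frameCache();               // the decoding queue keeps only the cache alive
        if (!cache->decodedSizeChanged(100) || observer.total != 100) return false;
    }                                             // ~BitmapImage runs here; m_image becomes null
    bool notified = cache->decodedSizeChanged(50);   // use-after-free without clearImage()
    return !notified && observer.total == 100;
}
int main() { return lateDecodeIsSafe() ? 0 : 1; }
```

The model runs everything on one thread; clearing the pointer only removes the dangling reference, and ordering between a real decoding thread and the destructor still needs the synchronization this sketch leaves out.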