<html>
    <head>
      <base href="https://bugs.webkit.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - ImageFrame has to implement its copy constructor"
   href="https://bugs.webkit.org/show_bug.cgi?id=168396">168396</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>ImageFrame has to implement its copy constructor
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>Unclassified
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>WebKit
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>WebKit Nightly Build
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Unspecified
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Unspecified
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>Normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P2
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>Images
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>webkit-unassigned&#64;lists.webkit.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>sabouhallawa&#64;apple.com
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Currently the ImageFrame copy constructor calls the assignment operator. This is a bad idea because the members of the object aren't initialized properly when calling the assignment operator. The problematic member is m_nativeImage. Assigning a new RetainPtr to m_nativeImage will force calling the destructor of the old RetainPtr which is garbage at that time. This may lead to the following crash:

Thread[0] EXC_BAD_ACCESS (SIGBUS) (KERN_PROTECTION_FAILURE at 0x00000001123fd000)
[  0] 0x0000000107fda288 WebCore`WebCore::ImageFrame::ImageFrame() [inlined] WTF::RetainPtr&lt;CGImage*&gt;::RetainPtr() at RetainPtr.h:64:19
[  0] 0x0000000107fda288 WebCore`WebCore::ImageFrame::ImageFrame() [inlined] WTF::RetainPtr&lt;CGImage*&gt;::RetainPtr() at RetainPtr.h:64
[  0] 0x0000000107fda288 WebCore`WebCore::ImageFrame::ImageFrame() [inlined] WebCore::ImageFrame::ImageFrame() + 20 at ImageFrame.cpp:33
[  1] 0x0000000107894a27 WebCore`WebCore::ImageFrameCache::growFrames() [inlined] WTF::VectorInitializer&lt;true, false, WebCore::ImageFrame&gt;::initialize(WebCore::ImageFrame*, WebCore::ImageFrame*) + 28 at Vector.h:79:32
[  1] 0x0000000107894a0b WebCore`WebCore::ImageFrameCache::growFrames() [inlined] WTF::VectorTypeOperations&lt;WebCore::ImageFrame&gt;::initialize(WebCore::ImageFrame*, WebCore::ImageFrame*) at Vector.h:229
[  1] 0x0000000107894a0b WebCore`WebCore::ImageFrameCache::growFrames() [inlined] WTF::Vector&lt;WebCore::ImageFrame, 1ul, WTF::CrashOnOverflow, 16ul&gt;::grow(unsigned long) + 77 at Vector.h:1036
[  1] 0x00000001078949be WebCore`WebCore::ImageFrameCache::growFrames() + 46 at ImageFrameCache.cpp:165
[  2] 0x0000000107ca9a1a WebCore`WebCore::ImageSource::dataChanged(WebCore::SharedBuffer*, bool) + 90 at ImageSource.cpp:155:5</pre>
        </div>
      </p>
    </body>
</html>