Context Navigation

← Previous Change
Next Change →

CSSImageSetValue.cpp

Timestamp:

Dec 4, 2012, 1:50:18 PM (12 years ago)

Author:

Message:

Heap-use-after-free in WebCore::StyleCachedImageSet::cssValue
https://bugs.webkit.org/show_bug.cgi?id=100621

Reviewed by Eric Seidel.

Source/WebCore:

r115639 fixed a memory leak caused by reference cycle between StyleCachedImageSet
and its owner CSSImageSetValue. The fix caused StyleCachedImageSet to maintain
a weak pointer to CSSImageSetValue. This patch makes sure that the weak pointer
is cleared when CSSImageSetValue is going away.

Test: fast/css/image-set-value-not-removed-crash.html

css/CSSImageSetValue.cpp:

(WebCore::CSSImageSetValue::~CSSImageSetValue):

rendering/style/StyleCachedImageSet.h:

(WebCore::StyleCachedImageSet::clearImageSetValue):
(StyleCachedImageSet):

LayoutTests:

fast/css/image-set-value-not-removed-crash-expected.txt: Added.
fast/css/image-set-value-not-removed-crash.html: Added.

File:

: 1 edited

trunk/Source/WebCore/css/CSSImageSetValue.cpp (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/Source/WebCore/css/CSSImageSetValue.cpp

r135452	r136560
53	53	CSSImageSetValue::~CSSImageSetValue()
54	54	{
	55	if (m_imageSet && m_imageSet->isCachedImageSet())
	56	static_cast<StyleCachedImageSet*>(m_imageSet.get())->clearImageSetValue();
55	57	}
56	58

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 136560 in webkit for trunk/Source/WebCore/css/CSSImageSetValue.cpp

Legend:

trunk/Source/WebCore/css/CSSImageSetValue.cpp

Download in other formats: