Timestamp:
Feb 10, 2010, 1:14:24 PM (15 years ago)
Author:
[email protected]
Message:

Reviewed by Geoffrey Garen.

https://bugs.webkit.org/show_bug.cgi?id=34490
WebCore::ImageEventSender::dispatchPendingEvents() crashes in certain conditions

Test: fast/images/destroyed-image-load-event.html

  • ForwardingHeaders/wtf/ValueCheck.h: Added.
  • loader/ImageLoader.cpp:
    (WTF::ValueCheck): Special case value check for ImageLoader - it's allocated inside elements, so check the owner instead.
    (WebCore::ImageEventSender::hasPendingEvents): Added a debugging aid for ImageLoader destructor.
    (WebCore::ImageLoader::~ImageLoader): Assert that we're not going to leave dangling pointers in ImageEventSender.
    (WebCore::ImageLoader::setImage): Cancel events that could be dispatched for the previous image. The only client using this method that I could find was DeleteButton, which doesn't care about load events for the new image, so I didn't add any code for firing those.
    (WebCore::ImageLoader::setLoadingImage): This method only existed to confuse readers - there wasn't any meaningful code shared (callers just undid most assignments made there). Merged the logic into callers.
    (WebCore::ImageLoader::updateFromElement): We're forgetting the old image, so forget its old events, too.
    (WebCore::ImageLoader::notifyFinished): This can be called from setImage(), in which case no one is going to dispatch the event "soon". So, don't queue it.
    (WebCore::ImageEventSender::dispatchPendingEvents): Call checkConsistency(). This didn't help catch this particular bug, but seems like a useful check anyway.
  • loader/ImageLoader.h: Removed setLoadingImage().
File:
1 edited

  • trunk/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

    r54405 r54618  
    476476                E124A8F80E555775003091F1 /* OpaqueJSString.cpp in Sources */ = {isa = PBXBuildFile; fileRef = E124A8F60E555775003091F1 /* OpaqueJSString.cpp */; };
    477477                E178636D0D9BEEC300D74E75 /* InitializeThreading.cpp in Sources */ = {isa = PBXBuildFile; fileRef = E178636C0D9BEEC300D74E75 /* InitializeThreading.cpp */; };
     478                E17FF771112131D200076A19 /* ValueCheck.h in Headers */ = {isa = PBXBuildFile; fileRef = E17FF770112131D200076A19 /* ValueCheck.h */; settings = {ATTRIBUTES = (Private, ); }; };
    478479                E18E3A590DF9278C00D90B34 /* JSGlobalData.cpp in Sources */ = {isa = PBXBuildFile; fileRef = E18E3A570DF9278C00D90B34 /* JSGlobalData.cpp */; };
    479480                E1A862A90D7EBB76001EC6AA /* CollatorICU.cpp in Sources */ = {isa = PBXBuildFile; fileRef = E1A862A80D7EBB76001EC6AA /* CollatorICU.cpp */; settings = {COMPILER_FLAGS = "-fno-strict-aliasing"; }; };
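Review bot: The log message lists only WebCore files, yet the entry added at new line 478 registers ValueCheck.h in JavaScriptCore's Xcode project, so the log should also name the new JavaScriptCore header and this project change. Marking it with ATTRIBUTES = (Private, ) is consistent with WebCore reaching it through ForwardingHeaders/wtf/ValueCheck.h, and saying so in the log would make clear why a JavaScriptCore project edit belongs to an ImageLoader crash fix.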
     
    980981                E178633F0D9BEC0000D74E75 /* InitializeThreading.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = InitializeThreading.h; sourceTree = "<group>"; };
    981982                E178636C0D9BEEC300D74E75 /* InitializeThreading.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = InitializeThreading.cpp; sourceTree = "<group>"; };
     983                E17FF770112131D200076A19 /* ValueCheck.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ValueCheck.h; sourceTree = "<group>"; };
    982984                E18E3A560DF9278C00D90B34 /* JSGlobalData.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSGlobalData.h; sourceTree = "<group>"; };
    983985                E18E3A570DF9278C00D90B34 /* JSGlobalData.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSGlobalData.cpp; sourceTree = "<group>"; };
     
    13871389                                0B4D7E620F319AC800AD7E58 /* TypeTraits.h */,
    13881390                                935AF46B09E9D9DB00ACD1D8 /* UnusedParam.h */,
     1391                                E17FF770112131D200076A19 /* ValueCheck.h */,
    13891392                                6592C316098B7DE10003D4F6 /* Vector.h */,
    13901393                                6592C317098B7DE10003D4F6 /* VectorTraits.h */,
     
    20552058                                9688CB160ED12B4E001D649F /* X86Assembler.h in Headers */,
    20562059                                86E85539111B9968001AF51E /* JSStringBuilder.h in Headers */,
     2060                                E17FF771112131D200076A19 /* ValueCheck.h in Headers */,
    20572061                        );
    20582062                        runOnlyForDeploymentPostprocessing = 0;
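Review bot: ValueCheck.h is added to the Headers phase at new line 2060 of the Xcode project only, and this page shows a single edited file. If the build files of other ports also list wtf headers explicitly, add ValueCheck.h there in the same change so that the WTF::ValueCheck specialization in loader/ImageLoader.cpp builds on every port.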