    REGRESSION(r122215) - CachedImage::likelyToBeUsedSoon crashes on accessing a... · a8e31294
    hclam@chromium.org authored
    REGRESSION(r122215) - CachedImage::likelyToBeUsedSoon crashes on accessing a deleted CachedImageClient
    https://bugs.webkit.org/show_bug.cgi?id=97749
    
    Reviewed by James Robinson.
    
    .:
    
    Added a manual test to demonstrate drag image and crashing.
    
    * ManualTests/drag-image-no-crash.html: Added.
    
    Source/WebCore:
    
    All implementations of Clipboard set themselves as clients to CachedImage
    through the JS API setDragImage() but they do not detach during destruction.
    This causes memory corruption when CachedImage tries to access a deleted client
    when MemoryCache prunes and calls CachedImage::likelyToBeUsedSoon().
    
    Manual test added: ManualTests/drag-image-no-crash.html
    
    * platform/chromium/ClipboardChromium.cpp:
    (WebCore::ClipboardChromium::~ClipboardChromium):
    * platform/gtk/ClipboardGtk.cpp:
    (WebCore::ClipboardGtk::~ClipboardGtk):
    * platform/mac/ClipboardMac.mm:
    (WebCore::ClipboardMac::~ClipboardMac):
    * platform/win/ClipboardWin.cpp:
    (WebCore::ClipboardWin::~ClipboardWin):
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129962 268f45cc-cd09-0410-ab3c-d52691b4dbfc
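
The lifetime rule the commit message describes, as an added example that is not WebKit code: a client registered with a cached image by raw pointer must deregister in its destructor, or the image's next walk over its client list dereferences freed memory. `CachedImageModel`, `ClipboardModel`, `ImageClient` and `stillNeedsImage()` are simplified, hypothetical stand-ins for the WebCore classes.

```cpp
#include <algorithm>
#include <cstddef>
#include <vector>

// Hypothetical, simplified model; only the client-registration lifetime is shown.
struct ImageClient {
    virtual ~ImageClient() = default;
    virtual bool stillNeedsImage() const = 0;
};

class CachedImageModel {
public:
    void addClient(ImageClient* c) { m_clients.push_back(c); }
    void removeClient(ImageClient* c) {
        m_clients.erase(std::remove(m_clients.begin(), m_clients.end(), c), m_clients.end());
    }
    // Cache pruning calls this; it dereferences every registered client pointer.
    bool likelyToBeUsedSoon() const {
        for (const ImageClient* c : m_clients)
            if (c->stillNeedsImage()) return true;
        return false;
    }
    std::size_t clientCount() const { return m_clients.size(); }
private:
    std::vector<ImageClient*> m_clients;  // raw, non-owning pointers
};

class ClipboardModel : public ImageClient {
public:
    void setDragImage(CachedImageModel* image) {
        if (m_dragImage) m_dragImage->removeClient(this);  // drop the old registration
        m_dragImage = image;
        if (m_dragImage) m_dragImage->addClient(this);
    }
    // Detach on destruction so the image never keeps a pointer to a dead client.
    ~ClipboardModel() override { if (m_dragImage) m_dragImage->removeClient(this); }
    bool stillNeedsImage() const override { return true; }
private:
    CachedImageModel* m_dragImage = nullptr;
};

// Destroys a clipboard that registered itself, then lets the image walk its clients.
std::size_t clientsAfterClipboardDestroyed() {
    CachedImageModel image;
    { ClipboardModel clipboard; clipboard.setDragImage(&image); }
    image.likelyToBeUsedSoon();  // safe only because the destructor detached
    return image.clientCount();
}

int main() { return clientsAfterClipboardDestroyed() == 0 ? 0 : 1; }
```

Building a variant without the destructor's `removeClient` call under AddressSanitizer reports a heap-use-after-free inside `likelyToBeUsedSoon()` when the clipboard is heap-allocated, which is a practical regression check for this bug class.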