hclam@chromium.org authored
REGRESSION(r122215) - CachedImage::likelyToBeUsedSoon crashes on accessing a deleted CachedImageClient
https://bugs.webkit.org/show_bug.cgi?id=97749

Reviewed by James Robinson.

.:

Added a manual test to demonstrate drag image and crashing.

* ManualTests/drag-image-no-crash.html: Added.

Source/WebCore:

All implementations of Clipboard set themselves as clients to CachedImage through the JS API setDragImage() but they do not detach during destruction. This causes memory corruption when CachedImage tries to access a deleted client when MemoryCache prunes and calls CachedImage::likelyToBeUsedSoon().

Manual test added: ManualTests/drag-image-no-crash.html

* platform/chromium/ClipboardChromium.cpp:
(WebCore::ClipboardChromium::~ClipboardChromium):
* platform/gtk/ClipboardGtk.cpp:
(WebCore::ClipboardGtk::~ClipboardGtk):
* platform/mac/ClipboardMac.mm:
(WebCore::ClipboardMac::~ClipboardMac):
* platform/win/ClipboardWin.cpp:
(WebCore::ClipboardWin::~ClipboardWin):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129962 268f45cc-cd09-0410-ab3c-d52691b4dbfc
a8e31294
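
The lifetime bug the commit message describes, as an added example that is not WebKit code: a simplified model in which `Image`, `ImageClient`, `Clipboard` and `staleClientsAfterDestroy` are hypothetical stand-ins, and the `detachInDestructor` flag switches between the pre-fix behaviour and detaching in the destructor.

```cpp
#include <cstddef>
#include <set>

// Simplified stand-ins for CachedImage / CachedImageClient; hypothetical, not WebKit code.
class ImageClient {
public:
    virtual ~ImageClient() = default;
    virtual bool willRenderSoon() const = 0;
};

class Image {
public:
    void addClient(ImageClient* c) { m_clients.insert(c); }
    void removeClient(ImageClient* c) { m_clients.erase(c); }
    std::size_t clientCount() const { return m_clients.size(); }
    // Called by the cache while pruning: dereferences every registered client.
    bool likelyToBeUsedSoon() const {
        for (ImageClient* c : m_clients)
            if (c->willRenderSoon()) return true;
        return false;
    }
private:
    std::set<ImageClient*> m_clients; // raw, non-owning pointers
};

class Clipboard : public ImageClient {
public:
    explicit Clipboard(bool detachInDestructor) : m_detach(detachInDestructor) {}
    ~Clipboard() override {
        // Unregister before this object's storage goes away (skipped in the pre-fix mode).
        if (m_detach && m_dragImage) m_dragImage->removeClient(this);
    }
    void setDragImage(Image* img) {
        m_dragImage = img;
        if (img) img->addClient(this);
    }
    bool willRenderSoon() const override { return false; }
private:
    Image* m_dragImage = nullptr;
    bool m_detach;
};

// Number of client pointers the image still holds after a clipboard is destroyed.
std::size_t staleClientsAfterDestroy(bool detachInDestructor) {
    Image image; // outlives the clipboard, as a cached resource would
    {
        Clipboard clipboard(detachInDestructor);
        clipboard.setDragImage(&image);
    }
    return image.clientCount(); // only counted, never dereferenced
}
```

A non-zero result means a later `likelyToBeUsedSoon()` call would dereference freed memory; building the pre-fix mode with AddressSanitizer and making that call reports it as a heap-use-after-free when the clipboard is heap-allocated.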