Fix use-after-free in gfx::Image.

Fix use-after-free in gfx::Image.

ToImageSkia, ToUIImage and ToNSImage would insert an ImageRep into the
map, then return the pointer to the ImageRep. If the map already
contained a rep of that type, the new rep gets freed and the returned
pointer is dangling. Adds a CHECK for this case so it will now crash
cleanly.

This should not happen, but it is evidently possible. This could mean
that ToImageSkia is being called from two threads at the same time
(which is bad, because gfx::Image is not thread safe).

BUG=590882
Committed: https://crrev.com/7e551c12da627989bf8f31afd7b671279113d92d
Cr-Commit-Position: refs/heads/master@{#381141}

[Matt Giuca, 2016-03-07 05:55:10]

mgiuca@chromium.org changed reviewers:
+ rsesek@chromium.org

[Matt Giuca, 2016-03-07 05:55:10]

Alternative to https://codereview.chromium.org/1769433002/.

The discussion on the bug pointed at the DCHECK-and-move-on being the wrong
approach (since std::map is not thread-safe). So adding a CHECK instead. WDYT?

I still think we should update the AddRepresentation interface to return the
pointer, but if we go with CHECK instead of DCHECK that isn't strictly necessary
to fix the bug, so I took it out of this CL.

[Robert Sesek, 2016-03-14 17:19:44]

LGTM. I think this fix is better because it'll hopefully ferret out the
thread-unsafe usage in a more obvious way.

[Matt Giuca, 2016-03-14 23:43:24]

Description was changed from

==========
Fix use-after-free in gfx::Image.

ToImageSkia, ToUIImage and ToNSImage would insert an ImageRep into the
map, then return the pointer to the ImageRep. If the map already
contained a rep of that type, the new rep gets freed and the returned
pointer is dangling. Adds a CHECK for this case so it will now crash
cleanly.

This should not happen, but it is evidently possible. This could mean
that ToImageSkia is being called from two threads at the same time
(which is bad, because gfx::Image is not thread safe).

BUG=590882
==========

to

==========
Fix use-after-free in gfx::Image.

ToImageSkia, ToUIImage and ToNSImage would insert an ImageRep into the
map, then return the pointer to the ImageRep. If the map already
contained a rep of that type, the new rep gets freed and the returned
pointer is dangling. Adds a CHECK for this case so it will now crash
cleanly.

This should not happen, but it is evidently possible. This could mean
that ToImageSkia is being called from two threads at the same time
(which is bad, because gfx::Image is not thread safe).

BUG=590882
==========

[Matt Giuca, 2016-03-14 23:43:27]

The CQ bit was checked by mgiuca@chromium.org

[commit-bot: I haz the power, 2016-03-14 23:44:03]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/1773433002/1
View timeline at
 https://chromium-cq-status.appspot.com/patch-timeline/1773433002/1

[commit-bot: I haz the power, 2016-03-15 00:57:08]

Description was changed from

==========
Fix use-after-free in gfx::Image.

ToImageSkia, ToUIImage and ToNSImage would insert an ImageRep into the
map, then return the pointer to the ImageRep. If the map already
contained a rep of that type, the new rep gets freed and the returned
pointer is dangling. Adds a CHECK for this case so it will now crash
cleanly.

This should not happen, but it is evidently possible. This could mean
that ToImageSkia is being called from two threads at the same time
(which is bad, because gfx::Image is not thread safe).

BUG=590882
==========

to

==========
Fix use-after-free in gfx::Image.

ToImageSkia, ToUIImage and ToNSImage would insert an ImageRep into the
map, then return the pointer to the ImageRep. If the map already
contained a rep of that type, the new rep gets freed and the returned
pointer is dangling. Adds a CHECK for this case so it will now crash
cleanly.

This should not happen, but it is evidently possible. This could mean
that ToImageSkia is being called from two threads at the same time
(which is bad, because gfx::Image is not thread safe).

BUG=590882
==========

[commit-bot: I haz the power, 2016-03-15 00:57:09]

Committed patchset #1 (id:1)

[commit-bot: I haz the power, 2016-03-15 00:58:11]

Description was changed from

==========
Fix use-after-free in gfx::Image.

ToImageSkia, ToUIImage and ToNSImage would insert an ImageRep into the
map, then return the pointer to the ImageRep. If the map already
contained a rep of that type, the new rep gets freed and the returned
pointer is dangling. Adds a CHECK for this case so it will now crash
cleanly.

This should not happen, but it is evidently possible. This could mean
that ToImageSkia is being called from two threads at the same time
(which is bad, because gfx::Image is not thread safe).

BUG=590882
==========

to

==========
Fix use-after-free in gfx::Image.

ToImageSkia, ToUIImage and ToNSImage would insert an ImageRep into the
map, then return the pointer to the ImageRep. If the map already
contained a rep of that type, the new rep gets freed and the returned
pointer is dangling. Adds a CHECK for this case so it will now crash
cleanly.

This should not happen, but it is evidently possible. This could mean
that ToImageSkia is being called from two threads at the same time
(which is bad, because gfx::Image is not thread safe).

BUG=590882

Committed: https://crrev.com/7e551c12da627989bf8f31afd7b671279113d92d
Cr-Commit-Position: refs/heads/master@{#381141}
==========

[commit-bot: I haz the power, 2016-03-15 00:58:12]

Patchset 1 (id:??) landed as
https://crrev.com/7e551c12da627989bf8f31afd7b671279113d92d
Cr-Commit-Position: refs/heads/master@{#381141}