Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(248)

Issues Search
    My Issues | Starred     Open | Closed | All

Issue 2152853003: Check |m_image| before using in |LayoutListMarker::imageChanged()| (Closed)

Created:
4 years, 5 months ago by chongz
Modified:
4 years, 5 months ago
Reviewers:
eae
CC:
chromium-reviews, szager+layoutwatch_chromium.org, zoltan1, blink-reviews-layout_chromium.org, pdr+renderingwatchlist_chromium.org, eae+blinkwatch, leviw+renderwatch, jchaffraix+rendering, blink-reviews, rnimmagadda_chromium.org, hiroshige
Base URL:
https://chromium.googlesource.com/chromium/src.git@master
Target Ref:
refs/pending/heads/master
Project:
chromium
Visibility:
Public.

Description

Check |m_image| before using in |LayoutListMarker::imageChanged()| This CL fixed crash cause by css: ``` cursor:url('?'),auto; display:list-item; ``` |LayoutObject::imageChanged()| can be shared by multiple image listeners, it could be invoked by other listeners (from base class) before we add our own listeners. We should make sure the object is ready and the image is the expected image. Example Crash Log: #0 0x7f0b7e03def7 base::debug::(anonymous namespace)::StackDumpSignalHandler() #1 0x7f0b7aa78330 <unknown> #2 0x7f0b7d98ae36 blink::LayoutListMarker::imageChanged() #3 0x7f0b7d73002c blink::ImageResource::notifyObservers() #4 0x7f0b7d72fb9e blink::ImageResource::updateImage() #5 0x7f0b7d730240 blink::ImageResource::finish() #6 0x7f0b7d74335c blink::ResourceFetcher::didFinishLoading() #7 0x7f0b7d0426f1 content::WebURLLoaderImpl::Context::OnCompletedRequest() #8 0x7f0b7d029de5 content::ResourceDispatcher::OnRequestComplete() #9 0x7f0b7d02b395 _ZN3IPC8MessageTI32ResourceMsg_RequestComplete_MetaSt5tupleIJiN7content31ResourceRequestCompletionStatusEEEvE8DispatchINS3_18ResourceDispatcherES8_vMS8_FviRKS4_EEEbPKNS_7MessageEPT_PT0_PT1_T2_ #10 0x7f0b7d0283e2 content::ResourceDispatcher::DispatchMessage() #11 0x7f0b7d027cdb content::ResourceDispatcher::OnMessageReceived() #12 0x7f0b7bba92e9 _ZN4base8internal7InvokerINS0_9BindStateIPFvSt10unique_ptrIN6syncer22AttachmentStoreBackendESt14default_deleteIS5_EEEJNS0_13PassedWrapperIS8_EEEEEFvvEE3RunEPNS0_13BindStateBaseE #13 0x7f0b7e0afdd6 base::debug::TaskAnnotator::RunTask() BUG=627811 Committed: https://crrev.com/7f53d5050b3b72d11cfbceb54f49d0bba15de43a Cr-Commit-Position: refs/heads/master@{#405595}

Patch Set 1 #

Unified diffs Side-by-side diffs Delta from patch set Stats (+19 lines, -1 line) Patch
A third_party/WebKit/LayoutTests/fast/css/cursor-image-list-item-crash.html View 1 chunk +18 lines, -0 lines 0 comments Download
M third_party/WebKit/Source/core/layout/LayoutListMarker.cpp View 1 chunk +1 line, -1 line 0 comments Download

Messages

Total messages: 16 (11 generated)
chongz
eae@ PTAL at this fix for the Canary crash, thanks!
4 years, 5 months ago (2016-07-14 18:44:49 UTC) #7
eae
OK, LGTM
4 years, 5 months ago (2016-07-14 21:49:24 UTC) #10
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2152853003/1
4 years, 5 months ago (2016-07-14 21:59:23 UTC) #12
commit-bot: I haz the power
Committed patchset #1 (id:1)
4 years, 5 months ago (2016-07-14 22:10:31 UTC) #14
commit-bot: I haz the power
4 years, 5 months ago (2016-07-14 22:14:44 UTC) #16
Message was sent while issue was closed. 
Patchset 1 (id:??) landed as
https://crrev.com/7f53d5050b3b72d11cfbceb54f49d0bba15de43a
Cr-Commit-Position: refs/heads/master@{#405595}

Powered by Google App Engine
This is Rietveld 408576698