Bug 1495738 - Image cache entry should compare the window ID together with the loadID because the loadID can be a reused pointer, r=aosmond
author Andrea Marchesini <amarchesini@mozilla.com>
Tue, 02 Oct 2018 17:05:21 +0200
changeset 494992 135eaacf1dfc66c289367a665473e67a650407b9
parent 494991 39c8abcf9cb2f40b78289a5535fe550368302423
child 494993 fdbb1ad695392bc5e5e00200013dee7c98a54967
push id 9984
push user ffxbld-merge
push date Mon, 15 Oct 2018 21:07:35 +0000
treeherder mozilla-beta@183d27ea8570
reviewers aosmond
bugs 1495738
milestone 64.0a1
image/imgLoader.cpp
--- a/image/imgLoader.cpp
+++ b/image/imgLoader.cpp
@@ -2036,19 +2036,23 @@ imgLoader::ValidateEntry(imgCacheEntry* 
 
   bool validateRequest = false;
 
   // If the request's loadId is the same as the aCX, then it is ok to use
   // this one because it has already been validated for this context.
   //
   // XXX: nullptr seems to be a 'special' key value that indicates that NO
   //      validation is required.
-  //
+  // XXX: we also check the window ID because the loadID() can return a reused
+  //      pointer of a document. This can still happen for non-document image
+  //      cache entries.
   void *key = (void*) aCX;
-  if (request->LoadId() != key) {
+  nsCOMPtr<nsIDocument> doc = do_QueryInterface(aCX);
+  uint64_t innerWindowID = doc ? doc->InnerWindowID() : 0;
+  if (request->LoadId() != key || request->InnerWindowID() != innerWindowID) {
     // If we would need to revalidate this entry, but we're being told to
     // bypass the cache, we don't allow this entry to be used.
     if (aLoadFlags & nsIRequest::LOAD_BYPASS_CACHE) {
       return false;
     }
 
     if (MOZ_UNLIKELY(ChaosMode::isActive(ChaosFeature::ImageCache))) {
       if (ChaosMode::randomUint32LessThan(4) < 1) {
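Review bot: at `uint64_t innerWindowID = doc ? doc->InnerWindowID() : 0;`, every aCX that is not an nsIDocument collapses to window ID 0, so for those callers the added `request->InnerWindowID() != innerWindowID` test adds nothing beyond the pointer comparison and a reused LoadId() pointer can still be taken as already validated, which the new comment concedes only in passing ("This can still happen for non-document image cache entries"). Please spell out in the comment that 0 stands for "no document" and that non-document contexts still rely on pointer equality alone, and say whether a follow-up is planned for that case. The interaction with the existing note that nullptr is a 'special' key meaning no validation is required also needs a sentence: with aCX null the key is nullptr and innerWindowID is 0, so a request whose LoadId() is nullptr but whose InnerWindowID() is non-zero now takes the revalidation branch (and returns false under LOAD_BYPASS_CACHE), where before it skipped it. If that change is intended, state it; if not, the window ID comparison should be limited to the case where doc is non-null. Minor: the new comment is introduced with "XXX:", which reads as an open to-do, while its first sentence is the explanation of the check; only the non-document caveat is an open item.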