[Webkit-unassigned] [Bug 9476] REGRESSION: Reproducible crash after closing window after viewing css2.1/t0803-c5501-imrgn-t-00-b-ag.html
bugzilla-daemon at opendarwin.org
bugzilla-daemon at opendarwin.org
Fri Jun 16 21:47:50 PDT 2006
http://bugzilla.opendarwin.org/show_bug.cgi?id=9476
ddkilzer at kilzer.net changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |timothy at hatcher.name,
| |mjs at apple.com,
| |adele at apple.com,
| |ggaren at apple.com
------- Comment #5 from ddkilzer at kilzer.net 2006-06-16 21:47 PDT -------
For my simple test case in Comment #0, what's happening is that
KJS::Debugger::~Debugger() gets called *first* which calls detach(0), then
KJS::Interpreter::~Interpreter() gets called *second* which calls detach(this),
which by that time has already had its debugger detached (and thus bad pointers
are dereferenced).
The while() loop in detach() doesn't call setDebugger(0) on every Debugger it
destroys, so some Interpreters will think they still need to destroy theirs.
The solution is to call setDebugger(0) on every Interpreter that is destroyed
regardless of whether it's "ours" or not. The initial code in detach() is
therefore no longer needed.
--
Configure bugmail: http://bugzilla.opendarwin.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
More information about the webkit-unassigned
mailing list