[Webkit-unassigned] [Bug 16512] Valgrind: Invalid read of size 4

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Dec 23 13:05:11 PST 2008


https://bugs.webkit.org/show_bug.cgi?id=16512





------- Comment #7 from darin at apple.com  2008-12-23 13:05 PDT -------
I can't tell from the backtrace if this crash is happening inside the document
destructor; the trace pasted here doesn't go far enough back.

I believe one correct fix would be code like this in the destructors of the
various classes such as HTMLObjectElement:

    // Undo this element's named-item registration if it is destroyed while
    // still in an HTMLDocument (the non-HTML document has no such maps).
    if (inDocument() && isDocNamedItem() && document()->isHTMLDocument()) {
        HTMLDocument* document = static_cast<HTMLDocument*>(this->document());
        document->removeNamedItem(m_name);
        document->removeExtraNamedItem(m_id);
    }

This code catches the case where the object is being destroyed while it's still
in the document. However, it may be that the only way this can happen is when
the nodes are being destroyed inside ~Document. If so, then we can do a more
efficient fix by adding this code to ~HTMLDocument:

    // Drop the name counts up front, before the remaining nodes are destroyed.
    m_namedItemCounts.clear();
    m_extraNamedItemCounts.clear();

If this is inside ~HTMLDocument, it's strange that some elements are being
removed from the document and others are simply being destroyed in place. I'd
still like to understand that.

We shouldn't need to add any new data members in any case.


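The two fixes sketched in the comment above, modelled as an added example. This is not WebKit code: the document, element, map and function names below are stand-ins chosen for the illustration, and the structure (a count map keyed on the address of an element-owned interned string, registration on insertion, deregistration on removal) is an assumption about the shape of the problem, not a description of WebKit's implementation. The example shows why an element destroyed while still in the document leaves a dangling key behind, how the destructor guard prevents it, and how clearing the maps first in the document destructor makes the guard unnecessary on the teardown path.

```cpp
// Added example (not WebKit code): a toy model of named-item bookkeeping.
// The document keeps a count per name, keyed on the address of the element's
// interned name string; an element registers on insertion and deregisters on
// removal. Every name below is a stand-in chosen for the example.
#include <cstddef>
#include <cstdio>
#include <map>
#include <memory>
#include <string>
#include <utility>

// Stand-in for an interned string: the count map keys on this object's address.
struct AtomicStringImpl {
    std::string chars;
    explicit AtomicStringImpl(std::string s) : chars(std::move(s)) {}
};

struct HTMLDocument {
    // Analogue of m_namedItemCounts: name -> number of in-document elements
    // carrying that name. The key is a raw pointer, so an entry left behind
    // by a freed element is a dangling key.
    std::map<const AtomicStringImpl*, int> namedItemCounts;

    void addNamedItem(const AtomicStringImpl* name) { ++namedItemCounts[name]; }
    void removeNamedItem(const AtomicStringImpl* name) {
        auto it = namedItemCounts.find(name);
        if (it != namedItemCounts.end() && --it->second == 0)
            namedItemCounts.erase(it);
    }
};

// A named element (think HTMLObjectElement) that owns its name string.
struct NamedElement {
    HTMLDocument* doc = nullptr;              // non-null while inDocument()
    std::unique_ptr<AtomicStringImpl> m_name;
    bool guardedDestructor;                   // apply the destructor fix?

    NamedElement(std::string name, bool guarded)
        : m_name(std::make_unique<AtomicStringImpl>(std::move(name))),
          guardedDestructor(guarded) {}

    bool inDocument() const { return doc != nullptr; }

    void insertedIntoDocument(HTMLDocument& d) {
        doc = &d;
        doc->addNamedItem(m_name.get());
    }
    void removedFromDocument() {
        doc->removeNamedItem(m_name.get());
        doc = nullptr;
    }

    // First fix from the comment: an element destroyed while still in the
    // document drops its own name, so the map never outlives the string it
    // points at. m_name is still alive here; members die after this body.
    ~NamedElement() {
        if (guardedDestructor && inDocument())
            doc->removeNamedItem(m_name.get());
    }
};

// Normal path: removal from the document precedes destruction.
std::size_t staleEntriesAfterNormalRemoval() {
    HTMLDocument doc;
    auto el = std::make_unique<NamedElement>("plugin", false);
    el->insertedIntoDocument(doc);
    el->removedFromDocument();
    el.reset();
    return doc.namedItemCounts.size();        // 0
}

// Failure mode: the element is destroyed in place, still in the document.
// Without the guard one entry survives and its key now points at freed
// memory. The toy only counts entries and never dereferences a key, so it
// stays well-defined; any later dereference of that key would be a read of
// freed memory, the class of error named in the bug title.
std::size_t staleEntriesWhenDestroyedInPlace(bool guarded) {
    HTMLDocument doc;
    auto el = std::make_unique<NamedElement>("plugin", guarded);
    el->insertedIntoDocument(doc);
    el.reset();                               // no removedFromDocument()
    return doc.namedItemCounts.size();        // 1 unguarded, 0 guarded
}

// Second fix from the comment: if in-place destruction only happens during
// document teardown, the document destructor can clear the count maps up
// front, and an unguarded element destroyed afterwards leaves nothing behind.
std::size_t staleEntriesAtDocumentTeardown() {
    HTMLDocument doc;
    auto el = std::make_unique<NamedElement>("plugin", false);
    el->insertedIntoDocument(doc);
    doc.namedItemCounts.clear();              // what ~HTMLDocument would do first
    el.reset();
    return doc.namedItemCounts.size();        // 0
}

int main() {
    std::printf("normal removal: %zu stale\n", staleEntriesAfterNormalRemoval());
    std::printf("in place, unguarded: %zu stale\n", staleEntriesWhenDestroyedInPlace(false));
    std::printf("in place, guarded: %zu stale\n", staleEntriesWhenDestroyedInPlace(true));
    std::printf("document teardown: %zu stale\n", staleEntriesAtDocumentTeardown());
    return 0;
}
```

The stale count is the only thing the model observes on purpose: a map keyed on raw pointers stays well-defined as long as nobody follows a freed key, and the point of both fixes is to guarantee that no such key is ever left in the map for someone to follow. Which fix is right depends on the question the comment leaves open, whether in-place destruction can happen anywhere other than document teardown.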