[Webkit-unassigned] [Bug 19891] New: Broken HTML object elements cause de-reference of pointer to freed memory

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jul 3 15:30:35 PDT 2008


           Summary: Broken HTML object elements cause de-reference of
                    pointer to freed memory
           Product: WebKit
           Version: 526+ (Nightly build)
          Platform: Macintosh
        OS/Version: Mac OS X 10.4
            Status: UNCONFIRMED
          Severity: Critical
          Priority: P2
         Component: Page Loading
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: chrisb at adobe.com

When loading the attached test case WebCore requests that the FrameLoaderClient
create multiple frames with the same owner element.  When we tear down the DOM
only the frame that is pointed at by the owner element's contentFrame pointer
is properly torn down.  The other frames end up using their owner element
pointer to calculate topDocument during their tear down sequence.  At that
point the ownerElement is freed memory.

Steps to reproduce:
1. Apply first attached patch.  Patch works ~ revision 34962.  This patch adds
debugging code that will cause a crash if Frame::ownerElement would return a
reference to a freed FrameOwnerElement.
2. Load the attached test html file via HTTP.
3. After the page loads navigate to about:blank.

I believe the second attached patch should catch the problem earlier by
asserting in the debug build that a new frame's owner element does not already
have a content frame that points to the same owner element.

I cannot get this to crash reliably in the nightly builds.

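The ownership invariant this report turns on, as an added C++ model that is not WebKit code (the `OwnerElement`, `Frame` and `FrameList` types are hypothetical stand-ins for the owner element and its frames): a checked creation path that refuses a second frame for an owner which already has a content frame, next to the tear-down that clears only the contentFrame's back-pointer and the one that clears every frame that still names the owner.

```cpp
#include <memory>
#include <vector>
// Constructed model (hypothetical types, not WebCore's): owner element <-> frame back-pointers.
struct Frame;
struct OwnerElement { Frame* contentFrame = nullptr; };      // the one frame the element claims to own
struct Frame {
    OwnerElement* ownerElement;                               // back-pointer read during tear-down
    explicit Frame(OwnerElement* o) : ownerElement(o) {}
};
using FrameList = std::vector<std::unique_ptr<Frame>>;
// Create a frame for `owner`. `checked` models the debug assertion the report's second
// patch proposes: an owner element must not already have a content frame.
bool createFrame(OwnerElement& owner, FrameList& frames, bool checked) {
    if (checked && owner.contentFrame) return false;          // duplicate request rejected
    frames.push_back(std::make_unique<Frame>(&owner));
    owner.contentFrame = frames.back().get();                 // unchecked: earlier frame silently orphaned
    return true;
}
// Tear-down as the report describes it: only the frame reachable via contentFrame is detached.
void teardownContentFrameOnly(OwnerElement& owner) {
    if (owner.contentFrame) owner.contentFrame->ownerElement = nullptr;
    owner.contentFrame = nullptr;
}
// Corrected tear-down: detach every frame that still names `owner`, not just the contentFrame.
void teardownAllFrames(OwnerElement& owner, FrameList& frames) {
    for (auto& f : frames) if (f->ownerElement == &owner) f->ownerElement = nullptr;
    owner.contentFrame = nullptr;
}
// Frames whose ownerElement would dangle once `owner` is freed.
int staleFrames(const FrameList& frames, const OwnerElement& owner) {
    int n = 0;
    for (auto& f : frames) if (f->ownerElement == &owner) ++n;
    return n;
}
// Report scenario: two frames created for one owner (unchecked, so the duplicate goes
// through), then the DOM torn down either way. Returns the number of dangling back-pointers.
int staleAfterTeardown(bool fixedTeardown) {
    OwnerElement owner; FrameList frames;
    createFrame(owner, frames, false);
    createFrame(owner, frames, false);
    if (fixedTeardown) teardownAllFrames(owner, frames);
    else teardownContentFrameOnly(owner);
    return staleFrames(frames, owner);
}
// Same scenario with the check on: the second request is refused before any frame is orphaned.
bool duplicateRejected() {
    OwnerElement owner; FrameList frames;
    return createFrame(owner, frames, true) && !createFrame(owner, frames, true);
}
```

With the unchecked path and contentFrame-only tear-down, `staleAfterTeardown(false)` leaves one frame still pointing at the owner, which is the dangling reference the report's first patch makes crash; detaching every frame, or refusing the duplicate up front, leaves none.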