[Webkit-unassigned] [Bug 19891] New: Broken HTML object elements cause de-reference of pointer to freed memory
bugzilla-daemon at webkit.org
Thu Jul 3 15:30:35 PDT 2008
https://bugs.webkit.org/show_bug.cgi?id=19891
Summary: Broken HTML object elements cause de-reference of pointer to freed memory
Product: WebKit
Version: 526+ (Nightly build)
Platform: Macintosh
OS/Version: Mac OS X 10.4
Status: UNCONFIRMED
Severity: Critical
Priority: P2
Component: Page Loading
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: chrisb at adobe.com
When loading the attached test case, WebCore requests that the FrameLoaderClient create multiple frames with the same owner element. When we tear down the DOM, only the frame that is pointed at by the owner element's contentFrame pointer is properly torn down. The other frames end up using their owner element pointer to calculate topDocument during their tear down sequence. At that point the ownerElement is freed memory.
Steps to reproduce:
1. Apply the first attached patch. The patch works at ~ revision 34962. This patch adds debugging code that will cause a crash if Frame::ownerElement would return a reference to a freed FrameOwnerElement.
2. Load the attached test HTML file via HTTP.
3. After the page loads, navigate to about:blank.
I believe the second attached patch should catch the problem earlier by asserting in the debug build that a new frame's owner element does not already have a content frame that points to the same owner element.
I cannot get this to crash reliably in the nightly builds.
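As an added illustration of the ownership invariant the second patch asserts (this is a toy model written for this page, not WebKit code or the reporter's patches): FrameOwnerElement, Frame, contentFrame and ownerElement are stand-ins for the WebCore types named in the report, teardown clears only the frame reached through contentFrame, and the check refuses a second binding rather than asserting.

```cpp
#include <memory>
#include <vector>
struct Frame;
// Stand-in for WebCore's FrameOwnerElement (e.g. <object>): knows one content frame.
struct FrameOwnerElement { Frame* contentFrame = nullptr; };
// Stand-in for WebCore's Frame: non-owning back-pointer to its owner element.
struct Frame { FrameOwnerElement* ownerElement = nullptr; };

// The invariant the report's second patch asserts: a new frame's owner must not
// already have a content frame. Here the binding is refused instead of asserting.
bool bindFrameToOwner(FrameOwnerElement& owner, Frame& frame) {
    if (owner.contentFrame && owner.contentFrame != &frame)
        return false;
    owner.contentFrame = &frame;
    frame.ownerElement = &owner;
    return true;
}

// DOM teardown as the report describes it: only the frame reachable through
// contentFrame has its owner pointer cleared; any other frame keeps a stale one.
void detachOwner(FrameOwnerElement& owner) {
    if (!owner.contentFrame)
        return;
    owner.contentFrame->ownerElement = nullptr;
    owner.contentFrame = nullptr;
}

// Bind frameCount frames to one owner, tear down, and count frames still holding
// an owner pointer (each would dereference freed memory once the owner element
// is destroyed). checked=false models the unchecked loader path from the report.
int staleOwnerPointersAfterTeardown(int frameCount, bool checked) {
    FrameOwnerElement owner;
    std::vector<std::unique_ptr<Frame>> frames;
    for (int i = 0; i < frameCount; ++i) {
        std::unique_ptr<Frame> f(new Frame);
        if (checked) {
            if (!bindFrameToOwner(owner, *f))
                continue;                   // extra frame rejected, never created
        } else {
            owner.contentFrame = f.get();   // silently overwrites the previous frame
            f->ownerElement = &owner;
        }
        frames.push_back(std::move(f));
    }
    detachOwner(owner);
    int stale = 0;
    for (const auto& f : frames)
        if (f->ownerElement) ++stale;
    return stale;
}
```

With two or more frames bound unchecked to one owner, every frame except the last keeps a stale ownerElement after teardown; with the binding check, only one frame ever exists and none is left stale.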