[Webkit-unassigned] [Bug 21329] REGRESSION: crash in ScriptElement::notifyFinished
bugzilla-daemon at webkit.org
Fri Oct 3 11:30:28 PDT 2008
https://bugs.webkit.org/show_bug.cgi?id=21329
------- Comment #3 from eric at webkit.org 2008-10-03 11:30 PDT -------
(In reply to comment #2)
> This patch, which essentially just rolls back part of the original change,
> seems to resolve the bug. I'll work on a layout test, but it may be
> challenging since it is dependent on GC running at the right time.
>
> Index: ScriptElement.cpp
> ===================================================================
> --- ScriptElement.cpp (revision 2802)
> +++ ScriptElement.cpp (working copy)
> @@ -180,10 +180,13 @@
> CachedScript* cs = static_cast<CachedScript*>(o);
> ASSERT(cs == m_cachedScript);
> + // Evaluating the script could lead to a garbage collection which can
> + // delete the script element so we need to protect it.
> + RefPtr<Element> protector(m_element);
> +
> if (cs->errorOccurred())
> m_scriptElement->dispatchErrorEvent();
> else {
> - RefPtr<Element> protector(m_element);
> evaluateScript(cs->url(), cs->script());
> m_scriptElement->dispatchLoadEvent();
> }
>
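Review bot: The new comment above the protector names only script evaluation, but hoisting RefPtr<Element> protector(m_element); out of the else branch also puts m_scriptElement->dispatchErrorEvent() under the guard. The comment should say that the error path is covered as well, since event handlers can run script too. Otherwise a later cleanup may narrow the scope back to the evaluateScript() call. Separately, the protector takes its reference through m_element while both dispatch calls go through m_scriptElement. Please confirm that holding m_element keeps the object behind m_scriptElement alive for the rest of the function, including anything that runs after dispatchLoadEvent() outside the lines shown here.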
The change looks good. We just need a changelog, and ideally a layout test.
gc() or GCController.collect() should be able to kick off GC when you need.