[Webkit-unassigned] [Bug 20403] [Gtk] Segfault after a table with an iframe is attempted to be added twice to DOM model with javascript.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Sep 18 10:58:46 PDT 2008


https://bugs.webkit.org/show_bug.cgi?id=20403





------- Comment #14 from lkcl at lkcl.net  2008-09-18 10:58 PDT -------
remember - the order of events is as follows:

* view page
* initial frame gets loaded
* timer goes off (creating new thread context)
* timer-initiated thread removes old frame, resulting in destruction of document,
including a "Frame"
* destruction of document results in webkit objects being deleted.  regardless
of current refcount, refcounts are forced to zero.
* WebKitWebFrame contains an object which has been forcibly deleted
* main thread still has "page loading" signals outstanding
* main thread tries to notify user of "page loading" on a WebKitWebFrame where
the Frame has been forcibly destroyed, outside of the control of the main
thread (by timer-initiated-thread).
* main thread tries to de-reference NULL pointer.  segfault.

the fix _really is_ to check that m_frame != NULL.  much better would be to
copy the style of the JS Bindings, which already have this concept of
"mark()ing".

the issue's been solved for javascript bindings, and the code required to fix
this issue is there, tried, tested and available for easy adoption and use, to
solve the problem.
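An added illustration of the guard the comment asks for, as a constructed model rather than WebKit's or the commenter's code: the wrapper and `m_frame` names come from the comment, while `Frame`'s fields, `coreFrameDestroyed`, `notifyLoadProgress` and `replayScenario` are hypothetical. It replays the event order above on a single queue and shows the notification being dropped instead of dereferencing a cleared pointer.

```cpp
#include <deque>
#include <functional>
#include <memory>
#include <string>

// Constructed model (not WebKit code): the GTK wrapper WebKitWebFrame holds a
// non-owning pointer to a core Frame that a timer-driven document teardown can
// destroy while "page loading" notifications are still queued on the main loop.
struct Frame {
    std::string url;
    int progress = 0;
};

struct WebKitWebFrame {
    Frame* m_frame = nullptr;  // non-owning; dangles unless cleared on teardown
    std::string lastNotification;
    // Teardown hook: clearing the pointer is what makes the NULL check below
    // meaningful. Without it the check passes and the access is a use-after-free.
    void coreFrameDestroyed() { m_frame = nullptr; }
    // Hardened "page loading" notification: the m_frame != NULL check from the
    // comment. Returns false and touches nothing when the Frame is already gone.
    bool notifyLoadProgress(int progress) {
        if (!m_frame)
            return false;
        m_frame->progress = progress;
        lastNotification = m_frame->url + " " + std::to_string(progress) + "%";
        return true;
    }
};

// Replays the event order from the comment: two progress signals are queued,
// the timer tears the document down between them, and only the first reaches
// a live Frame. Returns how many notifications were actually delivered.
int replayScenario() {
    std::deque<std::function<void()>> mainLoop;
    auto frame = std::make_unique<Frame>(Frame{"http://example.invalid/", 0});  // constructed sample
    WebKitWebFrame webFrame;
    webFrame.m_frame = frame.get();
    int delivered = 0;
    mainLoop.push_back([&] { delivered += webFrame.notifyLoadProgress(50); });
    mainLoop.push_back([&] {          // timer fires: document and Frame destroyed
        webFrame.coreFrameDestroyed();
        frame.reset();
    });
    mainLoop.push_back([&] { delivered += webFrame.notifyLoadProgress(100); });
    while (!mainLoop.empty()) { mainLoop.front()(); mainLoop.pop_front(); }
    return delivered;  // 1: the second signal found m_frame == NULL and was dropped
}
```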


-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.


