[Webkit-unassigned] [Bug 23180] Reading freed memory at DocumentLoader::checkForPendingPreloads
bugzilla-daemon at webkit.org
Fri Jan 30 06:52:14 PST 2009
https://bugs.webkit.org/show_bug.cgi?id=23180
------- Comment #3 from mad at chromium.org 2009-01-30 06:52 PDT -------
Another solution I tried while working on the Chromium version of this bug is
to hold on to a reference to the document while we interact with the
docLoader... This would make the code safer for future maintenance and would
not depend on the call order...
I have a patch with that change (which is needed at two places, by the way)
that I will send for code review soon (once I know how to do this here; first
time I try :-).
(In reply to comment #0)
> In loader.cpp in Loader::Host::didFinishLoading the following two lines cause
> the problem:
>
> docLoader->setLoadInProgress(false);
> docLoader->checkForPendingPreloads();
>
> setLoadInProgress(false) can cause the frame to be deallocated, which can cause
> the document to be deallocated and the document destructor deletes the
> DocumentLoader. Therefore, docLoader can be freed memory at the call to
> checkForPendingPreloads.
>
> This happens when running the layout test:
> LayoutTests/http/tests/misc/onload-remove-iframe-crash-2.html.
>
> Would it make sense to just reorder and check for pending preloads before
> setting load in progress to false?
>
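The lifetime hazard described in comment #0 and the protecting-reference fix proposed in comment #3, as an added illustration that is not WebKit code: the model uses std::shared_ptr in place of WebKit's RefPtr, the type and function names are simplified stand-ins, and a constructed counter lets the example observe whether the loader is still alive without ever touching freed memory.

```cpp
// Simplified model of bug 23180 (added example, not WebCore code).
#include <functional>
#include <memory>

int liveLoaders = 0;  // constructed lifetime tracer: lets us check liveness without dereferencing

struct DocLoader {
    std::function<void()> onLoadFinished;  // stands in for the onload handler run when loading ends
    DocLoader() { ++liveLoaders; }
    ~DocLoader() { --liveLoaders; }
    void setLoadInProgress(bool inProgress) {
        // Clearing the flag dispatches load events; page script may remove the frame from inside them.
        auto handler = onLoadFinished;  // copy first: the handler may destroy this very object
        if (!inProgress && handler) handler();
    }
    void checkForPendingPreloads() {}  // reads members of *this: a use-after-free if *this was deleted
};

struct Document {  // the Document destructor deletes the DocLoader, as in comment #0
    std::unique_ptr<DocLoader> docLoader = std::make_unique<DocLoader>();
};

struct Page {  // holds the iframe's Document as its only owner, like the Frame does
    std::shared_ptr<Document> frameDocument = std::make_shared<Document>();
};

// Models onload-remove-iframe-crash-2.html: onload removes the iframe, dropping the last reference.
void installOnloadRemovesFrame(Page& page) {
    page.frameDocument->docLoader->onLoadFinished = [&page] { page.frameDocument.reset(); };
}

// Before: the call pattern from Loader::Host::didFinishLoading. Returns whether the loader
// was still alive when checkForPendingPreloads would have been called on it.
bool didFinishLoadingUnsafe(Page& page) {
    DocLoader* docLoader = page.frameDocument->docLoader.get();
    docLoader->setLoadInProgress(false);  // frame removed: Document and its DocLoader are deleted
    bool alive = liveLoaders > 0;
    if (alive) docLoader->checkForPendingPreloads();  // the real code makes this call unconditionally
    return alive;
}

// After (comment #3): hold a reference to the document for the duration of the interaction.
bool didFinishLoadingSafe(Page& page) {
    std::shared_ptr<Document> protector = page.frameDocument;  // keeps Document and DocLoader alive
    DocLoader* docLoader = protector->docLoader.get();
    docLoader->setLoadInProgress(false);  // frame drops its reference, but protector still owns one
    bool alive = liveLoaders > 0;
    if (alive) docLoader->checkForPendingPreloads();
    return alive;  // Document and DocLoader are released when protector goes out of scope
}
```

The unsafe version returns false because the loader is already gone at the second call regardless of who calls it, so reordering the two lines only works while nothing else can trigger the same teardown; the protecting reference removes the dependency on call order.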