[Webkit-unassigned] [Bug 34490] WebCore::ImageEventSender::dispatchPendingEvents() crashes on Chromium

bugzilla-daemon at webkit.org
Tue Feb 2 10:46:36 PST 2010


https://bugs.webkit.org/show_bug.cgi?id=34490


Victor Wang <victorw at chromium.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |hyatt at apple.com




--- Comment #1 from Victor Wang <victorw at chromium.org>  2010-02-02 10:46:36 PST ---
Looking into the dump, I think the crash is caused by the "loader" becoming
invalid when ImageEventSender dispatches pending events.

The crash started a few weeks ago and seems related to WebKit patch
http://trac.webkit.org/changeset/52116, which fixes bug 31660: Image load event
fires before the document fragment is attached. To fix that issue, the patch
(52116) removes the ImageLoader::dispatchPendingLoadEvents call from
HTMLTokenizer::write() so the load events are dispatched later.

From the dump, the crash happens in ImageEventSender::dispatchPendingEvents(),
which is called from HTMLTokenizer::finish(), and it seems that the ImageLoader
could be destroyed before that, leaving the "loader" in m_dispatchSoonList
invalid.

Looking at the ImageLoader destructor code, the event is removed from
loadEventSender only if m_fireLoad is false. I think we could remove the
m_fireLoad check in the ImageLoader destructor, and this should fix the crashes we
are having with Chromium. This should not be a Chromium-specific issue, and I think
the crash may happen on other browsers too.

Alexey and Dave,
You touched this code before; any comments on the issue and the change I
proposed to remove the check in the ImageLoader destructor?

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
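The dangling-pointer pattern described in the comment above, as an added illustration that is not WebCore's code and not the patch under discussion. The class shapes, the `DestructorPolicy` switch, the `liveLoaders()` registry and the helper functions are assumptions made for the example: an event sender keeps raw, non-owning pointers to loaders in `m_dispatchSoonList`; if a loader's destructor skips `cancelEvent()` while its load event is still queued, the later flush (the `HTMLTokenizer::finish()` path in the report) walks a freed object. The registry lets the example count stale entries instead of dereferencing them, which the real code cannot do.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <set>
#include <vector>

class ImageLoader;

// Registry of live ImageLoader addresses. Not part of WebCore: it exists only
// so the example can detect a dangling entry without dereferencing it.
static std::set<const ImageLoader*>& liveLoaders() {
    static std::set<const ImageLoader*> s;
    return s;
}

// Stand-in for WebCore::ImageEventSender. It holds raw, non-owning pointers
// to loaders that asked for a deferred load event (m_dispatchSoonList).
class ImageEventSender {
public:
    void dispatchEventSoon(ImageLoader* loader) { m_dispatchSoonList.push_back(loader); }

    void cancelEvent(ImageLoader* loader) {
        m_dispatchSoonList.erase(
            std::remove(m_dispatchSoonList.begin(), m_dispatchSoonList.end(), loader),
            m_dispatchSoonList.end());
    }

    bool hasPendingEvent(const ImageLoader* loader) const {
        return std::find(m_dispatchSoonList.begin(), m_dispatchSoonList.end(), loader)
            != m_dispatchSoonList.end();
    }

    // Models dispatchPendingEvents(): fire the event on every loader still
    // queued. Returns how many queued entries point at destroyed loaders; in
    // the real code each of those is a use-after-free.
    std::size_t dispatchPendingEvents();

private:
    std::vector<ImageLoader*> m_dispatchSoonList;
};

// Which destructor the loader uses: the conditional removal the bug report
// describes, or the unconditional removal it proposes.
enum class DestructorPolicy { RemoveOnlyWhenNotFiringLoad, AlwaysRemove };

class ImageLoader {
public:
    ImageLoader(ImageEventSender& sender, DestructorPolicy policy)
        : m_sender(sender), m_policy(policy) { liveLoaders().insert(this); }

    ~ImageLoader() {
        liveLoaders().erase(this);
        // Buggy variant: skips cancelEvent() exactly when a load event is
        // queued, leaving a dangling pointer in m_dispatchSoonList.
        if (m_policy == DestructorPolicy::AlwaysRemove || !m_fireLoad)
            m_sender.cancelEvent(this);
    }

    // Image finished loading: with the deferred ordering the event is only
    // queued here and fired later from the sender's flush.
    void notifyFinished() {
        m_fireLoad = true;
        m_sender.dispatchEventSoon(this);
    }

    void dispatchPendingLoadEvent() {
        if (!m_fireLoad) return;
        m_fireLoad = false;
        ++m_loadEventsFired;
    }

    int loadEventsFired() const { return m_loadEventsFired; }

private:
    ImageEventSender& m_sender;
    DestructorPolicy m_policy;
    bool m_fireLoad = false;
    int m_loadEventsFired = 0;
};

std::size_t ImageEventSender::dispatchPendingEvents() {
    std::vector<ImageLoader*> list;
    list.swap(m_dispatchSoonList);
    std::size_t stale = 0;
    for (ImageLoader* loader : list) {
        if (liveLoaders().count(loader) == 0) { ++stale; continue; }  // would be UAF
        loader->dispatchPendingLoadEvent();
    }
    return stale;
}

// Scenario from the report: a load event is queued, the loader is destroyed
// before the flush, then the sender flushes. Returns the stale-entry count.
std::size_t destroyLoaderBeforeFlush(DestructorPolicy policy) {
    ImageEventSender sender;
    {
        ImageLoader loader(sender, policy);
        loader.notifyFinished();
    }
    return sender.dispatchPendingEvents();
}

// Normal path: loader outlives the flush and sees its event exactly once.
int flushWithLiveLoader() {
    ImageEventSender sender;
    ImageLoader loader(sender, DestructorPolicy::AlwaysRemove);
    loader.notifyFinished();
    sender.dispatchPendingEvents();
    return loader.loadEventsFired();
}

int main() {
    std::printf("stale with conditional removal: %zu\n",
                destroyLoaderBeforeFlush(DestructorPolicy::RemoveOnlyWhenNotFiringLoad));
    std::printf("stale with unconditional removal: %zu\n",
                destroyLoaderBeforeFlush(DestructorPolicy::AlwaysRemove));
    return 0;
}
```

The check to take away is the invariant the unconditional `cancelEvent()` restores: an object must never be destroyed while a non-owning container still references it. A `hasPendingEvent(this)` assertion at the end of the destructor is a cheap way to catch the inverted or missing condition in debug builds before a sanitizer has to.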


