[Webkit-unassigned] [Bug 34490] WebCore::ImageEventSender::dispatchPendingEvents() crashes on Chromium
bugzilla-daemon at webkit.org
Wed Feb 3 09:46:20 PST 2010
https://bugs.webkit.org/show_bug.cgi?id=34490
Victor Wang <victorw at chromium.org> changed:
What       | Removed                               | Added
-----------|---------------------------------------|-----------------------
AssignedTo | webkit-unassigned at lists.webkit.org | victorw at chromium.org
--- Comment #3 from Victor Wang <victorw at chromium.org> 2010-02-03 09:46:18 PST ---
Created an attachment (id=48047)
--> (https://bugs.webkit.org/attachment.cgi?id=48047)
test case by adding delay to ImageLoader::m_timer in
ImageEventSender::dispatchEventSoon()
I was able to catch the crash by adding a delay to the timer in ImageEventSender
(ImageLoader.cpp) and repeatedly refreshing the attached page. This confirms the
theory in comment #1 is correct.
The crash happens if ImageLoader (owned by HTMLImageElement) is destroyed after
it has been added to ImageEventSender::m_dispatchSoonList but before the
pending load events are dispatched (by timer, HTMLParser::finished etc).
The crash could not be easily reproduced because of all the timing issues: it
depends on the time the ImageLoader timer fires, the time HTMLImageElement is
destroyed and collected by GC, the image loading time, the time a new empty
image src is set on an existing loader, etc.
Removing the image loader from the pending event queue whenever the loader is
destroyed fixes the crash.
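The lifetime bug described in the comment above (a loader queued in a deferred event list, then destroyed before the list is drained) and the fix (the loader dequeues itself on destruction) can be shown in isolation. The code below is an added example written for this page, not WebKit's ImageLoader.cpp; the class and member names mirror the ones in the report, but every function here (`cancelEvent`, `requestLoadEvent`, the three scenario functions) is a hypothetical stand-in, and the queue is a plain `std::vector` of raw pointers to make the dangling entry visible.

```cpp
#include <algorithm>
#include <cstdio>
#include <memory>
#include <vector>

class ImageLoader;

// Hypothetical stand-in for WebCore::ImageEventSender: a queue of raw
// loader pointers whose events fire later, from a timer or parser callback.
class ImageEventSender {
public:
    void dispatchEventSoon(ImageLoader* loader) { m_dispatchSoonList.push_back(loader); }

    // The fix the bug report describes: a loader that is being destroyed
    // removes itself from the pending queue so no dangling pointer is left.
    void cancelEvent(ImageLoader* loader) {
        m_dispatchSoonList.erase(
            std::remove(m_dispatchSoonList.begin(), m_dispatchSoonList.end(), loader),
            m_dispatchSoonList.end());
    }

    // Dispatches to every queued loader; returns how many were notified.
    int dispatchPendingEvents();

    size_t pendingCount() const { return m_dispatchSoonList.size(); }

private:
    std::vector<ImageLoader*> m_dispatchSoonList;
};

// Hypothetical stand-in for WebCore::ImageLoader (owned by an element).
class ImageLoader {
public:
    ImageLoader(ImageEventSender& sender, bool cancelOnDestroy)
        : m_sender(sender), m_cancelOnDestroy(cancelOnDestroy) {}

    // Unfixed behaviour leaves the queue entry behind; fixed behaviour
    // dequeues itself before the memory goes away.
    ~ImageLoader() {
        if (m_cancelOnDestroy)
            m_sender.cancelEvent(this);
    }

    void requestLoadEvent() { m_sender.dispatchEventSoon(this); }
    void dispatchPendingEvent() { ++m_eventsReceived; }
    int eventsReceived() const { return m_eventsReceived; }

private:
    ImageEventSender& m_sender;
    bool m_cancelOnDestroy;
    int m_eventsReceived = 0;
};

int ImageEventSender::dispatchPendingEvents() {
    // Swap the queue out first so loaders re-queued during dispatch land
    // in a fresh list instead of the one being iterated.
    std::vector<ImageLoader*> list;
    list.swap(m_dispatchSoonList);
    for (ImageLoader* loader : list)
        loader->dispatchPendingEvent();
    return static_cast<int>(list.size());
}

// Scenario 1 (unfixed): destroying a queued loader leaves a stale entry,
// i.e. a dangling pointer, in the queue. It is only counted, never touched.
size_t pendingAfterDestroyWithoutCancel() {
    ImageEventSender sender;
    {
        auto loader = std::make_unique<ImageLoader>(sender, /*cancelOnDestroy=*/false);
        loader->requestLoadEvent();
    } // loader destroyed here; its pointer stays queued
    return sender.pendingCount();
}

// Scenario 2 (fixed): the destructor dequeues the loader.
size_t pendingAfterDestroyWithCancel() {
    ImageEventSender sender;
    {
        auto loader = std::make_unique<ImageLoader>(sender, /*cancelOnDestroy=*/true);
        loader->requestLoadEvent();
    }
    return sender.pendingCount();
}

// Scenario 3 (fixed): two loaders queued, one destroyed before the timer
// fires. Returns 1 when only the survivor is dispatched to, exactly once.
int dispatchedAfterDestroyingOneOfTwo() {
    ImageEventSender sender;
    auto survivor = std::make_unique<ImageLoader>(sender, true);
    auto doomed = std::make_unique<ImageLoader>(sender, true);
    survivor->requestLoadEvent();
    doomed->requestLoadEvent();
    doomed.reset(); // destroyed before dispatch, as in the bug
    int dispatched = sender.dispatchPendingEvents();
    return (dispatched == 1 && survivor->eventsReceived() == 1) ? dispatched : -1;
}

int main() {
    std::printf("stale entries without fix: %zu\n", pendingAfterDestroyWithoutCancel());
    std::printf("stale entries with fix:    %zu\n", pendingAfterDestroyWithCancel());
    std::printf("dispatched after fix:      %d\n", dispatchedAfterDestroyingOneOfTwo());
    return 0;
}
```

Scenario 1 never dereferences the stale pointer; in the real sender the timer callback would, which is the use-after-free the report caught by delaying the timer. Running the same program under AddressSanitizer with a dereference added to scenario 1 is the quickest way to confirm the pattern in other deferred-event queues.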