[Webkit-unassigned] [Bug 54959] New: MemoryCache::revalidationSucceeded accesses possibly freed object
bugzilla-daemon at webkit.org
Tue Feb 22 07:54:10 PST 2011
https://bugs.webkit.org/show_bug.cgi?id=54959
Summary: MemoryCache::revalidationSucceeded accesses possibly freed object
Product: WebKit
Version: 528+ (Nightly build)
Platform: All
OS/Version: All
Status: UNCONFIRMED
Severity: Trivial
Priority: P2
Component: Page Loading
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: fabrizio.machado at nokia.com
In MemoryCache::revalidationSucceeded(), revalidatingResource is blindly accessed after evict() has been called on it:
=======================================
evict(revalidatingResource);
ASSERT(!m_resources.get(resource->url()));
m_resources.set(resource->url(), resource);
resource->setInCache(true);
resource->updateResponseAfterRevalidation(response);
insertInLRUList(resource);
int delta = resource->size();
if (resource->decodedSize() && resource->hasClients())
    insertInLiveDecodedResourcesList(resource);
if (delta)
    adjustSize(resource->hasClients(), delta);
revalidatingResource->switchClientsToRevalidatedResource();
=======================================
An inspection of MemoryCache::evict(CachedResource* resource) shows that it may delete the resource:
=======================================
if (resource->canDelete())
    delete resource;
=======================================
Therefore, if evict() has been called on revalidatingResource, then revalidatingResource must not be accessed without checking, since it may have been deleted.
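The ordering hazard the report describes, reduced to a small self-contained model. This is an added example, not WebKit code: the `Resource`, `Client` and `MemoryCache` types below are hypothetical stand-ins whose names mirror the report, `evict()` keeps the shape quoted above (remove from the map, then `delete` when `canDelete()` says so), and the `revalidationSucceeded()` here shows the safe ordering: do every step that needs the old resource (switching its clients to the revalidated one) before `evict()`, and never touch the pointer afterwards.

```cpp
#include <cassert>
#include <cstddef>
#include <iostream>
#include <map>
#include <string>
#include <utility>
#include <vector>

// Hypothetical miniature of a memory cache (not WebKit's classes).
struct Client;

struct Resource {
    explicit Resource(std::string u) : url(std::move(u)) {}
    std::string url;
    std::vector<Client*> clients;
    bool inCache = false;
    // In this toy a resource with no clients may be freed once evicted.
    bool canDelete() const { return clients.empty(); }
};

struct Client {
    Resource* resource = nullptr;  // the resource this client currently observes
};

class MemoryCache {
public:
    ~MemoryCache() { for (auto& kv : m_resources) delete kv.second; }

    void add(Resource* r) { m_resources[r->url] = r; r->inCache = true; }

    // Same shape as the evict() quoted in the report: drop from the map,
    // then free the object if nothing still depends on it.
    void evict(Resource* r) {
        m_resources.erase(r->url);
        r->inCache = false;
        if (r->canDelete()) { delete r; ++m_deleted; }
    }

    // Safe ordering: the only step that needs `revalidating` runs first, then
    // evict() is the last use of that pointer. The old resource may be gone
    // after this call, so nothing below dereferences it.
    std::size_t revalidationSucceeded(Resource* revalidating, Resource* fresh) {
        std::size_t moved = switchClients(revalidating, fresh);
        evict(revalidating);
        assert(m_resources.find(fresh->url) == m_resources.end());
        add(fresh);
        return moved;
    }

    std::size_t deletedCount() const { return m_deleted; }
    Resource* lookup(const std::string& url) const {
        auto it = m_resources.find(url);
        return it == m_resources.end() ? nullptr : it->second;
    }

private:
    // Re-point every client of `from` at `to`; returns how many were moved.
    static std::size_t switchClients(Resource* from, Resource* to) {
        std::size_t n = from->clients.size();
        for (Client* c : from->clients) { c->resource = to; to->clients.push_back(c); }
        from->clients.clear();
        return n;
    }
    std::map<std::string, Resource*> m_resources;
    std::size_t m_deleted = 0;
};

// Scenario with constructed data: one client watches the cached resource, a
// revalidated copy arrives under the same URL. Returns true when the client
// now points at the fresh copy, the old one was freed exactly once, and the
// cache maps the URL to the fresh resource.
bool revalidateScenario() {
    MemoryCache cache;
    const std::string url = "https://example.invalid/script.js";  // constructed
    Resource* old = new Resource(url);
    Resource* fresh = new Resource(url);
    Client client;
    client.resource = old;
    old->clients.push_back(&client);
    cache.add(old);

    std::size_t moved = cache.revalidationSucceeded(old, fresh);
    return moved == 1 && client.resource == fresh && cache.deletedCount() == 1
        && cache.lookup(url) == fresh && fresh->inCache;
}

int main() {
    std::cout << (revalidateScenario() ? "ok" : "FAIL") << '\n';
    return revalidateScenario() ? 0 : 1;
}
```

In the toy, the old resource has no clients left once they are switched, so `evict()` really does free it; that is exactly why the switch must come before the eviction and why no later statement may use the old pointer. Running the scenario under AddressSanitizer with the two calls swapped is a quick way to confirm a sanitizer reports a heap-use-after-free for the reversed order.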