[Webkit-unassigned] [Bug 61494] New: REGRESSION (r78342) - Crash when Document calls into a freed DocumentLoader

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed May 25 18:23:27 PDT 2011


https://bugs.webkit.org/show_bug.cgi?id=61494

           Summary: REGRESSION (r78342) - Crash when Document calls into a
                    freed DocumentLoader
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: All
            Status: NEW
          Keywords: InRadar
          Severity: Critical
          Priority: P1
         Component: Page Loading
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: beidson at apple.com
                CC: abarth at webkit.org, japhet at chromium.org


REGRESSION (r78342) - Crash when Document calls into a freed DocumentLoader

http://trac.webkit.org/changeset/78342 introduced a bizarre relationship between Document and DocumentLoader where a Document grabs a DocumentLoader in its constructor, then never changes that reference, even after the DocumentLoader is destroyed.

This is being discussed on webkit-dev under the subject "Early deletion of DocumentLoader instances".

Today Darin wrote in https://lists.webkit.org/pipermail/webkit-dev/2011-May/016834.html:
"
    1) It’s poor design that the document grabs and keeps a pointer to the document loader in its constructor. The document is not in a position to monitor the lifetime of the loader. It would be far more maintainable if the same code/class both set up and maintained the pointer.

    2) It's not clear that detach time is the right moment to invalidate the pointer from a document to its document loader. It would be better to study the lifetime of document loader and loading process to get a clearer idea of exactly what the right time is and what the best relationship between these objects is.

    3) Keeping a dangling m_documentLoader pointer around with no guarantee that it points to a live object is a bad design pattern. If the loader is no longer valid when the document is not associated with a frame, then the right way to deal with that is to zero out m_documentLoader in the detach function, not to check m_frame each time before checking m_documentLoader.
"

This isn't just affecting the EFL port. We have crash data showing that this is affecting the Mac WebKit port in the field.

In radar as <rdar://problem/9125145>
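The zero-on-detach pattern Darin describes in point 3, as an added example that is not WebKit code: the DocumentLoader and Document classes are simplified stand-ins named after the real ones, and Frame, destroyLoader() and urlAfterLoaderDestroyed() are assumptions made for the demonstration. The owner that knows both lifetimes clears the document's pointer before the loader is freed, and every use of the pointer tolerates null instead of testing m_frame first.

```cpp
#include <memory>
#include <string>

// Hypothetical stand-in for WebKit's DocumentLoader (not the real class).
class DocumentLoader {
public:
    explicit DocumentLoader(std::string url) : m_url(std::move(url)) {}
    const std::string& url() const { return m_url; }
private:
    std::string m_url;
};

// Hypothetical stand-in for WebKit's Document (not the real class).
class Document {
public:
    // As in the bug, the pointer is grabbed at construction time ...
    explicit Document(DocumentLoader* loader) : m_documentLoader(loader) {}
    // ... but the fix is that detach() zeroes it rather than leaving it dangling.
    void detach() { m_documentLoader = nullptr; }
    // Every use goes through an accessor that tolerates a null loader.
    std::string loaderURL() const {
        return m_documentLoader ? m_documentLoader->url() : std::string("<no loader>");
    }
private:
    DocumentLoader* m_documentLoader; // not owned; null after detach()
};

// Assumed owner that controls both lifetimes and keeps them consistent.
class Frame {
public:
    explicit Frame(const std::string& url)
        : m_loader(std::make_unique<DocumentLoader>(url)),
          m_document(std::make_unique<Document>(m_loader.get())) {}
    // Freeing the loader early (the r78342 situation) must detach the document
    // first, so the document never observes a freed DocumentLoader.
    void destroyLoader() {
        m_document->detach();
        m_loader.reset();
    }
    Document& document() { return *m_document; }
private:
    std::unique_ptr<DocumentLoader> m_loader;
    std::unique_ptr<Document> m_document;
};

// Runs the lifecycle and reports what the document sees before and after.
inline std::string urlAfterLoaderDestroyed() {
    Frame frame("https://example.test/"); // constructed sample URL
    std::string before = frame.document().loaderURL();
    frame.destroyLoader();
    return before + "|" + frame.document().loaderURL();
}
```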
