[Webkit-unassigned] [Bug 82882] Invalid read from WebKit::DOMObjectCache::clearByFrame
bugzilla-daemon at webkit.org
Mon Apr 2 04:24:12 PDT 2012
https://bugs.webkit.org/show_bug.cgi?id=82882
--- Comment #1 from Milan Crha <mcrha at redhat.com> 2012-04-02 04:24:12 PST ---
Created an attachment (id=135063)
--> (https://bugs.webkit.org/attachment.cgi?id=135063&action=review)
proposed webkit patch
for webkit;
Basically, if everything goes correctly, then weakRefNotify() is never called, thus objectDead is always FALSE, thus the 'while' dereferences 'data', which is already freed in the last loop cycle. I tested with valgrind and it is happy with this patch included.
Just for reference, here's the code I talk about (without the patch applied):
    gboolean objectDead = FALSE;
    g_object_weak_ref(data->object, weakRefNotify, &objectDead);
    // We need to check objectDead first, otherwise the cache data
    // might be garbage already.
    while (!objectDead && data->timesReturned > 0) {
        // If this is the last unref we are going to do,
        // disconnect the weak ref. We cannot do it afterwards
        // because the object might be dead at that point.
        if (data->timesReturned == 1)
            g_object_weak_unref(data->object, weakRefNotify, &objectDead);
        data->timesReturned--;
        g_object_unref(data->object);
    }