[Webkit-unassigned] [Bug 87928] New: [JSC][V8] Document accessed via ownerDocument may have been neutered by GC

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed May 30 23:19:25 PDT 2012 

https://bugs.webkit.org/show_bug.cgi?id=87928

           Summary: [JSC][V8] Document accessed via ownerDocument may have
                    been neutered by GC
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: HTML DOM
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: dominicc at chromium.org
                CC: dominicc at chromium.org


See the attached repro. Even when a reference to a document persists via someElement.ownerDocument, JavaScript GC causes the document to be emptied. This does not look like use-after-free – the element’s guard ref keeps the HTMLDocument alive, just in its neutered state.

Here’s the callstack resetting documentElement from Chrome:

Old value = ('WebCore::Element' *) 0x131a5440
New value = ('WebCore::Element' *) 0x0
WTF::RefPtr<WebCore::Element>::operator= (this=0x6aa70004, optr=0x0) at RefPtr.h:12
6
126             derefIfNotNull(ptr);
(gdb) where
#0  WTF::RefPtr<WebCore::Element>::operator= (this=0x6aa70004, optr=0x0) at RefPtr.
h:126 
#1  0x058eef0e in WebCore::Document::removedLastRef (this=0x6aa6fc00) at ../../thir
d_party/WebKit/Source/WebCore/dom/Document.cpp:657
#2  0x058ef04c in non-virtual thunk to WebCore::Document::removedLastRef() () at ..
/../third_party/WebKit/Source/WebCore/dom/Document.cpp:692
#3  0x02220538 in WebCore::TreeShared<WebCore::ContainerNode>::deref (this=0x6aa6fc
08) at TreeShared.h:79
#4  0x00b287aa in WebCore::DOMDataStore::weakNodeCallback (value={<v8::Handle<v8::V
alue>> = {val_ = 0x6ba83d80}, <No data fields>}, domObject=0x6aa6fc00) at ../../thi
rd_party/WebKit/Source/WebCore/bindings/v8/DOMDataStore.cpp:150
#5  0x072d16ec in v8::internal::GlobalHandles::Node::PostGarbageCollectionProcessin
g (this=0x6ba83d80, isolate=0x6ba23e00, global_handles=0x6c0700b0) at ../../v8/src/
global-handles.cc:233

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list