[Webkit-unassigned] [Bug 82882] [GTK] Invalid read from WebKit::DOMObjectCache::clearByFrame

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Oct 18 00:02:27 PDT 2012


https://bugs.webkit.org/show_bug.cgi?id=82882
--- Comment #6 from Milan Crha <mcrha at redhat.com>  2012-10-18 00:03:21 PST ---
(In reply to comment #5)
> (In reply to comment #4)
> > Are you kidding me? This almost two-liner fixes a not-so-obvious error in the code which is still there in 1.9.6, has been waiting for a review for almost 5 months, and you reject it because of a missing ChangeLog? Come on...
> 
> Writing a ChangeLog should be a matter of 5 minutes. If you don't do it, someone else has to; I don't see what's so shocking about being strict in this regard.

It's "shocking" when you are asked to do so after 5 months of waiting for a review. I have moved quite far away from this during those 5 months.

> About the patch, one question:
> 
> You mention "if everything goes correctly the weakRefNotify is never called", because we disable it before doing the last unref. Right?

You didn't quote the right passage of the explanation from comment #1. (See below.)

> In that same block we'll decrease timesReturned, so while objectDead will still be FALSE, timesReturned should be 0 (since we only do the last unref when it's 1). So we shouldn't really enter the loop again. I guess I'm missing something, because there's indeed a valgrind warning, so what am I getting wrong?

That's what I thought about this too; the issue is not obvious at first glance.

The issue is not with the g_object_unref() call, valgrind doesn't complain about it; the issue is with the 'data' structure, which is freed together with data->object. Following your 'while' steps (see the code in comment #1), it goes like this:
   : let data->timesReturned be 1
   : objectDead is FALSE
   the g_object_weak_unref() is called
   data->timesReturned is decreased to 0
   g_object_unref() is called
   : so far so good, 'data->object' is freed,
   : together with 'data' itself, but objectDead is still FALSE
   : then it comes to the 'while' clause
   while (!objectDead && data->timesReturned > 0)
   : and because objectDead is FALSE, and 'data' is freed, then it dereferences freed memory

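The use-after-free that comment #6 walks through, as an added example that is not WebKit's code and not the patch attached to the bug. It is a self-contained C model of the loop: 'Object' stands in for the GObject, 'DOMObjectCacheData' for 'data', the cache is assumed to hold one reference per timesReturned, and finalizing the object is assumed to free its cache entry (the "'data' is freed together with data->object" step of the explanation). Freeing 'data' is simulated with a quarantine that keeps the memory but marks it dead, so the read in the while condition can be counted the way valgrind reports it instead of being undefined behaviour; uaf_reads, weak_notify_fired, run_scenario and the two clear_entry_* functions are names invented for this example. The "fixed" loop is one obvious way to close the hole given the explanation, not a claim about what the reviewed patch does.

```c
/* Added example, not WebKit's code: a model of the loop described in comment #6.
 * Assumptions: the cache holds one reference per timesReturned, and finalizing
 * the object frees its cache entry ('data'). free() of 'data' is replaced by a
 * quarantine so a read after free is counted rather than undefined behaviour. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct DOMObjectCacheData DOMObjectCacheData;

typedef struct {
    int ref_count;
    bool weak_ref_armed;             /* a g_object_weak_ref() is registered */
    DOMObjectCacheData *cache_entry; /* freed by finalize, like 'data' */
} Object;

struct DOMObjectCacheData {
    Object *object;
    unsigned int timesReturned;
    bool freed;                      /* set by the quarantine instead of free() */
};

static int uaf_reads;          /* reads of 'data' after it was freed */
static int weak_notify_fired;  /* how often the weak-ref notify ran */

/* Quarantine "free": keep the memory, remember that it is dead. */
static void data_quarantine_free(DOMObjectCacheData *data) { data->freed = true; }

/* Every read of data->timesReturned in the loop condition goes through here,
 * so a read-after-free shows up in uaf_reads (the role valgrind plays). */
static unsigned int data_times_returned(const DOMObjectCacheData *data)
{
    if (data->freed)
        uaf_reads++;
    return data->timesReturned;
}

static void object_weak_ref(Object *o)   { o->weak_ref_armed = true; }
static void object_weak_unref(Object *o) { o->weak_ref_armed = false; }

/* Drop one reference; the last one finalizes the object, and finalize frees
 * the cache entry: 'data' dies together with data->object. */
static void object_unref(Object *o)
{
    if (--o->ref_count > 0)
        return;
    if (o->weak_ref_armed)
        weak_notify_fired++;
    if (o->cache_entry)
        data_quarantine_free(o->cache_entry);
    free(o);
}

/* The loop as described: objectDead is still false after the last unref, so
 * the while condition reads data->timesReturned from freed memory. */
static void clear_entry_buggy(DOMObjectCacheData *data)
{
    bool objectDead = false;
    while (!objectDead && data_times_returned(data) > 0) {
        if (data->timesReturned == 1)
            object_weak_unref(data->object); /* last unref: notify must not fire */
        data->timesReturned--;
        object_unref(data->object);          /* may finalize, freeing 'data' */
    }
}

/* One way to close the hole (an assumption of this example): mark the object
 * dead in the branch that disarms the weak ref, so after the final unref the
 * short-circuit on !objectDead keeps 'data' from being read again. */
static void clear_entry_fixed(DOMObjectCacheData *data)
{
    bool objectDead = false;
    while (!objectDead && data_times_returned(data) > 0) {
        if (data->timesReturned == 1) {
            object_weak_unref(data->object);
            objectDead = true;               /* 'data' goes away with the object */
        }
        data->timesReturned--;
        object_unref(data->object);
    }
}

/* Build a cache entry whose object carries timesReturned references, run one
 * of the two loops, and report how many reads hit freed memory. */
static int run_scenario(bool use_fixed_loop, unsigned int timesReturned)
{
    uaf_reads = 0;
    weak_notify_fired = 0;
    DOMObjectCacheData *data = calloc(1, sizeof *data);
    Object *object = calloc(1, sizeof *object);
    if (!data || !object)
        abort();
    object->ref_count = (int)timesReturned;
    object->cache_entry = data;
    data->object = object;
    data->timesReturned = timesReturned;
    object_weak_ref(object);

    if (use_fixed_loop)
        clear_entry_fixed(data);
    else
        clear_entry_buggy(data);

    if (!data->freed)
        free(object);  /* never finalized (timesReturned was 0) */
    free(data);        /* the quarantine really releases it only now */
    return uaf_reads;
}

int main(void)
{
    printf("buggy loop, timesReturned=1: %d read(s) of freed data\n", run_scenario(false, 1));
    printf("fixed loop, timesReturned=1: %d read(s) of freed data\n", run_scenario(true, 1));
    return 0;
}
```

With the buggy loop every run ends with exactly one read of the quarantined 'data' (the while condition after the final unref), and the weak notify never fires because it was disarmed first, which matches the two observations in the thread: no complaint about g_object_unref() itself, and a valgrind report on the loop condition. Under a real allocator the same read is a silent use-after-free until the page is reused, so a test like this only catches it reliably with a poisoning allocator such as valgrind or ASan.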