[Webkit-unassigned] [Bug 82882] [GTK] Invalid read from WebKit::DOMObjectCache::clearByFrame
bugzilla-daemon at webkit.org
Thu Oct 18 02:56:04 PDT 2012
https://bugs.webkit.org/show_bug.cgi?id=82882
--- Comment #7 from Xan Lopez <xan.lopez at gmail.com> 2012-10-18 02:56:58 PST ---
(In reply to comment #6)
> The issue is not with g_object_unref() call, valgrind doesn't claim on it, the issue is with the 'data' structure, which is freed together with data->object. Following your 'while' steps (see code in comment #1) it's like this:
> : let data->timesReturned be 1
> : objectDead is FALSE
> the g_object_weak_unref() is called
> data->timesReturned is decreased to 0
> g_object_unref() is called
> : so far so good, 'data->object' is freed,
> : together with 'data' itself, but objectDead is still FALSE
> : then it comes to the 'while' clause
> while (!objectDead && data->timesReturned > 0)
> : and because objectDead is FALSE, and 'data' is freed, then it dereferences freed memory
Ah, indeed. 'data' is freed in the object's ::finalize, which calls the DOMObjectCache function 'forget'. Tricky.
So I think the patch is OK, but I'd put an extra comment explaining what's going on here, since it's not really trivial to see. If you can do that plus a ChangeLog I'll be happy to r+, thanks a lot for figuring this out.
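The read-after-free sequence walked through in comment #6, reduced to a self-contained C program. This is an added illustration, not WebKit or GLib code: `Obj`, `CacheData`, `obj_unref`, `forget_data`, `make_cache_entry` and the two `clear_by_frame_*` functions are constructed stand-ins, the `freed` flag only simulates the free so nothing dereferences real freed memory, and the fix shown (copying the object pointer and the count out of `data` before the first unref and keeping the weak notification attached until the loop is done) is my own choice, not necessarily what the bug's patch does.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for a GObject-style reference-counted object with a
 * single weak-notify slot. Not GLib and not WebKit code. */
typedef struct Obj Obj;
typedef void (*FinalizeFn)(Obj *obj, void *user);
struct Obj {
    int refcount;
    FinalizeFn finalize;   /* runs when refcount reaches zero (::finalize) */
    void *finalize_data;
    bool *weak_flag;       /* "weak ref": set to true on finalize, if attached */
};

/* Mirrors the cache bookkeeping named in the bug: the object plus how many
 * references the cache has handed out. `freed` simulates the free so the
 * demonstration never touches real freed memory. */
typedef struct {
    Obj *object;
    int timesReturned;
    bool freed;
} CacheData;

static bool g_read_after_free;   /* set when `data` is read after "free" */

static int times_returned(CacheData *data) {
    if (data->freed) { g_read_after_free = true; return 0; }
    return data->timesReturned;
}

/* The cache's "forget" path: the object's finalize drops `data`. */
static void forget_data(Obj *obj, void *user) {
    (void)obj;
    ((CacheData *)user)->freed = true;
}

static void obj_unref(Obj *obj) {
    if (--obj->refcount > 0) return;
    if (obj->weak_flag) *obj->weak_flag = true;     /* weak notify */
    if (obj->finalize) obj->finalize(obj, obj->finalize_data);
    free(obj);
}

/* extra_refs > 0 means someone other than the cache also holds the object. */
static CacheData *make_cache_entry(int times_returned_count, int extra_refs) {
    CacheData *data = calloc(1, sizeof *data);
    Obj *obj = calloc(1, sizeof *obj);
    obj->refcount = times_returned_count + extra_refs;
    obj->finalize = forget_data;
    obj->finalize_data = data;
    data->object = obj;
    data->timesReturned = times_returned_count;
    return data;
}

/* Sequence from comment #6: weak_unref first, then release each returned
 * reference. The loop condition re-reads `data` after the last unref has
 * finalized the object and, through forget_data, "freed" `data` itself.
 * Returns true if a read-after-free happened. */
static bool clear_by_frame_buggy(CacheData *data) {
    bool objectDead = false;
    g_read_after_free = false;
    data->object->weak_flag = NULL;      /* g_object_weak_unref(): objectDead can never become true */
    while (!objectDead && times_returned(data) > 0) {
        data->timesReturned--;
        obj_unref(data->object);         /* may finalize -> forget_data -> data gone */
    }
    return g_read_after_free;
}

/* Added fix (my own, not the bug's patch): copy what the loop needs out of
 * `data` before the first unref, keep the weak notification attached so
 * objectDead is trustworthy, and never touch `data` again. */
static bool clear_by_frame_fixed(CacheData *data) {
    bool objectDead = false;
    g_read_after_free = false;
    Obj *object = data->object;
    int remaining = times_returned(data);
    data->timesReturned = 0;
    object->weak_flag = &objectDead;     /* weak ref stays attached during the loop */
    while (!objectDead && remaining > 0) {
        remaining--;
        obj_unref(object);
    }
    if (!objectDead)
        object->weak_flag = NULL;        /* g_object_weak_unref() only on a live object */
    return g_read_after_free;
}

/* Cleanup helper: drop any remaining references, then the entry itself. */
static void release_entry(CacheData *data) {
    while (!data->freed) obj_unref(data->object);
    free(data);
}

int main(void) {
    CacheData *d = make_cache_entry(1, 0);
    printf("buggy, cache holds last ref: read-after-free=%d\n", clear_by_frame_buggy(d));
    release_entry(d);
    d = make_cache_entry(1, 1);
    printf("buggy, another ref alive:    read-after-free=%d\n", clear_by_frame_buggy(d));
    release_entry(d);
    d = make_cache_entry(2, 0);
    printf("fixed, cache holds last ref: read-after-free=%d\n", clear_by_frame_fixed(d));
    release_entry(d);
    return 0;
}
```

The second case shows why the bug is easy to miss: when anything else still holds a reference, the finalize never runs inside the loop and valgrind stays quiet, so the defect only surfaces when the cache's own references were the last ones.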