[Webkit-unassigned] [Bug 143521] New: [GTK] Crash in DOMObjectCache when a wrapped object owned by the cache is unreffed by the user

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Apr 8 06:34:06 PDT 2015


https://bugs.webkit.org/show_bug.cgi?id=143521

            Bug ID: 143521
           Summary: [GTK] Crash in DOMObjectCache when a wrapped object
                    owned by the cache is unreffed by the user
    Classification: Unclassified
           Product: WebKit
           Version: 528+ (Nightly build)
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Keywords: Gtk
          Severity: Normal
          Priority: P2
         Component: WebKit Gtk
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: cgarcia at igalia.com
                CC: gns at gnome.org, mcrha at redhat.com, pnormand at igalia.com,
                    svillar at igalia.com

This is a case we claim to support, but it only works if the object has only one reference. In that case, when the user unrefs it, the weak ref notify callback removes the object from the cache. However, if the object has more than one ref, the cache doesn't know the user unreffed it, and when clearing the cache we try to remove more references than the object actually has, causing a crash in g_object_unref. See the backtrace in bug #118788.

-- 
You are receiving this mail because:
You are the assignee for the bug.
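
The accounting mismatch described in the report, as a toy model added here for illustration; it is not WebKit or GLib code. `Obj`, `CacheEntry`, `cache_put`, `cache_clear` and `run_scenario` are hypothetical names, and the extra unref is counted rather than allowed to touch freed memory.

```c
#include <stdio.h>

/* Toy stand-ins (assumptions), not GObject or WebKit code. */
typedef struct Obj Obj;
typedef struct { Obj *obj; int refs_owned; } CacheEntry;
struct Obj { int refcount; int finalized; CacheEntry *watcher; };

static int excess_unrefs; /* unrefs attempted after finalization */

static void obj_unref(Obj *o) {
    if (o->finalized) { excess_unrefs++; return; } /* real code would crash here */
    if (--o->refcount == 0) {
        o->finalized = 1;
        if (o->watcher) o->watcher->obj = NULL; /* weak notify: drop cache entry */
    }
}

/* The cache takes one reference each time the object is handed out. */
static void cache_put(CacheEntry *e, Obj *o) {
    if (!e->obj) { e->obj = o; e->refs_owned = 0; o->watcher = e; }
    o->refcount++;
    e->refs_owned++;
}

/* Clearing releases every reference the cache believes it still owns. */
static void cache_clear(CacheEntry *e) {
    Obj *o = e->obj;
    if (!o) return; /* entry already removed by the weak notify */
    for (int i = e->refs_owned; i > 0; i--) obj_unref(o);
    e->obj = NULL;
    e->refs_owned = 0;
}

/* Returns how many unrefs hit an already-finalized object. */
int run_scenario(int cache_refs, int user_unrefs) {
    Obj o = {0};
    CacheEntry e = {0};
    excess_unrefs = 0;
    for (int i = 0; i < cache_refs; i++) cache_put(&e, &o);
    for (int i = 0; i < user_unrefs; i++) obj_unref(&o); /* user drops cache-owned refs */
    cache_clear(&e);
    return excess_unrefs;
}

int main(void) {
    printf("1 cache ref, 1 user unref: %d excess\n", run_scenario(1, 1));
    printf("2 cache refs, 1 user unref: %d excess\n", run_scenario(2, 1));
    return 0;
}
```

With one cache-owned reference the weak notify removes the entry before the cache is cleared; with two, the cache's count is stale and the clear issues one unref too many.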