[Webkit-unassigned] [Bug 146538] New: Memory leak for a protected element having pending events in ImageLoader

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Jul 1 19:12:16 PDT 2015


https://bugs.webkit.org/show_bug.cgi?id=146538

            Bug ID: 146538
           Summary: Memory leak for a protected element having pending
                    events in ImageLoader
    Classification: Unclassified
           Product: WebKit
           Version: 528+ (Nightly build)
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: kyounga.ra at gmail.com

We found a memory leak possibility in ImageLoader.
See the code below
====
ImageLoader::~ImageLoader()
{
..
    if (m_elementIsProtected)
        element().deref();
}
void ImageLoader::updatedHasPendingEvent()
{
    bool wasProtected = m_elementIsProtected;
    m_elementIsProtected = m_hasPendingLoadEvent || m_hasPendingErrorEvent;
    if (wasProtected == m_elementIsProtected)
        return;

    if (m_elementIsProtected) {
        if (m_derefElementTimer.isActive())
            m_derefElementTimer.stop();
        else
            element().ref();
    } else {
        ASSERT(!m_derefElementTimer.isActive());
        m_derefElementTimer.startOneShot(0);
    }
}
void ImageLoader::timerFired()
{
    element().deref();
}
====

Let's suppose that a protected element is to be "unprotected".
The "m_elementIsProtected" flag is false immediately, but deref() is called later using a Timer.
If the ImageLoader is destroyed before the timer is fired, the element's refCount will never be zero.
I didn't create a test case, but logically there is a 100% memory leak in this case.
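The scenario described in the report, as an added example that is not part of the bug report or of WebKit's code: a stand-in ref-counted Element and a stand-in one-shot Timer (both constructed here) reproduce the protect/unprotect logic quoted above, and `finalRefCount()` shows the reference that is left behind when the loader is destroyed while the deref timer is still armed. The `fixedDestructor` branch is a hypothetical fix written for this illustration (settle the pending deref in the destructor), not the patch WebKit landed for this bug.

```cpp
#include <functional>
#include <utility>

// Stand-in for a RefCounted DOM element (constructed for this example; real code
// would delete the object when the count reaches zero, here we only count).
struct Element {
    int refCount = 1;          // the owning reference held by the document
    void ref() { ++refCount; }
    void deref() { --refCount; }
};

// Stand-in for WebCore's Timer: armed with startOneShot(), disarmed with stop(),
// and simply discarded when its owner is destroyed, so a pending callback is lost.
class OneShotTimer {
public:
    explicit OneShotTimer(std::function<void()> callback) : m_callback(std::move(callback)) {}
    void startOneShot() { m_active = true; }
    void stop() { m_active = false; }
    bool isActive() const { return m_active; }
    void fireIfActive() { if (m_active) { m_active = false; m_callback(); } } // the "run loop"
private:
    std::function<void()> m_callback;
    bool m_active = false;
};

// Model of the protect/unprotect logic quoted in the report. `fixedDestructor`
// selects the hypothetical destructor that settles the owed deref instead of dropping it.
class Loader {
public:
    Loader(Element& element, bool fixedDestructor)
        : m_element(element)
        , m_fixedDestructor(fixedDestructor)
        , m_derefElementTimer([this] { m_element.deref(); }) {}

    ~Loader()
    {
        if (m_fixedDestructor && m_derefElementTimer.isActive()) {
            m_derefElementTimer.stop();
            m_element.deref();     // hypothetical fix: pay the deferred deref now
            return;
        }
        if (m_elementIsProtected)
            m_element.deref();     // original behaviour: deref only while still "protected"
    }

    // Mirrors ImageLoader::updatedHasPendingEvent(): ref on protect, deref via timer on unprotect.
    void setHasPendingEvent(bool pending)
    {
        bool wasProtected = m_elementIsProtected;
        m_elementIsProtected = pending;
        if (wasProtected == m_elementIsProtected)
            return;
        if (m_elementIsProtected) {
            if (m_derefElementTimer.isActive())
                m_derefElementTimer.stop();    // re-protected before the deref ran: keep the ref
            else
                m_element.ref();
        } else {
            m_derefElementTimer.startOneShot();
        }
    }

    void runLoopTick() { m_derefElementTimer.fireIfActive(); }

private:
    Element& m_element;
    bool m_fixedDestructor;
    bool m_elementIsProtected = false;
    OneShotTimer m_derefElementTimer;
};

// Element refCount after the loader is gone; 1 means only the document's reference remains.
// destroyBeforeTimerFires = true reproduces the sequence from the report.
int finalRefCount(bool destroyBeforeTimerFires, bool fixedDestructor)
{
    Element element;
    {
        Loader loader(element, fixedDestructor);
        loader.setHasPendingEvent(true);   // load starts: loader takes a ref
        loader.setHasPendingEvent(false);  // load finishes: deref deferred to the timer
        if (!destroyBeforeTimerFires)
            loader.runLoopTick();          // timer fires, deref happens
    }                                      // loader destroyed here, timer with it
    return element.refCount;
}

int main()
{
    // Original destructor leaves refCount at 2 (leaked ref); the hypothetical fix leaves 1.
    return (finalRefCount(true, false) == 2 && finalRefCount(true, true) == 1) ? 0 : 1;
}
```

The leak depends only on ordering: once the timer is armed, the loader has already cleared `m_elementIsProtected`, so nothing in the original destructor knows a deref is still owed. Any destructor-side fix has to consult the timer state (or keep the flag true until the timer actually fires) rather than the flag alone.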
