[Webkit-unassigned] [Bug 146538] New: Memory leak for a protected element having pending events in ImageLoader
bugzilla-daemon at webkit.org
Wed Jul 1 19:12:16 PDT 2015
https://bugs.webkit.org/show_bug.cgi?id=146538
Bug ID: 146538
Summary: Memory leak for a protected element having pending events in ImageLoader
Classification: Unclassified
Product: WebKit
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: WebCore Misc.
Assignee: webkit-unassigned at lists.webkit.org
Reporter: kyounga.ra at gmail.com
We found a possible memory leak in ImageLoader.
See the code below:
====
ImageLoader::~ImageLoader()
{
    ..
    if (m_elementIsProtected)
        element().deref();
}

void ImageLoader::updatedHasPendingEvent()
{
    bool wasProtected = m_elementIsProtected;
    m_elementIsProtected = m_hasPendingLoadEvent || m_hasPendingErrorEvent;
    if (wasProtected == m_elementIsProtected)
        return;

    if (m_elementIsProtected) {
        // Becoming protected: cancel a pending deref instead of taking a new ref.
        if (m_derefElementTimer.isActive())
            m_derefElementTimer.stop();
        else
            element().ref();
    } else {
        // Becoming unprotected: the deref is deferred to the timer.
        ASSERT(!m_derefElementTimer.isActive());
        m_derefElementTimer.startOneShot(0);
    }
}

void ImageLoader::timerFired()
{
    element().deref();
}
====
Let's suppose that a protected element is to be "unprotected".
The "m_elementIsProtected" flag becomes false immediately, but deref() is called later using a Timer.
If the ImageLoader is destroyed before the timer fires, the element's refCount will never reach zero.
I didn't create a test case, but logically there is a 100% memory leak in this case.
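The scenario the report describes, as an added stand-alone model (example code written for this page, not WebKit's ImageLoader or a WebKit patch). `Element`, `OneShotTimer` and `ImageLoaderModel` are assumed stand-ins for WebCore's ref-counted element, `Timer` and `ImageLoader`; the protection logic is copied from the snippet quoted above, and the `fixPending` branch in the destructor is one possible fix (an assumption of this example, not the fix WebKit shipped). The model counts live elements so the leak is observable without a test case: with the timer still pending when the loader dies, the element survives after its owner releases it.

```cpp
#include <cassert>
#include <cstdio>
#include <functional>
#include <utility>

// Minimal ref-counted element; liveCount makes a leak observable.
struct Element {
    static int liveCount;
    int refCount = 0;
    Element() { ++liveCount; }
    ~Element() { --liveCount; }
    void ref() { ++refCount; }
    void deref() {
        assert(refCount > 0);
        if (--refCount == 0)
            delete this;
    }
};
int Element::liveCount = 0;

// Stand-in for WebCore's Timer: the callback runs only when the "event loop"
// explicitly fires it, which is exactly what never happens in the bug scenario.
class OneShotTimer {
public:
    explicit OneShotTimer(std::function<void()> cb) : m_callback(std::move(cb)) {}
    void startOneShot() { m_active = true; }
    void stop() { m_active = false; }
    bool isActive() const { return m_active; }
    void fireIfActive() { if (m_active) { m_active = false; m_callback(); } }
private:
    std::function<void()> m_callback;
    bool m_active = false;
};

// Models the protection logic quoted in the report. With fixPending == true the
// destructor also releases a deref that is still parked in the timer (assumed fix).
class ImageLoaderModel {
public:
    ImageLoaderModel(Element& e, bool fixPending)
        : m_element(e), m_fixPending(fixPending),
          m_derefElementTimer([this] { m_element.deref(); }) {}

    ~ImageLoaderModel() {
        if (m_fixPending && m_derefElementTimer.isActive()) {
            // The timer dies with us and will never fire: drop the reference now.
            m_derefElementTimer.stop();
            m_element.deref();
        }
        if (m_elementIsProtected)
            m_element.deref();
    }

    void setPendingLoadEvent(bool pending) {
        m_hasPendingLoadEvent = pending;
        updatedHasPendingEvent();
    }
    void runTimers() { m_derefElementTimer.fireIfActive(); }

private:
    void updatedHasPendingEvent() {
        bool wasProtected = m_elementIsProtected;
        m_elementIsProtected = m_hasPendingLoadEvent || m_hasPendingErrorEvent;
        if (wasProtected == m_elementIsProtected)
            return;
        if (m_elementIsProtected) {
            if (m_derefElementTimer.isActive()) m_derefElementTimer.stop();
            else m_element.ref();
        } else {
            assert(!m_derefElementTimer.isActive());
            m_derefElementTimer.startOneShot();   // deref deferred, flag already cleared
        }
    }
    Element& m_element;
    bool m_fixPending;
    bool m_hasPendingLoadEvent = false;
    bool m_hasPendingErrorEvent = false;
    bool m_elementIsProtected = false;
    OneShotTimer m_derefElementTimer;
};

// Runs the report's scenario: protect, unprotect (deref deferred), destroy the
// loader before the timer fires, owner releases. Returns how many elements
// outlived the owner's release (1 = leaked, 0 = freed).
int leakedElementsAfterScenario(bool fixPending) {
    int before = Element::liveCount;
    Element* element = new Element;
    element->ref();                          // owner's reference
    {
        ImageLoaderModel loader(*element, fixPending);
        loader.setPendingLoadEvent(true);    // protected: refCount 2
        loader.setPendingLoadEvent(false);   // unprotected: deref parked in timer
    }                                        // loader destroyed, timer never fires
    element->deref();                        // owner releases
    int leaked = Element::liveCount - before;
    if (leaked)
        element->deref();                    // reclaim for the harness; real code never gets here
    return leaked;
}

int main() {
    std::printf("leaked (as reported): %d\n", leakedElementsAfterScenario(false));
    std::printf("leaked (with fix):    %d\n", leakedElementsAfterScenario(true));
    return 0;
}
```

The check a reviewer wants is the first call: the loader's flag is already false when its destructor runs, so the destructor does nothing, the timer is destroyed unfired, and the element keeps the extra reference forever. The fixed variant treats a still-active deref timer as an outstanding reference the destructor must settle itself.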