25759 2009-05-13 14:06:08 -0700 [Invalid memory write] HTMLCanvasElement object accessed after deletion 2009-05-13 18:47:29 -0700 1 1 1 Unclassified WebKit DOM 528+ (Nightly build) PC Windows XP RESOLVED FIXED LayoutTests/fast/canvas/canvas-as-image.html P2 Normal --- 1 kuchhal webkit-unassigned oldest_to_newest 121093 0 kuchhal 2009-05-13 14:06:08 -0700 Webkit r43650 Debug Webkit using Safari and open LayoutTests/fast/canvas/canvas-as-image.html in Safari. When the page gets unloaded: Document.cpp:420 - m_cssCanvasElements.clear(); ends up destroying canvas element Later when Document gets deleted, CSSCanvasValue::~CSSCanvasValue() gets called which tries to call HTMLCanvasElement::setObserver() on an object that has already been deleted. 121196 1 eric 2009-05-13 18:34:07 -0700 Scribbled and guarded I'm not able to produce a crash here. MallocScribble=1 run-webkit-tests --guard LayoutTests/fast/canvas/canvas-as-image.html But I was able to see this happening in the debugger. I have a patch to fix this which I'll post shortly. 121197 2 30311 eric 2009-05-13 18:36:14 -0700 Created attachment 30311 Fix invalid memory write seen in HTMLCanvasElement by Valgrind 5 files changed, 31 insertions(+), 4 deletions(-) 121199 3 eric 2009-05-13 18:47:29 -0700 Committing to http://svn.webkit.org/repository/webkit/trunk ... M WebCore/ChangeLog M WebCore/css/CSSCanvasValue.cpp M WebCore/css/CSSCanvasValue.h M WebCore/html/HTMLCanvasElement.cpp M WebCore/html/HTMLCanvasElement.h Committed r43678 30311 2009-05-13 18:36:14 -0700 2009-05-13 18:39:33 -0700 Fix invalid memory write seen in HTMLCanvasElement by Valgrind Fix-invalid-memory-write-seen-in-HTMLCanvasElement-by-Valgrind.patch text/plain 3216 eric NjNiM2FhODI1MmI4NTYzNjI2MmFhYWFmNzgwYWYxMjFiOTQ3NDRhMQpkaWZmIC0tZ2l0IGEvV2Vi Q29yZS9DaGFuZ2VMb2cgYi9XZWJDb3JlL0NoYW5nZUxvZwppbmRleCA4ZDI1MTFlLi5mYWRmYTdh IDEwMDY0NAotLS0gYS9XZWJDb3JlL0NoYW5nZUxvZworKysgYi9XZWJDb3JlL0NoYW5nZUxvZwpA QCAtMSwzICsxLDE5IEBACisyMDA5LTA1LTEzICBFcmljIFNlaWRlbCAgPGVyaWNAd2Via2l0Lm9y Zz4KKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBGaXgg aW52YWxpZCBtZW1vcnkgd3JpdGUgc2VlbiBpbiBIVE1MQ2FudmFzRWxlbWVudCBieSBWYWxncmlu ZAorICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MjU3NTkK KworICAgICAgICBJIGNhbid0IHRoaW5rIG9mIGFueSB3YXkgdG8gY2F0Y2ggdGhpcyB3aXRoIGEg bGF5b3V0IHRlc3QsIHNvIG5vIHRlc3QuCisKKyAgICAgICAgKiBjc3MvQ1NTQ2FudmFzVmFsdWUu Y3BwOgorICAgICAgICAoV2ViQ29yZTo6Q1NTQ2FudmFzVmFsdWU6OmNhbnZhc0Rlc3Ryb3llZCk6 CisgICAgICAgICogY3NzL0NTU0NhbnZhc1ZhbHVlLmg6CisgICAgICAgICogaHRtbC9IVE1MQ2Fu dmFzRWxlbWVudC5jcHA6CisgICAgICAgIChXZWJDb3JlOjpIVE1MQ2FudmFzRWxlbWVudDo6fkhU TUxDYW52YXNFbGVtZW50KToKKyAgICAgICAgKiBodG1sL0hUTUxDYW52YXNFbGVtZW50Lmg6CisK IDIwMDktMDUtMTMgIENocmlzIEZsZWl6YWNoICA8Y2ZsZWl6YWNoQGFwcGxlLmNvbT4KIAogICAg ICAgICBCdWcgMjU3NTU6IEltcGxlbWVudCBBUklBIGdyaWQgcm9sZQpkaWZmIC0tZ2l0IGEvV2Vi Q29yZS9jc3MvQ1NTQ2FudmFzVmFsdWUuY3BwIGIvV2ViQ29yZS9jc3MvQ1NTQ2FudmFzVmFsdWUu Y3BwCmluZGV4IDRmZDUyMTAuLmNmOGNiNDIgMTAwNjQ0Ci0tLSBhL1dlYkNvcmUvY3NzL0NTU0Nh bnZhc1ZhbHVlLmNwcAorKysgYi9XZWJDb3JlL2Nzcy9DU1NDYW52YXNWYWx1ZS5jcHAKQEAgLTU5 LDYgKzU5LDEzIEBAIHZvaWQgQ1NTQ2FudmFzVmFsdWU6OmNhbnZhc1Jlc2l6ZWQoSFRNTENhbnZh c0VsZW1lbnQqKQogICAgICAgICBjdXJyLT5maXJzdC0+aW1hZ2VDaGFuZ2VkKHN0YXRpY19jYXN0 PFdyYXBwZWRJbWFnZVB0cj4odGhpcykpOwogfQogCit2b2lkIENTU0NhbnZhc1ZhbHVlOjpjYW52 YXNEZXN0cm95ZWQoSFRNTENhbnZhc0VsZW1lbnQqIGVsZW1lbnQpCit7CisgICAgQVNTRVJUKGVs ZW1lbnQgPT0gbV9lbGVtZW50KTsKKyAgICBpZiAoZWxlbWVudCA9PSBtX2VsZW1lbnQpCisgICAg ICAgIG1fZWxlbWVudCA9IDA7Cit9CisKIEludFNpemUgQ1NTQ2FudmFzVmFsdWU6OmZpeGVkU2l6 ZShjb25zdCBSZW5kZXJPYmplY3QqIHJlbmRlcmVyKQogewogICAgIGlmIChIVE1MQ2FudmFzRWxl bWVudCogZWx0ID0gZWxlbWVudChyZW5kZXJlci0+ZG9jdW1lbnQoKSkpCmRpZmYgLS1naXQgYS9X ZWJDb3JlL2Nzcy9DU1NDYW52YXNWYWx1ZS5oIGIvV2ViQ29yZS9jc3MvQ1NTQ2FudmFzVmFsdWUu aAppbmRleCBhNjk4ZjMxLi40Y2Q0MjgwIDEwMDY0NAotLS0gYS9XZWJDb3JlL2Nzcy9DU1NDYW52 YXNWYWx1ZS5oCisrKyBiL1dlYkNvcmUvY3NzL0NTU0NhbnZhc1ZhbHVlLmgKQEAgLTUyLDggKzUy LDkgQEAgcHJpdmF0ZToKICAgICB7CiAgICAgfQogCi0gICAgdmlydHVhbCB2b2lkIGNhbnZhc0No YW5nZWQoSFRNTENhbnZhc0VsZW1lbnQqIGVsZW1lbnQsIGNvbnN0IEZsb2F0UmVjdCYgY2hhbmdl ZFJlY3QpOwotICAgIHZpcnR1YWwgdm9pZCBjYW52YXNSZXNpemVkKEhUTUxDYW52YXNFbGVtZW50 KiBlbGVtZW50KTsKKyAgICB2aXJ0dWFsIHZvaWQgY2FudmFzQ2hhbmdlZChIVE1MQ2FudmFzRWxl bWVudCosIGNvbnN0IEZsb2F0UmVjdCYgY2hhbmdlZFJlY3QpOworICAgIHZpcnR1YWwgdm9pZCBj YW52YXNSZXNpemVkKEhUTUxDYW52YXNFbGVtZW50Kik7CisgICAgdmlydHVhbCB2b2lkIGNhbnZh c0Rlc3Ryb3llZChIVE1MQ2FudmFzRWxlbWVudCopOwogCiAgICAgSFRNTENhbnZhc0VsZW1lbnQq IGVsZW1lbnQoRG9jdW1lbnQqKTsKICAgICAgCmRpZmYgLS1naXQgYS9XZWJDb3JlL2h0bWwvSFRN TENhbnZhc0VsZW1lbnQuY3BwIGIvV2ViQ29yZS9odG1sL0hUTUxDYW52YXNFbGVtZW50LmNwcApp bmRleCBmOTRkY2QxLi5hZTgwZDY5IDEwMDY0NAotLS0gYS9XZWJDb3JlL2h0bWwvSFRNTENhbnZh c0VsZW1lbnQuY3BwCisrKyBiL1dlYkNvcmUvaHRtbC9IVE1MQ2FudmFzRWxlbWVudC5jcHAKQEAg LTcyLDYgKzcyLDggQEAgSFRNTENhbnZhc0VsZW1lbnQ6OkhUTUxDYW52YXNFbGVtZW50KGNvbnN0 IFF1YWxpZmllZE5hbWUmIHRhZ05hbWUsIERvY3VtZW50KiBkb2MKIAogSFRNTENhbnZhc0VsZW1l bnQ6On5IVE1MQ2FudmFzRWxlbWVudCgpCiB7CisgICAgaWYgKG1fb2JzZXJ2ZXIpCisgICAgICAg IG1fb2JzZXJ2ZXItPmNhbnZhc0Rlc3Ryb3llZCh0aGlzKTsKIH0KIAogI2lmIEVOQUJMRShEQVNI Qk9BUkRfU1VQUE9SVCkKZGlmZiAtLWdpdCBhL1dlYkNvcmUvaHRtbC9IVE1MQ2FudmFzRWxlbWVu dC5oIGIvV2ViQ29yZS9odG1sL0hUTUxDYW52YXNFbGVtZW50LmgKaW5kZXggMTJiM2NiMi4uYmJh MWYyZCAxMDA2NDQKLS0tIGEvV2ViQ29yZS9odG1sL0hUTUxDYW52YXNFbGVtZW50LmgKKysrIGIv V2ViQ29yZS9odG1sL0hUTUxDYW52YXNFbGVtZW50LmgKQEAgLTQ5LDggKzQ5LDkgQEAgY2xhc3Mg Q2FudmFzT2JzZXJ2ZXIgewogcHVibGljOgogICAgIHZpcnR1YWwgfkNhbnZhc09ic2VydmVyKCkg e307CiAKLSAgICB2aXJ0dWFsIHZvaWQgY2FudmFzQ2hhbmdlZChIVE1MQ2FudmFzRWxlbWVudCog ZWxlbWVudCwgY29uc3QgRmxvYXRSZWN0JiBjaGFuZ2VkUmVjdCkgPSAwOwotICAgIHZpcnR1YWwg dm9pZCBjYW52YXNSZXNpemVkKEhUTUxDYW52YXNFbGVtZW50KiBlbGVtZW50KSA9IDA7CisgICAg dmlydHVhbCB2b2lkIGNhbnZhc0NoYW5nZWQoSFRNTENhbnZhc0VsZW1lbnQqLCBjb25zdCBGbG9h dFJlY3QmIGNoYW5nZWRSZWN0KSA9IDA7CisgICAgdmlydHVhbCB2b2lkIGNhbnZhc1Jlc2l6ZWQo SFRNTENhbnZhc0VsZW1lbnQqKSA9IDA7CisgICAgdmlydHVhbCB2b2lkIGNhbnZhc0Rlc3Ryb3ll ZChIVE1MQ2FudmFzRWxlbWVudCopID0gMDsKIH07CiAKIGNsYXNzIEhUTUxDYW52YXNFbGVtZW50 IDogcHVibGljIEhUTUxFbGVtZW50IHsK