78645 2012-02-14 15:38:57 -0800 RootObject::finalize can cause a crash in object->invalidate() 2012-02-15 14:02:17 -0800 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED P2 Normal --- 1 mhahnenberg mhahnenberg ggaren webkit.review.bot oldest_to_newest 556698 0 mhahnenberg 2012-02-14 15:38:57 -0800 If we finalize weak handles and call RootObject::finalize(), it calls invalidate() on the object that it's finalizing and then removes it from its map of RuntimeObjects. However, invalidate() derefs that RuntimeObject which can call its destructor. In turn, it will deref its member RefPtr to the RootObject. If that RootObject's ref count then hits 0, its destructor will be called, which will then call invalidate() on all its objects in its map. This causes invalidate() to be called on that RuntimeObject twice, which causes a crash. Removing the object from the map first and then calling invalidate() on it should alleviate the crash because invalidate() can't be called a second time if the RootObject's destructor gets called since it will no longer be in the map. 556700 1 mhahnenberg 2012-02-14 15:39:21 -0800 <rdar://problem/10862749> 556711 2 127067 mhahnenberg 2012-02-14 15:43:45 -0800 Created attachment 127067 Patch 556768 3 127067 ggaren 2012-02-14 16:45:08 -0800 Comment on attachment 127067 Patch This looks good, but I think an even better fix would be "RefPtr<T> protect(this);" 556785 4 127083 mhahnenberg 2012-02-14 17:08:18 -0800 Created attachment 127083 Patch 557320 5 127083 ggaren 2012-02-15 09:29:27 -0800 Comment on attachment 127083 Patch r=me 557532 6 mhahnenberg 2012-02-15 14:02:17 -0800 Committed r107837: <http://trac.webkit.org/changeset/107837> 127067 2012-02-14 15:43:45 -0800 2012-02-14 17:08:15 -0800 Patch bug-78645-20120214154344.patch text/plain 1422 mhahnenberg U3VidmVyc2lvbiBSZXZpc2lvbjogMTA3NjE4CmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggN2IxNjU3OTI2M2UwYjU5 NThiYTlhZDk1MTY3YmI3NWFmMWYzNzQzZi4uNzk1NmYxNTgzYzY3MDk5NTU2YzQ0YTUzNzY1MmZh ZWYwMTc3YzQ4ZSAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE2IEBACisyMDEyLTAyLTE0ICBNYXJr IEhhaG5lbmJlcmcgIDxtaGFobmVuYmVyZ0BhcHBsZS5jb20+CisKKyAgICAgICAgUm9vdE9iamVj dDo6ZmluYWxpemUgY2FuIGNhdXNlIGEgY3Jhc2ggaW4gb2JqZWN0LT5pbnZhbGlkYXRlKCkKKyAg ICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTc4NjQ1CisKKyAg ICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgTm8gbmV3IHRlc3Rz LgorCisgICAgICAgICogYnJpZGdlL3J1bnRpbWVfcm9vdC5jcHA6CisgICAgICAgIChKU0M6OkJp bmRpbmdzOjpSb290T2JqZWN0OjpmaW5hbGl6ZSk6IFJlb3JkZXJlZCB0aGUgcmVtb3ZhbCBvZiB0 aGUgb2JqZWN0IGZyb20gdGhlIAorICAgICAgICBtYXAgYW5kIHRoZSBjYWxsIHRvIGludmFsaWRh dGUoKSBvbiB0aGUgb2JqZWN0LgorCiAyMDEyLTAyLTEzICBUb255IENoYW5nICA8dG9ueUBjaHJv bWl1bS5vcmc+CiAKICAgICAgICAgVW5yZXZpZXdlZCwgcm9sbGluZyBvdXQgcjEwNzU4Mi4KZGlm ZiAtLWdpdCBhL1NvdXJjZS9XZWJDb3JlL2JyaWRnZS9ydW50aW1lX3Jvb3QuY3BwIGIvU291cmNl L1dlYkNvcmUvYnJpZGdlL3J1bnRpbWVfcm9vdC5jcHAKaW5kZXggZDhiNDc4YWYyMDY5YzcwNzYw ZjJiZWM1YTU2ZjdlZTBhNzFlZThlZS4uZTUzM2M4MDFjMTgzNDcwYzM5OTk4MTI4NjJjMmQ5MTgx ZmMxMTc0NiAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvYnJpZGdlL3J1bnRpbWVfcm9vdC5j cHAKKysrIGIvU291cmNlL1dlYkNvcmUvYnJpZGdlL3J1bnRpbWVfcm9vdC5jcHAKQEAgLTE5OSw4 ICsxOTksOCBAQCB2b2lkIFJvb3RPYmplY3Q6OmZpbmFsaXplKEpTQzo6SGFuZGxlPEpTQzo6VW5r bm93bj4gaGFuZGxlLCB2b2lkKikKICAgICBSdW50aW1lT2JqZWN0KiBvYmplY3QgPSBzdGF0aWNf Y2FzdDxSdW50aW1lT2JqZWN0Kj4oYXNPYmplY3QoaGFuZGxlLmdldCgpKSk7CiAgICAgQVNTRVJU KG1fcnVudGltZU9iamVjdHMuY29udGFpbnMob2JqZWN0KSk7CiAKLSAgICBvYmplY3QtPmludmFs aWRhdGUoKTsKICAgICBtX3J1bnRpbWVPYmplY3RzLnJlbW92ZShvYmplY3QpOworICAgIG9iamVj dC0+aW52YWxpZGF0ZSgpOwogfQogCiB9IH0gLy8gbmFtZXNwYWNlIEpTQzo6QmluZGluZ3MK 127083 2012-02-14 17:08:18 -0800 2012-02-15 10:43:45 -0800 Patch bug-78645-20120214170817.patch text/plain 1396 mhahnenberg U3VidmVyc2lvbiBSZXZpc2lvbjogMTA3NjE4CmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggN2IxNjU3OTI2M2UwYjU5 NThiYTlhZDk1MTY3YmI3NWFmMWYzNzQzZi4uNzhjMDM0MDQzNzM2MWQxMWQxMjAwNjc1ZTMyOTA4 NGU1MzNjN2Q5MSAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE2IEBACisyMDEyLTAyLTE0ICBNYXJr IEhhaG5lbmJlcmcgIDxtaGFobmVuYmVyZ0BhcHBsZS5jb20+CisKKyAgICAgICAgUm9vdE9iamVj dDo6ZmluYWxpemUgY2FuIGNhdXNlIGEgY3Jhc2ggaW4gb2JqZWN0LT5pbnZhbGlkYXRlKCkKKyAg ICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTc4NjQ1CisKKyAg ICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgTm8gbmV3IHRlc3Rz LgorCisgICAgICAgICogYnJpZGdlL3J1bnRpbWVfcm9vdC5jcHA6CisgICAgICAgIChKU0M6OkJp bmRpbmdzOjpSb290T2JqZWN0OjpmaW5hbGl6ZSk6IEFkZGVkIGEgc3RhY2stYWxsb2NhdGVkIFJl ZlB0ciB0byBwcm90ZWN0IHRoZSBSb290T2JqZWN0CisgICAgICAgIGR1cmluZyB0aGUgY2FsbCB0 byBpbnZhbGlkYXRlKCkuCisKIDIwMTItMDItMTMgIFRvbnkgQ2hhbmcgIDx0b255QGNocm9taXVt Lm9yZz4KIAogICAgICAgICBVbnJldmlld2VkLCByb2xsaW5nIG91dCByMTA3NTgyLgpkaWZmIC0t Z2l0IGEvU291cmNlL1dlYkNvcmUvYnJpZGdlL3J1bnRpbWVfcm9vdC5jcHAgYi9Tb3VyY2UvV2Vi Q29yZS9icmlkZ2UvcnVudGltZV9yb290LmNwcAppbmRleCBkOGI0NzhhZjIwNjljNzA3NjBmMmJl YzVhNTZmN2VlMGE3MWVlOGVlLi4wYmU3YjVlNWViYWFkMGM5MzJmNTJhNDQyMDk0YzUyZjUyY2Vk YjQ4IDEwMDY0NAotLS0gYS9Tb3VyY2UvV2ViQ29yZS9icmlkZ2UvcnVudGltZV9yb290LmNwcAor KysgYi9Tb3VyY2UvV2ViQ29yZS9icmlkZ2UvcnVudGltZV9yb290LmNwcApAQCAtMTk5LDYgKzE5 OSw3IEBAIHZvaWQgUm9vdE9iamVjdDo6ZmluYWxpemUoSlNDOjpIYW5kbGU8SlNDOjpVbmtub3du PiBoYW5kbGUsIHZvaWQqKQogICAgIFJ1bnRpbWVPYmplY3QqIG9iamVjdCA9IHN0YXRpY19jYXN0 PFJ1bnRpbWVPYmplY3QqPihhc09iamVjdChoYW5kbGUuZ2V0KCkpKTsKICAgICBBU1NFUlQobV9y dW50aW1lT2JqZWN0cy5jb250YWlucyhvYmplY3QpKTsKIAorICAgIFJlZlB0cjxSb290T2JqZWN0 PiBwcm90ZWN0KHRoaXMpOwogICAgIG9iamVjdC0+aW52YWxpZGF0ZSgpOwogICAgIG1fcnVudGlt ZU9iamVjdHMucmVtb3ZlKG9iamVjdCk7CiB9Cg==