Bug 25759

Summary: [Invalid memory write] HTMLCanvasElement object accessed after deletion
Product: WebKit
Reporter: Rahul Kuchhal <kuchhal>
Component: DOM
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal    
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: PC   
OS: Windows XP   
URL: LayoutTests/fast/canvas/canvas-as-image.html
Attachments (description / flags):
Fix invalid memory write seen in HTMLCanvasElement by Valgrind / oliver: review+

Rahul Kuchhal
Reported 2009-05-13 14:06:08 PDT
WebKit r43650. Debug WebKit using Safari and open LayoutTests/fast/canvas/canvas-as-image.html in Safari. When the page gets unloaded, Document.cpp:420 - m_cssCanvasElements.clear(); ends up destroying the canvas element. Later, when Document gets deleted, CSSCanvasValue::~CSSCanvasValue() gets called, which tries to call HTMLCanvasElement::setObserver() on an object that has already been deleted.
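The failure sequence in this report, as an added C++ illustration (not WebKit's code and not from the patch): the canvas is destroyed first, and the observer that still holds a raw pointer to it runs its destructor later. All names are constructed stand-ins, and the fix modelled (the dying canvas notifying its observer so it drops the pointer) is an assumption about the approach, not a transcription of r43678.

```cpp
// Added illustration, not WebKit's code: reduced model of this report's lifetime bug.
// The observer (CSSCanvasValue) holds a raw pointer to the canvas; unload destroys the
// canvas first and ~CSSCanvasValue later calls setObserver() through the dangling
// pointer. Names are constructed stand-ins; the fix modelled is destroy-notification.
#include <set>

struct Canvas;
static std::set<Canvas*> g_liveCanvases;  // crude liveness registry, so the dangling case is detected without dereferencing freed memory

struct CanvasObserver {
    virtual ~CanvasObserver() = default;
    virtual void canvasDestroyed(Canvas&) = 0;
};

struct Canvas {
    CanvasObserver* observer = nullptr;
    bool notifyOnDestroy;  // false = behaviour before the fix, true = after
    explicit Canvas(bool fixed) : notifyOnDestroy(fixed) { g_liveCanvases.insert(this); }
    ~Canvas() {
        g_liveCanvases.erase(this);
        if (notifyOnDestroy && observer) observer->canvasDestroyed(*this);  // the fix: tell the observer to drop its pointer
    }
    void setObserver(CanvasObserver* o) { observer = o; }
};

struct CssCanvasValue : CanvasObserver {
    Canvas* element = nullptr;
    bool* sawDanglingAccess;
    explicit CssCanvasValue(bool* flag) : sawDanglingAccess(flag) {}
    ~CssCanvasValue() override {
        if (!element) return;
        if (!g_liveCanvases.count(element)) { *sawDanglingAccess = true; return; }  // the invalid write Valgrind reported
        element->setObserver(nullptr);
    }
    void canvasDestroyed(Canvas& c) override { if (element == &c) element = nullptr; }
};

// Replays the reported sequence; returns true if ~CssCanvasValue would have used freed memory.
bool runUnloadScenario(bool fixed) {
    bool dangling = false;
    {
        CssCanvasValue value(&dangling);
        Canvas* canvas = new Canvas(fixed);
        value.element = canvas;
        canvas->setObserver(&value);
        delete canvas;  // m_cssCanvasElements.clear() at unload destroys the canvas first
    }                   // the value dies later, with the Document
    return dangling;
}
```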
Attachments
Fix invalid memory write seen in HTMLCanvasElement by Valgrind (3.14 KB, patch)
2009-05-13 18:36 PDT, Eric Seidel (no email)
oliver: review+
Eric Seidel (no email)
Comment 1 2009-05-13 18:34:07 PDT
Scribbled and guarded, I'm not able to produce a crash here:
MallocScribble=1 run-webkit-tests --guard LayoutTests/fast/canvas/canvas-as-image.html
But I was able to see this happening in the debugger. I have a patch to fix this which I'll post shortly.
Eric Seidel (no email)
Comment 2 2009-05-13 18:36:14 PDT
Created attachment 30311 [details] Fix invalid memory write seen in HTMLCanvasElement by Valgrind 5 files changed, 31 insertions(+), 4 deletions(-)
Eric Seidel (no email)
Comment 3 2009-05-13 18:47:29 PDT
Committing to http://svn.webkit.org/repository/webkit/trunk ...
M WebCore/ChangeLog
M WebCore/css/CSSCanvasValue.cpp
M WebCore/css/CSSCanvasValue.h
M WebCore/html/HTMLCanvasElement.cpp
M WebCore/html/HTMLCanvasElement.h
Committed r43678