RESOLVED FIXED 23180
Reading freed memory at DocumentLoader::checkForPendingPreloads 
https://bugs.webkit.org/show_bug.cgi?id=23180
Summary Reading freed memory at DocumentLoader::checkForPendingPreloads
Mads Ager
Reported 2009-01-08 05:32:58 PST
In loader.cpp in Loader::Host::didFinishLoading the following two lines causes the problem: docLoader->setLoadInProgress(false); docLoader->checkForPendingPreloads(); setLoadInProgress(false) can cause the frame to be deallocated, which can cause the document to be deallocated and the document destructor deletes the DocumentLoader. Therefore, docLoader can be freed memory at the call to checkForPendingPreloads. This happens when running the layout test: LayoutTests/http/tests/misc/onload-remove-iframe-crash-2.html. Would it make sense to just reorder and check for pending preloads before setting load in progress to false?
Attachments
Patch (1.61 KB, patch)
2009-01-30 17:17 PST, Marc-André Decoste 		no flags
DetailsFormatted DiffDiff
New version of the patch based on recent comments. (1.81 KB, patch)
2009-02-02 12:18 PST, Marc-André Decoste 		koivisto: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Antti Koivisto
Comment 1 2009-01-09 11:17:00 PST
Sounds sensible
Jon@Chromium
Comment 2 2009-01-26 14:12:56 PST
See http://code.google.com/p/chromium/issues/detail?id=3949
Marc-André Decoste
Comment 3 2009-01-30 06:52:14 PST
Another solution I tried while working on the Chromium version of this bug is to hold on to a reference of the document while we interact with the docLoader... This would make the code safer for future maintenance and would not depend on the call order... I have a patch with that change (which is needed at two places by the way), that I will send for code review soon (once I know how to do this here, first time I try :-). (In reply to comment #0) > In loader.cpp in Loader::Host::didFinishLoading the following two lines causes > the problem: > > docLoader->setLoadInProgress(false); > docLoader->checkForPendingPreloads(); > > setLoadInProgress(false) can cause the frame to be deallocated, which can cause > the document to be deallocated and the document destructor deletes the > DocumentLoader. Therefore, docLoader can be freed memory at the call to > checkForPendingPreloads. > > This happens when running the layout test: > LayoutTests/http/tests/misc/onload-remove-iframe-crash-2.html. > > Would it make sense to just reorder and check for pending preloads before > setting load in progress to false? >
Marc-André Decoste
Comment 4 2009-01-30 17:17:22 PST
Created attachment 27203 [details] Patch To fix the bug as proposed in bug comments from me (mad).
Antti Koivisto
Comment 5 2009-01-31 02:15:21 PST
Looks good, two comments: - I believe "protector" is the usual name for this kind of variables in WebKit. I don't know what "gard" means. - Please provide a ChangeLog entry.
Marc-André Decoste
Comment 6 2009-02-02 12:18:43 PST
Created attachment 27252 [details] New version of the patch based on recent comments. Changed the variable name from gard (term used in Chromium, this is why I used it ;-), to protector which is more widely used in WebKit. Also added details to ChangeLog file (slowly getting used to the process :-) And fixed comments to be grammatically correct (start with a Capital and end with a period.). :-)
Antti Koivisto
Comment 7 2009-02-04 02:25:47 PST
Comment on attachment 27252 [details] New version of the patch based on recent comments. r=me
Eric Seidel (no email)
Comment 8 2009-02-04 16:42:12 PST
Committing to http://svn.webkit.org/repository/webkit/trunk ... M WebCore/ChangeLog M WebCore/loader/loader.cpp Committed r40648
Note You need to log in before you can comment on or make changes to this bug.