RESOLVED FIXED 25759
[Invalid memory write] HTMLCanvasElement object accessed after deletion
https://bugs.webkit.org/show_bug.cgi?id=25759
Summary [Invalid memory write] HTMLCanvasElement object accessed after deletion
Rahul Kuchhal
Reported 2009-05-13 14:06:08 PDT
WebKit r43650

Debug WebKit using Safari and open LayoutTests/fast/canvas/canvas-as-image.html in Safari.

When the page gets unloaded:
Document.cpp:420 - m_cssCanvasElements.clear();
ends up destroying the canvas element.

Later, when Document gets deleted, CSSCanvasValue::~CSSCanvasValue() gets called, which tries to call HTMLCanvasElement::setObserver() on an object that has already been deleted.
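The lifetime problem in this report is a classic dangling-observer pattern: the element holds a raw pointer to its observer, the CSS value holds a raw pointer back to the element and unregisters itself in its destructor, and nothing tells the value when the element dies first. The example below is an added model of that pattern and of one way to close it, not WebKit's own code and not the contents of the attached patch. The `destroy()` tombstone (the element is marked dead instead of actually freed, so the stale write can be counted rather than being undefined behaviour), the `canvasDestroyed()` notification hook and the `simulate*` drivers are all assumptions made for the illustration.

```cpp
// Added example (not WebKit code): minimal model of the element/observer
// lifetime bug in this report and of a fix in which the element notifies its
// observer before it goes away.

// Counts writes into an element that has already been "destroyed"; stands in
// for what Valgrind or MallocScribble would flag as an invalid write.
static int g_invalidWrites = 0;

struct CanvasObserver {
    virtual ~CanvasObserver() {}
    // Hypothetical hook: the element tells its observer that it is going away.
    virtual void canvasDestroyed() = 0;
};

// Stand-in for HTMLCanvasElement. It is never really freed here; it is marked
// dead so a use-after-destruction can be observed without undefined behaviour.
struct CanvasElement {
    CanvasObserver* observer = nullptr;
    bool destroyed = false;
    bool notifyOnDestroy;   // false = buggy behaviour, true = fixed behaviour

    explicit CanvasElement(bool notify) : notifyOnDestroy(notify) {}

    void setObserver(CanvasObserver* o) {
        if (destroyed)
            ++g_invalidWrites;   // this is the write into freed memory
        observer = o;
    }

    // Models the element being deleted when Document clears
    // m_cssCanvasElements at unload, long before the Document itself dies.
    void destroy() {
        destroyed = true;
        if (notifyOnDestroy && observer)
            observer->canvasDestroyed();
    }
};

// Stand-in for CSSCanvasValue: raw back-pointer to the element, and an
// unregistration in the destructor that is only safe while the element lives.
struct CanvasValue : CanvasObserver {
    CanvasElement* element;

    explicit CanvasValue(CanvasElement* e) : element(e) { element->setObserver(this); }

    // Fixed path: drop the back-pointer as soon as the element is gone.
    void canvasDestroyed() override { element = nullptr; }

    ~CanvasValue() override {
        if (element)
            element->setObserver(nullptr);   // invalid if the element already died
    }
};

// Reproduces the ordering from the report: canvas element destroyed at
// unload, CSS value destroyed later with the Document. Returns the number of
// invalid writes seen (1 for the buggy ordering, 0 with the notification).
int simulateUnload(bool fixed) {
    g_invalidWrites = 0;
    CanvasElement element(fixed);
    {
        CanvasValue value(&element);
        element.destroy();   // m_cssCanvasElements.clear() kills the element first
    }                        // ~CanvasValue runs here, after the element is gone
    return g_invalidWrites;
}

// The ordinary ordering: value dies first and cleanly clears the element's
// observer pointer. True when no invalid write happened and the link is gone.
bool valueDiesFirstIsClean() {
    g_invalidWrites = 0;
    CanvasElement element(true);
    {
        CanvasValue value(&element);
    }   // ~CanvasValue clears element.observer while the element is still alive
    return g_invalidWrites == 0 && element.observer == nullptr;
}
```

The point to take from the model is that a raw back-pointer is only as safe as the guarantee that its target outlives the holder; when two objects with raw pointers to each other can be torn down in either order, one side has to inform the other, or the pointer has to be cleared by whoever breaks the link. Running the buggy ordering under `MallocScribble=1` or Valgrind, as the reporter and Eric did, is what turns the silent stale write into something visible.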
Attachments
Fix invalid memory write seen in HTMLCanvasElement by Valgrind (3.14 KB, patch)
2009-05-13 18:36 PDT, Eric Seidel (no email)
oliver: review+
Eric Seidel (no email)
Comment 1 2009-05-13 18:34:07 PDT
Scribbled and guarded, I'm not able to produce a crash here:
MallocScribble=1 run-webkit-tests --guard LayoutTests/fast/canvas/canvas-as-image.html

But I was able to see this happening in the debugger. I have a patch to fix this which I'll post shortly.
Eric Seidel (no email)
Comment 2 2009-05-13 18:36:14 PDT
Created attachment 30311 [details]
Fix invalid memory write seen in HTMLCanvasElement by Valgrind

5 files changed, 31 insertions(+), 4 deletions(-)
Eric Seidel (no email)
Comment 3 2009-05-13 18:47:29 PDT
Committing to http://svn.webkit.org/repository/webkit/trunk ...
    M    WebCore/ChangeLog
    M    WebCore/css/CSSCanvasValue.cpp
    M    WebCore/css/CSSCanvasValue.h
    M    WebCore/html/HTMLCanvasElement.cpp
    M    WebCore/html/HTMLCanvasElement.h
Committed r43678