WebKit r43650

Debug WebKit using Safari and open LayoutTests/fast/canvas/canvas-as-image.html in Safari.

When the page gets unloaded, Document.cpp:420 (m_cssCanvasElements.clear();) ends up destroying the canvas element. Later, when the Document gets deleted, CSSCanvasValue::~CSSCanvasValue() gets called, which tries to call HTMLCanvasElement::setObserver() on an object that has already been deleted.
Scribbled and guarded, I'm not able to produce a crash here:

MallocScribble=1 run-webkit-tests --guard LayoutTests/fast/canvas/canvas-as-image.html

But I was able to see this happening in the debugger. I have a patch to fix this which I'll post shortly.
Created attachment 30311 [details]
Fix invalid memory write seen in HTMLCanvasElement by Valgrind

5 files changed, 31 insertions(+), 4 deletions(-)
Committing to http://svn.webkit.org/repository/webkit/trunk ...
M WebCore/ChangeLog
M WebCore/css/CSSCanvasValue.cpp
M WebCore/css/CSSCanvasValue.h
M WebCore/html/HTMLCanvasElement.cpp
M WebCore/html/HTMLCanvasElement.h
Committed r43678
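The report above describes a classic dangling-observer use-after-free: the observed object (the canvas element) is freed first, and the observer's destructor later writes through its stale pointer. The following is an added, self-contained C++ example illustrating the defensive pattern for that ordering problem; it is not the WebKit patch (r43678) and does not reproduce WebKit's classes. The names CanvasElement and CanvasValue are hypothetical stand-ins chosen for readability, and the assumption is that the element notifies its observer when it is destroyed so the observer drops its pointer, whichever side dies first.

```cpp
#include <cassert>

// Hypothetical interface: the observed object calls back into its observer
// when it is about to be destroyed. Not WebKit's CanvasObserver.
class CanvasObserver {
public:
    virtual ~CanvasObserver() {}
    virtual void canvasDestroyed() = 0;
};

// Stand-in for the observed element. Hardened: on destruction it tells the
// observer to forget it, so no dangling pointer survives the element.
class CanvasElement {
public:
    ~CanvasElement() {
        if (m_observer)
            m_observer->canvasDestroyed();
    }
    void setObserver(CanvasObserver* observer) { m_observer = observer; }
    CanvasObserver* observer() const { return m_observer; }
private:
    CanvasObserver* m_observer = nullptr;
};

// Stand-in for the observer (the CSS value that references the element).
class CanvasValue : public CanvasObserver {
public:
    explicit CanvasValue(CanvasElement* element) : m_element(element) {
        m_element->setObserver(this);
    }
    ~CanvasValue() override {
        // Only touch the element if it is still alive; the bug in the report
        // was an unconditional call into already-freed memory here.
        if (m_element)
            m_element->setObserver(nullptr);
    }
    void canvasDestroyed() override { m_element = nullptr; }
    bool hasElement() const { return m_element != nullptr; }
private:
    CanvasElement* m_element;
};

// Ordering from the report: the element is destroyed (the equivalent of
// m_cssCanvasElements.clear()) before the value that observes it.
bool elementDestroyedFirstIsSafe() {
    CanvasElement* element = new CanvasElement;
    CanvasValue* value = new CanvasValue(element);
    delete element;                      // observer is notified, drops its pointer
    bool detached = !value->hasElement();
    delete value;                        // destructor no longer dereferences freed memory
    return detached;
}

// Opposite ordering: the value goes first and must unregister itself.
bool valueDestroyedFirstIsSafe() {
    CanvasElement* element = new CanvasElement;
    CanvasValue* value = new CanvasValue(element);
    delete value;                        // clears the element's observer pointer
    bool cleared = element->observer() == nullptr;
    delete element;                      // nothing left to notify
    return cleared;
}

int main() {
    assert(elementDestroyedFirstIsSafe());
    assert(valueDestroyedFirstIsSafe());
    return 0;
}
```

Running the two orderings under a scribbling allocator or Valgrind, as the reporter did, is the practical check: with the notification in place neither destructor reads or writes memory that has already been returned to the allocator.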