WebKit Bugzilla
Bug 78645: RootObject::finalize can cause a crash in object->invalidate()
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=78645
Reported by Mark Hahnenberg, 2012-02-14 15:38:57 PST
If we finalize weak handles and call RootObject::finalize(), it calls invalidate() on the object that it's finalizing and then removes it from its map of RuntimeObjects. However, invalidate() derefs that RuntimeObject which can call its destructor. In turn, it will deref its member RefPtr to the RootObject. If that RootObject's ref count then hits 0, its destructor will be called, which will then call invalidate() on all its objects in its map. This causes invalidate() to be called on that RuntimeObject twice, which causes a crash. Removing the object from the map first and then calling invalidate() on it should alleviate the crash because invalidate() can't be called a second time if the RootObject's destructor gets called since it will no longer be in the map.
Attachments
Patch (1.39 KB, patch), 2012-02-14 15:43 PST, Mark Hahnenberg, no flags
Patch (1.36 KB, patch), 2012-02-14 17:08 PST, Mark Hahnenberg, ggaren: review+
Comment 1, Mark Hahnenberg, 2012-02-14 15:39:21 PST:
<rdar://problem/10862749>

Comment 2, Mark Hahnenberg, 2012-02-14 15:43:45 PST:
Created attachment 127067 [details]: Patch

Comment 3, Geoffrey Garen, 2012-02-14 16:45:08 PST:
Comment on attachment 127067 [details] (Patch)
This looks good, but I think an even better fix would be "RefPtr<T> protect(this);"
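The lifetime hazard in the bug description and the "RefPtr<T> protect(this);" idiom from comment 3, as an added C++ model. This is example code written for this page, not WebKit's RootObject, RuntimeObject or WTF::RefPtr: the names are reused as stand-ins, the RefPtr is a minimal version with the one property the bug depends on (dropping the last reference destroys the target synchronously), the map of weak handles is a std::set of raw pointers, and two pieces of instrumentation are assumed for the demonstration: RuntimeObject::invalidate() counts repeated calls instead of crashing, and a destroyedFlag lets the as-reported ordering stop before it would touch the freed RootObject. The three finalize variants are the ordering the report describes, the reorder fix from the description, and the protect(this) suggestion.

```cpp
#include <set>

// Minimal intrusive smart pointer, written for this example rather than taken from WTF. It keeps the
// one property the bug depends on: dropping the last reference destroys the target synchronously.
template <typename T> class RefPtr {
public:
    explicit RefPtr(T* ptr) : m_ptr(ptr) { if (m_ptr) m_ptr->ref(); }
    RefPtr(const RefPtr&) = delete; RefPtr& operator=(const RefPtr&) = delete;
    ~RefPtr() { clear(); }
    void clear() { T* ptr = m_ptr; m_ptr = nullptr; if (ptr) ptr->deref(); }  // may run ~T() inline
private:
    T* m_ptr;
};

class RootObject;

// Stand-in for a RuntimeObject plus its Instance: it holds the RefPtr to the RootObject, and
// invalidate() is what releases it. A repeated invalidate() is counted here instead of crashing.
class RuntimeObject {
public:
    explicit RuntimeObject(RootObject* root);
    void invalidate();
    int invalidateCalls() const { return m_invalidateCalls; }
private:
    RefPtr<RootObject> m_rootObject;
    bool m_valid = true;
    int m_invalidateCalls = 0;
};

class RootObject {
public:
    explicit RootObject(bool* destroyedFlag) : m_destroyedFlag(destroyedFlag) {}
    void ref() { ++m_refCount; }
    void deref() { if (--m_refCount == 0) delete this; }
    ~RootObject()  // as in the report: the destructor invalidates everything still in the map
    {
        *m_destroyedFlag = true;
        for (RuntimeObject* object : m_runtimeObjects)
            object->invalidate();
    }
    void add(RuntimeObject* object) { m_runtimeObjects.insert(object); }

    // The order the report describes: invalidate, then remove. Returns false if the RootObject was
    // destroyed under us, which is where the original went on to use the map of a freed `this`.
    bool finalizeAsReported(RuntimeObject* object)
    {
        bool* destroyedFlag = m_destroyedFlag;  // copied out: `this` may not survive the next line
        object->invalidate();
        if (*destroyedFlag) return false;
        m_runtimeObjects.erase(object);
        return true;
    }
    bool finalizeRemoveFirst(RuntimeObject* object)  // the first patch: remove, then invalidate
    {
        m_runtimeObjects.erase(object);  // ~RootObject() can no longer reach the object
        object->invalidate();            // may destroy `this`; nothing after this line touches it
        return true;
    }
    bool finalizeProtectThis(RuntimeObject* object)  // comment 3's suggestion: hold a ref across the call
    {
        RefPtr<RootObject> protect(this);  // the refcount cannot reach 0 before protect goes out of scope
        object->invalidate();
        m_runtimeObjects.erase(object);
        return true;
    }  // ~protect runs here and may destroy the RootObject now that finalize is done with it
private:
    std::set<RuntimeObject*> m_runtimeObjects;  // the real map holds weak handles; raw pointers do here
    bool* m_destroyedFlag;
    int m_refCount = 0;
};

RuntimeObject::RuntimeObject(RootObject* root) : m_rootObject(root) {}
void RuntimeObject::invalidate()
{
    ++m_invalidateCalls;
    if (!m_valid) return;  // the real code has no guard here: this second call is the reported crash
    m_valid = false;
    m_rootObject.clear();  // last reference gone -> ~RootObject() -> invalidate() re-entered on us
}

typedef bool (RootObject::*FinalizeFn)(RuntimeObject*);
struct Outcome {
    int invalidateCalls;          // 1 is correct; 2 is the double invalidate() from the report
    bool rootFreedUnderFinalize;  // finalize() lost its RootObject before it was done with it
    bool rootDestroyed;           // the RootObject was freed by the end: no leak in any variant
};

// One RuntimeObject holds the only reference to its RootObject, so finalizing it drops the last ref.
static Outcome runScenario(FinalizeFn finalize)
{
    bool rootDestroyed = false;
    RootObject* root = new RootObject(&rootDestroyed);
    RuntimeObject object(root);  // refcount 1: only the object keeps the root alive
    root->add(&object);
    bool survived = (root->*finalize)(&object);
    // `root` is dangling now; only the flag and the stack-owned RuntimeObject may be inspected.
    return Outcome{ object.invalidateCalls(), !survived, rootDestroyed };
}
```

Running runScenario with finalizeAsReported gives two invalidate() calls on the same object and a RootObject that is already gone when finalize still needs it; the other two variants give one call each and still free the RootObject by the end. The reorder fix is correct only as long as nothing after the invalidate() call touches `this`, which is a property of that one function body; holding a reference for the duration of the call does not depend on what follows, which is the practical argument for the shape suggested in comment 3.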
Comment 4, Mark Hahnenberg, 2012-02-14 17:08:18 PST:
Created attachment 127083 [details]: Patch

Comment 5, Geoffrey Garen, 2012-02-15 09:29:27 PST:
Comment on attachment 127083 [details] (Patch)
r=me

Comment 6, Mark Hahnenberg, 2012-02-15 14:02:17 PST:
Committed r107837: <http://trac.webkit.org/changeset/107837>