RESOLVED FIXED 78645
RootObject::finalize can cause a crash in object->invalidate()
https://bugs.webkit.org/show_bug.cgi?id=78645
Summary RootObject::finalize can cause a crash in object->invalidate()
Mark Hahnenberg
Reported 2012-02-14 15:38:57 PST
If we finalize weak handles and call RootObject::finalize(), it calls invalidate() on the object that it's finalizing and then removes it from its map of RuntimeObjects. However, invalidate() derefs that RuntimeObject which can call its destructor. In turn, it will deref its member RefPtr to the RootObject. If that RootObject's ref count then hits 0, its destructor will be called, which will then call invalidate() on all its objects in its map. This causes invalidate() to be called on that RuntimeObject twice, which causes a crash. Removing the object from the map first and then calling invalidate() on it should alleviate the crash because invalidate() can't be called a second time if the RootObject's destructor gets called since it will no longer be in the map.
Attachments
Patch (1.39 KB, patch)
2012-02-14 15:43 PST, Mark Hahnenberg
no flags
Patch (1.36 KB, patch)
2012-02-14 17:08 PST, Mark Hahnenberg
ggaren: review+
Mark Hahnenberg
Comment 1 2012-02-14 15:39:21 PST
Mark Hahnenberg
Comment 2 2012-02-14 15:43:45 PST
Geoffrey Garen
Comment 3 2012-02-14 16:45:08 PST
Comment on attachment 127067 [details] Patch This looks good, but I think an even better fix would be "RefPtr<T> protect(this);"
Mark Hahnenberg
Comment 4 2012-02-14 17:08:18 PST
Geoffrey Garen
Comment 5 2012-02-15 09:29:27 PST
Comment on attachment 127083 [details] Patch r=me
Mark Hahnenberg
Comment 6 2012-02-15 14:02:17 PST
Note You need to log in before you can comment on or make changes to this bug.