RESOLVED FIXED 78645
RootObject::finalize can cause a crash in object->invalidate() 
https://bugs.webkit.org/show_bug.cgi?id=78645
Summary RootObject::finalize can cause a crash in object->invalidate()
Mark Hahnenberg
Reported 2012-02-14 15:38:57 PST
If we finalize weak handles and call RootObject::finalize(), it calls invalidate() on the object that it's finalizing and then removes it from its map of RuntimeObjects. However, invalidate() derefs that RuntimeObject which can call its destructor. In turn, it will deref its member RefPtr to the RootObject. If that RootObject's ref count then hits 0, its destructor will be called, which will then call invalidate() on all its objects in its map. This causes invalidate() to be called on that RuntimeObject twice, which causes a crash. Removing the object from the map first and then calling invalidate() on it should alleviate the crash because invalidate() can't be called a second time if the RootObject's destructor gets called since it will no longer be in the map.
Attachments
Patch (1.39 KB, patch)
2012-02-14 15:43 PST, Mark Hahnenberg 		no flags
DetailsFormatted DiffDiff
Patch (1.36 KB, patch)
2012-02-14 17:08 PST, Mark Hahnenberg 		ggaren: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Mark Hahnenberg
Comment 1 2012-02-14 15:39:21 PST
<rdar://problem/10862749>
Mark Hahnenberg
Comment 2 2012-02-14 15:43:45 PST
Created attachment 127067 [details] Patch
Geoffrey Garen
Comment 3 2012-02-14 16:45:08 PST
Comment on attachment 127067 [details] Patch This looks good, but I think an even better fix would be "RefPtr<T> protect(this);"
Mark Hahnenberg
Comment 4 2012-02-14 17:08:18 PST
Created attachment 127083 [details] Patch
Geoffrey Garen
Comment 5 2012-02-15 09:29:27 PST
Comment on attachment 127083 [details] Patch r=me
Mark Hahnenberg
Comment 6 2012-02-15 14:02:17 PST
Committed r107837: <http://trac.webkit.org/changeset/107837>
Note You need to log in before you can comment on or make changes to this bug.