Changeset 139209 in webkit
- Timestamp: Jan 9, 2013 10:52:12 AM (11 years ago)
- Location: trunk/Source/WebCore
- Files: 2 edited
trunk/Source/WebCore/ChangeLog
r139208 r139209 1 2013-01-09 Yongjun Zhang <yongjun_zhang@apple.com> 2 3 If ImageLoader's loadEventSender or errorEventSender fires after document is detached, the document will be leaked. 4 5 https://bugs.webkit.org/show_bug.cgi?id=106394 6 7 Reviewed by Alexey Proskuryakov. 8 9 ImageLoader's loadEventSender and errorEventSender schedule event dispatching in separate timers and refs 10 the Element in updatedHasPendingEvent. If the Document is detached before either eventSender dispatches, 11 we would leak the Document since we bail out early in dispatchPendingLoadEvent or dispatchPendingErrorEvent, 12 without deref-ing the Element itself. 13 14 No new tests. Verified manually by using heap tool to count the living HTMLDocuments. 15 16 * loader/ImageLoader.cpp: 17 (WebCore::ImageLoader::dispatchPendingLoadEvent): also call updatedHasPendingEvent to deref the Element if 18 the document is detached. 19 (WebCore::ImageLoader::dispatchPendingErrorEvent): ditto. 20 1 21 2013-01-09 Dimitri Glazkov <dglazkov@chromium.org> 2 22 -
trunk/Source/WebCore/loader/ImageLoader.cpp
r138724 r139209 415 415 if (!m_image) 416 416 return; 417 if (!document()->attached())418 return;419 417 m_hasPendingLoadEvent = false; 420 dispatchLoadEvent(); 418 if (document()->attached()) 419 dispatchLoadEvent(); 421 420 422 421 // Only consider updating the protection ref-count of the Element immediately before returning … … 429 428 if (!m_hasPendingErrorEvent) 430 429 return; 431 if (!document()->attached())432 return;433 430 m_hasPendingErrorEvent = false; 434 client()->imageElement()->dispatchEvent(Event::create(eventNames().errorEvent, false, false)); 431 if (document()->attached()) 432 client()->imageElement()->dispatchEvent(Event::create(eventNames().errorEvent, false, false)); 433 434 // Only consider updating the protection ref-count of the Element immediately before returning 435 // from this function as doing so might result in the destruction of this ImageLoader. 436 updatedHasPendingEvent(); 435 437 } 436 438
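Review bot: The ChangeLog entry states "No new tests" and relies on a manual heap-tool count of living HTMLDocuments, so nothing automated guards against this Document leak regressing. If the case of a document detached before the event sender fires can be reproduced in a regression test, add one; otherwise state in the entry why an automated test is not feasible.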
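Review bot: In dispatchPendingLoadEvent, the `if (!m_image) return;` early return at lines 415-416 still sits ahead of `m_hasPendingLoadEvent = false;` and the ref-count update that the comment at line 422 refers to, which is the same bail-out-without-deref shape this patch removes for the detached case. Please confirm that path cannot be reached while the Element is still ref'd for a pending event, or clear the flag and update the ref-count on that path as well.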
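Review bot: In dispatchPendingErrorEvent, the added `updatedHasPendingEvent();` at new line 436 also runs when the document is attached, whereas the old function ended directly after the dispatchEvent() call, so this hunk changes the attached error path too and not only the detached case. The ChangeLog describes this function as "ditto"; it should say that the error path now updates the protection ref-count in both cases, so a later reader does not take the attached-path change for an accident.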