Changeset 139209 in webkit
Timestamp:
Jan 9, 2013 10:52:12 AM (11 years ago)
Author:
commit-queue@webkit.org
Message:

If ImageLoader's loadEventSender or errorEventSender fires after document is detached, the document will be leaked.

https://bugs.webkit.org/show_bug.cgi?id=106394

Patch by Yongjun Zhang <yongjun_zhang@apple.com> on 2013-01-09
Reviewed by Alexey Proskuryakov.

ImageLoader's loadEventSender and errorEventSender schedule event dispatching in separate timers and refs
the Element in updatedHasPendingEvent. If the Document is detached before either eventSender dispatches,
we would leak the Document since we bail out early in dispatchPendingLoadEvent or dispatchPendingErrorEvent,
without deref-ing the Element itself.

No new tests. Verified manually by using heap tool to count the living HTMLDocuments.

  • loader/ImageLoader.cpp:
    (WebCore::ImageLoader::dispatchPendingLoadEvent): also call updatedHasPendingEvent to deref the Element if the document is detached.
    (WebCore::ImageLoader::dispatchPendingErrorEvent): ditto.

Location:
trunk/Source/WebCore
Files:
2 edited

  • trunk/Source/WebCore/ChangeLog

    r139208 r139209  
     12013-01-09  Yongjun Zhang  <yongjun_zhang@apple.com>
     2
     3        If ImageLoader's loadEventSender or errorEventSender fires after document is detached, the document will be leaked.
     4
     5        https://bugs.webkit.org/show_bug.cgi?id=106394
     6
     7        Reviewed by Alexey Proskuryakov.
     8
     9        ImageLoader's loadEventSender and errorEventSender schedule event dispatching in separate timers and refs
     10        the Element in updatedHasPendingEvent.  If the Document is detached before either eventSender dispatches,
     11        we would leak the Document since we bail out early in dispatchPendingLoadEvent or dispatchPendingErrorEvent,
     12        without deref-ing the Element itself.
     13
     14        No new tests.  Verified manually by using heap tool to count the living HTMLDocuments.
     15
     16        * loader/ImageLoader.cpp:
     17        (WebCore::ImageLoader::dispatchPendingLoadEvent): also call updatedHasPendingEvent to deref the Element if
     18                    the document is detached.
     19        (WebCore::ImageLoader::dispatchPendingErrorEvent): ditto.
     20
    1212013-01-09  Dimitri Glazkov  <dglazkov@chromium.org>
    222
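Review bot: the "No new tests" line at 14 leaves this leak unguarded against regression; since the symptom is a live HTMLDocument count that does not drop after detaching, a layout test that loads an image into a frame, removes the frame before the load or error event fires, and then checks the document count through the testing harness would pin the fix, and the manual heap-tool verification could be noted as supplementary rather than as the only check.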
  • trunk/Source/WebCore/loader/ImageLoader.cpp

    r138724 r139209  
    415415    if (!m_image)
    416416        return;
    417     if (!document()->attached())
    418         return;
    419417    m_hasPendingLoadEvent = false;
    420     dispatchLoadEvent();
     418    if (document()->attached())
     419        dispatchLoadEvent();
    421420
    422421    // Only consider updating the protection ref-count of the Element immediately before returning
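Review bot: the new `if (document()->attached())` guard at 418 deserves a one-line comment stating that the load event is deliberately dropped for a detached document while `m_hasPendingLoadEvent = false` at 417 still runs, so that the `updatedHasPendingEvent()` call the existing comment at 421 refers to can release the Element protection; without that note a later reader may restore the early `return` and reintroduce the leak. The existing warning that updatedHasPendingEvent() may destroy this ImageLoader still applies, so nothing should touch members after it.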
     
    429428    if (!m_hasPendingErrorEvent)
    430429        return;
    431     if (!document()->attached())
    432         return;
    433430    m_hasPendingErrorEvent = false;
    434     client()->imageElement()->dispatchEvent(Event::create(eventNames().errorEvent, false, false));
     431    if (document()->attached())
     432        client()->imageElement()->dispatchEvent(Event::create(eventNames().errorEvent, false, false));
     433
     434    // Only consider updating the protection ref-count of the Element immediately before returning
     435    // from this function as doing so might result in the destruction of this ImageLoader.
     436    updatedHasPendingEvent();
    435437}
    436438
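Review bot: the ChangeLog's "ditto" undersells this hunk: the right-side-only lines 433-436 show that dispatchPendingErrorEvent previously had no updatedHasPendingEvent() call at all (the old 434 dispatchEvent was followed directly by `}` at 435), so the error path now gains the protection release outright, not just for the detached case; the ChangeLog entry should say so. The comment at 434-435 is also a verbatim copy of the one in dispatchPendingLoadEvent; a short cross-reference ("see dispatchPendingLoadEvent") would keep the two from drifting apart.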