Changeset 84151 in webkit
Timestamp: Apr 18, 2011 9:37:50 AM
Location: trunk/Source/WebCore
Files: 2 edited
trunk/Source/WebCore/ChangeLog
r84150 r84151 1 2011-04-18 Antti Koivisto <antti@apple.com> 2 3 Reviewed by Simon Fraser. 4 5 CSSSelector double frees 6 https://bugs.webkit.org/show_bug.cgi?id=56124 7 <rdar://problem/9119036> 8 9 In all stacks this is occuring when the document is kept alive by the guard ref only 10 and the node holding it is deleted. 11 12 As a speculative fix, clear the document stylesheets when it turns into a guard ref zombie. 13 This has a pretty good chance of fixing the actual bug. At minimum it will move the 14 crash to an earlier, more easily traceble point. 15 16 No tests, crash stacks only, no idea how to reproduce. 17 18 * dom/Document.cpp: 19 (WebCore::Document::removedLastRef): 20 1 21 2011-04-18 Alexander Pavlov <apavlov@chromium.org> 2 22 -
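Review bot: two spelling errors in the new ChangeLog entry should be fixed before landing: "occuring" in "In all stacks this is occuring when the document is kept alive by the guard ref only" should be "occurring", and "traceble" in "crash to an earlier, more easily traceble point" should be "traceable". Since the entry itself states the fix is speculative and no test is possible, it would also help future readers if the entry named the symptom that would confirm the theory (a crash moving into Document::removedLastRef rather than into CSSSelector destruction), so the next person hitting the stacks knows whether this change helped.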
trunk/Source/WebCore/dom/Document.cpp
r84066 r84151 586 586 m_fullScreenElement = 0; 587 587 #endif 588 m_styleSelector.clear(); 589 m_styleSheets.clear(); 590 m_elemSheet.clear(); 591 m_mappedElementSheet.clear(); 592 m_pageUserSheet.clear(); 593 m_pageGroupUserSheets.clear(); 588 594 589 595 // removeAllChildren() doesn't always unregister IDs,
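Review bot: the six new clear() calls in Document::removedLastRef() carry no comment explaining why they are here or why their order matters. The ChangeLog says the double free is in CSSSelector and that the fix is speculative; nothing in the code says that. Add a short comment above `m_styleSelector.clear();` stating that the style selector must be torn down before `m_styleSheets`, `m_elemSheet`, `m_mappedElementSheet`, `m_pageUserSheet` and `m_pageGroupUserSheets`, because it refers to selectors that those sheets own, and that the whole block exists so a guard-ref zombie document no longer holds stylesheets. Without that note a later edit can reorder or drop these lines and silently reintroduce the use-after-free this change is trying to prevent.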