Changeset 84151 in webkit


Timestamp:
Apr 18, 2011 9:37:50 AM
Author:
Antti Koivisto
Message:

CSSSelector double frees
https://bugs.webkit.org/show_bug.cgi?id=56124
<rdar://problem/9119036>

Reviewed by Simon Fraser.

In all stacks this is occurring when the document is kept alive by the guard ref only
and the node holding it is deleted.

As a speculative fix, clear the document stylesheets when it turns into a guard ref zombie.
This has a pretty good chance of fixing the actual bug. At minimum it will move the
crash to an earlier, more easily traceable point.

No tests, crash stacks only, no idea how to reproduce.

* dom/Document.cpp:
  (WebCore::Document::removedLastRef):
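The lifecycle the commit message describes, as an added illustration that is not WebKit code: a document has ordinary refs from the outside world and "guard" refs from its own nodes; when the last ordinary ref goes while a node still guards it, the document becomes a zombie, and the fix clears the style data at that moment rather than letting it linger until the node dies. The types Sheet, Selector, Node, Document and the counter kSheetsAlive are assumed for this model, which drops WebKit's extra guardRef()/removeAllChildren() handling to keep the ordering visible.

```cpp
// Added illustration (not WebKit code) of the "guard ref zombie" lifecycle.
// Names (Sheet, Selector, Node, Document, kSheetsAlive) are assumed here.
#include <cassert>
#include <memory>
#include <vector>

static int kSheetsAlive = 0;   // live Sheet objects, to observe teardown order

struct Sheet {
    Sheet() { ++kSheetsAlive; }
    ~Sheet() { --kSheetsAlive; }
};

// Non-owning index over the document's sheets, like a style selector's rule
// set: raw pointers that would dangle if the sheets died first.
struct Selector {
    std::vector<Sheet*> rules;
    explicit Selector(const std::vector<std::shared_ptr<Sheet>>& sheets) {
        for (const auto& s : sheets) rules.push_back(s.get());
    }
};

class Document {
public:
    // Two counters: ordinary refs from outside, and guard (self-only) refs
    // held by the document's own nodes.
    void ref() { ++m_refCount; }
    void deref() { if (--m_refCount == 0) removedLastRef(); }
    void guardRef() { ++m_guardRefCount; }
    void guardDeref() { if (--m_guardRefCount == 0 && m_refCount == 0) delete this; }

    void addSheet() { m_sheets.push_back(std::make_shared<Sheet>()); }
    void buildSelector() { m_selector = std::make_unique<Selector>(m_sheets); }

    // What a dying node might still ask of its document. Returns 0 on a
    // zombie, whose style data has already been cleared.
    int ruleCount() const { return m_selector ? static_cast<int>(m_selector->rules.size()) : 0; }
    bool isZombie() const { return m_refCount == 0; }

private:
    void removedLastRef() {
        if (m_guardRefCount) {
            // Still referenced by nodes: become a zombie instead of dying.
            // Drop the selector before the sheets it indexes, then the sheets,
            // so nothing reachable from a dying node holds stale style data.
            m_selector.reset();
            m_sheets.clear();
            return;
        }
        delete this;
    }
    int m_refCount = 0;
    int m_guardRefCount = 0;
    std::vector<std::shared_ptr<Sheet>> m_sheets;
    std::unique_ptr<Selector> m_selector;
};

// A node keeps its document alive with a guard ref only.
struct Node {
    Document* doc;
    explicit Node(Document* d) : doc(d) { doc->guardRef(); }
    ~Node() {
        (void)doc->ruleCount();   // safe on a zombie: 0, never a dangling read
        doc->guardDeref();        // last guard ref gone -> document deleted
    }
};

// Drives the scenario from the commit message: the outside world lets go of
// the document while a node still guards it; the node is deleted afterwards.
// Returns how many sheets were still alive at the moment the document became
// a zombie (0 with the fix, because removedLastRef cleared them).
int sheetsAliveWhenZombie() {
    auto* doc = new Document;
    doc->ref();
    doc->addSheet();
    doc->addSheet();
    doc->buildSelector();
    auto* node = new Node(doc);
    assert(doc->ruleCount() == 2);
    doc->deref();                  // last ordinary ref gone -> zombie
    int alive = kSheetsAlive;
    assert(doc->isZombie() && doc->ruleCount() == 0);
    delete node;                   // guard ref gone -> document freed
    return alive;
}
```

Without the two lines in removedLastRef, the sheets and the raw-pointer index would survive into the zombie state and be torn down only when the last node dies, which is exactly the window in which the reported stacks crash.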

Location:
trunk/Source/WebCore
Files:
2 edited

  • trunk/Source/WebCore/ChangeLog

    r84150 r84151  
     12011-04-18  Antti Koivisto  <antti@apple.com>
     2
     3        Reviewed by Simon Fraser.
     4
     5        CSSSelector double frees
     6        https://bugs.webkit.org/show_bug.cgi?id=56124
     7        <rdar://problem/9119036>
     8
     9        In all stacks this is occuring when the document is kept alive by the guard ref only
     10        and the node holding it is deleted.
     11
     12        As a speculative fix, clear the document stylesheets when it turns into a guard ref zombie.
     13        This has a pretty good chance of fixing the actual bug. At minimum it will move the
     14        crash to an earlier, more easily traceble point.
     15
     16        No tests, crash stacks only, no idea how to reproduce.
     17
     18        * dom/Document.cpp:
     19        (WebCore::Document::removedLastRef):
     20
    1212011-04-18  Alexander Pavlov  <apavlov@chromium.org>
    222
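Review bot: "occuring" and "traceble" in the new ChangeLog entry are misspelled; make them "occurring" and "traceable" so the entry matches the commit message once that is fixed too.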
  • trunk/Source/WebCore/dom/Document.cpp

    r84066 r84151  
    586586        m_fullScreenElement = 0;
    587587#endif
     588        m_styleSelector.clear();
     589        m_styleSheets.clear();
     590        m_elemSheet.clear();
     591        m_mappedElementSheet.clear();
     592        m_pageUserSheet.clear();
     593        m_pageGroupUserSheets.clear();
    588594
    589595        // removeAllChildren() doesn't always unregister IDs,
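Review bot: the six new clears carry no comment, so the next reader will take them for routine cleanup rather than the speculative fix for the CSSSelector double frees (bug 56124); add a short comment above m_styleSelector.clear() naming the bug and stating that the selector is dropped before the sheets it indexes. The order shown is the right one for that reason: m_styleSelector.clear() precedes m_styleSheets.clear(), m_elemSheet.clear() and the other sheet members, so no rule set outlives the sheets it points into.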