Status: Untriaged Owner: ---- Labels: Type-Bug Pri-2 OS-All Area-Misc Size-Medium valgrind
New issue 9528 by [email protected]: Invalid write in WebCore::HTMLCanvasElement::setObserver in LayoutTests/fast/canvas/canvas-as-image.html http://code.google.com/p/chromium/issues/detail?id=9528 Valgrinding LayoutTests/fast/canvas/canvas-as-image.html on release or debug found an invalid write error (the trace below shows the write landing inside an HTMLCanvasElement block that had already been freed, i.e. a use-after-free). The command I used was echo LayoutTests/fast/canvas/canvas-as-image.html > bad.txt sh tools/valgrind/chrome_tests.sh -t layout -n 1 bad.txt (This requires a cl I hope to commit today.) Backtrace: 10:56:50 valgrind_analyze.py [ERROR] InvalidWrite Invalid write of size 4 WebCore::HTMLCanvasElement::setObserver(WebCore::CanvasObserver*) (WebKit/WebCore/html/HTMLCanvasElement.h:107) WebCore::CSSCanvasValue::~CSSCanvasValue() (WebKit/WebCore/css/CSSCanvasValue.cpp:37) WTF::RefCounted<WebCore::CSSValue>::deref() (WebKit/JavaScriptCore/wtf/RefCounted.h:94) WTF::RefPtr<WebCore::CSSValue>::~RefPtr() (WebKit/JavaScriptCore/wtf/RefPtr.h:50) WTF::VectorDestructor<true, WTF::RefPtr<WebCore::CSSValue> > ::destruct(WTF::RefPtr<WebCore::CSSValue>*, > WTF::RefPtr<WebCore::CSSValue>*) (WebKit/JavaScriptCore/wtf/Vector.h:80) WTF::VectorTypeOperations<WTF::RefPtr<WebCore::CSSValue> > ::destruct(WTF::RefPtr<WebCore::CSSValue>*, > WTF::RefPtr<WebCore::CSSValue>*) (WebKit/JavaScriptCore/wtf/Vector.h:235) WTF::Vector<WTF::RefPtr<WebCore::CSSValue>, 0u>::shrink(unsigned int) (WebKit/JavaScriptCore/wtf/Vector.h:713) WTF::Vector<WTF::RefPtr<WebCore::CSSValue>, 0u>::~Vector() (WebKit/JavaScriptCore/wtf/Vector.h:462) WebCore::CSSValueList::~CSSValueList() (WebKit/WebCore/css/CSSValueList.cpp:49) WTF::RefCounted<WebCore::CSSValue>::deref() (WebKit/JavaScriptCore/wtf/RefCounted.h:94) WTF::RefPtr<WebCore::CSSValue>::~RefPtr() (WebKit/JavaScriptCore/wtf/RefPtr.h:50) WebCore::CSSProperty::~CSSProperty() (WebKit/WebCore/css/CSSProperty.h:32) WTF::VectorDestructor<true, WebCore::CSSProperty>::destruct(WebCore::CSSProperty*, WebCore::CSSProperty*) (WebKit/JavaScriptCore/wtf/Vector.h:80) 
WTF::VectorTypeOperations<WebCore::CSSProperty>::destruct(WebCore::CSSProperty*, WebCore::CSSProperty*) (WebKit/JavaScriptCore/wtf/Vector.h:235) WTF::Vector<WebCore::CSSProperty, 4u>::shrink(unsigned int) (WebKit/JavaScriptCore/wtf/Vector.h:713) WTF::Vector<WebCore::CSSProperty, 4u>::~Vector() (WebKit/JavaScriptCore/wtf/Vector.h:462) WebCore::CSSMutableStyleDeclaration::~CSSMutableStyleDeclaration() (WebKit/WebCore/css/CSSMutableStyleDeclaration.h:58) WTF::RefCounted<WebCore::StyleBase>::deref() (WebKit/JavaScriptCore/wtf/RefCounted.h:94) WTF::RefPtr<WebCore::CSSMutableStyleDeclaration>::~RefPtr() (WebKit/JavaScriptCore/wtf/RefPtr.h:50) WebCore::CSSStyleRule::~CSSStyleRule() (WebKit/WebCore/css/CSSStyleRule.cpp:39) WTF::RefCounted<WebCore::StyleBase>::deref() (WebKit/JavaScriptCore/wtf/RefCounted.h:94) WTF::RefPtr<WebCore::StyleBase>::~RefPtr() (WebKit/JavaScriptCore/wtf/RefPtr.h:50) WTF::VectorDestructor<true, WTF::RefPtr<WebCore::StyleBase> > ::destruct(WTF::RefPtr<WebCore::StyleBase>*, > WTF::RefPtr<WebCore::StyleBase>*) (WebKit/JavaScriptCore/wtf/Vector.h:80) WTF::VectorTypeOperations<WTF::RefPtr<WebCore::StyleBase> > ::destruct(WTF::RefPtr<WebCore::StyleBase>*, > WTF::RefPtr<WebCore::StyleBase>*) (WebKit/JavaScriptCore/wtf/Vector.h:235) WTF::Vector<WTF::RefPtr<WebCore::StyleBase>, 0u>::shrink(unsigned int) (WebKit/JavaScriptCore/wtf/Vector.h:713) WTF::Vector<WTF::RefPtr<WebCore::StyleBase>, 0u>::~Vector() (WebKit/JavaScriptCore/wtf/Vector.h:462) WebCore::StyleList::~StyleList() (WebKit/WebCore/css/StyleList.h:33) WebCore::StyleSheet::~StyleSheet() (WebKit/WebCore/css/StyleSheet.cpp:58) WebCore::CSSStyleSheet::~CSSStyleSheet() (WebKit/WebCore/css/CSSStyleSheet.cpp:70) WTF::RefCounted<WebCore::StyleBase>::deref() (WebKit/JavaScriptCore/wtf/RefCounted.h:94) Address 0x121d98a4 is 76 bytes inside a block of size 108 free'd operator delete(void*) (valgrind/trunk/coregrind/m_replacemalloc/vg_replace_malloc.c:362) WebCore::HTMLCanvasElement::~HTMLCanvasElement() 
(WebKit/WebCore/html/HTMLCanvasElement.cpp:74) WebCore::TreeShared<WebCore::Node>::removedLastRef() (WebKit/WebCore/platform/TreeShared.h:99) WebCore::TreeShared<WebCore::Node>::deref() (WebKit/WebCore/platform/TreeShared.h:69) WTF::RefPtr<WebCore::HTMLCanvasElement>::~RefPtr() (WebKit/JavaScriptCore/wtf/RefPtr.h:50) std::pair<WebCore::String, WTF::RefPtr<WebCore::HTMLCanvasElement> >::~pair() (nclude/c++/4.2/bits/stl_pair.h:69) WTF::HashTable<WebCore::String, std::pair<WebCore::String, WTF::RefPtr<WebCore::HTMLCanvasElement> >, WTF::PairFirstExtractor<std::pair<WebCore::String, WTF::RefPtr<WebCore::HTMLCanvasElement> > >, WebCore::StringHash, WTF::PairHashTraits<WTF::HashTraits<WebCore::String>, WTF::HashTraits<WTF::RefPtr<WebCore::HTMLCanvasElement> > >, WTF::HashTraits<WebCore::String> >::deallocateTable(std::pair<WebCore::String, WTF::RefPtr<WebCore::HTMLCanvasElement> >*, int) (WebKit/JavaScriptCore/wtf/HashTable.h:872) WTF::HashTable<WebCore::String, std::pair<WebCore::String, WTF::RefPtr<WebCore::HTMLCanvasElement> >, WTF::PairFirstExtractor<std::pair<WebCore::String, WTF::RefPtr<WebCore::HTMLCanvasElement> > >, WebCore::StringHash, WTF::PairHashTraits<WTF::HashTraits<WebCore::String>, WTF::HashTraits<WTF::RefPtr<WebCore::HTMLCanvasElement> > >, WTF::HashTraits<WebCore::String> >::clear() (WebKit/JavaScriptCore/wtf/HashTable.h:924) WTF::HashMap<WebCore::String, WTF::RefPtr<WebCore::HTMLCanvasElement>, WebCore::StringHash, WTF::HashTraits<WebCore::String>, WTF::HashTraits<WTF::RefPtr<WebCore::HTMLCanvasElement> > >::clear() (WebKit/JavaScriptCore/wtf/HashMap.h:231) WebCore::Document::removedLastRef() (WebKit/WebCore/dom/Document.cpp:424) WebCore::TreeShared<WebCore::Node>::deref() (WebKit/WebCore/platform/TreeShared.h:69) WebCore::WeakNodeCallback(v8::Persistent<v8::Value>, void*) (webkit/port/bindings/v8/v8_proxy.cpp:710) v8::internal::GlobalHandles::Node::PostGarbageCollectionProcessing() (v8/src/global- 
v8::internal::GlobalHandles::PostGarbageCollectionProcessing() (v8/src/global- v8::internal::Heap::PostGarbageCollectionProcessing() (v8/src/heap.cc:429) v8::internal::Heap::PerformGarbageCollection(v8::internal::AllocationSpace, v8::internal::GarbageCollector, v8::internal::GCTracer*) (v8/src/heap.cc:412) v8::internal::Heap::CollectGarbage(int, v8::internal::AllocationSpace) (v8/src/heap.cc:342) v8::internal::GCExtension::GC(v8::Arguments const&) (v8/src/execution.cc:629) v8::internal::Builtin_HandleApiCall(int, v8::internal::Object**) (v8/src/builtins.cc:380) 0x12CCC14A () 0x12CDF074 () 0x12CCCBF8 () 0x12CCC673 () v8::internal::Invoke(bool, v8::internal::Handle<v8::internal::JSFunction>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Object***, bool*) (v8/src/execution.cc:89) v8::internal::Execution::Call(v8::internal::Handle<v8::internal::JSFunction>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Object***, bool*) (v8/src/execution.cc:116) v8::Script::Run() (v8/src/api.cc:1048) WebCore::V8Proxy::RunScript(v8::Handle<v8::Script>, bool) (webkit/port/bindings/v8/v8_proxy.cpp:1539) WebCore::V8Proxy::evaluate(WebCore::ScriptSourceCode const&, WebCore::Node*) (webkit/port/bindings/v8/v8_proxy.cpp:1493) WebCore::ScriptController::collectGarbage() (webkit/port/bindings/v8/ScriptController.cpp:289) WebFrameImpl::CallJSGC() (webkit/glue/webframe_impl.cc:854) -- You received this message because you are listed in the owner or CC fields of this issue, or because you starred this issue. You may adjust your issue notification preferences at: http://code.google.com/hosting/settings --~--~---------~--~----~------------~-------~--~----~ Automated mail from issue updates at http://crbug.com/ Subscription options: http://groups.google.com/group/chromium-bugs -~----------~----~----~----~------~----~------~--~---
