Updates:
Cc: [email protected] [email protected] [email protected]
Comment #5 on issue 18686 by [email protected]: Linux crash on LayoutTests/fast/xmlhttprequest/xmlhttprequest-nonexistent-file.html
http://code.google.com/p/chromium/issues/detail?id=18686
This is a use after free. The following valgrind output gives decent light as to what's going on. One of the network stack guys can probably understand why quicker.
==32390== Invalid read of size 4
==32390==    at 0xD805F77: std::string::assign(std::string const&) (in /usr/lib32/libstdc++.so.6.0.9)
==32390==    by 0xD806063: std::string::operator=(std::string const&) (in /usr/lib32/libstdc++.so.6.0.9)
==32390==    by 0x8941705: GURL::operator=(GURL const&) (gurl.h:41)
==32390==    by 0x8D86C66: URLRequestJob::FollowDeferredRedirect() (url_request_job.cc:130)
==32390==    by 0x8D79C04: URLRequest::FollowDeferredRedirect() (url_request.cc:361)
==32390==    by 0x894013E: (anonymous namespace)::RequestProxy::AsyncFollowDeferredRedirect() (simple_resource_loader_bridge.cc:243)
==32390==    by 0x893D4D0: void DispatchToMethod<(anonymous namespace)::RequestProxy, void ((anonymous namespace)::RequestProxy::*)()>((anonymous namespace)::RequestProxy*, void ((anonymous namespace)::RequestProxy::*)(), Tuple0 const&) (tuple.h:412)
==32390==    by 0x893D507: RunnableMethod<(anonymous namespace)::RequestProxy, void ((anonymous namespace)::RequestProxy::*)(), Tuple0>::Run() (task.h:307)
==32390==    by 0x898D2BD: MessageLoop::RunTask(Task*) (message_loop.cc:314)
==32390==    by 0x898D86C: MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) (message_loop.cc:322)
==32390==    by 0x898DC18: MessageLoop::DoWork() (message_loop.cc:429)
==32390==    by 0x8997B47: base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) (message_pump_libevent.cc:224)
==32390==  Address 0x13a903bc is 60 bytes inside a block of size 220 free'd
==32390==    at 0x7CAD5AC: operator delete(void*) (vg_replace_malloc.c:342)
==32390==    by 0x8DFB3BC: URLRequestFileDirJob::~URLRequestFileDirJob() (url_request_file_dir_job.cc:37)
==32390==    by 0x8D7CD06: base::RefCountedThreadSafe<URLRequestJob>::Release() (ref_counted.h:107)
==32390==    by 0x8D7CD3C: scoped_refptr<URLRequestJob>::operator=(URLRequestJob*) (ref_counted.h:219)
==32390==    by 0x8D7952B: URLRequest::OrphanJob() (url_request.cc:404)
==32390==    by 0x8D79612: URLRequest::PrepareToRestart() (url_request.cc:394)
==32390==    by 0x8D7B284: URLRequest::Redirect(GURL const&, int) (url_request.cc:463)
==32390==    by 0x8D86B50: URLRequestJob::FollowRedirect(GURL const&, int) (url_request_job.cc:209)
==32390==    by 0x8D86C46: URLRequestJob::FollowDeferredRedirect() (url_request_job.cc:129)
==32390==    by 0x8D79C04: URLRequest::FollowDeferredRedirect() (url_request.cc:361)
==32390==    by 0x894013E: (anonymous namespace)::RequestProxy::AsyncFollowDeferredRedirect() (simple_resource_loader_bridge.cc:243)
==32390==    by 0x893D4D0: void DispatchToMethod<(anonymous namespace)::RequestProxy, void ((anonymous namespace)::RequestProxy::*)()>((anonymous namespace)::RequestProxy*, void ((anonymous namespace)::RequestProxy::*)(), Tuple0 const&) (tuple.h:412)
==32390==
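
The two stacks in the comment above show one pattern: the call made at url_request_job.cc:129 drops the last reference to the job, and the member assignment at line 130 then lands in the freed block. The following is an added example, not Chromium code and not part of the original message; Request, Job and StaleAccess are simplified stand-ins, std::shared_ptr replaces scoped_refptr, the status code is omitted, and the hardened ordering is one possible approach.

```cpp
#include <memory>
#include <string>
struct Job;
// Owns the only reference to its job (stand-in for URLRequest).
struct Request {
  std::shared_ptr<Job> job;
  std::string url;
  void Redirect(const std::string& to) {
    url = to;     // copy first: `to` may live inside the job
    job.reset();  // like OrphanJob(): last reference dropped, job destroyed
  }
};

struct Job : std::enable_shared_from_this<Job> {
  Request* request = nullptr;
  std::string deferred_url;

  void FollowRedirect(const std::string& to) { request->Redirect(to); }

  // Order shown by the trace: redirect, then reset the deferred member.
  // Returns true when that reset would write into the freed job.
  bool FollowDeferredRedirectUnsafe() {
    std::weak_ptr<Job> alive = shared_from_this();  // lifetime probe, on stack
    FollowRedirect(deferred_url);
    if (alive.expired()) return true;  // real code would write to `this` here
    deferred_url.clear();
    return false;
  }

  // Hardened order: copy to a local and reset the member before the call,
  // then touch nothing on `this` afterwards.
  bool FollowDeferredRedirectSafe() {
    std::string to = deferred_url;
    deferred_url.clear();
    FollowRedirect(to);
    return false;
  }
};

// Builds a request/job pair from constructed values and runs one variant.
bool StaleAccess(bool hardened) {
  Request req;
  req.job = std::make_shared<Job>();
  Job* job = req.job.get();
  job->request = &req;
  job->deferred_url = "file:///constructed/next";  // constructed sample value
  return hardened ? job->FollowDeferredRedirectSafe()
                  : job->FollowDeferredRedirectUnsafe();
}
```

The unsafe variant only reports the stale access instead of performing it, so the model itself stays free of undefined behaviour.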