[chromium-bugs] Re: Issue 24864 in chromium: Crash @ scoped_refptr::~scoped_refptr()

Tue, 05 Jan 2010 20:19:25 -0800
Comment #7 on issue 24864 by [email protected]: Crash @ scoped_refptr<net::ProxyService>::~scoped_refptr<net::ProxyService>() 
http://code.google.com/p/chromium/issues/detail?id=24864

We are closing the browser, deleting the proxy service:

chrome_67e80000!net::InitProxyResolver::`scalar deleting destructor'
chrome_67e80000!net::ProxyService::~ProxyService
chrome_67e80000!scoped_refptr<net::ProxyService>::~scoped_refptr<net::ProxyService>
chrome_67e80000!URLRequestContext::~URLRequestContext
chrome_67e80000!ChromeURLRequestContext::~ChromeURLRequestContext
chrome_67e80000!ChromeURLRequestContext::`scalar deleting destructor'
chrome_67e80000!base::RefCountedThreadSafe<URLRequestContext>::Release
chrome_67e80000!URLRequestHttpJob::~URLRequestHttpJob
chrome_67e80000!URLRequestHttpJob::`scalar deleting destructor'
chrome_67e80000!base::RefCountedThreadSafe<net::SSLConfigService>::Release
chrome_67e80000!RunnableMethod<UserScriptListener,void (__thiscall
UserScriptListener::*)(void),Tuple0>::`scalar deleting destructor'
chrome_67e80000!MessageLoop::RunTask
chrome_67e80000!MessageLoop::DeferOrRunPendingTask
chrome_67e80000!MessageLoop::DoWork
chrome_67e80000!base::MessagePumpForIO::DoRunLoop
chrome_67e80000!base::MessagePumpWin::RunWithDispatcher
chrome_67e80000!base::MessagePumpWin::Run
chrome_67e80000!MessageLoop::RunInternal
chrome_67e80000!MessageLoop::RunHandler

The InitProxyResolver destructor calls Cancel:
  switch (next_state_) {
    case STATE_FETCH_PAC_SCRIPT_COMPLETE:
      proxy_script_fetcher_->Cancel();
      break;
    case STATE_SET_PAC_SCRIPT_COMPLETE:
      resolver_->CancelSetPacScript();  <---------- crash here
      break;
and that crashes after accessing an invalid resolver_ (basically jumps to invalid 
memory attempting to call CancelSetPacScript of a freed object)
The problem is that the ProxyService destructor just leaves the destruction of init_proxy_resolver_ and resolver_ to the compiler, so resolver_ goes first but 
init_proxy_resolver_ keeps a pointer to it.


--
You received this message because you are listed in the owner
or CC fields of this issue, or because you starred this issue.
You may adjust your issue notification preferences at:
http://code.google.com/hosting/settings

-- 
Automated mail from issue updates at http://crbug.com/
Subscription options: http://groups.google.com/group/chromium-bugs

Reply via email to