Hello, I have a question about the design of the script function class (SwfdecAsScriptFunction) in swfdec.
Why doesn't a script function mark its target (SwfdecAsScriptFunction::target) in the marking phase? What if the function's target has been destroyed while the function itself is still kept alive? (Answering myself: then there would be a segfault when executing that function.)

Let me give a more specific case:

(1) swf (movie) 'A' defines a script function 'movie_a_func()' inside its body.
(2) swf (movie) 'B' loads movie 'A' at runtime by using loadMovieNum('A.swf', 2);
(3) movie 'B' then creates a reference to function 'movie_a_func()', e.g. movie_b_func = _level2.movie_a_func;
(4) unload movie 'A' by using _level2.unloadMovie();
(5) next frame; // Note: the target of 'movie_a_func', which is 'A', is destroyed and collected here.
(6) call function 'movie_b_func'; // bomb, trying to reference its target (movie A) that is already freed.

The above case could happen more easily when the GC threshold is set to zero (always gc).

The obvious fix to me is always marking the target of a script function, but I am not 100% sure if it's the right way. It would be helpful if anyone could confirm this for me. (BTW, I've run the real tests described above.)

Yes, I'll file a bug if this gets confirmed, or at least if someone is concerned about this mail.

--zou
_______________________________________________
Swfdec mailing list
Swfdec@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/swfdec
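An added example, not swfdec code and not part of the original mail: a toy mark-and-sweep heap that replays steps (1) to (6) above with and without marking a function's target. All type and function names here are hypothetical, and "freeing" is modelled as clearing a flag so the stale target can be inspected safely.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy mark-and-sweep heap: a constructed model, not swfdec's collector. */
enum { HEAP = 3, PROPS = 2 };
typedef struct Obj {
    bool live, marked;
    struct Obj *prop[PROPS]; /* ordinary references, always marked */
    struct Obj *target;      /* script function -> movie that defined it */
} Obj;
static Obj heap[HEAP];

static void mark(Obj *o, bool mark_target) {
    if (o == NULL || o->marked) return;
    o->marked = true;
    for (int i = 0; i < PROPS; i++) mark(o->prop[i], mark_target);
    if (mark_target) mark(o->target, mark_target); /* the fix proposed in the mail */
}

/* One GC cycle from a single root; "freeing" only clears the live flag,
 * so the model can inspect a collected object without undefined behaviour. */
static void collect(Obj *root, bool mark_target) {
    for (int i = 0; i < HEAP; i++) heap[i].marked = false;
    mark(root, mark_target);
    for (int i = 0; i < HEAP; i++)
        if (!heap[i].marked) heap[i].live = false;
}

/* Replays steps (1)-(6); returns whether the target is still live at the call. */
bool target_live_at_call(bool mark_target) {
    Obj *b = &heap[0], *a = &heap[1], *fn = &heap[2];
    for (int i = 0; i < HEAP; i++) heap[i] = (Obj){ .live = true };
    a->prop[0] = fn; fn->target = a; /* (1) A defines movie_a_func */
    b->prop[0] = a;                  /* (2) B loads A as _level2 */
    b->prop[1] = fn;                 /* (3) movie_b_func = _level2.movie_a_func */
    b->prop[0] = NULL;               /* (4) _level2.unloadMovie() */
    collect(b, mark_target);         /* (5) next frame, GC runs */
    return fn->live && fn->target->live; /* (6) state seen by the call */
}

int main(void) {
    printf("target not marked: live=%d\n", target_live_at_call(false));
    printf("target marked:     live=%d\n", target_live_at_call(true));
    return 0;
}
```

In the unmarked case the function object survives through movie_b_func while its target is swept, which is the dangling reference the mail describes.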