Title: [107837] trunk/Source/WebCore
Revision: 107837
Author: [email protected]
Date: 2012-02-15 13:59:36 -0800 (Wed, 15 Feb 2012)
Log Message
RootObject::finalize can cause a crash in object->invalidate()
https://bugs.webkit.org/show_bug.cgi?id=78645
Reviewed by Geoffrey Garen.
No new tests.
* bridge/runtime_root.cpp:
(JSC::Bindings::RootObject::finalize): Added a stack-allocated RefPtr to protect the RootObject
during the call to invalidate().
Diff
Modified: trunk/Source/WebCore/ChangeLog (107836 => 107837)
--- trunk/Source/WebCore/ChangeLog 2012-02-15 21:57:02 UTC (rev 107836)
+++ trunk/Source/WebCore/ChangeLog 2012-02-15 21:59:36 UTC (rev 107837)
@@ -1,3 +1,16 @@
+2012-02-15 Mark Hahnenberg <[email protected]>
+
+ RootObject::finalize can cause a crash in object->invalidate()
+ https://bugs.webkit.org/show_bug.cgi?id=78645
+
+ Reviewed by Geoffrey Garen.
+
+ No new tests.
+
+ * bridge/runtime_root.cpp:
+ (JSC::Bindings::RootObject::finalize): Added a stack-allocated RefPtr to protect the RootObject
+ during the call to invalidate().
+
2012-02-15 Dan Bernstein <[email protected]>
<rdar://problem/10870238> Box shadow drawing takes an unnecessarily slow code path in some single-shadow, opaque-background cases
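Review bot: "No new tests." in the added ChangeLog entry gives no reason, and this is a crash fix. Either add a regression test that drives RootObject::finalize, or say in the entry why the crash cannot be reproduced in a test. The entry also does not say how the call to invalidate() ends up releasing the RootObject; one sentence describing that path would let a reader judge whether other code that calls invalidate() needs the same protection.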
Modified: trunk/Source/WebCore/bridge/runtime_root.cpp (107836 => 107837)
--- trunk/Source/WebCore/bridge/runtime_root.cpp 2012-02-15 21:57:02 UTC (rev 107836)
+++ trunk/Source/WebCore/bridge/runtime_root.cpp 2012-02-15 21:59:36 UTC (rev 107837)
@@ -199,6 +199,7 @@
RuntimeObject* object = static_cast<RuntimeObject*>(asObject(handle.get()));
ASSERT(m_runtimeObjects.contains(object));
+ RefPtr<RootObject> protect(this);
object->invalidate();
m_runtimeObjects.remove(object);
}
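Review bot: the added `RefPtr<RootObject> protect(this);` ahead of `object->invalidate();` has no comment, and the local is never read, so a later cleanup could take it for dead code and remove it. Add a one-line comment stating, as the log message does, that it keeps the RootObject alive during invalidate(), and that it must also outlive `m_runtimeObjects.remove(object);`, which touches a member. The protector only defers destruction to the end of its scope, so it is worth noting in the same comment that nothing after that scope may touch members of this object.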