Skip to site navigation (Press enter)

[webkit-changes] [124229] trunk/Source/WebCore

antti Tue, 31 Jul 2012 11:47:26 -0700

Title: [124229] trunk/Source/WebCore

Revision: 124229
Author: [email protected]
Date: 2012-07-31 11:47:33 -0700 (Tue, 31 Jul 2012)

Log Message

Crash in FrameLoader::checkLoadComplete with non-browser client app
https://bugs.webkit.org/show_bug.cgi?id=92774


Reviewed by Alexey Proskuryakov..

Speculative fix. It is possible that CSSFontSelector could get deleted during the timer callback
and memory reused, making m_document point to some garbage when it is tested at the end.

* css/CSSFontSelector.cpp:
(WebCore::CSSFontSelector::beginLoadTimerFired):

Modified Paths

trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/css/CSSFontSelector.cpp

Diff

Modified: trunk/Source/WebCore/ChangeLog (124228 => 124229)


--- trunk/Source/WebCore/ChangeLog	2012-07-31 18:44:03 UTC (rev 124228)
+++ trunk/Source/WebCore/ChangeLog	2012-07-31 18:47:33 UTC (rev 124229)
@@ -1,3 +1,16 @@
+2012-07-31  Antti Koivisto  <[email protected]>
+
+        Crash in FrameLoader::checkLoadComplete with non-browser client app
+        https://bugs.webkit.org/show_bug.cgi?id=92774
+
+        Reviewed by Alexey Proskuryakov..
+
+        Speculative fix. It is possible that CSSFontSelector could get deleted during the timer callback
+        and memory reused, making m_document point to some garbage when it is tested at the end.
+
+        * css/CSSFontSelector.cpp:
+        (WebCore::CSSFontSelector::beginLoadTimerFired):
+
 2012-07-31  Hans Wennborg  <[email protected]>
 
         Speech _javascript_ API: Throw exception for start() when already started

Modified: trunk/Source/WebCore/css/CSSFontSelector.cpp (124228 => 124229)


--- trunk/Source/WebCore/css/CSSFontSelector.cpp	2012-07-31 18:44:03 UTC (rev 124228)
+++ trunk/Source/WebCore/css/CSSFontSelector.cpp	2012-07-31 18:47:33 UTC (rev 124229)
@@ -578,6 +578,9 @@
     Vector<CachedResourceHandle<CachedFont> > fontsToBeginLoading;
     fontsToBeginLoading.swap(m_fontsToBeginLoading);
 
+    // CSSFontSelector could get deleted via beginLoadIfNeeded() or loadDone() unless protected.
+    RefPtr<CSSFontSelector> protect(this);
+
     CachedResourceLoader* cachedResourceLoader = m_document->cachedResourceLoader();
     for (size_t i = 0; i < fontsToBeginLoading.size(); ++i) {
         fontsToBeginLoading[i]->beginLoadIfNeeded(cachedResourceLoader);

_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes