On Jul 25, 2007, at 1:02 PM, Patrick Hanna wrote:
> I am running into a segmentation fault in
> Collector::collectOnMainThreadOnly on the line that reads:
>
> cellBlock(cell)->collectOnMainThreadOnly.set(cellOffset(cell));
>
> I believe that the reason is because the address passed in as
> 'value' is the address of a stack variable. This address comes from
> PluginsFunc::callAsFunction. PluginBase is created on the stack and
> the constructor for DOMObject calls
> Collector::collectOnMainThreadOnly with 'this' as the parameter.
>
> My question is, should Collector::collectOnMainThreadOnly work with
> stack pointers? If it is supposed to work, when does the
> CollectorBlock for the stack object get created? Specifically,
> CollectorBlock::collectOnMainThreadOnly is the structure that I'm
> running into problems with.
That's definitely a bug. It's illegal to create JSObject subclasses on
the stack at all, as this will break garbage collection. Please file
it. I think it's only through luck that it's not crashing for others
(and maybe it is, but we just don't know it yet.)
Two possible solutions:
1) make refresh() a static member function of PluginBase, since it
only touches static data members anyway. Then you won't need to
instantiate a PluginBase object.
2) Have PluginFuncs look at the "this" object, which should be a
Plugins, which inherits from PluginBase and thus should have the
refresh method.
Do you have steps to consistently reproduce this bug?
Regards,
Maciej
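The failure Maciej describes, as an added example that is not WebKit's code: a toy collector whose cellBlock() recovers the owning CollectorBlock from address alignment alone, so a stack object's address resolves to a block the collector never allocated, and isHeapCell() is the guard a debug build would assert on before touching the bitmap. The block geometry and every name other than cellBlock, cellOffset, CollectorBlock and collectOnMainThreadOnly are assumptions made for this example.

```cpp
#include <bitset>
#include <cstddef>
#include <cstdint>
// Block geometry is an assumption for this example, not WebKit's real layout.
constexpr size_t kBlockSize = 4096;
constexpr size_t kCellSize = 32;
constexpr size_t kPayloadCells = (kBlockSize - 64) / kCellSize;
struct alignas(kBlockSize) CollectorBlock {
    unsigned char cells[kPayloadCells * kCellSize];              // cell storage
    std::bitset<kBlockSize / kCellSize> collectOnMainThreadOnly; // the bitmap from the crash line
};
static_assert(sizeof(CollectorBlock) == kBlockSize, "one block per aligned unit");
static CollectorBlock s_block;  // the only heap block in this toy collector
static size_t s_nextCell = 0;   // bump-allocator cursor

// The owning block is recovered from address arithmetic alone (mask off the low
// bits). Nothing verifies the address lies in a block, so a stack address yields
// a pointer into whatever happens to precede that stack slot.
static CollectorBlock* cellBlock(const void* cell) {
    return reinterpret_cast<CollectorBlock*>(reinterpret_cast<uintptr_t>(cell) & ~uintptr_t(kBlockSize - 1));
}
static size_t cellOffset(const void* cell) {
    return (reinterpret_cast<uintptr_t>(cell) & (kBlockSize - 1)) / kCellSize;
}
void* allocateCell() {
    return s_nextCell < kPayloadCells ? &s_block.cells[s_nextCell++ * kCellSize] : nullptr;
}

// The check a debug build would ASSERT on: the masked pointer must be a block
// the collector owns, and the offset must land inside its payload.
bool isHeapCell(const void* cell) {
    return cellBlock(cell) == &s_block && cellOffset(cell) < kPayloadCells;
}

// Mirrors Collector::collectOnMainThreadOnly, plus the guard the original lacks:
// refuse a non-heap cell instead of dereferencing a bogus block pointer.
bool collectOnMainThreadOnly(const void* cell) {
    if (!isHeapCell(cell)) return false;
    cellBlock(cell)->collectOnMainThreadOnly.set(cellOffset(cell));
    return true;
}

bool heapCellIsFlagged() {   // a collector-allocated cell is accepted and flagged
    void* cell = allocateCell();
    return collectOnMainThreadOnly(cell) && s_block.collectOnMainThreadOnly.test(cellOffset(cell));
}
bool stackCellIsRejected() {  // the reporter's case: the object lives on the stack
    alignas(kCellSize) unsigned char stackObject[kCellSize] = {};
    return !isHeapCell(stackObject) && !collectOnMainThreadOnly(stackObject);
}
```

In the real collector there is no such guard, which is why the stack-constructed PluginBase reaches the `set()` call with a garbage block pointer and faults.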
_______________________________________________
webkit-dev mailing list
webkit-dev@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-dev