Comment #8 on issue 3949 by [email protected]: Crash in WebCore::Document::documentElement()
http://code.google.com/p/chromium/issues/detail?id=3949

Here's a bit more info about the crash:

A DocLoader object (at address 0x0702D650 in my case) has setLoadInProgress(false) called on it; from there we eventually get to destroy the DocLoader with the following call stack:

chrome.dll!WebCore::DocLoader::~DocLoader()  Line 62    C++
chrome.dll!WebCore::DocLoader::`scalar deleting destructor'()  + 0x16 bytes    C++
chrome.dll!WebCore::Document::~Document()  Line 447 + 0x22 bytes    C++
chrome.dll!WebCore::HTMLDocument::~HTMLDocument()  Line 91 + 0x47 bytes    C++
chrome.dll!WebCore::HTMLDocument::`scalar deleting destructor'()  + 0x16 bytes    C++
chrome.dll!WebCore::Document::selfOnlyDeref()  Line 208 + 0x22 bytes    C++
chrome.dll!WebCore::DocPtr<WebCore::Document>::~DocPtr<WebCore::Document>()  Line 32 + 0x2d bytes    C++
chrome.dll!WebCore::Document::removedLastRef()  Line 420 + 0x8 bytes    C++
chrome.dll!WebCore::TreeShared<WebCore::Node>::deref()  Line 69 + 0xf bytes    C++
chrome.dll!WTF::RefPtr<WebCore::Document>::operator=(const WTF::PassRefPtr<WebCore::Document> & o={...})  Line 132    C++
chrome.dll!WebCore::Frame::setDocument(WTF::PassRefPtr<WebCore::Document> newDoc={...})  Line 248    C++
chrome.dll!WebCore::FrameLoader::clear(bool clearWindowProperties=false, bool clearScriptObjects=true)  Line 854    C++
chrome.dll!WebCore::FrameLoader::cancelAndClear()  Line 816    C++
chrome.dll!WebCore::Frame::~Frame()  Line 157    C++
chrome.dll!WebCore::Frame::`scalar deleting destructor'()  + 0x16 bytes    C++
chrome.dll!WTF::RefCounted<WebCore::Frame>::deref()  Line 96 + 0x1c bytes    C++
chrome.dll!WTF::RefPtr<WebCore::Frame>::~RefPtr<WebCore::Frame>()  Line 50 + 0x2d bytes    C++
chrome.dll!WebCore::FrameLoader::checkCompleted()  Line 1334 + 0x8 bytes    C++
chrome.dll!WebCore::FrameLoader::loadDone()  Line 1292    C++
chrome.dll!WebCore::DocLoader::setLoadInProgress(bool load=false)  Line 282    C++

And then, returning from setLoadInProgress(), we try to make another call to the same DocLoader and, of course, we crash in Loader::Host::didFinishLoading() with the same call stack as in Jon's comment above:
[...]
     delete request;
     docLoader->setLoadInProgress(false);    // re-enters loadDone() -> checkCompleted(), which ends up in ~DocLoader()
     docLoader->checkForPendingPreloads();   // docLoader has already been freed at this point
[...]

One obvious solution would be to use a smart pointer for the docLoader in this method, but I want to dig a little further to see if the problem is actually somewhere else and could have other symptoms...

--
You received this message because you are listed in the owner
or CC fields of this issue, or because you starred this issue.
You may adjust your issue notification preferences at:
http://code.google.com/hosting/settings
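The reentrancy bug described in the comment above, reduced to a self-contained C++ model. This is an added example, not WebKit or Chromium code: DocLoader, RefPtr and Owner are minimal stand-ins for WebCore::DocLoader, WTF::RefPtr and the Document that owns the loader, the onLoadDone hook stands in for the loadDone() -> checkCompleted() path that drops the last Frame reference in the reported stack, and the g_liveLoaders registry is constructed purely so the example can detect the dangling pointer instead of dereferencing freed memory (a real run would crash, or be flagged by ASan). didFinishLoadingUnprotected() mirrors the raw-pointer pattern in Loader::Host::didFinishLoading(); didFinishLoadingProtected() is the smart-pointer fix the comment suggests, a local RefPtr that keeps the loader alive until after the second call.

```cpp
#include <cstddef>
#include <cstdio>
#include <set>

// Live-object registry, constructed for this example only, so the dangling
// pointer can be detected without touching freed memory.
static std::set<const void*> g_liveLoaders;

// Minimal stand-in for WTF::RefPtr: intrusive ref count on the pointee.
template <typename T>
class RefPtr {
public:
    RefPtr() : m_ptr(nullptr) {}
    explicit RefPtr(T* p) : m_ptr(p) { if (m_ptr) m_ptr->ref(); }
    RefPtr(const RefPtr& o) : m_ptr(o.m_ptr) { if (m_ptr) m_ptr->ref(); }
    ~RefPtr() { if (m_ptr) m_ptr->deref(); }
    RefPtr& operator=(T* p) {
        if (p) p->ref();          // ref the new pointee before releasing the old one
        T* old = m_ptr;
        m_ptr = p;
        if (old) old->deref();    // may delete *old right here
        return *this;
    }
    RefPtr& operator=(const RefPtr& o) { return *this = o.m_ptr; }
    T* get() const { return m_ptr; }
    T* operator->() const { return m_ptr; }
private:
    T* m_ptr;
};

// Minimal stand-in for WebCore::DocLoader with WTF::RefCounted semantics.
class DocLoader {
public:
    typedef void (*LoadDoneHook)(void*);

    DocLoader() : onLoadDone(nullptr), onLoadDoneContext(nullptr),
                  m_refCount(0), m_loadInProgress(true), m_preloadChecks(0) {
        g_liveLoaders.insert(this);
    }
    ~DocLoader() { g_liveLoaders.erase(this); }

    void ref() { ++m_refCount; }
    void deref() { if (--m_refCount == 0) delete this; }

    // Models the reported stack: setLoadInProgress(false) -> loadDone() ->
    // checkCompleted() -> last reference dropped -> ~Document -> ~DocLoader.
    void setLoadInProgress(bool load) {
        m_loadInProgress = load;
        if (load) return;
        LoadDoneHook hook = onLoadDone;     // copy out: *this may be gone after the call
        void* context = onLoadDoneContext;
        if (hook) hook(context);
        // Nothing of *this may be touched after this point.
    }
    void checkForPendingPreloads() { ++m_preloadChecks; }
    int preloadChecks() const { return m_preloadChecks; }
    bool loadInProgress() const { return m_loadInProgress; }

    LoadDoneHook onLoadDone;
    void* onLoadDoneContext;
private:
    int m_refCount;
    bool m_loadInProgress;
    int m_preloadChecks;
};

// Holds the only reference to the loader, as the Document does in the real stack.
struct Owner { RefPtr<DocLoader> loader; };

// Hook: finishing the load releases the owner's last reference, mid-call.
static void dropOwnersReference(void* context) {
    static_cast<Owner*>(context)->loader = nullptr;   // -> ~DocLoader
}

// Raw-pointer pattern from the reported didFinishLoading(). Returns 1 if
// checkForPendingPreloads() ran on a live object, 0 if the object was already
// destroyed, which is where the real code crashes.
int didFinishLoadingUnprotected(DocLoader* docLoader) {
    docLoader->setLoadInProgress(false);
    if (!g_liveLoaders.count(docLoader)) return 0;    // would be a use-after-free
    docLoader->checkForPendingPreloads();
    return 1;
}

// The smart-pointer fix: a local RefPtr keeps the loader alive until we return.
int didFinishLoadingProtected(DocLoader* docLoader) {
    RefPtr<DocLoader> protector(docLoader);
    docLoader->setLoadInProgress(false);
    if (!g_liveLoaders.count(docLoader)) return 0;
    docLoader->checkForPendingPreloads();
    return 1;
}   // protector releases the last reference here, after the final call

// One scenario in which finishing the load drops the owner's reference.
int runScenario(bool useProtector) {
    Owner owner;
    owner.loader = new DocLoader;
    owner.loader->onLoadDone = dropOwnersReference;
    owner.loader->onLoadDoneContext = &owner;
    DocLoader* raw = owner.loader.get();
    return useProtector ? didFinishLoadingProtected(raw) : didFinishLoadingUnprotected(raw);
}

std::size_t liveLoaderCount() { return g_liveLoaders.size(); }

int main() {
    std::printf("unprotected: %s\n", runScenario(false) ? "ok" : "loader destroyed before checkForPendingPreloads()");
    std::printf("protected:   %s\n", runScenario(true) ? "ok" : "loader destroyed before checkForPendingPreloads()");
    std::printf("live loaders after both runs: %zu\n", liveLoaderCount());
    return 0;
}
```

The protector idiom only covers this one call site; as the comment says, if the Frame can be torn down from inside checkCompleted() while callers further up the stack still hold raw pointers into it, other paths will show the same symptom, which is why looking at where the last reference is dropped is worth the extra digging.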