Title: [139209] trunk/Source/WebCore
- Revision: 139209
- Author: commit-qu...@webkit.org
- Date: 2013-01-09 10:52:12 -0800 (Wed, 09 Jan 2013)
Log Message
If ImageLoader's loadEventSender or errorEventSender fires after document is detached, the document will be leaked.
https://bugs.webkit.org/show_bug.cgi?id=106394
Patch by Yongjun Zhang <yongjun_zh...@apple.com> on 2013-01-09
Reviewed by Alexey Proskuryakov.
ImageLoader's loadEventSender and errorEventSender schedule event dispatching in separate timers and refs
the Element in updatedHasPendingEvent. If the Document is detached before either eventSender dispatches,
we would leak the Document since we bail out early in dispatchPendingLoadEvent or dispatchPendingErrorEvent,
without deref-ing the Element itself.
No new tests. Verified manually by using heap tool to count the living HTMLDocuments.
* loader/ImageLoader.cpp:
(WebCore::ImageLoader::dispatchPendingLoadEvent): also call updatedHasPendingEvent to deref the Element if
the document is detached.
(WebCore::ImageLoader::dispatchPendingErrorEvent): ditto.
Diff
Modified: trunk/Source/WebCore/ChangeLog (139208 => 139209)
--- trunk/Source/WebCore/ChangeLog 2013-01-09 18:50:36 UTC (rev 139208)
+++ trunk/Source/WebCore/ChangeLog 2013-01-09 18:52:12 UTC (rev 139209)
@@ -1,3 +1,23 @@
+2013-01-09 Yongjun Zhang <yongjun_zh...@apple.com>
+
+ If ImageLoader's loadEventSender or errorEventSender fires after document is detached, the document will be leaked.
+
+ https://bugs.webkit.org/show_bug.cgi?id=106394
+
+ Reviewed by Alexey Proskuryakov.
+
+ ImageLoader's loadEventSender and errorEventSender schedule event dispatching in separate timers and refs
+ the Element in updatedHasPendingEvent. If the Document is detached before either eventSender dispatches,
+ we would leak the Document since we bail out early in dispatchPendingLoadEvent or dispatchPendingErrorEvent,
+ without deref-ing the Element itself.
+
+ No new tests. Verified manually by using heap tool to count the living HTMLDocuments.
+
+ * loader/ImageLoader.cpp:
+ (WebCore::ImageLoader::dispatchPendingLoadEvent): also call updatedHasPendingEvent to deref the Element if
+ the document is detached.
+ (WebCore::ImageLoader::dispatchPendingErrorEvent): ditto.
+
2013-01-09 Dimitri Glazkov <dglaz...@chromium.org>
Unreviewed, rolling out r139143.
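Review bot: The "No new tests. Verified manually by using heap tool to count the living HTMLDocuments." line in this ChangeLog entry leaves the leak fix without regression coverage. Please name the heap tool and the steps used so the check can be repeated, and consider whether a test that detaches the document while an image load or error event is still pending could be added.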
Modified: trunk/Source/WebCore/loader/ImageLoader.cpp (139208 => 139209)
--- trunk/Source/WebCore/loader/ImageLoader.cpp 2013-01-09 18:50:36 UTC (rev 139208)
+++ trunk/Source/WebCore/loader/ImageLoader.cpp 2013-01-09 18:52:12 UTC (rev 139209)
@@ -414,10 +414,9 @@
return;
if (!m_image)
return;
- if (!document()->attached())
- return;
m_hasPendingLoadEvent = false;
- dispatchLoadEvent();
+ if (document()->attached())
+ dispatchLoadEvent();
// Only consider updating the protection ref-count of the Element immediately before returning
// from this function as doing so might result in the destruction of this ImageLoader.
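Review bot: The `if (!m_image) return;` early return kept as context at the top of this hunk still exits before `m_hasPendingLoadEvent = false;` and before the ref-count update that the trailing comment refers to, so it has the same shape as the detached-document bail-out being removed here. If a load event can still be pending while m_image is null, the Element ref would be kept in that case too. Please confirm that state cannot occur, or route that path through the same cleanup.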
@@ -428,10 +427,13 @@
{
if (!m_hasPendingErrorEvent)
return;
- if (!document()->attached())
- return;
m_hasPendingErrorEvent = false;
- client()->imageElement()->dispatchEvent(Event::create(eventNames().errorEvent, false, false));
+ if (document()->attached())
+ client()->imageElement()->dispatchEvent(Event::create(eventNames().errorEvent, false, false));
+
+ // Only consider updating the protection ref-count of the Element immediately before returning
+ // from this function as doing so might result in the destruction of this ImageLoader.
+ updatedHasPendingEvent();
}
void ImageLoader::dispatchPendingBeforeLoadEvents()
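Review bot: In dispatchPendingErrorEvent the pending error event is now discarded silently when the document is detached, and the added comment only explains the ordering of updatedHasPendingEvent(), not why the flag is cleared without dispatching. A short comment next to `if (document()->attached())` saying that the event is intentionally dropped but the Element ref must still be released would help the next reader, and the same applies to the matching check in dispatchPendingLoadEvent. Both functions now repeat the same sequence (clear the flag, dispatch if attached, call updatedHasPendingEvent), which could be factored into a shared helper.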