authorYongjun Zhang <yongjun_zhang@apple.com>2013-08-06 12:07:02 +0200
committerThe Qt Project <gerrit-noreply@qt-project.org>2013-08-08 18:33:16 +0200
commit6ba7d28706c770b0921de5a56cb24be85d8f179a (patch)
treea3ff61b99d5fcdc897385a10d80932d860844d76
parentfe109d34374117ce5a1b37f56f8f04dbcb7ba65e (diff)
downloadqtwebkit-6ba7d28706c770b0921de5a56cb24be85d8f179a.tar.gz
If ImageLoader's loadEventSender or errorEventSender fires after document is detached, the document will be leaked.
https://bugs.webkit.org/show_bug.cgi?id=106394 Patch by Yongjun Zhang <yongjun_zhang@apple.com> on 2013-01-09 Reviewed by Alexey Proskuryakov. ImageLoader's loadEventSender and errorEventSender schedule event dispatching in separate timers and refs the Element in updatedHasPendingEvent. If the Document is detached before either eventSender dispatches, we would leak the Document since we bail out early in dispatchPendingLoadEvent or dispatchPendingErrorEvent, without deref-ing the Element itself. No new tests. Verified manually by using heap tool to count the living HTMLDocuments. * loader/ImageLoader.cpp: (WebCore::ImageLoader::dispatchPendingLoadEvent): also call updatedHasPendingEvent to deref the Element if the document is detached. (WebCore::ImageLoader::dispatchPendingErrorEvent): ditto. Change-Id: Ie1102e0659bf37f4cf0002ce1d2ee259c6840921 git-svn-id: http://svn.webkit.org/repository/webkit/trunk@139209 268f45cc-cd09-0410-ab3c-d52691b4dbfc Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
-rw-r--r--Source/WebCore/loader/ImageLoader.cpp14
1 files changed, 8 insertions, 6 deletions
diff --git a/Source/WebCore/loader/ImageLoader.cpp b/Source/WebCore/loader/ImageLoader.cpp
index e2247d254..c717f915c 100644
--- a/Source/WebCore/loader/ImageLoader.cpp
+++ b/Source/WebCore/loader/ImageLoader.cpp
@@ -407,10 +407,9 @@ void ImageLoader::dispatchPendingLoadEvent()
return;
if (!m_image)
return;
- if (!document()->attached())
- return;
m_hasPendingLoadEvent = false;
- dispatchLoadEvent();
+ if (document()->attached())
+ dispatchLoadEvent();
// Only consider updating the protection ref-count of the Element immediately before returning
// from this function as doing so might result in the destruction of this ImageLoader.
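Review bot: The `if (!m_image) return;` early return kept just above the changed lines still exits without clearing `m_hasPendingLoadEvent` or reaching the ref-count update, so that path retains the Element protection ref exactly as the removed `attached()` bail-out did. Whether a pending load event can coexist with a null `m_image` is not visible from this hunk and should be confirmed against the rest of the file. If it can, the Document leak this commit fixes for the detached case would remain for that case. One option, if dropping the event there is acceptable, is to fold the check into the dispatch condition, `if (m_image && document()->attached())`, so the flag is always cleared. The function begins and ends outside the hunk.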
@@ -421,10 +420,13 @@ void ImageLoader::dispatchPendingErrorEvent()
{
if (!m_hasPendingErrorEvent)
return;
- if (!document()->attached())
- return;
m_hasPendingErrorEvent = false;
- client()->imageElement()->dispatchEvent(Event::create(eventNames().errorEvent, false, false));
+ if (document()->attached())
+ client()->imageElement()->dispatchEvent(Event::create(eventNames().errorEvent, false, false));
+
+ // Only consider updating the protection ref-count of the Element immediately before returning
+ // from this function as doing so might result in the destruction of this ImageLoader.
+ updatedHasPendingEvent();
}
void ImageLoader::dispatchPendingBeforeLoadEvents()
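Review bot: The comment added above `updatedHasPendingEvent()` in dispatchPendingErrorEvent is worded as advice ("Only consider updating…") although it guards a use-after-free hazard: the call may release the last ref on the Element and destroy this ImageLoader. I would state the rule directly, for example `// Must be the last statement: updatedHasPendingEvent() may drop the final Element ref and destroy this ImageLoader, so no member may be touched afterwards.` The same wording applies to the identical comment in dispatchPendingLoadEvent. The commit message says the fix was verified manually with a heap tool, so a regression test counting live documents after detach would keep this lifetime rule from regressing silently.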