    [BlackBerry] Dangling pointer in WebPagePrivate::setCompositor() message · 9ccf1231
    commit-queue@webkit.org authored
    https://bugs.webkit.org/show_bug.cgi?id=87590
    
    Patch by Arvid Nilsson <anilsson@rim.com> on 2012-05-28
    Reviewed by Rob Buis.
    
    A crash would be seen in GuardedPointerBase::getWithGuardLocked when
    attempting to unpickle and execute a serialized call to setCompositor.
    
    The problem was that the message had been created with a dangling
    pointer as the target. The web page failed to inform its compositor
    that it was being destroyed due to an early return in
    WebPagePrivate::destroyCompositor.
    
    The root cause was that a method called "destroyCompositor" was being
    called in two situations: when navigating to a new page as well as when
    actually deleting the web page. And in one case, we really only wanted
    to free up some memory by clearing textures, while in the other case we
    really did want to destroy the compositor.
    
    Fixed by calling a method to release textures when that's what we want
    to do, and calling a method to destroy the compositor when that's what
    we want to do, and making that latter method unconditional.
    
    Reviewed internally by Jeff Rogers.
    
    PR #156765
    
    * Api/WebPage.cpp:
    (BlackBerry::WebKit::WebPagePrivate::setLoadState):
    (BlackBerry::WebKit::WebPagePrivate::destroyCompositor):
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@118702 268f45cc-cd09-0410-ab3c-d52691b4dbfc
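The lifetime bug described in the commit message, as an added C++ illustration that is not WebKit's code (all names, Guard, Target, Message and teardownBuggy, are hypothetical): a serialized call resolves its target through a guard that the target must clear before it is freed, and an early return on the teardown path leaves that guard pointing at freed memory.

```cpp
#include <functional>
#include <memory>
#include <mutex>

// Hypothetical names (Guard, Target, Message, teardownBuggy); not WebKit's own API.
struct Guard {                 // shared by the target and every message queued for it
    std::mutex lock;
    void* target = nullptr;    // the target must clear this before it is freed
};
struct Target {                // stands in for the web page that messages point at
    explicit Target(std::shared_ptr<Guard> g) : guard(g) { set(this); }
    void notifyDestroyed() { set(nullptr); }  // skipping this leaves guard->target dangling
    void set(void* p) { std::lock_guard<std::mutex> l(guard->lock); guard->target = p; }
    std::shared_ptr<Guard> guard;
    int calls = 0;
};
struct Message {               // a serialized call; the target is resolved only when run
    std::shared_ptr<Guard> guard;
    std::function<void(Target&)> fn;
    bool execute() {
        std::lock_guard<std::mutex> l(guard->lock);
        if (!guard->target) return false;    // target gone: drop the call, never dereference
        fn(*static_cast<Target*>(guard->target));
        return true;
    }
};
// Buggy teardown, as in the original destroyCompositor: the early return skips the notification.
static void teardownBuggy(Target& t, bool releaseOnly) {
    if (releaseOnly) return;   // caller only wanted textures released, but the object dies anyway
    t.notifyDestroyed();
}
// Fixed path: notify unconditionally, then free. A message queued earlier is refused.
bool messageDroppedAfterDestroy() {
    auto guard = std::make_shared<Guard>();
    std::unique_ptr<Target> target(new Target(guard));
    Message m{guard, [](Target& t) { ++t.calls; }};
    bool delivered = m.execute() && target->calls == 1;   // alive: call goes through
    target->notifyDestroyed();
    target.reset();
    return delivered && !m.execute();                     // freed: call is dropped
}
// Buggy path: the guard still holds the freed address (checked without dereferencing).
bool guardStaleAfterBuggyTeardown() {
    auto guard = std::make_shared<Guard>();
    std::unique_ptr<Target> target(new Target(guard));
    teardownBuggy(*target, true);          // the "only release memory" situation
    target.reset();
    std::lock_guard<std::mutex> l(guard->lock);
    return guard->target != nullptr;       // true: a later execute() would hit freed memory
}
```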