Title: [126679] trunk/Source/WebKit2
Revision
126679
Author
[email protected]
Date
2012-08-24 21:55:10 -0700 (Fri, 24 Aug 2012)

Log Message

<rdar://problem/12157689> REGRESSION: WebProcessProxy destructor is sometimes called recursively
https://bugs.webkit.org/show_bug.cgi?id=94997

Reviewed by Dan Bernstein.

* UIProcess/WebContext.cpp: (WebKit::WebContext::disconnectProcess): Make sure that
we don't try to delete WebProcessProxy while the vector still contains it. Previously,
we used RefPtr::clear, which zeroes out the value before destructing, but doing that
in every RefPtr destructor would be bad for performance.
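
The ownership problem the log message describes, as an added example that is not part of this commit or of WebKit: a reduced model of the cycle between a context and the process proxy it owns, using std::shared_ptr in place of WTF::RefPtr and std::vector in place of WTF::Vector. The names Context, Process and runScenario are invented for the illustration. It shows the fixed pattern only: the protector keeps the element alive until erase() has returned, so the destructor of the element (and, through it, of the context) runs after the vector operation rather than inside it.

```cpp
// Added example (not WebKit code): a reduced model of the ownership cycle that
// the commit deals with. std::shared_ptr stands in for WTF::RefPtr and
// std::vector for WTF::Vector; Context, Process and runScenario are made up here.
#include <algorithm>
#include <memory>
#include <string>
#include <vector>

struct Context;

struct Process {
    // The process proxy may hold the last reference to its context.
    std::shared_ptr<Context> context;
    std::vector<std::string>* events;
    ~Process();
};

struct Context {
    std::vector<std::shared_ptr<Process>> processes;
    std::vector<std::string>* events;

    ~Context() { events->push_back("context destroyed"); }

    void disconnectProcess(Process* process)
    {
        auto it = std::find_if(processes.begin(), processes.end(),
            [process](const std::shared_ptr<Process>& p) { return p.get() == process; });
        if (it == processes.end())
            return;

        // Protector, mirroring `RefPtr<WebProcessProxy> protect(process);` in the patch.
        // Without it, erase() would run ~Process in place; that could drop the last
        // reference to this Context and destroy the very vector erase() is working on.
        std::shared_ptr<Process> protect = *it;
        processes.erase(it);
        events->push_back("removed from vector");
        // `protect` is released as the function returns, after erase() has finished.
        // If that was the last reference, ~Process runs now and may destroy this
        // Context too, so nothing after the erase() may touch `this`.
    }
};

Process::~Process() { events->push_back("process destroyed"); }

// Builds the cycle, drops every outside reference, then disconnects the process.
// Returns the recorded event order so the sequencing can be checked.
std::vector<std::string> runScenario()
{
    std::vector<std::string> events;
    Context* rawContext;
    Process* rawProcess;
    {
        auto context = std::make_shared<Context>();
        context->events = &events;
        auto process = std::make_shared<Process>();
        process->context = context;
        process->events = &events;
        context->processes.push_back(process);
        rawContext = context.get();
        rawProcess = process.get();
    }
    // Now the only reference to the context lives inside the process, and the only
    // reference to the process lives inside the context's vector.
    rawContext->disconnectProcess(rawProcess);
    return events;
}
```

The recorded order is "removed from vector", then "process destroyed", then "context destroyed": the vector operation completes before either destructor runs. The same reasoning explains why the committer rejected RefPtr::clear as a general fix: only the one call site that knows the element may own the last reference needs to pay for the extra reference.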

Modified Paths

Diff

Modified: trunk/Source/WebKit2/ChangeLog (126678 => 126679)


--- trunk/Source/WebKit2/ChangeLog	2012-08-25 03:42:51 UTC (rev 126678)
+++ trunk/Source/WebKit2/ChangeLog	2012-08-25 04:55:10 UTC (rev 126679)
@@ -1,3 +1,15 @@
+2012-08-24  Alexey Proskuryakov  <[email protected]>
+
+        <rdar://problem/12157689> REGRESSION: WebProcessProxy destructor is sometimes called recursively
+        https://bugs.webkit.org/show_bug.cgi?id=94997
+
+        Reviewed by Dan Bernstein.
+
+        * UIProcess/WebContext.cpp: (WebKit::WebContext::disconnectProcess): Make sure that
+        we don't try to delete WebProcessProxy while the vector still contains it. Previously,
+        we used RefPtr::clear, which zeroes out the value before destructing, but doing that
+        in every RefPtr destructor would be bad for performance.
+
 2012-08-24  Benjamin Poulain  <[email protected]>
 
         Unify Number to StringImpl conversion

Modified: trunk/Source/WebKit2/UIProcess/WebContext.cpp (126678 => 126679)


--- trunk/Source/WebKit2/UIProcess/WebContext.cpp	2012-08-25 03:42:51 UTC (rev 126678)
+++ trunk/Source/WebKit2/UIProcess/WebContext.cpp	2012-08-25 04:55:10 UTC (rev 126679)
@@ -457,7 +457,10 @@
     m_pluginSiteDataManager->invalidate();
 #endif
 
-    // This can cause the web context to be destroyed.
+    // The vector may have the last reference to process proxy, which in turn may have the last reference to the context.
+    // Since vector elements are destroyed in place, we would recurse into WebProcessProxy destructor
+    // if it were invoked from Vector::remove(). RefPtr delays destruction until it's safe.
+    RefPtr<WebProcessProxy> protect(process);
     m_processes.remove(m_processes.find(process));
 }
 
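Review bot: the removed line `// This can cause the web context to be destroyed.` stated a precondition that still holds, only later: with `RefPtr<WebProcessProxy> protect(process);` the last reference is now released when `protect` goes out of scope at the closing brace of disconnectProcess, so the context may be destroyed as the function returns, and no statement may be added after `m_processes.remove(m_processes.find(process));` that touches `this` or its members. Suggest keeping that warning in the new comment, for example ending it with "Note that the context itself may be destroyed when this function returns." Separately, the result of `m_processes.find(process)` is still handed to `remove()` unchecked; if callers guarantee the process is present, an assertion documenting that precondition would make the intent explicit.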
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes