Reviewed by Geoff.

        Fix http://bugs.webkit.org/show_bug.cgi?id=13060
        REGRESSION: Repro ASSERT failure in Cache::adjustSize running layout tests
        <rdar://5060208>

        Script evaluation may have dereffed the CachedScript object already, causing double deref and
        eventually m_liveResourcesSize underflow.

        * html/HTMLScriptElement.cpp:
        (WebCore::HTMLScriptElement::notifyFinished):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@20194 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 64fef549c63c237acf9bf375610129a85db4a646..8acbf137666baae77259cb5c127fab1a5418f83d 100644 (file)
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,17 @@
+2007-03-14  Antti Koivisto  <antti@apple.com>
+
+        Reviewed by Geoff.
+
+        Fix http://bugs.webkit.org/show_bug.cgi?id=13060
+        REGRESSION: Repro ASSERT failure in Cache::adjustSize running layout tests
+        <rdar://5060208>
+        
+        Script evaluation may have dereffed the CachedScript object already, causing double deref and
+        eventually m_liveResourcesSize underflow.
+
+        * html/HTMLScriptElement.cpp:
+        (WebCore::HTMLScriptElement::notifyFinished):
+
 2007-03-14  Adele Peterson  <adele@apple.com>
 
         Reviewed by Darin.

diff --git a/WebCore/html/HTMLScriptElement.cpp b/WebCore/html/HTMLScriptElement.cpp
index dbcfc0e337adc1a53f9c8099151ebadfb7f0dac4..de0a7bdfa6eebc1f9c2a60e9273e0cacad5ce1a7 100644 (file)
--- a/WebCore/html/HTMLScriptElement.cpp
+++ b/WebCore/html/HTMLScriptElement.cpp
@@ -155,8 +155,11 @@ void HTMLScriptElement::notifyFinished(CachedResource* o)
         dispatchHTMLEvent(loadEvent, false, false);
     }
 
-    cs->deref(this);
-    m_cachedScript = 0;
+    // script evaluation may have dereffed it already
+    if (m_cachedScript) {
+        m_cachedScript->deref(this);
+        m_cachedScript = 0;
+    }
 }
 
 bool HTMLScriptElement::shouldExecuteAsJavaScript()