Hello,

I got a question about the script function class (SwfdecAsScriptFunction) design in swfdec.

Why doesn't a script function mark its target (SwfdecAsScriptFunction::target) in the marking phase? What if the function's target has been destroyed while the function itself is still kept alive? (Answer myself: then there would be a segfault when executing that function.)

Let me give a more specific case:

(1) swf (movie) 'A' defines a script function 'movie_a_func()' inside its body.
(2) swf (movie) 'B' loads movie 'A' at runtime by using loadMovieNum('A.swf', 2);
(3) movie 'B' then creates a reference to function 'movie_a_func()', e.g. movie_b_func = _level2.movie_a_func;
(4) unload movie 'A' by using _level2.unloadMovie();
(5) next frame; // Note: the target of 'movie_a_func', which is 'A', is destroyed and collected here.
(6) call function 'movie_b_func'; // bomb, trying to reference its target (movie A) that is already freed.

The above case could happen more easily when the GC threshold is set to zero (always gc).

The obvious fix to me is always marking the target of a script function, but I am not 100% sure if it's the right way. It would be helpful if anyone could confirm with me. (BTW, I've made the real tests described as above.)

Yes, I'll file a bug if it gets confirmed or at least there is someone concerned about this mail.

--zou
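Added example, not code from the thread or from swfdec: a toy mark-and-sweep heap in C that replays steps (1)-(6) above under both marking policies, so the difference between "function does not mark its target" and "function always marks its target" can be observed without a real player. Every name here (Obj, Heap, heap_mark, heap_sweep, target_survives_collection) is constructed for the illustration and is not a swfdec identifier; the only swfdec detail it assumes is the one the mail states, that the function object holds a target pointer which the collector does not trace.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

typedef enum { OBJ_MOVIE, OBJ_FUNCTION } ObjKind;

/* Constructed object layout for the illustration; not swfdec's. */
typedef struct Obj {
    ObjKind kind;
    bool marked;
    const char *name;
    struct Obj *target;   /* OBJ_FUNCTION only: the movie that defined it */
    struct Obj *next;     /* all-objects list the sweep walks */
} Obj;

typedef struct {
    Obj *objects;
    bool mark_function_target; /* false = behaviour questioned above, true = proposed fix */
} Heap;

static Obj *heap_new(Heap *h, ObjKind kind, const char *name, Obj *target)
{
    Obj *o = calloc(1, sizeof *o);
    if (o == NULL)
        abort();
    o->kind = kind;
    o->name = name;
    o->target = target;
    o->next = h->objects;
    h->objects = o;
    return o;
}

/* Mark phase: flag an object and everything it must keep alive. */
static void heap_mark(Heap *h, Obj *o)
{
    if (o == NULL || o->marked)
        return;
    o->marked = true;
    /* Without this trace a live function can outlive the movie it points at. */
    if (o->kind == OBJ_FUNCTION && h->mark_function_target)
        heap_mark(h, o->target);
}

/* Sweep phase: free unmarked objects, clear marks on survivors, return count freed. */
static int heap_sweep(Heap *h)
{
    int freed = 0;
    Obj **link = &h->objects;
    while (*link != NULL) {
        Obj *o = *link;
        if (o->marked) {
            o->marked = false;
            link = &o->next;
        } else {
            *link = o->next;
            free(o);
            freed++;
        }
    }
    return freed;
}

static void heap_free_all(Heap *h)
{
    while (h->objects != NULL) {
        Obj *o = h->objects;
        h->objects = o->next;
        free(o);
    }
}

/* Replays steps (1)-(6) with the chosen marking policy. Returns true if the
 * function's target is still allocated after the collection in step (5),
 * false if it was freed under a live function, i.e. the state in which
 * step (6) would dereference freed memory. */
static bool target_survives_collection(bool mark_function_target)
{
    Heap h = { NULL, mark_function_target };
    Obj *movie_a = heap_new(&h, OBJ_MOVIE, "A", NULL);               /* (1), (2) */
    Obj *movie_b = heap_new(&h, OBJ_MOVIE, "B", NULL);
    Obj *func = heap_new(&h, OBJ_FUNCTION, "movie_a_func", movie_a);  /* defined in A */

    /* (3) B keeps a reference to the function; (4) A is unloaded, so the
     * only roots left for this collection are movie B and the function. */
    Obj *roots[] = { movie_b, func };
    for (size_t i = 0; i < sizeof roots / sizeof roots[0]; i++)
        heap_mark(&h, roots[i]);

    /* Read the mark bit before the sweep frees anything, so the check never
     * touches memory that may already have been released. */
    bool alive = movie_a->marked;
    heap_sweep(&h);                                                    /* (5) */
    heap_free_all(&h);
    return alive;
}

int main(void)
{
    printf("target not marked: A %s after GC\n",
           target_survives_collection(false) ? "survives" : "is freed (func->target dangles)");
    printf("target marked:     A %s after GC\n",
           target_survives_collection(true) ? "survives" : "is freed");
    return 0;
}
```

With the target left untraced, the sweep frees movie A while `func` is still reachable from B, leaving `func->target` dangling; with the trace added, A is retained for as long as any live function points at it. The survival check reads the mark bit before the sweep rather than probing the pointer afterwards, because touching freed memory is exactly the hazard being demonstrated.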
Benjamin Otte
2009-Mar-05 08:19 UTC
[Swfdec] Question about SwfdecAsScriptFunction in swfdec
That indeed looks like an oversight. You said you have a testcase for this that we can add to the testsuite? Could you send that here, so I don't have to code it?

Cheers,
Benjamin

On Thu, Mar 5, 2009 at 3:17 AM, zou lunkai <zoulunkai at gmail.com> wrote: