dangling pointer in Element->GetOwnerDocument()

[menne386]

Experienced crash when clicking mouse and holding mouse button, then unloading the document then releasing mouse.

Traced it to Element->GetOwnerDocument() owner_document is cached for child elements, but when that document is gone, you have a dangling pointer in the child.
(When you click mouse element is placed in list inside Context.cpp, when doc unloads element survives as refcount in increased, but owner_document is not reset, while document itself is deleted.)

My version of Element->GetOwnerDocument():

// Gets the document this element belongs to.
ElementDocument* Element::GetOwnerDocument()
{
if (owner_document) {
return owner_document;
}
return parent? parent->GetOwnerDocument():nullptr;
}

Another solution could be to reset owner_document variable of all children when a document unloads.

[viciious]

Doesn't that actually mean that something's holding a pointer to your DOM element? It should have been garbage collected by the time the owner document was about to get destroyed..

[viciious]

Sorry, missed the original explanation in the parenthesis. Imo the proper solution would be to also destroy child elements placed in the context when/if the parent document gets destroyed.

[menne386]

Works too..

In essence owner_document pointer is like a non-owning reference.
The reference_countable class does not provide an implementation/protection for that...

[viciious]

This is probably related too #276