Bug 143521

Summary: [GTK] Crash in DOMObjectCache when a wrapped object owned by the cache is unreffed by the user
Product: WebKit Reporter: Carlos Garcia Campos <cgarcia>
Component: WebKitGTKAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: gustavo, mcrha, mrobinson, pnormand, svillar
Priority: P2 Keywords: Gtk
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch mrobinson: review+

Carlos Garcia Campos
Reported 2015-04-08 06:34:06 PDT
This is a case we claim to support, but it only works if the object has only one reference. In that case, when the user unrefs it, the weak ref notify callback removes the object from the cache. However, if the object has more than one ref, the cache doesn't know the user unreffed it, and when clearing the cache we try to remove more references that what the object actually has, causing a crash in g_object_unref. See the backtrace in bug #118788.
Attachments
Patch (7.06 KB, patch)
2015-04-08 06:37 PDT, Carlos Garcia Campos 		mrobinson: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Carlos Garcia Campos
Comment 1 2015-04-08 06:37:10 PDT
Created attachment 250347 [details] Patch
Martin Robinson
Comment 2 2015-04-08 07:36:31 PDT
Comment on attachment 250347 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=250347&action=review > Source/WebCore/ChangeLog:13 > + try to remove more references that what the object actually has, Nit: that what -> than what > Source/WebCore/bindings/gobject/DOMObjectCache.cpp:48 > + cacheReferences = std::min(static_cast<unsigned>(object->ref_count), cacheReferences); It might be worth dropping a comment here explaining why cacheReferences might be incorrect at this point.
Sergio Villar Senin
Comment 3 2015-04-08 07:50:59 PDT
Comment on attachment 250347 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=250347&action=review >> Source/WebCore/bindings/gobject/DOMObjectCache.cpp:48 >> + cacheReferences = std::min(static_cast<unsigned>(object->ref_count), cacheReferences); > > It might be worth dropping a comment here explaining why cacheReferences might be incorrect at this point. Also, coulnd't we completely forget about cacheReferences and simply use GObject's ref_count ?
Martin Robinson
Comment 4 2015-04-08 07:59:33 PDT
(In reply to comment #3) > Also, coulnd't we completely forget about cacheReferences and simply use > GObject's ref_count ? I don't think we can, because if the user explicitly refs the object, we should not delete it.
Carlos Garcia Campos
Comment 5 2015-04-08 08:19:12 PDT
(In reply to comment #4) > (In reply to comment #3) > > > Also, coulnd't we completely forget about cacheReferences and simply use > > GObject's ref_count ? > > I don't think we can, because if the user explicitly refs the object, we > should not delete it. Exactly, cacheReferences only keeps track of the references owned by the cache itself. In a normal case, we just drop our refs, but users can do weird things.
Carlos Garcia Campos
Comment 6 2015-04-08 08:19:56 PDT
(In reply to comment #2) > Comment on attachment 250347 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=250347&action=review > > > Source/WebCore/ChangeLog:13 > > + try to remove more references that what the object actually has, > > Nit: that what -> than what I always doubt :-P > > Source/WebCore/bindings/gobject/DOMObjectCache.cpp:48 > > + cacheReferences = std::min(static_cast<unsigned>(object->ref_count), cacheReferences); > > It might be worth dropping a comment here explaining why cacheReferences > might be incorrect at this point. Sure!
Carlos Garcia Campos
Comment 7 2015-04-08 08:30:27 PDT
Committed r182537: <http://trac.webkit.org/changeset/182537>
Note You need to log in before you can comment on or make changes to this bug.