Bug 143521

Summary:

[GTK] Crash in DOMObjectCache when a wrapped object owned by the cache is unreffed by the user

Product:

WebKit

Reporter:

Carlos Garcia Campos <cgarcia>

Component:

WebKitGTK

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

gustavo, mcrha, mrobinson, pnormand, svillar

Priority:

Keywords:

Gtk

Version:

528+ (Nightly build)

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
Patch	mrobinson: review+

Description Carlos Garcia Campos 2015-04-08 06:34:06 PDT

This is a case we claim to support, but it only works if the object has only one reference. In that case, when the user unrefs it, the weak ref notify callback removes the object from the cache. However, if the object has more than one ref, the cache doesn't know the user unreffed it, and when clearing the cache we try to remove more references that what the object actually has, causing a crash in g_object_unref. See the backtrace in bug #118788.

Comment 1 Carlos Garcia Campos 2015-04-08 06:37:10 PDT

Created attachment 250347 [details]
Patch

Comment 2 Martin Robinson 2015-04-08 07:36:31 PDT

Comment on attachment 250347 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=250347&action=review

> Source/WebCore/ChangeLog:13
> +        try to remove more references that what the object actually has,

Nit: that what -> than what

> Source/WebCore/bindings/gobject/DOMObjectCache.cpp:48
> +        cacheReferences = std::min(static_cast<unsigned>(object->ref_count), cacheReferences);

It might be worth dropping a comment here explaining why cacheReferences might be incorrect at this point.

Comment 3 Sergio Villar Senin 2015-04-08 07:50:59 PDT

Comment on attachment 250347 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=250347&action=review

>> Source/WebCore/bindings/gobject/DOMObjectCache.cpp:48
>> +        cacheReferences = std::min(static_cast<unsigned>(object->ref_count), cacheReferences);
> 
> It might be worth dropping a comment here explaining why cacheReferences might be incorrect at this point.

Also, coulnd't we completely forget about cacheReferences and simply use GObject's ref_count ?

Comment 4 Martin Robinson 2015-04-08 07:59:33 PDT

(In reply to comment #3)
 
> Also, coulnd't we completely forget about cacheReferences and simply use
> GObject's ref_count ?

I don't think we can, because if the user explicitly refs the object, we should not delete it.

Comment 5 Carlos Garcia Campos 2015-04-08 08:19:12 PDT

(In reply to comment #4)
> (In reply to comment #3)
>  
> > Also, coulnd't we completely forget about cacheReferences and simply use
> > GObject's ref_count ?
> 
> I don't think we can, because if the user explicitly refs the object, we
> should not delete it.

Exactly, cacheReferences only keeps track of the references owned by the cache itself. In a normal case, we just drop our refs, but users can do weird things.

Comment 6 Carlos Garcia Campos 2015-04-08 08:19:56 PDT

(In reply to comment #2)
> Comment on attachment 250347 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=250347&action=review
> 
> > Source/WebCore/ChangeLog:13
> > +        try to remove more references that what the object actually has,
> 
> Nit: that what -> than what

I always doubt :-P
 
> > Source/WebCore/bindings/gobject/DOMObjectCache.cpp:48
> > +        cacheReferences = std::min(static_cast<unsigned>(object->ref_count), cacheReferences);
> 
> It might be worth dropping a comment here explaining why cacheReferences
> might be incorrect at this point.

Sure!

Comment 7 Carlos Garcia Campos 2015-04-08 08:30:27 PDT

Committed r182537: <http://trac.webkit.org/changeset/182537>