Bug 22001

Summary: AtomicStringImpl* keys of event listener maps can outlive their strings
Product: WebKit Reporter: Alexey Proskuryakov <ap>
Component: WebCore Misc.Assignee: Alexey Proskuryakov <ap>
Status: RESOLVED FIXED    
Severity: Normal CC: simon.fraser
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Mac   
OS: OS X 10.5   
Attachments:
Description Flags
test case
none
proposed fix darin: review+

Alexey Proskuryakov
Reported 2008-10-31 08:22:06 PDT
Turns out that we actually have bugs caused by not ref'ing HashMap and HashSet keys, see attachment. We should audit other uses of StringImpl* and AtomicStringImpl*, too.
Attachments
test case (481 bytes, text/html)
2008-10-31 08:23 PDT, Alexey Proskuryakov 		no flags
Details
proposed fix (17.18 KB, patch)
2008-10-31 12:25 PDT, Alexey Proskuryakov 		darin: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Alexey Proskuryakov
Comment 1 2008-10-31 08:23:39 PDT
Created attachment 24799 [details] test case
Simon Fraser (smfr)
Comment 2 2008-10-31 09:04:13 PDT
It would be good if the testcase printed a PASS or FAIL; it's hard to see what it's doing. Have you identified the HashMap/HashSet in question?
Darin Adler
Comment 3 2008-10-31 10:07:22 PDT
I'm not sure I agree with the title of this bug. Sure, it'd be easier to program with a map and set that did a ref/deref on its keys. But there are at least two other solutions to problems at any individual call site: 1) Add code to remove the string when it no longer should be in the collection. That code can be run by the owner of the string. 2) Add explicit ref/deref. These are both possibly tricky to get right, and may be inferior solutions to the problem. But I generally would prefer not to name bugs after a particular solution to a problem.
Alexey Proskuryakov
Comment 4 2008-10-31 11:25:03 PDT
I was (and still am) going to tackle this myself, so the test is indeed somewhat sub-standard, and the bug title indeed implies the solution I plan to employ. This particular case is XMLHttpRequest::m_eventListeners, but similar code exists elsewhere.
Alexey Proskuryakov
Comment 5 2008-10-31 11:39:19 PDT
On the other hand, the promise to audit all the uses of AtomicStringImpl* as a key was a bit presumptuous, as many of these are in code I'm not closely familiar with. So I'm going to fix just the EventListenersMap bug here.
Alexey Proskuryakov
Comment 6 2008-10-31 12:25:49 PDT
Created attachment 24807 [details] proposed fix
Darin Adler
Comment 7 2008-10-31 12:37:54 PDT
Comment on attachment 24807 [details] proposed fix r=me
Alexey Proskuryakov
Comment 8 2008-11-01 00:26:08 PDT
Committed r38064.
Note You need to log in before you can comment on or make changes to this bug.