Bug 143521 - [GTK] Crash in DOMObjectCache when a wrapped object owned by the cache is unreffed by the user
Summary: [GTK] Crash in DOMObjectCache when a wrapped object owned by the cache is unr...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKitGTK
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
Keywords: Gtk
Reported: 2015-04-08 06:34 PDT by Carlos Garcia Campos
Modified: 2015-04-08 08:30 PDT (History)
CC List: 5 users

Attachments
Patch (7.06 KB, patch)
2015-04-08 06:37 PDT, Carlos Garcia Campos
mrobinson: review+

Description Carlos Garcia Campos 2015-04-08 06:34:06 PDT
This is a case we claim to support, but it only works if the object has only one reference. In that case, when the user unrefs it, the weak ref notify callback removes the object from the cache. However, if the object has more than one ref, the cache doesn't know the user unreffed it, and when clearing the cache we try to remove more references than what the object actually has, causing a crash in g_object_unref. See the backtrace in bug #118788.
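As an added example (not WebKit's own code), a small C model of the reference bookkeeping the report describes: the cache counts the refs it took, a user unref on a cache-owned ref leaves the count stale, and clearing the cache over-unrefs unless the count is first clamped to the real ref_count. Object, CacheEntry and the scenario functions are constructed stand-ins for GObject and DOMObjectCache.

```c
#include <stdbool.h>

/* Constructed stand-in for a GObject: a reference count plus a finalized
   flag. This is a model, not the real GObject or DOMObjectCache code. */
typedef struct { unsigned ref_count; bool finalized; } Object;

/* A cache entry records how many refs the cache itself took on the object. */
typedef struct { Object *object; unsigned cacheReferences; } CacheEntry;
static void object_ref(Object *o) { o->ref_count++; }

static bool object_unref(Object *o) {
    if (o->ref_count == 0) return false;   /* where g_object_unref would crash */
    if (--o->ref_count == 0) o->finalized = true;
    return true;
}
/* The cache takes a ref and remembers that it owns it. */
static void cache_add_ref(CacheEntry *e) { object_ref(e->object); e->cacheReferences++; }

/* Drops the refs the cache believes it owns. clamp == false is the crashing
   behaviour; clamp == true first limits cacheReferences to the real ref_count. */
static bool cache_clear(CacheEntry *e, bool clamp) {
    unsigned n = e->cacheReferences;
    if (clamp && e->object->ref_count < n) n = e->object->ref_count;
    for (unsigned i = 0; i < n; i++)
        if (!object_unref(e->object)) return false;
    e->cacheReferences = 0;
    return true;
}

/* Scenario from the report: the cache owns two refs and the user unrefs one.
   The object survives, so no weak-ref notify fires and the cache still
   believes it owns two. Returns -1 on over-unref, else the final ref_count. */
static int scenario_user_unref(bool clamp) {
    Object obj = { 0, false };
    CacheEntry e = { &obj, 0 };
    cache_add_ref(&e); cache_add_ref(&e);
    object_unref(&obj);                    /* user drops a ref the cache owned */
    return cache_clear(&e, clamp) ? (int)obj.ref_count : -1;
}

/* Why ref_count alone is not enough (comments 3 and 4): a ref the user took
   explicitly must survive clearing the cache. Returns -1 if it was finalized. */
static int scenario_user_ref_survives(void) {
    Object obj = { 0, false };
    CacheEntry e = { &obj, 0 };
    cache_add_ref(&e);
    object_ref(&obj);                      /* the user's own ref, not the cache's */
    cache_clear(&e, true);
    return obj.finalized ? -1 : (int)obj.ref_count;
}
```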
Comment 1 Carlos Garcia Campos 2015-04-08 06:37:10 PDT
Created attachment 250347 [details]
Patch
Comment 2 Martin Robinson 2015-04-08 07:36:31 PDT
Comment on attachment 250347 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=250347&action=review

> Source/WebCore/ChangeLog:13
> +        try to remove more references that what the object actually has,

Nit: that what -> than what

> Source/WebCore/bindings/gobject/DOMObjectCache.cpp:48
> +        cacheReferences = std::min(static_cast<unsigned>(object->ref_count), cacheReferences);

It might be worth dropping a comment here explaining why cacheReferences might be incorrect at this point.
Comment 3 Sergio Villar Senin 2015-04-08 07:50:59 PDT
Comment on attachment 250347 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=250347&action=review

>> Source/WebCore/bindings/gobject/DOMObjectCache.cpp:48
>> +        cacheReferences = std::min(static_cast<unsigned>(object->ref_count), cacheReferences);
> 
> It might be worth dropping a comment here explaining why cacheReferences might be incorrect at this point.

Also, couldn't we completely forget about cacheReferences and simply use GObject's ref_count ?
Comment 4 Martin Robinson 2015-04-08 07:59:33 PDT
(In reply to comment #3)
 
> Also, couldn't we completely forget about cacheReferences and simply use
> GObject's ref_count ?

I don't think we can, because if the user explicitly refs the object, we should not delete it.
Comment 5 Carlos Garcia Campos 2015-04-08 08:19:12 PDT
(In reply to comment #4)
> (In reply to comment #3)
>  
> > Also, couldn't we completely forget about cacheReferences and simply use
> > GObject's ref_count ?
> 
> I don't think we can, because if the user explicitly refs the object, we
> should not delete it.

Exactly, cacheReferences only keeps track of the references owned by the cache itself. In a normal case, we just drop our refs, but users can do weird things.
Comment 6 Carlos Garcia Campos 2015-04-08 08:19:56 PDT
(In reply to comment #2)
> Comment on attachment 250347 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=250347&action=review
> 
> > Source/WebCore/ChangeLog:13
> > +        try to remove more references that what the object actually has,
> 
> Nit: that what -> than what

I always doubt :-P
 
> > Source/WebCore/bindings/gobject/DOMObjectCache.cpp:48
> > +        cacheReferences = std::min(static_cast<unsigned>(object->ref_count), cacheReferences);
> 
> It might be worth dropping a comment here explaining why cacheReferences
> might be incorrect at this point.

Sure!
Comment 7 Carlos Garcia Campos 2015-04-08 08:30:27 PDT
Committed r182537: <http://trac.webkit.org/changeset/182537>