Currently there is no guard to prevent wrap-around of the IDs used for Geolocation requests. This means that when the ID overflows, a previously existing request will be canceled and its ID reused. The original ID will then reference the wrong request.
I looked at how window.setTimeout() handles overflow of its timer IDs. It looks like it simply allows the overflow to happen (while ensuring the ID remains positive), thus overwriting the previous timer. See http://trac.webkit.org/browser/trunk/WebCore/page/DOMTimer.cpp. I suggest we do the same for Geolocation requests - allow the overflow, making sure the ID remains positive or negative as appropriate.
Created attachment 42043: Patch 1 for Bug 30122
It's not practical to add a test for this, as triggering the overflow would require so many watches to be started that it would be prohibitively slow.
Comment on attachment 42043: Patch 1 for Bug 30122
r=me
If you want to be pedantic, overflow has defined behavior for unsigned but not for int. So it's best to code this sort of thing so it detects overflow before it happens or use unsigned. But that's not a realistic concern.
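The two ID-wrapping schemes discussed in the comments above (let the ID wrap while keeping it positive, and the reviewer's note that signed overflow is undefined while unsigned overflow is not), as an added illustration that is not part of the bug thread or of WebKit's Geolocation or DOMTimer code. All names (`Request`, `RequestTable`, `nextIdChecked`, `nextIdUnsigned`) are hypothetical, and the table mimics the DOMTimer behaviour the thread describes: a wrapped ID overwrites (cancels) the request that still holds it rather than leaving two requests under one ID.

```cpp
#include <climits>
#include <cstdio>
#include <map>
#include <string>

// Hypothetical request record standing in for a Geolocation watch/request.
struct Request {
    std::string description;
};

// Approach 1 (the reviewer's "detect overflow before it happens"): stay in int,
// but never evaluate INT_MAX + 1, which is undefined behaviour for signed types.
// IDs are always in [1, INT_MAX] and wrap back to 1.
int nextIdChecked(int lastId) {
    if (lastId >= INT_MAX || lastId < 0)
        return 1;
    return lastId + 1;
}

// Approach 2 (the reviewer's "use unsigned"): unsigned wrap-around is
// well-defined, so let it happen, then mask off the sign bit and skip 0 so the
// value always converts to a positive int.
unsigned nextIdUnsigned(unsigned lastId) {
    unsigned next = (lastId + 1u) & 0x7fffffffu;
    return next == 0 ? 1u : next;
}

// A table that hands out IDs with approach 2 and, like the DOMTimer behaviour
// described in the thread, lets a wrapped ID overwrite (cancel) a request that
// still holds it instead of silently aliasing two requests under one ID.
class RequestTable {
public:
    // Adds a request under a fresh ID. Returns the ID; sets *replaced to true
    // when the ID wrapped onto a live request, which is cancelled first.
    int add(const Request& request, bool* replaced = nullptr) {
        m_lastId = nextIdUnsigned(m_lastId);
        int id = static_cast<int>(m_lastId);
        auto it = m_requests.find(id);
        bool overwrote = it != m_requests.end();
        if (overwrote)
            m_requests.erase(it);  // cancel the stale holder of this ID
        m_requests.emplace(id, request);
        if (replaced)
            *replaced = overwrote;
        return id;
    }

    bool cancel(int id) { return m_requests.erase(id) == 1; }

    const Request* find(int id) const {
        auto it = m_requests.find(id);
        return it == m_requests.end() ? nullptr : &it->second;
    }

    size_t size() const { return m_requests.size(); }

    // Test hook: position the counter just below the wrap point so the
    // wrap can be exercised without issuing two billion requests.
    void setLastIdForTesting(unsigned v) { m_lastId = v; }

private:
    unsigned m_lastId = 0;
    std::map<int, Request> m_requests;
};

int main() {
    RequestTable table;
    table.setLastIdForTesting(0x7ffffffeu);
    int a = table.add(Request{"last id before wrap"});  // INT_MAX
    int b = table.add(Request{"first id after wrap"});  // wraps to 1
    std::printf("%d %d\n", a, b);
    return 0;
}
```

The test hook is what makes the wrap testable at all: the original patch could not include a layout test because reaching the wrap point by actually starting watches is prohibitively slow, whereas a unit-level counter can simply be set to INT_MAX - 1.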
Comment on attachment 42043: Patch 1 for Bug 30122
Clearing flags on attachment: 42043
Committed r50229: <http://trac.webkit.org/changeset/50229>
All reviewed patches have been landed. Closing bug.