WebKit Bugzilla
RESOLVED FIXED
32111
Geolocation bug causes crash when watch is cleared from some callbacks
https://bugs.webkit.org/show_bug.cgi?id=32111
Reported by Steve Block, 2009-12-03 03:10:31 PST
In Geolocation::GeoNotifier::timerFired, a JS callback may be invoked if a fatal error was registered on this GeoNotifier or if this request has timed out. If the request is a watch, and is cleared by a call to clearWatch in the callback, the GeoNotifier object will be destroyed. This then causes a crash when the m_geolocation member is accessed to call Geolocation::fatalErrorOccurred or Geolocation::requestTimedOut. Note that use of the GeoNotifier this pointer as a parameter for the Geolocation methods is safe, even if the GeoNotifier object has been destroyed, as the this pointer is used only as a look-up in a map.
Attachments
Patch 1 for Bug 32111 (11.07 KB, patch), 2009-12-03 07:11 PST, Steve Block, no flags
Steve Block, Comment 1, 2009-12-03 07:11:28 PST
Created attachment 44241 [details]: Patch 1 for Bug 32111
WebKit Review Bot, Comment 2, 2009-12-03 07:15:14 PST
style-queue ran check-webkit-style on attachment 44241 [details] without any errors.
Darin Adler, Comment 3, 2009-12-03 16:58:19 PST
Comment on attachment 44241 [details]: Patch 1 for Bug 32111
> + // Cache our pointer to the Geolocation object, as this GeoNotifier object
> + // could be deleted by a call to clearWatch in a callback.
> + Geolocation* geolocation = m_geolocation;
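Review bot: the new comment says why the pointer is cached but not why a raw Geolocation* remains valid once this GeoNotifier has been deleted; state the ownership invariant in the comment (the Geolocation owns its GeoNotifiers and therefore outlives them), and make explicit that after the callback returns timerFired must use only the cached local and never a member of this object.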
Since the Geolocation object is reference counted, shouldn't this be a RefPtr? If not, then why is the Geolocation object reference counted? In other words, what guarantees it will not be destroyed?
Steve Block, Comment 4, 2009-12-04 03:18:31 PST
> Since the Geolocation object is reference counted, shouldn't this be a RefPtr?
> If not, then why is the Geolocation object reference counted? In other words,
> what guarantees it will not be destroyed?
The GeoNotifier objects are owned by the Geolocation object and their lifetime is controlled with RefPtrs. Each GeoNotifier has a raw pointer back to the Geolocation object which it uses to make callbacks. Since the GeoNotifier objects are owned by the Geolocation object, the Geolocation object is guaranteed to have a longer lifespan, so the raw Geolocation pointers held by the GeoNotifier objects will always be valid.
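As an added illustration (not WebKit's code), the lifetime hazard from the report and the ownership argument in comment 4 reduced to a minimal model: the Geolocation owns its GeoNotifiers through shared pointers, each notifier keeps a raw back-pointer, and the fixed timerFired caches that pointer before running a callback that may clear its own watch. Class and method names follow the report; the bodies, the event-log string and runScenario are constructed for this example.

```cpp
#include <functional>
#include <map>
#include <memory>
#include <string>
#include <utility>
class Geolocation;
class GeoNotifier {
public:
    GeoNotifier(Geolocation* geolocation, std::function<void()> callback, std::string* events)
        : m_geolocation(geolocation), m_callback(std::move(callback)), m_events(events) {}
    ~GeoNotifier() { m_events->push_back('D'); }  // records the moment this object dies
    void timerFired();
private:
    Geolocation* m_geolocation;        // raw back-pointer: the Geolocation owns every GeoNotifier
    std::function<void()> m_callback;  // stands in for the JS callback
    std::string* m_events;
};
class Geolocation {
public:
    explicit Geolocation(std::string* events) : m_events(events) {}
    int watchPosition(std::function<void()> callback) {
        m_watchers[++m_lastWatchId] = std::make_shared<GeoNotifier>(this, std::move(callback), m_events);
        return m_lastWatchId;
    }
    void clearWatch(int id) { m_watchers.erase(id); }  // drops the only reference: the notifier dies here
    void fireTimer(int id) { auto it = m_watchers.find(id); if (it != m_watchers.end()) it->second->timerFired(); }
    // The notifier pointer serves only as a map key and is never dereferenced, so a dead notifier is harmless.
    void requestTimedOut(GeoNotifier*) { m_events->push_back('T'); }
private:
    std::string* m_events;
    int m_lastWatchId = 0;
    std::map<int, std::shared_ptr<GeoNotifier>> m_watchers;
};
// Fixed timerFired: no member of *this is read after the callback returns.
void GeoNotifier::timerFired() {
    Geolocation* geolocation = m_geolocation;  // cache first: the callback may delete this object
    m_callback();                              // may call clearWatch() on our own watch
    geolocation->requestTimedOut(this);        // 'this' is passed as a key only
    // The buggy version read m_geolocation here, a member of an object the callback may have freed.
}
// Fires one watch's timer and returns the event order ('D' notifier destroyed, 'T' requestTimedOut reached); clearInCallback = true reproduces the bug report's scenario.
std::string runScenario(bool clearInCallback) {
    std::string events;
    {
        Geolocation geolocation(&events); int watchId = 0;
        watchId = geolocation.watchPosition([&] { if (clearInCallback) geolocation.clearWatch(watchId); });
        geolocation.fireTimer(watchId);
    }  // a notifier that survived its callback is destroyed together with its owner here
    return events;
}
```

With the watch cleared from its own callback the notifier is destroyed before requestTimedOut runs, yet the call still completes because only the cached Geolocation pointer is used.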
WebKit Commit Bot, Comment 5, 2009-12-04 03:30:49 PST
Comment on attachment 44241 [details]: Patch 1 for Bug 32111
Clearing flags on attachment: 44241
Committed r51692: <http://trac.webkit.org/changeset/51692>
WebKit Commit Bot, Comment 6, 2009-12-04 03:30:54 PST
All reviewed patches have been landed. Closing bug.