Bug 32111 - Geolocation bug causes crash when watch is cleared from some callbacks
Summary: Geolocation bug causes crash when watch is cleared from some callbacks
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: 528+ (Nightly build)
Hardware: All All
Importance: P2 Normal
Assignee: Steve Block
Reported: 2009-12-03 03:10 PST by Steve Block
Modified: 2009-12-04 03:30 PST

Attachments
Patch 1 for Bug 32111 (11.07 KB, patch)
2009-12-03 07:11 PST, Steve Block

Description Steve Block 2009-12-03 03:10:31 PST
In Geolocation::GeoNotifier::timerFired, a JS callback may be invoked if a fatal error was registered on this GeoNotifier or if this request has timed out. If the request is a watch, and is cleared by a call to clearWatch in the callback, the GeoNotifier object will be destroyed. This then causes a crash when the m_geolocation member is accessed to call Geolocation::fatalErrorOccurred or Geolocation::requestTimedOut.

Note that use of the GeoNotifier this pointer as a parameter for the Geolocation methods is safe, even if the GeoNotifier object has been destroyed, as the this pointer is used only as a look-up in a map.
Comment 1 Steve Block 2009-12-03 07:11:28 PST
Created attachment 44241
Patch 1 for Bug 32111
Comment 2 WebKit Review Bot 2009-12-03 07:15:14 PST
style-queue ran check-webkit-style on attachment 44241 without any errors.
Comment 3 Darin Adler 2009-12-03 16:58:19 PST
Comment on attachment 44241
Patch 1 for Bug 32111

> +    // Cache our pointer to the Geolocation object, as this GeoNotifier object
> +    // could be deleted by a call to clearWatch in a callback.
> +    Geolocation* geolocation = m_geolocation;
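Review bot: the comment says why the pointer is cached but not why the cached raw pointer is still valid once the callback returns, which is the question a reader of this line will ask given that Geolocation is reference counted. Either state the lifetime guarantee in the comment (the GeoNotifier is owned by the Geolocation object, so the owner necessarily outlives the notifier and the raw pointer cannot dangle) or hold a RefPtr<Geolocation> here instead of a raw pointer.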

Since the Geolocation object is reference counted, shouldn't this be a RefPtr? If not, then why is the Geolocation object reference counted? In other words, what guarantees it will not be destroyed?
Comment 4 Steve Block 2009-12-04 03:18:31 PST
> Since the Geolocation object is reference counted, shouldn't this be a RefPtr?
> If not, then why is the Geolocation object reference counted? In other words,
> what guarantees it will not be destroyed?
The GeoNotifier objects are owned by the Geolocation object and their lifetime is controlled with RefPtrs. Each GeoNotifier has a raw pointer back to the Geolocation object which it uses to make callbacks. Since the GeoNotifier objects are owned by the Geolocation object, the Geolocation object is guaranteed to have a longer lifespan, so the raw Geolocation pointers held by the GeoNotifier objects will always be valid.
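The crash sequence from the description and the ownership argument from Comment 4, as a stand-alone C++ model. This is an added example and not WebKit's code: std::shared_ptr stands in for RefPtr, and the live-object registry, the Outcome and Result types, simulateTimeout and the two timerFired variants are assumptions made for the demo. The names Geolocation, GeoNotifier, clearWatch and requestTimedOut mirror the bug report. The buggy path consults a registry of live notifier addresses instead of actually reading the freed member, so the use-after-free is reported deterministically rather than relying on undefined behaviour.

```cpp
// Added example (not WebKit's code): minimal model of the ownership described
// in the bug. Geolocation owns its GeoNotifiers through shared_ptr (standing in
// for RefPtr); each GeoNotifier keeps a raw back-pointer to its owner.
#include <cstddef>
#include <functional>
#include <iostream>
#include <map>
#include <memory>
#include <set>

class Geolocation;

// Registry of live GeoNotifier addresses (an assumption for the demo). The
// buggy path consults it so the use-after-free can be reported instead of
// dereferencing freed memory, which would be undefined behaviour.
static std::set<const void*> g_liveNotifiers;

enum class Outcome { Completed, UseAfterFree };

class GeoNotifier {
public:
    GeoNotifier(Geolocation* geolocation, std::function<void()> callback)
        : m_geolocation(geolocation), m_callback(std::move(callback))
    { g_liveNotifiers.insert(this); }
    ~GeoNotifier() { g_liveNotifiers.erase(this); }

    Outcome timerFiredBuggy();   // order of operations before the fix
    Outcome timerFiredFixed();   // order of operations after the fix

private:
    Geolocation* m_geolocation;        // raw pointer: the owner outlives us
    std::function<void()> m_callback;  // stands in for the JS callback
};

class Geolocation {
public:
    int watchPosition(std::function<void(Geolocation&, int)> callback) {
        int id = ++m_nextId;
        m_watchers[id] = std::make_shared<GeoNotifier>(
            this, [this, id, callback] { callback(*this, id); });
        return id;
    }
    // Erasing the shared_ptr destroys the GeoNotifier immediately.
    void clearWatch(int id) { m_watchers.erase(id); }
    // `notifier` is compared by address only, never dereferenced, so it is
    // safe to pass even after that GeoNotifier has been destroyed.
    void requestTimedOut(const GeoNotifier* notifier) {
        ++m_timeouts;
        for (auto& entry : m_watchers)
            if (entry.second.get() == notifier)
                ++m_timeoutsOnLiveWatch;
    }
    GeoNotifier* notifierFor(int id) { return m_watchers.at(id).get(); }
    std::size_t watchCount() const { return m_watchers.size(); }
    int timeouts() const { return m_timeouts; }

private:
    int m_nextId = 0;
    int m_timeouts = 0;
    int m_timeoutsOnLiveWatch = 0;
    std::map<int, std::shared_ptr<GeoNotifier>> m_watchers;
};

Outcome GeoNotifier::timerFiredBuggy() {
    // Copy the callable to the stack so the running callback is not destroyed
    // together with *this (a separate hazard the bug report does not discuss).
    std::function<void()> callback = m_callback;
    callback();                             // may call clearWatch -> deletes *this
    if (!g_liveNotifiers.count(this))       // *this is freed: this is the crash point
        return Outcome::UseAfterFree;
    m_geolocation->requestTimedOut(this);   // member read after the callback
    return Outcome::Completed;
}

Outcome GeoNotifier::timerFiredFixed() {
    // Cache the owner pointer before the callback; nothing below touches a
    // member of *this, and the owner is guaranteed to outlive this object.
    Geolocation* geolocation = m_geolocation;
    std::function<void()> callback = m_callback;
    callback();
    geolocation->requestTimedOut(this);     // `this` is passed as a key only
    return Outcome::Completed;
}

struct Result { Outcome outcome; std::size_t remainingWatches; int timeouts; };

// clearInCallback models a page whose callback calls clearWatch on its own watch.
Result simulateTimeout(bool useFix, bool clearInCallback) {
    Geolocation geolocation;
    int id = geolocation.watchPosition([clearInCallback](Geolocation& g, int watchId) {
        if (clearInCallback) g.clearWatch(watchId);
    });
    GeoNotifier* notifier = geolocation.notifierFor(id);  // raw: must not keep it alive
    Outcome outcome = useFix ? notifier->timerFiredFixed() : notifier->timerFiredBuggy();
    return { outcome, geolocation.watchCount(), geolocation.timeouts() };
}

int main() {
    Result buggy = simulateTimeout(false, true);
    Result fixed = simulateTimeout(true, true);
    std::cout << "buggy path: " << (buggy.outcome == Outcome::UseAfterFree ? "use-after-free" : "ok") << "\n"
              << "fixed path: " << (fixed.outcome == Outcome::Completed ? "ok" : "use-after-free")
              << ", timeouts=" << fixed.timeouts << ", watches left=" << fixed.remainingWatches << "\n";
    return 0;
}
```

The fixed variant works because of the ownership direction spelled out in Comment 4: the notifier never outlives the Geolocation object, so the cached raw pointer cannot dangle, while `this` crosses the call boundary only as a lookup key. If the ownership were the other way round, the cache would have to be a RefPtr<Geolocation>.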
Comment 5 WebKit Commit Bot 2009-12-04 03:30:49 PST
Comment on attachment 44241
Patch 1 for Bug 32111

Clearing flags on attachment: 44241

Committed r51692: <http://trac.webkit.org/changeset/51692>
Comment 6 WebKit Commit Bot 2009-12-04 03:30:54 PST
All reviewed patches have been landed. Closing bug.