[Webkit-unassigned] [Bug 43776] [Chromium] 51670 WebCore::GeolocationService::positionChanged memory corruption
bugzilla-daemon at webkit.org
Tue Aug 10 15:12:26 PDT 2010
https://bugs.webkit.org/show_bug.cgi?id=43776
Justin Schuh <jschuh at chromium.org> changed:
What     Removed                              Added
----------------------------------------------------------------------------
Summary  Chromium 51670                       [Chromium] 51670
         WebCore::GeolocationService          WebCore::GeolocationService
         ::positionChanged memory corruption  ::positionChanged memory corruption
CC                                            bulach at chromium.org,
                                              jschuh at chromium.org
--- Comment #1 from Justin Schuh <jschuh at chromium.org> 2010-08-10 15:12:26 PST ---
Marcus, do you mind taking care of this? I poked at it a bit and here's what I've worked out.
It looks like WebGeolocationService::detachBridge() isn't called before the associated WebGeolocationServiceBridge is deleted. So, GeolocationDispatcher::bridges_map_ ends up holding a stale WebGeolocationServiceBridge pointer. The lifetime of these objects seems to be handled in the platform code, and I'm not triggering the same crash in WebKit trunk. So, it's probably Chromium-specific.
Here's the stack snippet where the stale pointer is referenced (haven't identified exactly where the free is occurring yet):
GeolocationDispatcher::OnGeolocationPositionUpdated(const Geoposition & geoposition={...}) Line 104
DispatchToMethod<GeolocationDispatcher,void (__thiscall GeolocationDispatcher::*)(Geoposition const &),Geoposition>(GeolocationDispatcher * obj=0x059eed90, void (const Geoposition &)* method=0x55e653f0, const Tuple1<Geoposition> & arg={...}) Line 499
IPC::MessageWithTuple<Tuple1<Geoposition> >::Dispatch<GeolocationDispatcher,void (__thiscall GeolocationDispatcher::*)(Geoposition const &)>(const IPC::Message * msg=class=16, index=166, GeolocationDispatcher * obj=0x059eed90, void (const Geoposition &)* func=0x55e653f0) Line 1047
It's also a lot easier to follow the problem in a debugger if you simplify the repro to this:
<!-- The top-level page reloads itself immediately, which tears down any child frame it created -->
<meta http-equiv="refresh" content="0">
<script>
if (location.search)
  // Child frame (loaded with "?go"): request a position; the callback is deliberately empty,
  // since the point is the pending request, not its result
  window.navigator.geolocation.getCurrentPosition(function(){});
else
  // Top-level page: embed itself as an iframe with "?go" appended to the URL
  document.write('<iframe src="' + location + '?go"></iframe>');
</script>
And, just for reference, the bug was originally reported by kuzzcc at:
http://code.google.com/p/chromium/issues/detail?id=51670
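As an added example that is not part of the bug report, and is neither Chromium's or WebKit's code nor the eventual fix, here is a small C++ model of the ownership problem described above: a dispatcher map holding raw bridge pointers, a bridge that is destroyed without detachBridge() ever being called, and a late position update that walks the map. All names (Dispatcher, Bridge, LeakyBridge, DetachingBridge, simulateFrameTeardown) are hypothetical, and the liveness set exists only so the demo can count dangling entries instead of dereferencing freed memory the way the real code would.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdio>
#include <map>
#include <memory>
#include <set>

// Added example, not Chromium code: a simplified model of the ownership
// problem in the comment. Dispatcher keeps raw Bridge pointers in a map,
// and each Bridge is expected to call detachBridge() before it dies.

struct Geoposition {
  double latitude;
  double longitude;
};

// Liveness tracking so the demo can detect a dangling pointer without
// dereferencing freed memory (a real dispatcher has no such check).
static std::set<const void*>& liveBridges() {
  static std::set<const void*> s;
  return s;
}

class Bridge {
 public:
  Bridge() { liveBridges().insert(this); }
  virtual ~Bridge() { liveBridges().erase(this); }
  void setPosition(const Geoposition& p) { last_ = p; ++delivered_; }
  int delivered() const { return delivered_; }
 private:
  Geoposition last_{0, 0};
  int delivered_ = 0;
};

class Dispatcher {
 public:
  void attachBridge(int id, Bridge* b) { bridges_map_[id] = b; }
  void detachBridge(int id) { bridges_map_.erase(id); }
  std::size_t bridgeCount() const { return bridges_map_.size(); }

  // Mirrors OnGeolocationPositionUpdated: fan the position out to every
  // registered bridge. Returns how many entries pointed at an already
  // destroyed bridge; the real code would dereference those pointers.
  int onPositionUpdated(const Geoposition& p) {
    int stale = 0;
    for (auto& kv : bridges_map_) {
      if (!liveBridges().count(kv.second)) { ++stale; continue; }
      kv.second->setPosition(p);
    }
    return stale;
  }
 private:
  std::map<int, Bridge*> bridges_map_;
};

// Buggy variant: deleted without ever calling detachBridge(), so the
// dispatcher keeps a stale pointer, as in the reported crash.
class LeakyBridge : public Bridge {
 public:
  LeakyBridge(Dispatcher* d, int id) : d_(d), id_(id) { d_->attachBridge(id_, this); }
  // No detach in the destructor.
 private:
  Dispatcher* d_;
  int id_;
};

// Hardened variant: detaching is tied to the bridge's own lifetime (RAII),
// so the map entry cannot outlive the object it points to.
class DetachingBridge : public Bridge {
 public:
  DetachingBridge(Dispatcher* d, int id) : d_(d), id_(id) { d_->attachBridge(id_, this); }
  ~DetachingBridge() override { d_->detachBridge(id_); }
 private:
  Dispatcher* d_;
  int id_;
};

// Simulates the repro: a frame requests a position, then is torn down by
// the reload before the reply arrives. Returns the stale-entry count.
template <typename B>
int simulateFrameTeardown() {
  Dispatcher dispatcher;
  {
    std::unique_ptr<Bridge> frame_bridge(new B(&dispatcher, 1));  // getCurrentPosition()
  }                                                                // iframe destroyed
  return dispatcher.onPositionUpdated({37.4, -122.1});             // late IPC reply
}

// Normal path: the bridge is still alive when the update arrives.
int deliveredWhileAlive() {
  Dispatcher dispatcher;
  DetachingBridge b(&dispatcher, 7);
  dispatcher.onPositionUpdated({0, 0});
  return b.delivered();
}

int main() {
  std::printf("leaky bridge: %d stale entries\n", simulateFrameTeardown<LeakyBridge>());
  std::printf("detaching bridge: %d stale entries\n", simulateFrameTeardown<DetachingBridge>());
  return 0;
}
```

The model only shows the shape of the bug: whichever object owns the bridge must guarantee that the map entry goes away no later than the bridge itself, and tying the detach to the destructor is one way to make that impossible to forget. Under AddressSanitizer the leaky variant with the liveness check removed reports a heap-use-after-free at the setPosition() call, which is the kind of report the stack snippet above corresponds to.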