[Webkit-unassigned] [Bug 39879] Geolocation activity started after frame has been disconnected can cause crash

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Jun 2 12:29:54 PDT 2010


https://bugs.webkit.org/show_bug.cgi?id=39879


Jeremy Orlow <jorlow at chromium.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jorlow at chromium.org




--- Comment #11 from Jeremy Orlow <jorlow at chromium.org>  2010-06-02 12:29:52 PST ---
(In reply to comment #10)
> > In fact, is there a more general problem here? Is it ever safe for Geolocation
> > to allow callbacks to the script context of another frame, for these reasons?
> I've looked into this and, yes this is dangerous. I have a test case where frame A calls a method on frame B's Geolocation object, then frame A's script execution context gets torn down before frame B's Geolocation object makes the callback, causing a crash.
> 
> It seems like the right fix is for the Geolocation object to hold a weak pointer to the script context associated with each method call. Callbacks are then made in this context, checking for existence of the context first.
> 
> andreip and jorlow have run into exactly the same problem when implementing IndexedDB. They're implementing the weak pointer for the script context in Bug 40071

I totally spaced out on this one.  What you should actually be doing is making something implement an ActiveDOMObject.  That way you'll get notified when the script execution context goes away + you'll know when the page is suspended and such.  I believe this will entirely solve the problem.

> Note that this crash doesn't occur with the Database callbacks because the Database object holds a RefPtr to the script context of its owning frame and makes callbacks in this context. This seems wrong for two reasons ...
> - Callbacks are made in the context of the frame owning the Database, not the frame from which the Database method was invoked.
> - Objects should not hold onto the script context. See https://bugs.webkit.org/show_bug.cgi?id=39388#c6

Good point!  Would you mind filing a bug on this?  cc dumi at chromium.org dglazkov at chromium.org ericu at chromium.org jorlow at chromium.org and michaeln at chromium.org  Thanks!
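The lifetime problem discussed in this thread, as an added illustration that is not WebKit code: the classes below (ScriptExecutionContext, ActiveObject, GeolocationRequest, Geolocation, and the method names on them) are hypothetical stand-ins shaped after the ActiveDOMObject idea Jeremy describes. Each pending request registers with the context of the frame that called the method, is told when that context is torn down, and then declines to run its callback, so a position arriving after frame A is gone never dereferences A's destroyed context.

```cpp
#include <algorithm>
#include <functional>
#include <iostream>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Hypothetical stand-ins for WebKit's ScriptExecutionContext / ActiveDOMObject.
class ScriptExecutionContext;

// An object whose lifetime depends on a script execution context registers
// with that context and is notified when the context is torn down.
class ActiveObject {
public:
    virtual ~ActiveObject() = default;
    virtual void contextDestroyed() = 0;
};

class ScriptExecutionContext {
public:
    ~ScriptExecutionContext() {
        // Every dependent drops its pointer before this memory goes away,
        // so a later callback cannot dereference a dead context.
        for (ActiveObject* o : m_activeObjects)
            o->contextDestroyed();
    }
    void addActiveObject(ActiveObject* o) { m_activeObjects.push_back(o); }
    void removeActiveObject(ActiveObject* o) {
        m_activeObjects.erase(std::remove(m_activeObjects.begin(), m_activeObjects.end(), o),
                              m_activeObjects.end());
    }
    // Stand-in for running script in this context; records what ran.
    void runScript(const std::string& what) { m_log.push_back(what); }
    const std::vector<std::string>& log() const { return m_log; }
private:
    std::vector<ActiveObject*> m_activeObjects;
    std::vector<std::string> m_log;
};

using PositionCallback = std::function<void(ScriptExecutionContext&, double)>;

// One pending request, bound to the caller's context (the frame that invoked
// the method), not to the frame that owns the Geolocation object.
class GeolocationRequest : public ActiveObject {
public:
    GeolocationRequest(ScriptExecutionContext* caller, PositionCallback cb)
        : m_context(caller), m_callback(std::move(cb)) { m_context->addActiveObject(this); }
    ~GeolocationRequest() override { if (m_context) m_context->removeActiveObject(this); }
    void contextDestroyed() override {
        m_context = nullptr;   // the caller's frame is gone
        m_callback = nullptr;  // drop anything the callback captured
    }
    // Delivers the position in the caller's context; false if that context no
    // longer exists (the sequence that crashed in the report).
    bool deliver(double latitude) {
        if (!m_context)
            return false;
        m_callback(*m_context, latitude);
        return true;
    }
private:
    ScriptExecutionContext* m_context;
    PositionCallback m_callback;
};

class Geolocation {
public:
    void getCurrentPosition(ScriptExecutionContext* caller, PositionCallback cb) {
        m_requests.push_back(std::make_unique<GeolocationRequest>(caller, std::move(cb)));
    }
    // Position arrived: fire every still-valid callback, return how many ran.
    int positionReceived(double latitude) {
        int delivered = 0;
        for (auto& request : m_requests)
            if (request->deliver(latitude))
                ++delivered;
        m_requests.clear();
        return delivered;
    }
private:
    std::vector<std::unique_ptr<GeolocationRequest>> m_requests;
};

static PositionCallback recordPosition() {
    return [](ScriptExecutionContext& ctx, double lat) {
        ctx.runScript("success callback, lat=" + std::to_string(lat));
    };
}

// Sequence from the report: frame A calls frame B's Geolocation, then A's
// context is torn down before the position arrives. Returns callbacks made.
int scenarioCallerTornDown() {
    ScriptExecutionContext frameB;
    Geolocation geolocation;  // owned by frame B
    {
        ScriptExecutionContext frameA;
        geolocation.getCurrentPosition(&frameA, recordPosition());
    }  // frame A destroyed here; the pending request is notified
    return geolocation.positionReceived(51.5);  // 0: A is never touched
}

// Control case: the caller is still alive, so the callback runs in its
// context. Returns the number of script runs frame A recorded.
int scenarioCallerAlive() {
    ScriptExecutionContext frameA;
    Geolocation geolocation;
    geolocation.getCurrentPosition(&frameA, recordPosition());
    geolocation.positionReceived(51.5);
    return static_cast<int>(frameA.log().size());  // 1
}

int main() {
    std::cout << "caller torn down: " << scenarioCallerTornDown() << " callback(s)\n";
    std::cout << "caller alive:     " << scenarioCallerAlive() << " callback(s)\n";
}
```

The request, not the Geolocation object, is the thing bound to a context, which is what lets a single Geolocation serve calls from several frames and still drop exactly the callbacks whose caller has gone away; the same hook is where per-page suspend/resume handling would attach.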
