[Webkit-unassigned] [Bug 40162] Prevent Geolocation making callbacks to a ScriptExecutionContext that no longer exists

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Jun 4 05:36:30 PDT 2010


Steve Block <steveblock at google.com> changed:

           What    |Removed                     |Added
                 CC|                            |steveblock at google.com

--- Comment #2 from Steve Block <steveblock at google.com>  2010-06-04 05:36:29 PST ---
The fix for this proposed in https://bugs.webkit.org/show_bug.cgi?id=39879#c11 was have the callbacks inherit from ActiveDOMObject, so as to provide way to know when the ScriptExecutionContext has gone away.

The problem is that the ScriptExecutionContext is ref'ed from script, so isn't destroyed until the GC runs. So we may not get the notification that the context is gone until some time after it is disconnected from its frame. But the current code path in JSCallbackData obtains the ScriptExecutionContext through DOMWindow::document() which in turn uses the Frame. So there exists a time between frame detachment and garbage collection when JSCallbackData can't get to the ScriptExecutionContext, but we haven't yet been notified through ActiveDOMObject that it's gone.

The call to DOMWindow::document() fails gracefully if the frame is detached, so we can fix this bug by modifying JSCallbackData without using ActiveDOMObject.

If we want to use ActiveDOMObject, I think more substantial changes will be required.

Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list