[Webkit-unassigned] [Bug 35826] New: crash when makeSuccessCallbacks is called after disconnectFrame

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sat Mar 6 00:36:53 PST 2010


           Summary: crash when makeSuccessCallbacks is called after disconnectFrame
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Mac OS X 10.5
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: arno at renevier.net

When a request for geolocation permission is emitted and the document asking for
permission is unloaded, it's possible for the embedder to still call
setIsAllowed (possibly other functions) after the document has been unloaded.

Then, a crash occurs in Geolocation::makeSuccessCallbacks or
The crash happens in the copyToVector inline function.
After investigating, I discovered that in this part of copyToVector


        iterator it = collection.begin();
        iterator end = collection.end();
        for (unsigned i = 0; it != end; ++it, ++i)
            vector[i] = (*it).first;

collection.size() evaluates to 1, but the loop is entered twice; I don't understand

Is it a good idea to have a boolean member m_isDisconnected, set it to false in
disconnectFrame, and check its value at the start of handleError and
makeSuccessCallbacks? Or is there a better solution?
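
The ordering the report describes, and the guard it proposes, as an added
example in C++. This is not WebKit code and not the reporter's patch: the
class, its members (Geolocation, watchPosition, setIsAllowed, disconnectFrame,
m_isDisconnected) and the copyKeysToVector helper are assumptions that mirror
the names in the bug text, and the position value is a constructed sample. The
helper keeps the shape of the copyToVector loop quoted above, with the
destination sized up front so the indexed stores stay in bounds.

```cpp
// Added example, not WebKit code: a toy model of the lifecycle in the report.
// Names (Geolocation, disconnectFrame, setIsAllowed, m_isDisconnected,
// copyKeysToVector) are assumptions that mirror the bug text, not WebCore's API.
#include <functional>
#include <map>
#include <utility>
#include <vector>

struct Position { double latitude; double longitude; };
using SuccessCallback = std::function<void(const Position&)>;

// Snapshot the keys of a map, in the style of the copyToVector loop quoted in
// the report; the destination is sized first so vector[i] is always in bounds.
template <typename Map>
std::vector<typename Map::key_type> copyKeysToVector(const Map& collection)
{
    std::vector<typename Map::key_type> vector(collection.size());
    typename Map::const_iterator it = collection.begin();
    typename Map::const_iterator end = collection.end();
    for (unsigned i = 0; it != end; ++it, ++i)
        vector[i] = it->first;
    return vector;
}

struct Frame {};

class Geolocation {
public:
    explicit Geolocation(Frame* frame) : m_frame(frame) {}

    // Script registers a watcher and gets an id back.
    int watchPosition(SuccessCallback callback)
    {
        m_watchers[++m_nextWatchId] = std::move(callback);
        return m_nextWatchId;
    }

    // The embedder answers the permission prompt; nothing stops it from doing
    // so after the document is gone, which is the ordering in the report.
    void setIsAllowed(bool allowed)
    {
        if (allowed)
            makeSuccessCallbacks(Position{48.8566, 2.3522}); // constructed sample fix
        else
            handleError();
    }

    // Document unloaded: drop frame-dependent state and remember it for late callers.
    void disconnectFrame()
    {
        m_isDisconnected = true;
        m_frame = nullptr;
        m_watchers.clear();
    }

private:
    void makeSuccessCallbacks(const Position& position)
    {
        if (m_isDisconnected)
            return; // late answer: nothing left to notify, and nothing to iterate
        // Walk a snapshot so a callback that clears its own watch cannot
        // invalidate the map iterator under us.
        for (int id : copyKeysToVector(m_watchers)) {
            auto found = m_watchers.find(id);
            if (found != m_watchers.end())
                found->second(position);
        }
    }

    void handleError()
    {
        if (!m_isDisconnected)
            m_watchers.clear(); // permission denied: no position will ever arrive
    }

    Frame* m_frame;
    bool m_isDisconnected = false;
    int m_nextWatchId = 0;
    std::map<int, SuccessCallback> m_watchers;
};

// Runs the sequence and returns how many success callbacks fired. With
// unloadFirst == true this is the ordering from the report: the page asks,
// the document unloads, and only then does the embedder answer.
int callbacksFired(bool unloadFirst)
{
    Frame frame;
    Geolocation geolocation(&frame);
    int fired = 0;
    geolocation.watchPosition([&fired](const Position&) { ++fired; });
    if (unloadFirst)
        geolocation.disconnectFrame();
    geolocation.setIsAllowed(true);
    return fired; // 0 when unloaded first, 1 otherwise
}
```

callbacksFired(true) returns 0 because the late answer is dropped at the top
of makeSuccessCallbacks instead of walking state that disconnectFrame already
tore down; callbacksFired(false) returns 1 and shows the guard does not change
the normal path. In this toy, checking that m_frame is still non-null at the
same two entry points would serve the same purpose as the separate flag, as
long as disconnectFrame is the only place that clears it.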
