[Webkit-unassigned] [Bug 35826] New: crash when makeSuccessCallbacks is called after disconnectFrame

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sat Mar 6 00:36:53 PST 2010


https://bugs.webkit.org/show_bug.cgi?id=35826

           Summary: crash when makeSuccessCallbacks is called after
                    disconnectFrame
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Mac OS X 10.5
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: arno at renevier.net


Hi,
When a request for geolocation permission is emitted, and the document asking for
permission is unloaded, it's possible for the embedder to still call
setIsAllowed (possibly other functions) after the document has been unloaded.

Then, a crash occurs in Geolocation::makeSuccessCallbacks or
Geolocation::handleError.
The crash happens in the copyToVector inline function.
After investigating, I discovered in this part of copyToVector:

        vector.resize(collection.size());

        iterator it = collection.begin();
        iterator end = collection.end();
        for (unsigned i = 0; it != end; ++it, ++i)
            vector[i] = (*it).first;

collection.size() evaluates to 1, but the loop is entered twice; I don't understand
why.

Is it a good idea to have a boolean member m_isDisconnected, set it to false in
disconnectFrame, and check its value at the start of handleError and
makeSuccessCallbacks? Or is there a better solution?

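As an added illustration of the lifecycle problem described in the report (this is example code written for this page, not WebKit's Geolocation implementation and not the reporter's patch), the model below keeps a set of pending one-shot notifiers, lets the embedder answer the permission prompt with setIsAllowed, and guards the callback paths with the proposed m_isDisconnected flag set in disconnectFrame. The class and helper names (Notifier, GeolocationModel, runScenario, snapshotOneShots) are assumptions chosen to mirror the report; only the flag check is the technique under discussion.

```cpp
// Added example, not WebKit code: a stripped-down model of the Geolocation
// lifecycle in the report. Names are hypothetical and mirror the report.
#include <cstdio>
#include <functional>
#include <memory>
#include <set>
#include <string>
#include <vector>

struct Notifier {
    std::function<void(const std::string&)> success;
    std::function<void(const std::string&)> error;
};

class GeolocationModel {
public:
    // Register a one-shot request (the page asked for a position once).
    void addOneShot(std::shared_ptr<Notifier> n) { m_oneShots.insert(n); }

    // Called when the owning document is unloaded. The flag is the
    // m_isDisconnected member the report proposes; it is set here and
    // consulted before any callback path touches per-document state.
    void disconnectFrame() {
        m_isDisconnected = true;
        m_oneShots.clear();   // nothing may call back into the dead document
    }

    // The embedder answers the permission prompt. Nothing stops it from
    // doing so after disconnectFrame() has already run.
    void setIsAllowed(bool allowed) {
        m_allowed = allowed;
        if (allowed)
            makeSuccessCallbacks("position");
        else
            handleError("PERMISSION_DENIED");
    }

    bool isDisconnected() const { return m_isDisconnected; }
    size_t pendingCount() const { return m_oneShots.size(); }

private:
    // Snapshot the set before iterating, as copyToVector does, so a callback
    // that adds or removes notifiers cannot invalidate the iteration.
    std::vector<std::shared_ptr<Notifier>> snapshotOneShots() {
        std::vector<std::shared_ptr<Notifier>> v(m_oneShots.begin(), m_oneShots.end());
        m_oneShots.clear();   // one-shots fire at most once
        return v;
    }

    void makeSuccessCallbacks(const std::string& position) {
        if (m_isDisconnected)  // the check the report suggests
            return;
        for (auto& n : snapshotOneShots())
            n->success(position);
    }

    void handleError(const std::string& message) {
        if (m_isDisconnected)  // same guard on the error path
            return;
        for (auto& n : snapshotOneShots())
            n->error(message);
    }

    std::set<std::shared_ptr<Notifier>> m_oneShots;
    bool m_allowed = false;
    bool m_isDisconnected = false;
};

// Drive both orderings: embedder answers before or after the unload.
// Returns how many page callbacks actually ran.
int runScenario(bool unloadBeforeAnswer, bool allowed) {
    int calls = 0;
    auto n = std::make_shared<Notifier>();
    n->success = [&](const std::string&) { ++calls; };
    n->error = [&](const std::string&) { ++calls; };

    GeolocationModel geo;
    geo.addOneShot(n);
    if (unloadBeforeAnswer)
        geo.disconnectFrame();
    geo.setIsAllowed(allowed);   // safe in both orderings because of the guard
    return calls;
}

int main() {
    std::printf("answer before unload, allowed: %d callback(s)\n", runScenario(false, true));
    std::printf("answer after unload, allowed:  %d callback(s)\n", runScenario(true, true));
    std::printf("answer after unload, denied:   %d callback(s)\n", runScenario(true, false));
    return 0;
}
```

The point of the model is the ordering: the permission answer is asynchronous and owned by the embedder, so the object must tolerate receiving it after its document is gone. Checking the flag at the top of both callback paths, rather than relying on the notifier set being empty, keeps the late call from touching anything that disconnectFrame has torn down.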