fast/dom/Geolocation/disconnected-frame.html test asserts
author benjamin@webkit.org <benjamin@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 22 Sep 2012 00:13:14 +0000 (00:13 +0000)
committer benjamin@webkit.org <benjamin@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 22 Sep 2012 00:13:14 +0000 (00:13 +0000)
https://bugs.webkit.org/show_bug.cgi?id=97376

Patch by Benjamin Poulain <bpoulain@apple.com> on 2012-09-21
Reviewed by Alexey Proskuryakov.

Source/WebKit2:

In GeolocationPermissionRequestManager::cancelRequestForGeolocation, we access an iterator
after its value has been removed from the table.
There are two problems with that:
- The iterator is no longer valid after the container has been modified.
- If it was the last element, the table has been freed and the iterator points to deleted memory.

We solve the issue by keeping a copy of the ID. We could have inverted the order of the calls
but that would make the issue less visible for future change.

Testing covered by fast/dom/Geolocation/disconnected-frame.html.

* WebProcess/Geolocation/GeolocationPermissionRequestManager.cpp:
(WebKit::GeolocationPermissionRequestManager::cancelRequestForGeolocation):

LayoutTests:

* platform/wk2/Skipped:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@129278 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/platform/wk2/Skipped
Source/WebKit2/ChangeLog
Source/WebKit2/WebProcess/Geolocation/GeolocationPermissionRequestManager.cpp

index 91c1b52..efb3a0e 100644 (file)
@@ -1,3 +1,12 @@
+2012-09-21  Benjamin Poulain  <bpoulain@apple.com>
+
+        fast/dom/Geolocation/disconnected-frame.html test asserts
+        https://bugs.webkit.org/show_bug.cgi?id=97376
+
+        Reviewed by Alexey Proskuryakov.
+
+        * platform/wk2/Skipped:
+
 2012-09-21  Roger Fong  <roger_fong@apple.com>
 
         Unreviewed. Fix Windows specific accessibility test results. 
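Review bot: The `* platform/wk2/Skipped:` entry in this ChangeLog has no description after the colon, so a reader of LayoutTests/ChangeLog alone cannot tell whether a test was skipped or unskipped. Suggest adding a short description there saying that fast/dom/Geolocation/disconnected-frame.html is being unskipped because the WebKit2 issue in bug 97376 is fixed.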
index 6a7a052..34f0072 100644 (file)
@@ -294,7 +294,6 @@ fast/dom/Geolocation/delayed-permission-allowed-for-multiple-requests.html
 fast/dom/Geolocation/delayed-permission-allowed.html
 fast/dom/Geolocation/delayed-permission-denied-for-multiple-requests.html
 fast/dom/Geolocation/delayed-permission-denied.html
-fast/dom/Geolocation/disconnected-frame.html
 fast/dom/Geolocation/error-clear-watch.html
 fast/dom/Geolocation/error.html
 fast/dom/Geolocation/maximum-age.html
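Review bot: Removing `fast/dom/Geolocation/disconnected-frame.html` from the wk2 Skipped list makes this test the only coverage the ChangeLog cites for the fix, and the bug title says the problem showed up as an assertion. Please confirm the test was run on a debug WebKit2 build with the patch applied, since the freed-table case described in the ChangeLog may not fail visibly where assertions are compiled out.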
index c999d7d..9da812f 100644 (file)
@@ -1,3 +1,24 @@
+2012-09-21  Benjamin Poulain  <bpoulain@apple.com>
+
+        fast/dom/Geolocation/disconnected-frame.html test asserts
+        https://bugs.webkit.org/show_bug.cgi?id=97376
+
+        Reviewed by Alexey Proskuryakov.
+
+        In GeolocationPermissionRequestManager::cancelRequestForGeolocation, we access an iterator
+        after its value has been removed from the table.
+        There are two problems with that:
+        -The iterator is no longer valid after the container has been modified.
+        -If it was the last element, the table has been freed and the iterator points to deleted memory.
+
+        We solve the issue by keeping a copy of the ID. We could have inverted the order of the calls
+        but that would make the issue less visible for future change.
+
+        Testing covered by fast/dom/Geolocation/disconnected-frame.html.
+
+        * WebProcess/Geolocation/GeolocationPermissionRequestManager.cpp:
+        (WebKit::GeolocationPermissionRequestManager::cancelRequestForGeolocation):
+
 2012-09-21  Sam Weinig  <sam@webkit.org>
 
         REGRESSION (r120361) Warnings while preprocessing com.apple.WebProcess.sb.in
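Review bot: The entry title "fast/dom/Geolocation/disconnected-frame.html test asserts" undersells what the body describes, namely an iterator that "points to deleted memory" after the last element is removed. Suggest stating in the first lines of the entry that this is a use of an invalidated iterator in cancelRequestForGeolocation, so the change can be found later when triaging memory-safety fixes, and naming the affected call (`m_idToGeolocationMap.remove(it->second)`) rather than only "the table".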
index d6bdb8e..7013fcd 100644 (file)
@@ -73,8 +73,9 @@ void GeolocationPermissionRequestManager::cancelRequestForGeolocation(Geolocatio
     if (it == m_geolocationToIDMap.end())
         return;
 
+    uint64_t geolocationID = it->second;
     m_geolocationToIDMap.remove(it);
-    m_idToGeolocationMap.remove(it->second);
+    m_idToGeolocationMap.remove(geolocationID);
 }
 
 void GeolocationPermissionRequestManager::didReceiveGeolocationPermissionDecision(uint64_t geolocationID, bool allowed)
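Review bot: The new local at `uint64_t geolocationID = it->second;` carries no comment saying it must be read before `m_geolocationToIDMap.remove(it)`, so a later cleanup could fold it back into `m_idToGeolocationMap.remove(it->second)` and bring back the read through an invalidated iterator. The ChangeLog says the call order was kept on purpose to keep the issue visible, but that reasoning lives only in the ChangeLog. Suggest a one-line comment above the copy stating that `it` is invalid once the entry is removed and that the table may already be freed if it was the last element.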