Bug 14764 - Javascript object created on the stack causes seg fault.
Summary: Javascript object created on the stack causes seg fault.
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: 523.x (Safari 3)
Hardware: Mac OS X 10.4
: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2007-07-25 14:06 PDT by Patrick
Modified: 2007-07-27 05:02 PDT (History)
2 users (show)

See Also:

Attachments
Proposed changes (1.35 KB, patch)
2007-07-25 14:07 PDT, Patrick 		darin: review+
Details | Formatted Diff | Diff
Patch with email address. (1.35 KB, patch)
2007-07-26 05:28 PDT, Patrick 		darin: review-
Details | Formatted Diff | Diff
For real this time (1.32 KB, patch)
2007-07-27 04:47 PDT, Patrick 		mrowe: review+
Details | Formatted Diff | Diff
Show Obsolete (2) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Patrick 2007-07-25 14:06:17 PDT 
PluginFunc::callAsFunction creates a PluginBase object on the stack and Collector tries to access the CollectorBitmap for an invalid address.
Comment 1 Patrick 2007-07-25 14:07:06 PDT 
Created attachment 15685 [details]
Proposed changes
Comment 2 mitz 2007-07-25 14:11:41 PDT 
Comment on attachment 15685 [details]
Proposed changes

Patrick, note that you should have set the review flag to "?" to indicate that you want your patch reviewed.
Comment 3 Darin Adler 2007-07-25 14:24:08 PDT 
Comment on attachment 15685 [details]
Proposed changes

This looks like the right fix!

I'm going to mark this r=me even though I have two complaints:

1) The ChangeLog needs an email address.

2) We prefer to check in regression tests any time we fix a bug. Is there any way to reproduce the crash in a layout test?
Comment 4 David Kilzer (:ddkilzer) 2007-07-25 23:34:46 PDT 
<rdar://problem/5361860>
Comment 5 Patrick 2007-07-26 05:23:49 PDT 
I will update the changelog to have my email address in it.

There is a layout test that uncovered the bug for me. LayoutTests/plugins/plugin-javascript-access.html crashes for me every time. But this is on ARM and it crashes when running optimized release code. I'm not sure why it doesn't crash in debug code.
Comment 6 Patrick 2007-07-26 05:28:42 PDT 
Created attachment 15689 [details]
Patch with email address.

Added email address to ChangeLog.
Comment 7 Maxime BRITTO 2007-07-26 05:44:00 PDT 
(In reply to comment #6)
> Created an attachment (id=15689) [edit]
> Patch with email address.
> 
> Added email address to ChangeLog.
> 

It seems that you sent the same file.. with no email address :-)
Comment 8 Darin Adler 2007-07-26 18:48:36 PDT 
Comment on attachment 15689 [details]
Patch with email address.

Oops! Still no email address.
Comment 9 Patrick 2007-07-27 04:47:53 PDT 
Created attachment 15702 [details]
For real this time
Comment 10 Mark Rowe (bdash) 2007-07-27 05:02:44 PDT 
Landed in r24719.