Bug 15980 - JSCustomSQLTransactionCallback incorrectly converts exception values toObject without checking first.
Summary: JSCustomSQLTransactionCallback incorrectly converts exception values toObject...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: All
OS: OS X 10.4
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-11-13 22:50 PST by Brady Eidson
Modified: 2009-01-31 20:52 PST
Description Brady Eidson 2007-11-13 22:50:33 PST
See http://bugs.webkit.org/show_bug.cgi?id=15976 and the layout test in
LayoutTests/storage/transaction_callback_exception_crash.html

When an exception is thrown from within a callback, it is logged to the console.  But instead of being useful information, the message is simply "undefined"

"throw 0;" and "throw <some string>;" both result in this lack of information.
Comment 1 Oliver Hunt 2008-07-20 01:47:46 PDT
This is caused by the database code assuming that converting a thrown primitive value to an object will result in it becoming an object with exception information attached (which it can't).  The guilty lines are:
    if (exec->hadException()) {
        JSObject* exception = exec->exception()->toObject(exec);
        String message = exception->get(exec, exec->propertyNames().message)->toString(exec);
        int lineNumber = exception->get(exec, Identifier(exec, "line"))->toInt32(exec);
        String sourceURL = exception->get(exec, Identifier(exec, "sourceURL"))->toString(exec);
        m_data->frame()->domWindow()->console()->addMessage(JSMessageSource, ErrorMessageLevel, message, lineNumber, sourceURL);
        exec->clearException();

        raisedException = true;
    }

in JSCustomSQLTransactionCallback.cpp
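The failure mode described in Comment 1, modelled as an added illustration in plain JavaScript (this is not WebKit's code or its fix): a reporter that unconditionally converts the thrown value to an object and reads `message`/`line`/`sourceURL` from it, beside one that checks for an object first. `toObjectLikeJSC` is a hypothetical helper that follows the ECMAScript ToObject rule (TypeError on null/undefined), and the `line`/`sourceURL` properties on the sample Error are constructed input.

```javascript
// Hypothetical stand-in for JSC's toObject(): ES ToObject throws a TypeError on
// null/undefined, unlike the Object() constructor, which silently returns {}.
function toObjectLikeJSC(value) {
  if (value === null || value === undefined) {
    throw new TypeError("toObject called on " + String(value));
  }
  return Object(value);
}

// Buggy shape, mirroring the quoted lines: no isObject check before toObject.
// A thrown primitive has no "message" property, so the console entry reads
// "undefined"; a thrown null/undefined makes the conversion itself throw.
function reportBuggy(thrown) {
  const obj = toObjectLikeJSC(thrown);
  return {
    message: String(obj.message),
    line: obj.line | 0,
    sourceURL: String(obj.sourceURL),
  };
}

// Safe shape: only treat the value as an error object when it actually is one;
// otherwise report the primitive's own string form (so "throw 0" logs "0").
function reportSafe(thrown) {
  const isObject = thrown !== null && (typeof thrown === "object" || typeof thrown === "function");
  if (!isObject) {
    return { message: String(thrown), line: 0, sourceURL: "" };
  }
  return {
    message: "message" in thrown ? String(thrown.message) : String(thrown),
    line: Number.isInteger(thrown.line) ? thrown.line : 0,
    sourceURL: typeof thrown.sourceURL === "string" ? thrown.sourceURL : "",
  };
}

// Constructed sample: an Error carrying JSC-style line/sourceURL properties.
function sampleError() {
  return Object.assign(new Error("bad sql"), { line: 12, sourceURL: "test.html" });
}
```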

Comment 2 Oliver Hunt 2008-07-20 01:51:19 PDT
(Also, due to the lack of an isObject check the toObject call may itself throw. Yay!)
Comment 3 Dimitri Glazkov (Google) 2009-01-31 20:52:12 PST
This has been fixed in http://trac.webkit.org/changeset/38595.