| Summary: | [Chromium] WebGL typed array constructor crashes on exception | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | WebKit | Reporter: | mstarzinger | ||||||||
| Component: | WebGL | Assignee: | Kenneth Russell <kbr> | ||||||||
| Status: | RESOLVED FIXED | ||||||||||
| Severity: | Normal | CC: | abarth, dglazkov, eric, haraken, japhet, kbr, webkit.review.bot | ||||||||
| Priority: | P2 | ||||||||||
| Version: | 528+ (Nightly build) | ||||||||||
| Hardware: | Unspecified | ||||||||||
| OS: | Unspecified | ||||||||||
| Attachments: |
|
||||||||||
|
Description
mstarzinger
2013-01-08 00:03:21 PST
Created attachment 181661 [details]
Test case to reproduce bug.
Created attachment 182243 [details]
Patch
Comment on attachment 182243 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=182243&action=review > Source/WebCore/bindings/v8/custom/V8ArrayBufferViewCustom.h:176 > + v8::Local<v8::Value> val = srcArray->Get(v8::String::NewSymbol("length")); > + if (val.IsEmpty()) { > + // Exception thrown during fetch of length property. Another way to detect an exception is: v8::TryCatch block; v8::Local<v8::Value> val = srcArray->Get(v8::String::NewSymbol("length")); if (block->hadException()) return v8Null(); But as far as I see other code, it looks like we are likely to check IsEmpty() rather than using v8::TryCatch. So your code looks fine. > Source/WebCore/bindings/v8/custom/V8ArrayBufferViewCustom.h:177 > + return v8::Null(); Nit: v8::Null() => v8Null() Are you sure that this should be not v8Undefined() but v8Null()? Comment on attachment 182243 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=182243&action=review >> Source/WebCore/bindings/v8/custom/V8ArrayBufferViewCustom.h:176 >> + // Exception thrown during fetch of length property. > > Another way to detect an exception is: > > v8::TryCatch block; > v8::Local<v8::Value> val = srcArray->Get(v8::String::NewSymbol("length")); > if (block->hadException()) > return v8Null(); > > But as far as I see other code, it looks like we are likely to check IsEmpty() rather than using v8::TryCatch. So your code looks fine. Yes, I saw the TryCatch class in the V8 API but it seemed more direct to check for the failure case. >> Source/WebCore/bindings/v8/custom/V8ArrayBufferViewCustom.h:177 >> + return v8::Null(); > > Nit: v8::Null() => v8Null() > > Are you sure that this should be not v8Undefined() but v8Null()? Looking at other similar code it should be v8Undefined. The return value is ignored however since the exception is thrown to the calling code. I'll upload a new patch. Created attachment 182359 [details]
Patch
Comment on attachment 182359 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=182359&action=review > Source/WebCore/bindings/v8/custom/V8ArrayBufferViewCustom.h:179 > + len = toUInt32(val); This conversion can fail too. So you might want to do: bool ok; len = toUInt32(val, ok); if (!ok) { ...; } Either way let's fix it in a follow-up patch. Comment on attachment 182359 [details] Patch Clearing flags on attachment: 182359 Committed r139459: <http://trac.webkit.org/changeset/139459> All reviewed patches have been landed. Closing bug. |