Bug 109211

Summary: [V8] Binding Integrity crash in V8MediaStream::createWrapper
Product: WebKit
Reporter: Thomas Sepez <tsepez>
Component: WebCore Misc.
Assignee: Nobody <webkit-unassigned>
Severity: Normal
CC: abarth, cevans, eric.carlson, feature-media-reviews, hta, jschuh, ojan.autocc, tommyw, webkit.review.bot
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Attachments: A Patch. (Flags: none)

Description Thomas Sepez 2013-02-07 10:55:21 PST
LocalMediaStream wrapped as a MediaStream despite having IDL that knows better.

0x01fca175	 [Google Chrome Framework]	 + 0x01fa9175]	WebCore::V8MediaStream::createWrapper(WTF::PassRefPtr<WebCore::MediaStream>, v8::Handle<v8::Object>, v8::Isolate*)
0x01eab664	 [Google Chrome Framework]	 + 0x01e8a664]	WebCore::MediaStreamAudioDestinationNodeV8Internal::streamAttrGetter(v8::Local<v8::String>, v8::AccessorInfo const&)
0x0142e86f	 [Google Chrome Framework]	 + 0x0140d86f]	v8::internal::JSObject::GetPropertyWithCallback(v8::internal::Object*, v8::internal::Object*, v8::internal::String*)
0x0142e62c	 [Google Chrome Framework]	 + 0x0140d62c]	v8::internal::Object::GetProperty(v8::internal::Object*, v8::internal::LookupResult*, v8::internal::String*, PropertyAttributes*)
0x013dcc8c	 [Google Chrome Framework]	 + 0x013bbc8c]	v8::internal::LoadIC::Load(v8::internal::InlineCacheState, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::String>)
0x013e06e5	 [Google Chrome Framework]	 + 0x013bf6e5]	v8::internal::LoadIC_Miss(v8::internal::Arguments, v8::internal::Isolate*)

Suppress check for now, but there's an underlying bug that the stop() method in LocalMediaStream.idl won't be available on a local media stream wrapped in this manner. Need a custom wrapper to check if islocal and wrap accordingly.
Comment 1 Adam Barth 2013-02-07 11:18:01 PST
@tommyw: We need to make the toV8 function for MediaStream smarter so that it can create a LocalMediaStream wrapper when appropriate.
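A simplified model of the wrapping mismatch the description reports and the isLocal()-based dispatch comment 1 asks for, added here as an illustration; it is not WebKit's code, and the Wrapper struct with its wrapperType/hasStop fields is a hypothetical stand-in for the real V8 wrapper object.

```cpp
#include <string>

// Simplified model of the wrapping dispatch in this bug (not WebKit code).
class MediaStream {
public:
    virtual ~MediaStream() = default;
    // The C++ object carries the IDL distinction as a runtime flag.
    virtual bool isLocal() const { return false; }
};

class LocalMediaStream : public MediaStream {
public:
    bool isLocal() const override { return true; }
    void stop() {}  // declared only in LocalMediaStream.idl
};

// Hypothetical stand-in for the V8 wrapper object: it records which
// generated wrapper class was used and whether stop() is exposed.
struct Wrapper {
    std::string wrapperType;
    bool hasStop;
    MediaStream* impl;
};

// Buggy path from the report: V8MediaStream::createWrapper always builds a
// plain MediaStream wrapper, whatever the dynamic type of |impl| is.
Wrapper createMediaStreamWrapper(MediaStream* impl) {
    return Wrapper{"MediaStream", /*hasStop=*/false, impl};
}

Wrapper createLocalMediaStreamWrapper(LocalMediaStream* impl) {
    return Wrapper{"LocalMediaStream", /*hasStop=*/true, impl};
}

// The approach proposed in comment 1: toV8 checks isLocal() and dispatches
// to the matching wrapper instead of always using the base one.
Wrapper toV8(MediaStream* impl) {
    if (impl->isLocal())
        return createLocalMediaStreamWrapper(static_cast<LocalMediaStream*>(impl));
    return createMediaStreamWrapper(impl);
}

// Binding-integrity check: the wrapper class must match the object's dynamic
// type; this mismatch is what the crash in the report detected.
bool bindingIntegrityOk(const Wrapper& w) {
    return w.wrapperType == (w.impl->isLocal() ? "LocalMediaStream" : "MediaStream");
}
```

With the base-only wrapper the integrity check fails and stop() is missing from the wrapped object; with the dispatching toV8 both problems go away.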
Comment 2 Thomas Sepez 2013-02-07 12:03:24 PST
Created attachment 187144 [details]
A Patch.
Comment 3 Adam Barth 2013-02-07 12:29:54 PST
Comment on attachment 187144 [details]
A Patch.

Do we have a LayoutTest for this case?  Also, we should open a bug for fixing the custom wrapping dispatch.
Comment 4 Thomas Sepez 2013-02-07 12:44:03 PST
(In reply to comment #3)
> (From update of attachment 187144 [details])
> Do we have a LayoutTest for this case?  Also, we should open a bug for fixing the custom wrapping dispatch.

No, I don't have a layout test; the page in the wild which reproduced this was complex.
Followup bug is https://bugs.webkit.org/show_bug.cgi?id=109219
Comment 5 WebKit Review Bot 2013-02-07 14:03:30 PST
Comment on attachment 187144 [details]
A Patch.

Clearing flags on attachment: 187144

Committed r142177: <http://trac.webkit.org/changeset/142177>
Comment 6 WebKit Review Bot 2013-02-07 14:03:36 PST
All reviewed patches have been landed.  Closing bug.