Bug 14764

Summary:

Javascript object created on the stack causes seg fault.

Product:

WebKit

Reporter:

Patrick <phanna>

Component:

JavaScriptCore

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

mbritto, sroret

Priority:

Keywords:

InRadar

Version:

523.x (Safari 3)

Hardware:

Mac

OS:

OS X 10.4

Attachments:

Description	Flags
Proposed changes	darin: review+
Patch with email address.	darin: review-
For real this time	mrowe: review+

Patrick

Reported 2007-07-25 14:06:17 PDT

PluginFunc::callAsFunction creates a PluginBase object on the stack and Collector tries to access the CollectorBitmap for an invalid address.

Attachments
Proposed changes (1.35 KB, patch) 2007-07-25 14:07 PDT, Patrick	darin: review+	Details Formatted Diff Diff
Patch with email address. (1.35 KB, patch) 2007-07-26 05:28 PDT, Patrick	darin: review-	Details Formatted Diff Diff
For real this time (1.32 KB, patch) 2007-07-27 04:47 PDT, Patrick	mrowe: review+	Details Formatted Diff Diff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.

Patrick

Comment 1 2007-07-25 14:07:06 PDT

Created attachment 15685 [details] Proposed changes

mitz

Comment 2 2007-07-25 14:11:41 PDT

Comment on attachment 15685 [details] Proposed changes Patrick, note that you should have set the review flag to "?" to indicate that you want your patch reviewed.

Darin Adler

Comment 3 2007-07-25 14:24:08 PDT

Comment on attachment 15685 [details] Proposed changes This looks like the right fix! I'm going to mark this r=me even though I have two complaints: 1) The ChangeLog needs an email address. 2) We prefer to check in regression tests any time we fix a bug. Is there any way to reproduce the crash in a layout test?

David Kilzer (:ddkilzer)

Comment 4 2007-07-25 23:34:46 PDT

<rdar://problem/5361860>

Patrick

Comment 5 2007-07-26 05:23:49 PDT

I will update the changelog to have my email address in it. There is a layout test that uncovered the bug for me. LayoutTests/plugins/plugin-javascript-access.html crashes for me every time. But this is on ARM and it crashes when running optimized release code. I'm not sure why it doesn't crash in debug code.

Patrick

Comment 6 2007-07-26 05:28:42 PDT

Created attachment 15689 [details] Patch with email address. Added email address to ChangeLog.

Maxime BRITTO

Comment 7 2007-07-26 05:44:00 PDT

(In reply to comment #6) > Created an attachment (id=15689) [edit] > Patch with email address. > > Added email address to ChangeLog. > It seems that you sent the same file.. with no email address :-)

Darin Adler

Comment 8 2007-07-26 18:48:36 PDT

Comment on attachment 15689 [details] Patch with email address. Oops! Still no email address.

Patrick

Comment 9 2007-07-27 04:47:53 PDT

Created attachment 15702 [details] For real this time

Mark Rowe (bdash)

Comment 10 2007-07-27 05:02:44 PDT

Landed in r24719.

Note You need to log in before you can comment on or make changes to this bug.