| Summary | Regression(r189881): release assertion hit in toJS(ExecState*, JSDOMGlobalObject*, DocumentFragment*) |
|---|---|
| Product | WebKit |
| Component | DOM |
| Status | RESOLVED FIXED |
| Severity | Normal |
| Priority | P2 |
| Version | Other |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | Chris Dumez <cdumez> |
| Assignee | Chris Dumez <cdumez> |
| CC | ap, commit-queue, darin, ggaren, rniwa |
| Attachments | |
Description
Chris Dumez
2015-09-17 13:00:35 PDT
The assertion is:

```cpp
// If you hit this assertion you either have a use after free bug, or
// DocumentFragment has subclasses. If DocumentFragment has subclasses that get passed
// to toJS() we currently require DocumentFragment you to opt out of binding hardening
// by adding the SkipVTableValidation attribute to the interface IDL definition
RELEASE_ASSERT(actualVTablePointer == expectedVTablePointer);
```

DocumentFragment does have a subclass: ShadowRoot. However, ShadowRoot does not have a Web-exposed type. Therefore, I believe the current code is safe and we should bypass the assertion here.

ShadowRoot will be exposed to Web now.

Created attachment 261420 [details]
Patch

Created attachment 261443 [details]
Patch

Comment on attachment 261443 [details]
Patch

Clearing flags on attachment: 261443

Committed r189949: <http://trac.webkit.org/changeset/189949>

All reviewed patches have been landed. Closing bug.
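The vtable check behind the assertion, as an added illustration rather than WebKit's generated binding code: a simplified Node/DocumentFragment/ShadowRoot hierarchy (hypothetical classes) and a check that reads an object's vtable pointer and compares it with DocumentFragment's, assuming the usual ABI layout with the vtable pointer in the object's first word. It shows why a ShadowRoot, being a subclass, fails a DocumentFragment binding's vtable validation and would hit the RELEASE_ASSERT unless the interface opts out with SkipVTableValidation.

```cpp
#include <cstdio>
#include <cstring>

// Simplified stand-ins for WebCore's Node/DocumentFragment/ShadowRoot
// (hypothetical classes, not WebKit's): each has virtual methods, so each
// class gets its own vtable and every instance starts with a vtable pointer.
struct Node {
    virtual ~Node() = default;
    virtual const char* nodeName() const { return "#node"; }
};
struct DocumentFragment : Node {
    const char* nodeName() const override { return "#document-fragment"; }
};
struct ShadowRoot : DocumentFragment {
    const char* nodeName() const override { return "#shadow-root"; }
};

// Read the vtable pointer stored in the first word of a polymorphic object.
// Assumption: Itanium/MSVC-style object layout with the vptr at offset 0.
static const void* vtablePointerOf(const void* object) {
    const void* vptr;
    std::memcpy(&vptr, object, sizeof vptr);
    return vptr;
}

// Expected vtable for DocumentFragment, taken from a probe instance of the
// exact class (WebKit's generated code names the vtable symbol directly instead).
static const void* expectedDocumentFragmentVTable() {
    static const DocumentFragment probe{};
    return vtablePointerOf(&probe);
}

// The binding-hardening check toJS() performs: true only if the object's vtable
// is exactly DocumentFragment's. A subclass, or a freed and reused object whose
// first word no longer holds that vtable, fails it.
bool vtableMatchesDocumentFragment(const DocumentFragment& impl) {
    return vtablePointerOf(&impl) == expectedDocumentFragmentVTable();
}

int main() {
    DocumentFragment fragment;
    ShadowRoot shadowRoot;
    // Expected: 1 for the exact type, 0 for the subclass (the RELEASE_ASSERT case).
    std::printf("DocumentFragment passes: %d\n", vtableMatchesDocumentFragment(fragment));
    std::printf("ShadowRoot passes:       %d\n", vtableMatchesDocumentFragment(shadowRoot));
    return 0;
}
```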