Bug 15980 - JSCustomSQLTransactionCallback incorrectly converts exception values toObject without checking first.

| Product: | WebKit | Reporter: | Brady Eidson <beidson> |
|---|---|---|---|
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | dglazkov, oliver |
| Priority: | P2 | | |
| Version: | 528+ (Nightly build) | | |
| Hardware: | All | | |
| OS: | OS X 10.4 | | |
Brady Eidson
See http://bugs.webkit.org/show_bug.cgi?id=15976 and the layout test in
LayoutTests/storage/transaction_callback_exception_crash.html
When an exception is thrown from within a callback, it is logged to the console. But instead of being useful information, the message is simply "undefined"
"throw 0;" and "throw <some string>;" both result in this lack of information.
Oliver Hunt
This is caused by the database code assuming that converting a thrown primitive value to an object will result in it becoming an object with exception information attached (which it can't). The guilty lines are:

```cpp
if (exec->hadException()) {
    // The thrown value is converted with toObject() without first checking isObject();
    // a primitive becomes a plain wrapper object with no "message"/"line"/"sourceURL".
    JSObject* exception = exec->exception()->toObject(exec);
    String message = exception->get(exec, exec->propertyNames().message)->toString(exec);
    int lineNumber = exception->get(exec, Identifier(exec, "line"))->toInt32(exec);
    String sourceURL = exception->get(exec, Identifier(exec, "sourceURL"))->toString(exec);
    m_data->frame()->domWindow()->console()->addMessage(JSMessageSource, ErrorMessageLevel, message, lineNumber, sourceURL);
    exec->clearException();

    raisedException = true;
}
```

in JSCustomSQLTransactionCallback.cpp
Oliver Hunt
(Also, due to the lack of an isObject check, the toObject call may itself throw. Yay!)
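The failure mode Oliver describes, as an added JavaScript example that is not part of the original bug report or of WebKit's code: a naive reporter that mirrors the C++ above (read `message`/`line`/`sourceURL` off whatever was thrown, letting the implicit ToObject happen) beside a hardened one that checks the value's type first and never throws itself. The `line` and `sourceURL` properties are JavaScriptCore-specific and are attached by hand to the constructed sample errors here; `naiveReport`, `describeThrown` and `runCallback` are names chosen for this example.

```javascript
// Added example (not WebKit code): turning a thrown JavaScript value into a
// console message, mirroring the JSCustomSQLTransactionCallback bug.
// "line" and "sourceURL" are the JavaScriptCore-specific Error properties the
// original C++ read; ordinary engines do not set them, so the constructed
// sample errors below attach them by hand.

// Mirrors the buggy code: assumes whatever was thrown is an object carrying
// message/line/sourceURL. Property access performs ToObject, so a thrown
// number or string yields a wrapper with none of these properties (message
// becomes "undefined"), and a thrown null/undefined makes ToObject itself throw.
function naiveReport(thrown) {
  return {
    message: String(thrown.message),
    line: thrown.line | 0,
    sourceURL: String(thrown.sourceURL),
  };
}

// Stringify without letting a hostile value (e.g. a Symbol, or an object with
// a throwing toString) escape as a second exception.
function safeString(v) {
  try {
    return typeof v === "symbol" ? v.toString() : String(v);
  } catch (e) {
    return "<unprintable value>";
  }
}

// Hardened version: check the type before treating the value as an object,
// and keep property getters from throwing out of the reporter.
function describeThrown(thrown) {
  const isObject =
    thrown !== null && (typeof thrown === "object" || typeof thrown === "function");
  if (!isObject) {
    // Primitive (number, string, boolean, symbol, bigint, null, undefined):
    // report its string form instead of reading properties off a wrapper.
    return { message: safeString(thrown), line: 0, sourceURL: "" };
  }
  try {
    const m = thrown.message;
    return {
      message: m === undefined ? safeString(thrown) : safeString(m),
      line: Number.isInteger(thrown.line) ? thrown.line : 0,
      sourceURL: typeof thrown.sourceURL === "string" ? thrown.sourceURL : "",
    };
  } catch (e) {
    return { message: "<unreadable exception object>", line: 0, sourceURL: "" };
  }
}

// Host-side driver: invoke a user callback and hand any thrown value to a
// reporter. If the reporter itself throws (the "toObject may itself throw"
// case), record that instead of letting it escape into the host.
function runCallback(reporter, callback) {
  try {
    callback();
    return null; // no exception raised
  } catch (thrown) {
    try {
      return reporter(thrown);
    } catch (e) {
      return { message: "reporter failed: " + e.name, line: 0, sourceURL: "" };
    }
  }
}

// Constructed sample callbacks covering the cases from the bug report.
function jscStyleError(msg, line, url) {
  const e = new Error(msg);
  e.line = line; // JavaScriptCore attaches these on engine-thrown errors
  e.sourceURL = url;
  return e;
}
const samples = {
  number: () => { throw 0; },
  string: () => { throw "boom"; },
  nullValue: () => { throw null; },
  error: () => { throw jscStyleError("bad", 12, "transaction.js"); },
};

for (const [name, cb] of Object.entries(samples)) {
  console.log(name, "naive:", runCallback(naiveReport, cb), "fixed:", runCallback(describeThrown, cb));
}
```

For `throw 0` and `throw "boom"` the naive reporter logs the literal message "undefined", exactly the symptom in the report; for `throw null` the naive reporter itself raises a TypeError, the second problem Oliver points out. The hardened reporter logs "0", "boom" and "null" respectively, and still pulls `message`, `line` and `sourceURL` off a real Error object.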
Dimitri Glazkov (Google)
This has been fixed in http://trac.webkit.org/changeset/38595.