Bug 34899

Summary:

[V8] Crash regression in r54305 when window.event is set by a script

Product:

WebKit

Reporter:

Nate Chapin <japhet>

Component:

WebCore Misc.

Assignee:

Nate Chapin <japhet>

Status:

RESOLVED FIXED

Severity:

Normal

Priority:

Version:

528+ (Nightly build)

Hardware:

All

OS:

All

Attachments:

Description	Flags
patch	eric: review+

Nate Chapin

Reported 2010-02-12 10:11:13 PST

ScriptController.cpp:174 doesn't handle the possibility that the event field on the global object is set to a v8::Object that isn't a DOM wrapper. This can only happen if a script has directly set window.event.

Attachments
patch (5.18 KB, patch) 2010-02-12 10:23 PST, Nate Chapin	eric: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Nate Chapin

Comment 1 2010-02-12 10:23:33 PST

Created attachment 48651 [details] patch

Eric Seidel (no email)

Comment 2 2010-02-17 16:15:20 PST

Comment on attachment 48651 [details] patch Ideally fast/dom/Window/window-event-override-no-crash.html should have a newline at the end, but this looks great!

Nate Chapin

Comment 3 2010-02-18 09:25:48 PST

http://trac.webkit.org/changeset/54964 ....and, um, http://trac.webkit.org/changeset/54965

Note You need to log in before you can comment on or make changes to this bug.