Bug 34899

Summary:

[V8] Crash regression in r54305 when window.event is set by a script

Product:

WebKit

Reporter:

Nate Chapin <japhet>

Component:

WebCore Misc.

Assignee:

Nate Chapin <japhet>

Status:

RESOLVED FIXED

Severity:

Normal

Priority:

Version:

528+ (Nightly build)

Hardware:

All

OS:

All

Attachments:

Description	Flags
patch	eric: review+

Description Nate Chapin 2010-02-12 10:11:13 PST

ScriptController.cpp:174 doesn't handle the possibility that the event field on the global object is set to a v8::Object that isn't a DOM wrapper.  This can only happen if a script has directly set window.event.

Comment 1 Nate Chapin 2010-02-12 10:23:33 PST

Created attachment 48651 [details]
patch

Comment 2 Eric Seidel (no email) 2010-02-17 16:15:20 PST

Comment on attachment 48651 [details]
patch

Ideally fast/dom/Window/window-event-override-no-crash.html should have a newline at the end, but this looks great!

Comment 3 Nate Chapin 2010-02-18 09:25:48 PST

http://trac.webkit.org/changeset/54964

....and, um, http://trac.webkit.org/changeset/54965