Bug 38040

Summary: WebCore::WebGLArrayInternal::lengthAttrGetter ReadAV@NULL (b1a3e1a3e9d01f17fd493d68eeb2742f)
Product: WebKit
Reporter: Berend-Jan Wever <skylined>
Component: WebGL
Assignee: Kenneth Russell <kbr>
Status: RESOLVED FIXED
Severity: Normal
CC: cmarrin, dglazkov, eric, kbr, oliver, zmo
Priority: P1
Version: 528+ (Nightly build)
Hardware: All
OS: All
URL: http://jssh.skypher.com/4.4/Main.html?command%3Dnew%20window.WebGLUnsignedIntArray().length;&execute

Berend-Jan Wever
Reported 2010-04-23 02:12:15 PDT
Repro: new window.WebGLUnsignedIntArray().length;
Id: WebCore::WebGLArrayInternal::lengthAttrGetter ReadAV@NULL (b1a3e1a3e9d01f17fd493d68eeb2742f)
Description: Attempt to read from NULL pointer in WebCore::WebGLArrayInternal::lengthAttrGetter
Attachments
Patch (5.96 KB, patch), 2010-06-30 11:24 PDT, Kenneth Russell
Flags: oliver: review+, kbr: commit-queue-
Kenneth Russell
Comment 1 2010-06-30 11:23:19 PDT
This crash occurs in both Safari and Chrome -- i.e., in both the JSC and V8 bindings.
Kenneth Russell
Comment 2 2010-06-30 11:24:44 PDT
Created attachment 60136 [details]
Patch

From the ChangeLog: Changed custom ArrayBufferView constructors to create a fully-initialized, zero-length array when called with zero arguments. This is the simplest fix which works identically in both the JSC and V8 bindings.
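The crash pattern and the fix described in the comment above, as an added C++ sketch (not WebKit's code): a hypothetical typed-array view whose zero-argument construction used to leave the backing buffer pointer null, so the length getter dereferenced NULL; the patched approach instead constructs a fully initialized zero-length buffer, and a defensive getter is shown alongside it. All class and function names here are assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <utility>
#include <vector>

// Hypothetical stand-in for the backing store: owns raw bytes.
class ArrayBuffer {
public:
    explicit ArrayBuffer(size_t byteLength) : m_data(byteLength, 0) {}
    size_t byteLength() const { return m_data.size(); }
private:
    std::vector<uint8_t> m_data;
};

// Hypothetical typed view over an ArrayBuffer, modelled on the bug report.
template <typename T>
class TypedArrayView {
public:
    // "Before": zero-argument construction that leaves m_buffer null.
    // This is the state in which the length getter crashed with ReadAV@NULL.
    static TypedArrayView makeUninitialized() { return TypedArrayView(nullptr); }

    // "After" (the patch's approach): zero arguments yields a fully
    // initialized, zero-length array, so every getter has a buffer to read.
    static TypedArrayView makeEmpty() {
        return TypedArrayView(std::make_shared<ArrayBuffer>(0));
    }

    static TypedArrayView withLength(size_t elements) {
        return TypedArrayView(std::make_shared<ArrayBuffer>(elements * sizeof(T)));
    }

    // Getter as the report describes it: dereferences m_buffer unconditionally,
    // which is a NULL read on an uninitialized view.
    size_t unsafeLength() const { return m_buffer->byteLength() / sizeof(T); }

    // Defense-in-depth variant: a missing buffer reads as length 0 rather than crashing.
    size_t length() const { return m_buffer ? m_buffer->byteLength() / sizeof(T) : 0; }

    bool hasBuffer() const { return static_cast<bool>(m_buffer); }

private:
    explicit TypedArrayView(std::shared_ptr<ArrayBuffer> buffer) : m_buffer(std::move(buffer)) {}
    std::shared_ptr<ArrayBuffer> m_buffer;
};

// Element type matching WebGLUnsignedIntArray in the report.
using UnsignedIntArrayView = TypedArrayView<uint32_t>;
```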
Oliver Hunt
Comment 3 2010-06-30 11:47:21 PDT
Comment on attachment 60136 [details]
Patch

r=me
Kenneth Russell
Comment 4 2010-06-30 12:17:25 PDT