Bug 45882

Summary: WebCore..Frame..domWindow ReadAV@NULL (f8cd71f24fff11a7dbb6a39e738fe929)
Product: WebKit
Reporter: Berend-Jan Wever <skylined>
Component: DOM
Assignee: Berend-Jan Wever <skylined>
Status: RESOLVED WONTFIX
Severity: Normal
CC: abarth, annevk, eric
Priority: P1
Version: 528+ (Nightly build)
Hardware: PC
OS: Windows Vista

Berend-Jan Wever
Reported 2010-09-16 05:22:57 PDT
Created attachment 67783 [details]
Repro

<script> setTimeout(window.postMessage,1); </script>

Result in Chromium latest:
id: WebCore::Frame::domWindow ReadAV@NULL (f8cd71f24fff11a7dbb6a39e738fe929)
description: Attempt to read from NULL pointer (+0x338) in WebCore::Frame::domWindow
stack:
WebCore::Frame::domWindow
WebCore::V8DOMWindow::postMessageCallback
v8::internal::HandleApiCallHelper<...>
v8::internal::Builtin_HandleApiCall
v8::internal::Invoke
v8::internal::Execution::Call
v8::Function::Call
WebCore::V8Proxy::callFunction
WebCore::ScheduledAction::execute
WebCore::ScheduledAction::execute
WebCore::DOMTimer::fired
WebCore::ThreadTimers::sharedTimerFiredInternal
MessageLoop::RunTask
MessageLoop::DeferOrRunPendingTask
MessageLoop::DoDelayedWork
base::MessagePumpDefault::Run
MessageLoop::RunInternal
MessageLoop::Run
RendererMain
ChromeMain
MainDllLoader::Launch
wWinMain
__tmainCRTStartup
BaseThreadInitThunk
RtlInitializeExceptionChain
RtlInitializeExceptionChain
Attachments
Repro (54 bytes, text/html), 2010-09-16 05:22 PDT, Berend-Jan Wever: no flags
Patch (1.67 KB, patch), 2011-01-25 01:41 PST, Berend-Jan Wever: skylined: review-
Patch (2.10 KB, patch), 2011-03-09 07:42 PST, Berend-Jan Wever: abarth: review-
Alexey Proskuryakov
Comment 1 2010-09-16 11:37:32 PDT
Doesn't crash in Safari on Mac, and an exception is raised: SYNTAX_ERR: DOM Exception 12: An invalid or illegal string was specified.
Berend-Jan Wever
Comment 2 2011-01-25 01:41:37 PST
Created attachment 80035 [details]
Patch

The problem is in v8 bindings; the code calls "V8Proxy::retrieveFrameForCallingContext" and assumes it always returns an object. It then calls a method on the returned value, which leads to the NULL pointer crash.

http://codesearch.google.com/codesearch/p?hl=en#OAMlx_jo-ck/src/third_party/WebKit/Source/WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp&q=V8DOMWindow::postMessageCallback&exact_package=chromium&sa=N&cd=1&ct=rc&l=318

v8::Handle<v8::Value> V8DOMWindow::postMessageCallback(const v8::Arguments& args)
{
    INC_STATS("DOM.DOMWindow.postMessage()");
    DOMWindow* window = V8DOMWindow::toNative(args.Holder());
    DOMWindow* source = V8Proxy::retrieveFrameForCallingContext()->domWindow(); // Call here, then crash w/ NULL ptr.

http://codesearch.google.com/codesearch/p?hl=en#OAMlx_jo-ck/src/third_party/WebKit/WebCore/bindings/v8/V8Proxy.cpp&q=V8Proxy::retrieveFrameForCallingContext&exact_package=chromium&sa=N&cd=1&ct=rc&l=565

Frame* V8Proxy::retrieveFrameForCallingContext()
{
    v8::Handle<v8::Context> context = v8::Context::GetCalling();
    if (context.IsEmpty())
        return 0; // return NULL here
    return retrieveFrame(context);
}
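Added example, not WebKit code and not the reporter's patch: a small C++ model of the unchecked dereference described in this comment beside a form that tests the pointer first. The Frame and DOMWindow types, the constructed sample origin and the callingFrameOrNull parameter (standing in for an empty v8::Context::GetCalling()) are assumptions made for the illustration.

```cpp
#include <cassert>
#include <string>

// Constructed stand-ins for the WebCore types named in the bug; not WebKit code.
struct DOMWindow { std::string origin; };
struct Frame {
    DOMWindow window;
    DOMWindow* domWindow() { return &window; }
};

// Models V8Proxy::retrieveFrameForCallingContext(): the real function returns 0
// when v8::Context::GetCalling() is empty, e.g. when postMessage runs directly as
// a timer callback. The parameter stands in for that possibly empty context.
Frame* retrieveFrameForCallingContext(Frame* callingFrameOrNull) {
    return callingFrameOrNull;
}

enum class Result { Delivered, NoSourceWindow };

// The shape from the bug: the returned Frame* is dereferenced without a check,
// so a null return reads through address 0 plus an offset and kills the renderer.
Result postMessageUnchecked(Frame* callingFrame, std::string& sourceOrigin) {
    DOMWindow* source = retrieveFrameForCallingContext(callingFrame)->domWindow();
    sourceOrigin = source->origin;
    return Result::Delivered;
}

// Hardened shape: test the pointer before use and report failure to the caller
// instead of crashing. (Comment 7 prefers V8BindingState::Only()->activeWindow();
// this example only illustrates the missing check.)
Result postMessageChecked(Frame* callingFrame, std::string& sourceOrigin) {
    Frame* frame = retrieveFrameForCallingContext(callingFrame);
    if (!frame)
        return Result::NoSourceWindow;
    sourceOrigin = frame->domWindow()->origin;
    return Result::Delivered;
}

// Outcome of the hardened path with and without a JS calling context.
Result checkedOutcome(bool hasCallingContext) {
    Frame page{DOMWindow{"https://example.test"}};  // constructed sample frame
    std::string origin;
    return postMessageChecked(hasCallingContext ? &page : nullptr, origin);
}

int main() {
    assert(checkedOutcome(true) == Result::Delivered);
    assert(checkedOutcome(false) == Result::NoSourceWindow);  // timer-fired case from the repro
}
```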
Berend-Jan Wever
Comment 3 2011-02-17 04:04:17 PST
*** Bug 43549 has been marked as a duplicate of this bug. ***
Berend-Jan Wever
Comment 4 2011-03-02 04:14:38 PST
Comment on attachment 80035 [details]
Patch

I'll file a proper patch
Berend-Jan Wever
Comment 5 2011-03-09 07:42:39 PST
Berend-Jan Wever
Comment 6 2011-03-11 05:49:24 PST
Chromium: http://code.google.com/p/chromium/issues/detail?id=55844

@abarth: It seems you introduced this in the fix for https://bugs.webkit.org/show_bug.cgi?id=26004 - does this fix make sense to you?
Adam Barth
Comment 7 2011-03-11 09:42:32 PST
Comment on attachment 85175 [details]
Patch

All patches need a ChangeLog. Please see http://www.webkit.org/coding/contributing.html for instructions about preparing patches.

I'm not sure this change is correct. The correct fix is to use the following idiom:

V8BindingState* state = V8BindingState::Only();
DOMWindow* activeWindow = state->activeWindow();
Anne van Kesteren
Comment 8 2023-12-30 02:14:23 PST
Chromium-specific.