Bug 60026

Summary: [Chromium] toV8(Node*) will enter infinite recursion when called with a node of type SHADOW_ROOT_NODE
Product: WebKit Reporter: Andrey Kosyakov <caseq>
Component: DOMAssignee: Andrey Kosyakov <caseq>
Status: RESOLVED FIXED    
Severity: Normal CC: antonm, dglazkov, rolandsteiner
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: PC   
OS: All   
Attachments:
Description Flags
patch dglazkov: review+

Andrey Kosyakov
Reported 2011-05-03 08:09:15 PDT
There's no IDL class for ShadowRoot, hence there's no toV8(ShadowRoot*) overload, and the following lines in toV8Slow(Node*): http://trac.webkit.org/browser/trunk/Source/WebCore/bindings/v8/custom/V8NodeCustom.cpp?rev=84520#L168 case Node::SHADOW_ROOT_NODE: return toV8(static_cast<ShadowRoot*>(impl), forceNewObject); will resolve toV8() to toV8(Node*), which will invoke toV8Slow(Node*) etc. This isn't normally exposed, as we do not expose ShadowRoot nodes in bindings -- yet this popped up when I started adding shadow DOM support to inspector, as one can access last inspected node in console via $0.
Attachments
patch (1.54 KB, patch)
2011-05-03 08:19 PDT, Andrey Kosyakov 		dglazkov: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Andrey Kosyakov
Comment 1 2011-05-03 08:19:35 PDT
Created attachment 92079 [details] patch
anton muhin
Comment 2 2011-05-03 08:23:42 PDT
LGTM, maybe rearrange cases to have a fall-through to default case.
Dimitri Glazkov (Google)
Comment 3 2011-05-03 08:39:44 PDT
Comment on attachment 92079 [details] patch with antonm's suggestion.
Andrey Kosyakov
Comment 4 2011-05-03 09:20:19 PDT
(In reply to comment #3) > (From update of attachment 92079 [details]) > with antonm's suggestion. Manually committed r85606 (changed as per Anton's comment): http://trac.webkit.org/changeset/85606
Note You need to log in before you can comment on or make changes to this bug.