Bug 73273
Summary: | Crash caused by V8Proxy::retrieveFrameForCallingContext() returning 0 in V8DOMWindowCustom::handlePostMessageCallback | |
---|---|---|---
Product: | WebKit | Reporter: | Marshall Greenblatt <marshall>
Component: | WebCore JavaScript | Assignee: | Nobody <webkit-unassigned>
Status: | RESOLVED INVALID | |
Severity: | Normal | CC: | abarth, burg
Priority: | P2 | |
Version: | 528+ (Nightly build) | |
Hardware: | All | |
OS: | All | |
Marshall Greenblatt
1. Create a custom V8 binding that executes another V8 function using the frame context.
2. Call that V8 binding from the body onunload event.
In some cases V8Proxy::retrieveFrameForCallingContext() will return 0, causing the following code in retrieveFrameForCallingContext() to crash:

```cpp
DOMWindow* source = V8Proxy::retrieveFrameForCallingContext()->domWindow();
```
The 0 result is caused by the "frame->domWindow() == window" check failing in V8Proxy::retrieveFrame() likely due to the context already being detached from the frame.
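The failure mode in this report is a null-pointer dereference: the frame lookup can legitimately return 0 once the script context has been detached from its frame (for example during unload teardown), and the calling line dereferences the result without checking it. The following is an added, self-contained illustration of that pattern and of the null check a defensive caller needs. It is not WebKit code: `Frame`, `DOMWindow`, `ScriptContext`, `retrieveFrameForCallingContext()` and `postMessageSource()` are hypothetical stand-ins that model the behaviour the report describes.

```cpp
// Added illustration, not WebKit code. All types and functions below are
// hypothetical models of the WebKit frame lookup described in the bug report.
#include <cstddef>
#include <string>

struct DOMWindow {
    std::string name;
};

struct Frame {
    DOMWindow window;
    DOMWindow* domWindow() { return &window; }
};

// Models a script context. While the frame is alive and still bound to this
// context, the lookup succeeds; once the frame is gone or its window has
// changed (as during unload teardown), the context no longer maps to a frame.
struct ScriptContext {
    Frame* frame;        // null once the frame has been destroyed
    DOMWindow* window;   // the window the context was created for
};

// Stand-in for the "frame->domWindow() == window" check mentioned in the
// report: returns the frame only if its current window is still the one the
// context belongs to, otherwise null.
Frame* retrieveFrameForCallingContext(const ScriptContext& ctx) {
    if (!ctx.frame)
        return nullptr;
    if (ctx.frame->domWindow() != ctx.window)
        return nullptr;   // context detached from its frame
    return ctx.frame;
}

// The pattern from the crashing line: the lookup result is dereferenced
// unconditionally, so a null result is a null-pointer dereference.
DOMWindow* sourceWindowUnchecked(const ScriptContext& ctx) {
    return retrieveFrameForCallingContext(ctx)->domWindow();
}

// Hardened form: a missing frame is reported to the caller (which should
// return early or raise a script error) instead of being dereferenced.
bool postMessageSource(const ScriptContext& ctx, std::string& outName) {
    Frame* frame = retrieveFrameForCallingContext(ctx);
    if (!frame)
        return false;
    outName = frame->domWindow()->name;
    return true;
}

int main() {
    Frame f{ {"top"} };
    ScriptContext attached{ &f, f.domWindow() };
    ScriptContext detached{ nullptr, f.domWindow() };
    std::string name;
    postMessageSource(attached, name);   // succeeds, name == "top"
    postMessageSource(detached, name);   // returns false, no crash
    return 0;
}
```

`sourceWindowUnchecked()` is kept only to show the shape of the crashing line; the hardened `postMessageSource()` returns false for both a destroyed frame and a frame whose window no longer matches the context, which is the case the report attributes to the failing `frame->domWindow() == window` check.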