| Summary: | [v8] Null pointer exception if a typed array constructor set to a primitive value. | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | WebKit | Reporter: | Ulan Degenbaev <ulan> | ||||||||
| Component: | WebGL | Assignee: | Ulan Degenbaev <ulan> | ||||||||
| Status: | RESOLVED FIXED | ||||||||||
| Severity: | Normal | CC: | abarth, japhet, kbr, webkit.review.bot | ||||||||
| Priority: | P2 | ||||||||||
| Version: | 528+ (Nightly build) | ||||||||||
| Hardware: | Unspecified | ||||||||||
| OS: | Unspecified | ||||||||||
| Bug Depends on: | 68890 | ||||||||||
| Bug Blocks: | |||||||||||
| Attachments: |
|
||||||||||
Created attachment 121089 [details]
Make sure that V8ArrayBufferViewCustomScript.js does not throw exception.
Added guards in V8ArrayBufferViewCustomScript.js so that we do not try to optimize the "set" method if the typed array constructor was redefined.
Created attachment 121106 [details]
More robust guard
Avoid using hasOwnProperty since it might be also redefined.
Comment on attachment 121106 [details] More robust guard View in context: https://bugs.webkit.org/attachment.cgi?id=121106&action=review > Source/WebCore/bindings/v8/custom/V8ArrayBufferViewCustomScript.js:27 > var optimizeSetMethod = function(type) I'm not really familiar with this file. Is there someone you had in mind to review this patch? If not, I can study the code and try to review it. Thanks Adam, I was hoping that Ken could review the patch since he reviewed my previous patches and is familiar with the code. (In reply to comment #3) > (From update of attachment 121106 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=121106&action=review > > > Source/WebCore/bindings/v8/custom/V8ArrayBufferViewCustomScript.js:27 > > var optimizeSetMethod = function(type) > > I'm not really familiar with this file. Is there someone you had in mind to review this patch? If not, I can study the code and try to review it. In general writing this kind of patch script for JavaScript is impossible to get right. In your patch, for example, the new version of set will trigger a getter on the global object for Array (e.g., window.__defineGetter__("Array", function() {...}); )
Is there no way to avoid trying to patch the context with JavaScript?
Comment on attachment 121106 [details]
More robust guard
Thanks for the quick fix. The revised code looks fine, but for better robustness I think the following two lines should also be added above the call to "script->Run()" in installFastSet (V8ArrayBufferViewCustom.cpp):
v8::TryCatch tryCatch;
tryCatch.SetVerbose(true);
Would those two lines have also worked around the problem?
(In reply to comment #5) > In general writing this kind of patch script for JavaScript is impossible to get right. In your patch, for example, the new version of set will trigger a getter on the global object for Array (e.g., window.__defineGetter__("Array", function() {...}); ) > > Is there no way to avoid trying to patch the context with JavaScript? I don't know whether it might be possible to implement more of this patching logic using the V8 API; however, having the JavaScript wrapper for the set() method is essential for performance. Created attachment 121246 [details]
Add TryCatch scope
Thank you for the suggestion, Ken. Those two lines even without guards would indeed fix the issue.
Adam, I had a solution that avoided patching, but it was several factors slower then the current solution because V8 couldn't inline it.
Comment on attachment 121246 [details]
Add TryCatch scope
Thanks, looks great.
Ok. Thanks. Comment on attachment 121246 [details] Add TryCatch scope Clearing flags on attachment: 121246 Committed r104196: <http://trac.webkit.org/changeset/104196> All reviewed patches have been landed. Closing bug. |
Running the following script generates a null pointer exception: <script> window.Uint8Array = 0; new Float64Array(function () {}); </script> For more details, see http://code.google.com/p/v8/issues/detail?id=1877.