Bug 93031

Summary: A few objects aren't being safely protected from GC in all cases
Product: WebKit
Reporter: Oliver Hunt <oliver>
Component: New Bugs
Assignee: Oliver Hunt <oliver>
Status: RESOLVED FIXED
Severity: Normal
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Bug Depends on: 93096
Bug Blocks:
Attachments: Patch (flags: fpizlo: review+)

Description Oliver Hunt 2012-08-02 14:32:20 PDT
A few objects aren't being safely protected from GC in all cases
Comment 1 Oliver Hunt 2012-08-02 14:33:45 PDT
Created attachment 156168 [details]
Patch
Comment 2 Oliver Hunt 2012-08-02 15:24:17 PDT
Committed r124510: <http://trac.webkit.org/changeset/124510>
Comment 3 Chris Dumez 2012-08-12 05:48:15 PDT
Comment on attachment 156168 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=156168&action=review

> Source/WebCore/bindings/js/JSDictionary.h:51
> +        , m_initializerObject(exec->globalData(), initializerObject)
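Review bot: the member initializer on line 51 dereferences exec unconditionally, while isValid() on line 68 of the same header still treats a null m_exec as a legitimate state, so any caller that reaches this constructor with exec == 0 (the default Dictionary constructor path) crashes before isValid() can report it. Suggest guarding the initializer so m_initializerObject is only built from exec->globalData() when exec is non-null and is left default-constructed otherwise, or giving the null-exec case its own constructor that never touches exec.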

exec is being used here without a null check. The issue is that exec may be 0, for example when the default constructor for Dictionary is called. This leads to crashes (see Bug 93096).

> Source/WebCore/bindings/js/JSDictionary.h:68
>      bool isValid() const { return m_exec && m_initializerObject; }

This function also hints that both m_exec and m_initializerObject may be NULL.
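The pattern under review, as an added example that is not WebKit code: the unsafe constructor shape dereferences the execution-state pointer in its member initializer, while the guarded shape only roots the initializer object when an ExecState is present, so a default-constructed dictionary reports isValid() == false instead of crashing. GlobalData, ExecState, JSObject and Strong are simplified stand-ins for the JavaScriptCore types, not the real classes.

```cpp
#include <cstddef>

// Toy stand-ins (assumptions, not the real JavaScriptCore types).
struct GlobalData {};            // stand-in for JSC::JSGlobalData (the heap's global state)
struct JSObject { int value; };  // stand-in for a GC-managed object

struct ExecState {
    GlobalData& globalData() { return m_globalData; }
    GlobalData m_globalData;
};

// Stand-in for JSC::Strong<T>: a GC root. In the real engine constructing a live
// handle registers it with the heap via GlobalData, so it needs a non-null one.
template <typename T>
class Strong {
public:
    Strong() : m_ptr(nullptr) {}
    Strong(GlobalData&, T* ptr) : m_ptr(ptr) {}   // would register a root in real JSC
    T* get() const { return m_ptr; }
    explicit operator bool() const { return m_ptr != nullptr; }
private:
    T* m_ptr;
};

// Unsafe shape (as in the quoted line 51): exec is dereferenced in the initializer
// list regardless of whether it is null. JSDictionaryUnsafe(nullptr, nullptr) is
// undefined behaviour and crashes in practice.
class JSDictionaryUnsafe {
public:
    JSDictionaryUnsafe(ExecState* exec, JSObject* initializerObject)
        : m_exec(exec)
        , m_initializerObject(exec->globalData(), initializerObject)
    {}
    bool isValid() const { return m_exec && m_initializerObject; }
private:
    ExecState* m_exec;
    Strong<JSObject> m_initializerObject;
};

// Guarded shape: only build a rooted handle when there is an ExecState; otherwise
// leave the handle empty so isValid() can report the unusable state safely.
class JSDictionarySafe {
public:
    JSDictionarySafe(ExecState* exec, JSObject* initializerObject)
        : m_exec(exec)
        , m_initializerObject(exec ? Strong<JSObject>(exec->globalData(), initializerObject)
                                   : Strong<JSObject>())
    {}
    bool isValid() const { return m_exec && m_initializerObject; }
    JSObject* initializerObject() const { return m_initializerObject.get(); }
private:
    ExecState* m_exec;
    Strong<JSObject> m_initializerObject;
};

// The path the bug report describes: a dictionary built with no ExecState.
bool defaultConstructedIsValid() {
    JSDictionarySafe d(nullptr, nullptr);
    return d.isValid();   // false, and no dereference of a null exec
}

// The normal path: an ExecState and an initializer object are both present.
bool fullyConstructedIsValid() {
    ExecState exec;
    JSObject obj{42};
    JSDictionarySafe d(&exec, &obj);
    return d.isValid() && d.initializerObject()->value == 42;
}

// An ExecState with no initializer object: rooted handle is empty, so invalid.
bool missingInitializerIsValid() {
    ExecState exec;
    JSDictionarySafe d(&exec, nullptr);
    return d.isValid();
}
```

The guarded constructor keeps the isValid() contract (null m_exec or empty handle means "do not use") consistent with what the constructor can actually produce; the unsafe shape is shown only to make the contrast with the quoted line visible.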