109211 – [V8] Binding Integrity crash in V8MediaStream::createWrapper

Bug 109211 - [V8] Binding Integrity crash in V8MediaStream::createWrapper

Summary: [V8] Binding Integrity crash in V8MediaStream::createWrapper

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	WebCore Misc. (show other bugs)
Version:	528+ (Nightly build)
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:

Depends on:
Blocks:

Reported:	2013-02-07 10:55 PST by Thomas Sepez
Modified:	2013-02-07 14:03 PST (History)
CC List:	9 users (show)

See Also:

Attachments
A Patch. (1.12 KB, patch) 2013-02-07 12:03 PST, Thomas Sepez	no flags	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Thomas Sepez 2013-02-07 10:55:21 PST

LocalMediaStream wrapped as a MediaStream despite having IDL that knows better.

0x01fca175	 [Google Chrome Framework]	 + 0x01fa9175]	WebCore::V8MediaStream::createWrapper(WTF::PassRefPtr<WebCore::MediaStream>, v8::Handle<v8::Object>, v8::Isolate*)
0x01eab664	 [Google Chrome Framework]	 + 0x01e8a664]	WebCore::MediaStreamAudioDestinationNodeV8Internal::streamAttrGetter(v8::Local<v8::String>, v8::AccessorInfo const&)
0x0142e86f	 [Google Chrome Framework]	 + 0x0140d86f]	v8::internal::JSObject::GetPropertyWithCallback(v8::internal::Object*, v8::internal::Object*, v8::internal::String*)
0x0142e62c	 [Google Chrome Framework]	 + 0x0140d62c]	v8::internal::Object::GetProperty(v8::internal::Object*, v8::internal::LookupResult*, v8::internal::String*, PropertyAttributes*)
0x013dcc8c	 [Google Chrome Framework]	 + 0x013bbc8c]	v8::internal::LoadIC::Load(v8::internal::InlineCacheState, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::String>)
0x013e06e5	 [Google Chrome Framework]	 + 0x013bf6e5]	v8::internal::LoadIC_Miss(v8::internal::Arguments, v8::internal::Isolate*)

Suppress check for now, but there's an underlying bug that the stop() method in LocalMediaStream.idl won't be available on a local media stream wrapped in this manner. Need a custom wrapper to check if islocal and wrap accordingly.

Comment 1 Adam Barth 2013-02-07 11:18:01 PST

@tommyw: We need to make the toV8 function for MediaStream smarter so that it can create a LocalMediaStream wrapper when appropriate.

Comment 2 Thomas Sepez 2013-02-07 12:03:24 PST

Created attachment 187144 [details]
A Patch.

Comment 3 Adam Barth 2013-02-07 12:29:54 PST

Comment on attachment 187144 [details]
A Patch.

Do we have a LayoutTest for this case?  Also, we should open a bug for fixing the custom wrapping dispatch.

Comment 4 Thomas Sepez 2013-02-07 12:44:03 PST

(In reply to comment #3)
> (From update of attachment 187144 [details])
> Do we have a LayoutTest for this case?  Also, we should open a bug for fixing the custom wrapping dispatch.

No, I don't have a layouttest; the page in the wild which reproduced this was complex.
Followup bug is https://bugs.webkit.org/show_bug.cgi?id=109219

Comment 5 WebKit Review Bot 2013-02-07 14:03:30 PST

Comment on attachment 187144 [details]
A Patch.

Clearing flags on attachment: 187144

Committed r142177: <http://trac.webkit.org/changeset/142177>

Comment 6 WebKit Review Bot 2013-02-07 14:03:36 PST

All reviewed patches have been landed.  Closing bug.