RESOLVED FIXED 109211
[V8] Binding Integrity crash in V8MediaStream::createWrapper
https://bugs.webkit.org/show_bug.cgi?id=109211
Summary [V8] Binding Integrity crash in V8MediaStream::createWrapper
Thomas Sepez
Reported 2013-02-07 10:55:21 PST
LocalMediaStream wrapped as a MediaStream despite having IDL that knows better.

0x01fca175 [Google Chrome Framework] + 0x01fa9175] WebCore::V8MediaStream::createWrapper(WTF::PassRefPtr<WebCore::MediaStream>, v8::Handle<v8::Object>, v8::Isolate*)
0x01eab664 [Google Chrome Framework] + 0x01e8a664] WebCore::MediaStreamAudioDestinationNodeV8Internal::streamAttrGetter(v8::Local<v8::String>, v8::AccessorInfo const&)
0x0142e86f [Google Chrome Framework] + 0x0140d86f] v8::internal::JSObject::GetPropertyWithCallback(v8::internal::Object*, v8::internal::Object*, v8::internal::String*)
0x0142e62c [Google Chrome Framework] + 0x0140d62c] v8::internal::Object::GetProperty(v8::internal::Object*, v8::internal::LookupResult*, v8::internal::String*, PropertyAttributes*)
0x013dcc8c [Google Chrome Framework] + 0x013bbc8c] v8::internal::LoadIC::Load(v8::internal::InlineCacheState, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::String>)
0x013e06e5 [Google Chrome Framework] + 0x013bf6e5] v8::internal::LoadIC_Miss(v8::internal::Arguments, v8::internal::Isolate*)

Suppress check for now, but there's an underlying bug that the stop() method in LocalMediaStream.idl won't be available on a local media stream wrapped in this manner. Need a custom wrapper to check if isLocal and wrap accordingly.
Attachments
A Patch. (1.12 KB, patch)
2013-02-07 12:03 PST, Thomas Sepez
no flags
Adam Barth
Comment 1 2013-02-07 11:18:01 PST
@tommyw: We need to make the toV8 function for MediaStream smarter so that it can create a LocalMediaStream wrapper when appropriate.
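A simplified model of the wrapper dispatch this bug is about, added here as an illustration and not WebKit's own code: a base MediaStream, a LocalMediaStream subclass with stop(), a naive wrapper factory that always picks the MediaStream wrapper type, a dispatching factory that consults isLocal(), and a stand-in for the binding-integrity check that compares the wrapper's type with the object's real interface. All class and function names are assumptions for the model.

```cpp
// Model only (not WebKit code): wrapper dispatch for MediaStream vs. LocalMediaStream.
#include <iostream>
#include <string>

struct MediaStream {
    virtual ~MediaStream() = default;
    virtual bool isLocal() const { return false; }
    // Name of the IDL interface the object really implements.
    virtual std::string interfaceName() const { return "MediaStream"; }
};

struct LocalMediaStream : MediaStream {
    bool isLocal() const override { return true; }
    std::string interfaceName() const override { return "LocalMediaStream"; }
    void stop() { stopped = true; }   // only reachable through the LocalMediaStream wrapper
    bool stopped = false;
};

// Stand-in for a V8 wrapper: records which interface's prototype it was created with.
struct Wrapper {
    std::string wrapperType;
    MediaStream* impl;
};

// Naive dispatch (the reported behaviour): every stream gets the MediaStream
// wrapper, so a local stream's stop() is not exposed to script.
Wrapper createWrapperNaive(MediaStream* impl) {
    return Wrapper{"MediaStream", impl};
}

// Dispatch that checks isLocal() and wraps with the derived interface.
Wrapper createWrapperDispatching(MediaStream* impl) {
    if (impl->isLocal())
        return Wrapper{"LocalMediaStream", impl};
    return Wrapper{"MediaStream", impl};
}

// Binding-integrity check: wrapper type must match the object's real interface.
// A mismatch here is what the reported crash flagged.
bool bindingIntegrityHolds(const Wrapper& w) {
    return w.wrapperType == w.impl->interfaceName();
}

bool naiveWrapsLocalCorrectly() {
    LocalMediaStream local;
    return bindingIntegrityHolds(createWrapperNaive(&local));
}

bool dispatchingWrapsLocalCorrectly() {
    LocalMediaStream local;
    return bindingIntegrityHolds(createWrapperDispatching(&local));
}
```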
Thomas Sepez
Comment 2 2013-02-07 12:03:24 PST
Created attachment 187144 [details] A Patch.
Adam Barth
Comment 3 2013-02-07 12:29:54 PST
Comment on attachment 187144 [details] A Patch.

Do we have a LayoutTest for this case? Also, we should open a bug for fixing the custom wrapping dispatch.
Thomas Sepez
Comment 4 2013-02-07 12:44:03 PST
(In reply to comment #3)
> (From update of attachment 187144 [details])
> Do we have a LayoutTest for this case? Also, we should open a bug for fixing the custom wrapping dispatch.

No, I don't have a LayoutTest; the page in the wild which reproduced this was complex. Follow-up bug is https://bugs.webkit.org/show_bug.cgi?id=109219
WebKit Review Bot
Comment 5 2013-02-07 14:03:30 PST
Comment on attachment 187144 [details] A Patch.

Clearing flags on attachment: 187144

Committed r142177: <http://trac.webkit.org/changeset/142177>
WebKit Review Bot
Comment 6 2013-02-07 14:03:36 PST
All reviewed patches have been landed. Closing bug.