Bug 14764 - Javascript object created on the stack causes seg fault.
Summary: Javascript object created on the stack causes seg fault.
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 523.x (Safari 3)
Hardware: Macintosh OS X 10.4
Importance: P2 Normal
Assignee: Nobody
Keywords: InRadar
Reported: 2007-07-25 14:06 PDT by Patrick
Modified: 2007-07-27 05:02 PDT
Attachments
Proposed changes (1.35 KB, patch), 2007-07-25 14:07 PDT, Patrick; darin: review+
Patch with email address. (1.35 KB, patch), 2007-07-26 05:28 PDT, Patrick; darin: review-
For real this time (1.32 KB, patch), 2007-07-27 04:47 PDT, Patrick; mrowe: review+

Description Patrick 2007-07-25 14:06:17 PDT
PluginFunc::callAsFunction creates a PluginBase object on the stack and Collector tries to access the CollectorBitmap for an invalid address.
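As an added illustration (not the WebKit patch, and not JavaScriptCore's actual Collector or CollectorBitmap code, which this bug page does not show), here is a toy mark-bitmap collector in C++: it derives a cell's mark-bit index from the cell's offset inside a heap block, so it can only do that for pointers that really live in a block, and it refuses a pointer outside every block (such as a stack-allocated object) instead of indexing the bitmap with a meaningless offset. All names and sizes are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <vector>

constexpr size_t CELL_SIZE = 64;        // bytes per collectable cell (hypothetical)
constexpr size_t CELLS_PER_BLOCK = 256; // cells per heap block (hypothetical)
// A heap block: a fixed array of cells plus one mark bit per cell.
struct CollectorBlock {
    unsigned char cells[CELL_SIZE * CELLS_PER_BLOCK];
    uint8_t markBits[CELLS_PER_BLOCK / 8] = {};
    size_t nextFree = 0;
};
struct ToyHeap {
    // Hand out the next cell of the newest block, opening a new block when full.
    void* allocate() {
        if (blocks_.empty() || blocks_.back()->nextFree == CELLS_PER_BLOCK)
            blocks_.push_back(std::make_unique<CollectorBlock>());
        CollectorBlock* b = blocks_.back().get();
        return b->cells + CELL_SIZE * b->nextFree++;
    }
    // The block owning `p`, or nullptr when `p` is not a heap cell at all
    // (a stack-allocated object, as in this bug, lands in the nullptr case).
    CollectorBlock* blockFor(const void* p) const {
        auto addr = reinterpret_cast<uintptr_t>(p);
        for (auto& b : blocks_) {
            auto lo = reinterpret_cast<uintptr_t>(b->cells);
            if (addr >= lo && addr < lo + sizeof(b->cells))
                return b.get();
        }
        return nullptr;
    }
    // Set the mark bit for `p`. The index is p's offset inside its block, which
    // only holds for a real heap cell, so a foreign pointer is refused outright.
    bool mark(const void* p) {
        CollectorBlock* b = blockFor(p);
        if (!b) return false;
        size_t i = (static_cast<const unsigned char*>(p) - b->cells) / CELL_SIZE;
        b->markBits[i / 8] |= static_cast<uint8_t>(1u << (i % 8));
        return true;
    }
    bool isMarked(const void* p) const {
        CollectorBlock* b = blockFor(p);
        if (!b) return false;
        size_t i = (static_cast<const unsigned char*>(p) - b->cells) / CELL_SIZE;
        return (b->markBits[i / 8] >> (i % 8)) & 1u;
    }
    std::vector<std::unique_ptr<CollectorBlock>> blocks_;
};
```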
Comment 1 Patrick 2007-07-25 14:07:06 PDT
Created attachment 15685
Proposed changes
Comment 2 mitz 2007-07-25 14:11:41 PDT
Comment on attachment 15685
Proposed changes

Patrick, note that you should have set the review flag to "?" to indicate that you want your patch reviewed.
Comment 3 Darin Adler 2007-07-25 14:24:08 PDT
Comment on attachment 15685
Proposed changes

This looks like the right fix!

I'm going to mark this r=me even though I have two complaints:

1) The ChangeLog needs an email address.

2) We prefer to check in regression tests any time we fix a bug. Is there any way to reproduce the crash in a layout test?
Comment 4 David Kilzer (:ddkilzer) 2007-07-25 23:34:46 PDT
<rdar://problem/5361860>
Comment 5 Patrick 2007-07-26 05:23:49 PDT
I will update the changelog to have my email address in it.

There is a layout test that uncovered the bug for me. LayoutTests/plugins/plugin-javascript-access.html crashes for me every time. But this is on ARM and it crashes when running optimized release code. I'm not sure why it doesn't crash in debug code.
Comment 6 Patrick 2007-07-26 05:28:42 PDT
Created attachment 15689
Patch with email address.

Added email address to ChangeLog.
Comment 7 Maxime BRITTO 2007-07-26 05:44:00 PDT
(In reply to comment #6)
> Created an attachment (id=15689)
> Patch with email address.
> 
> Added email address to ChangeLog.
> 

It seems that you sent the same file... with no email address :-)
Comment 8 Darin Adler 2007-07-26 18:48:36 PDT
Comment on attachment 15689
Patch with email address.

Oops! Still no email address.
Comment 9 Patrick 2007-07-27 04:47:53 PDT
Created attachment 15702
For real this time
Comment 10 Mark Rowe (bdash) 2007-07-27 05:02:44 PDT
Landed in r24719.