RESOLVED FIXED 198037
[GLIB] Crash when instantiating a js object registered with jsc_context_register_class on window object cleared
https://bugs.webkit.org/show_bug.cgi?id=198037
Carlos Garcia Campos
Reported 2019-05-20 05:31:36 PDT
This happens because JSCClass is keeping a pointer to the JSCContext used when the class is registered, and the context can be destroyed before the class.
Attachments
Patch (16.15 KB, patch)
2019-05-20 05:43 PDT, Carlos Garcia Campos
mcatanzaro: review+
Carlos Garcia Campos
Comment 1 2019-05-20 05:43:26 PDT
Michael Catanzaro
Comment 2 2019-05-20 06:19:01 PDT
Comment on attachment 370249 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=370249&action=review > Source/JavaScriptCore/API/glib/JSCClass.cpp:346 > - static_cast<GParamFlags>(WEBKIT_PARAM_READWRITE | G_PARAM_CONSTRUCT_ONLY))); > + static_cast<GParamFlags>(WEBKIT_PARAM_WRITABLE | G_PARAM_CONSTRUCT_ONLY))); Nothing like a good API break to make a change exciting. I think we can get away with this, though.
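Review bot: dropping readability here (WEBKIT_PARAM_READWRITE to WEBKIT_PARAM_WRITABLE on the construct-only property at JSCClass.cpp:346) is an API-visible change rather than an internal one: any existing caller that reads this property through g_object_get() will now get a GLib critical at run time instead of a compile-time error, so the ChangeLog and the property's API documentation should state explicitly that the property is now write-only and construct-only, and why (the class no longer keeping the context alive is the point of the fix).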
Carlos Garcia Campos
Comment 3 2019-05-20 06:48:11 PDT
Radar WebKit Bug Importer
Comment 4 2019-05-20 06:49:19 PDT
Adrian Perez
Comment 5 2019-05-20 07:54:52 PDT
(In reply to Michael Catanzaro from comment #2) > Comment on attachment 370249 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=370249&action=review > > > Source/JavaScriptCore/API/glib/JSCClass.cpp:346 > > - static_cast<GParamFlags>(WEBKIT_PARAM_READWRITE | G_PARAM_CONSTRUCT_ONLY))); > > + static_cast<GParamFlags>(WEBKIT_PARAM_WRITABLE | G_PARAM_CONSTRUCT_ONLY))); > > Nothing like a good API break to make a change exciting. > > I think we can get away with this, though. Well, if people were using the API that allows registering JS classes in the wild, we would have had a bug report for this much earlier. So not many people are using this *for now*, and I also think this change won't bite anybody ;-]