34899 – [V8] Crash regression in r54305 when window.event is set by a script

RESOLVED FIXED 34899

[V8] Crash regression in r54305 when window.event is set by a script

https://bugs.webkit.org/show_bug.cgi?id=34899

Summary [V8] Crash regression in r54305 when window.event is set by a script

Nate Chapin

Reported 2010-02-12 10:11:13 PST

ScriptController.cpp:174 doesn't handle the possibility that the event field on the global object is set to a v8::Object that isn't a DOM wrapper. This can only happen if a script has directly set window.event.

Attachments
patch (5.18 KB, patch) 2010-02-12 10:23 PST, Nate Chapin	eric: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Nate Chapin

Comment 1 2010-02-12 10:23:33 PST

Created attachment 48651 [details] patch

Eric Seidel (no email)

Comment 2 2010-02-17 16:15:20 PST

Comment on attachment 48651 [details] patch Ideally fast/dom/Window/window-event-override-no-crash.html should have a newline at the end, but this looks great!

Nate Chapin

Comment 3 2010-02-18 09:25:48 PST

http://trac.webkit.org/changeset/54964 ....and, um, http://trac.webkit.org/changeset/54965

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version 528+ (Nightly build)

Hardware All

OS All

Product WebKit

Component WebCore Misc.

Assignee

Nate Chapin

Reported

2010-02-12 10:11 PST

Modified

2010-02-18 09:25 PST History

CC List

0 users

URL

Keywords

Depends on

Blocks