73273 – Crash caused by V8Proxy::retrieveFrameForCallingContext() returning 0 in V8DOMWindowCustom::handlePostMessageCallback

RESOLVED INVALID 73273

Crash caused by V8Proxy::retrieveFrameForCallingContext() returning 0 in V8DOMWindowCustom::handlePostMessageCallback

https://bugs.webkit.org/show_bug.cgi?id=73273

Summary Crash caused by V8Proxy::retrieveFrameForCallingContext() returning 0 in V8DO...

Marshall Greenblatt

Reported 2011-11-28 17:41:14 PST

1. Create a custom V8 binding that executes another V8 function using the frame context. 2. Call that V8 binding from the body onunload event. In some cases V8Proxy::retrieveFrameForCallingContext() will return 0 causing the following code in retrieveFrameForCallingContext() to crash: DOMWindow* source = V8Proxy::retrieveFrameForCallingContext()->domWindow(); The 0 result is caused by the "frame->domWindow() == window" check failing in V8Proxy::retrieveFrame() likely due to the context already being detached from the frame.

Attachments
Add attachment proposed patch, testcase, etc.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution INVALID

Priority P2

Severity Normal

Classification Unclassified

Version 528+ (Nightly build)

Hardware All

OS All

Product WebKit

Component WebCore JavaScript

Assignee

Nobody

Reported

2011-11-28 17:41 PST

Modified

2014-12-16 00:49 PST History

CC List

2 users Show

URL

Keywords

Depends on

Blocks