Bug 73273 - Crash caused by V8Proxy::retrieveFrameForCallingContext() returning 0 in V8DOMWindowCustom::handlePostMessageCallback
Status: RESOLVED INVALID
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore JavaScript
Version: 528+ (Nightly build)
Hardware: All
OS: All
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-11-28 17:41 PST by Marshall Greenblatt
Modified: 2014-12-16 00:49 PST
CC: 2 users

See Also:


Attachments

Description Marshall Greenblatt 2011-11-28 17:41:14 PST
1. Create a custom V8 binding that executes another V8 function using the frame context.
2. Call that V8 binding from the body onunload event.

In some cases V8Proxy::retrieveFrameForCallingContext() will return 0, causing the following code in retrieveFrameForCallingContext() to crash:

DOMWindow* source = V8Proxy::retrieveFrameForCallingContext()->domWindow();

The 0 result is caused by the "frame->domWindow() == window" check failing in V8Proxy::retrieveFrame() likely due to the context already being detached from the frame.
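An added illustration, not WebKit's code and not a fix the project adopted (the report was closed INVALID): a simplified C++ model of the lookup described above, where the window-identity check in retrieveFrame() yields null once the context's window has been detached from the frame, shown beside a caller that tests for null before dereferencing. Frame, DOMWindow, Context and detachWindow() are stand-ins constructed for the example, not WebCore's types.

```cpp
#include <cstddef>

// Stand-in types (constructed for this example, not WebCore's).
struct DOMWindow {};
struct Frame {
    DOMWindow* window = nullptr;            // the frame's current window
    DOMWindow* domWindow() const { return window; }
};
// A script context remembers the window it was created for and its frame.
struct Context {
    DOMWindow* window;
    Frame* frame;
};

// Mirrors the check quoted in the report: the frame is returned only while
// its live window is still the one this context belongs to.
Frame* retrieveFrame(const Context& ctx) {
    Frame* frame = ctx.frame;
    if (!frame || frame->domWindow() != ctx.window)
        return nullptr;                     // detached context: the "0 result"
    return frame;
}

// The pattern the report quotes: dereferences without a check and crashes
// on a detached context. Kept only to contrast with the guarded version.
DOMWindow* sourceWindowUnchecked(const Context& ctx) {
    return retrieveFrame(ctx)->domWindow();
}

// Hardened caller: treat null as "no calling frame" and bail out.
bool handlePostMessageGuarded(const Context& ctx, DOMWindow** sourceOut) {
    Frame* frame = retrieveFrame(ctx);
    *sourceOut = frame ? frame->domWindow() : nullptr;
    return frame != nullptr;
}

// Simulates the unload/navigation that moves the frame to a new window.
void detachWindow(Frame& frame, DOMWindow& newWindow) { frame.window = &newWindow; }

// Constructed scenario: attached call succeeds, detached call is refused.
bool demoDetachedContextIsSafe() {
    Frame frame; DOMWindow oldWindow, newWindow;
    frame.window = &oldWindow;
    Context ctx{&oldWindow, &frame};        // context created for oldWindow
    DOMWindow* source = nullptr;
    if (!handlePostMessageGuarded(ctx, &source) || source != &oldWindow) return false;
    detachWindow(frame, newWindow);         // same context, window now stale
    if (retrieveFrame(ctx) != nullptr) return false;
    return !handlePostMessageGuarded(ctx, &source) && source == nullptr;
}
```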