RESOLVED FIXED 93031
A few objects aren't being safely protected from GC in all cases
https://bugs.webkit.org/show_bug.cgi?id=93031
Oliver Hunt
Reported 2012-08-02 14:32:20 PDT
A few objects aren't being safely protected from GC in all cases
Attachments
Patch (7.69 KB, patch)
2012-08-02 14:33 PDT, Oliver Hunt
fpizlo: review+
Oliver Hunt
Comment 1 2012-08-02 14:33:45 PDT
Oliver Hunt
Comment 2 2012-08-02 15:24:17 PDT
Chris Dumez
Comment 3 2012-08-12 05:48:15 PDT
Comment on attachment 156168
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=156168&action=review

> Source/WebCore/bindings/js/JSDictionary.h:51
> + , m_initializerObject(exec->globalData(), initializerObject)

exec is being used here without null-check. The issue is that exec may be 0, for example when the default constructor for Dictionary is called. This leads to crashes (See Bug 93096).

> Source/WebCore/bindings/js/JSDictionary.h:68
> bool isValid() const { return m_exec && m_initializerObject; }

This function also hints that both m_exec and m_initializerObject may be NULL.
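Review bot: the member initializer at JSDictionary.h:51 evaluates exec->globalData() unconditionally, while isValid() at line 68 still treats a null m_exec as a reachable state, so the two lines disagree about the class invariant. Either document and assert that this constructor requires a non-null exec and route the default-constructed case through a path that leaves m_initializerObject empty, or move the initialization into the constructor body behind an `if (exec)` check so the GC-protected handle is only created when there is a global data to register it with.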