Bug 93031 - A few objects aren't being safely protected from GC in all cases
Summary: A few objects aren't being safely protected from GC in all cases
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Oliver Hunt
URL:
Keywords:
Depends on: 93096
Blocks:
Reported: 2012-08-02 14:32 PDT by Oliver Hunt
Modified: 2012-08-12 07:08 PDT

See Also:


Attachments
Patch (7.69 KB, patch)
2012-08-02 14:33 PDT, Oliver Hunt
fpizlo: review+

Description Oliver Hunt 2012-08-02 14:32:20 PDT
A few objects aren't being safely protected from GC in all cases
Comment 1 Oliver Hunt 2012-08-02 14:33:45 PDT
Created attachment 156168 [details]
Patch
Comment 2 Oliver Hunt 2012-08-02 15:24:17 PDT
Committed r124510: <http://trac.webkit.org/changeset/124510>
Comment 3 Chris Dumez 2012-08-12 05:48:15 PDT
Comment on attachment 156168 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=156168&action=review

> Source/WebCore/bindings/js/JSDictionary.h:51
> +        , m_initializerObject(exec->globalData(), initializerObject)
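Review bot: `exec` is dereferenced unconditionally in the member initializer list (`exec->globalData()`), so a null check placed in the constructor body would run too late to prevent the crash; since the class's own `isValid()` tests `m_exec` for null, the constructor should only construct `m_initializerObject` from `exec->globalData()` when `exec` is non-null.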

exec is being used here without a null check. The issue is that exec may be 0, for example when the default constructor for Dictionary is called. This leads to crashes (see Bug 93096).

> Source/WebCore/bindings/js/JSDictionary.h:68
>      bool isValid() const { return m_exec && m_initializerObject; }

This function also hints that both m_exec and m_initializerObject may be NULL.