WebKit Bugzilla
RESOLVED WONTFIX
96567
[V8] ScriptController::compileAndRunScript() can crash
https://bugs.webkit.org/show_bug.cgi?id=96567
Kentaro Hara
Reported
2012-09-12 15:12:42 PDT
See chromium bug:
http://code.google.com/p/chromium/issues/detail?id=146776
The root cause is the following code in ScriptSourceCode.h:

    CachedScript* cachedScript() const { return m_cachedScript.get(); }

Here m_cachedScript can be 0.
Attachments

Patch (2.64 KB, patch), 2012-09-12 15:21 PDT, Kentaro Hara, no flags
Patch (2.52 KB, patch), 2012-09-18 17:55 PDT, Kentaro Hara, no flags
patch for landing (2.51 KB, patch), 2012-09-19 17:05 PDT, Kentaro Hara, no flags
Kentaro Hara
Comment 1
2012-09-12 15:21:58 PDT
Created attachment 163715: Patch
Adam Barth
Comment 2
2012-09-12 15:40:27 PDT
Comment on attachment 163715: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=163715&action=review
> Source/WebCore/bindings/v8/ScriptSourceCode.h:67 > - CachedScript* cachedScript() const { return m_cachedScript.get(); } > + CachedScript* cachedScript() const { return m_cachedScript ? m_cachedScript.get() : 0; }
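Review bot: the ternary at ScriptSourceCode.h:67 does not change what the accessor returns. If m_cachedScript is a handle whose get() already yields 0 when it holds nothing, `m_cachedScript ? m_cachedScript.get() : 0` evaluates to exactly the value `m_cachedScript.get()` returned before, so this hunk cannot remove the crash described in the report. The null check belongs at the caller that dereferences the result of cachedScript(), for example `if (!cachedScript()) return;` before use, rather than inside the accessor.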
What does it mean for m_cachedScript to be 0? It is held as a member, not as a pointer.
Kentaro Hara
Comment 3
2012-09-12 15:50:49 PDT
Comment on attachment 163715: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=163715&action=review
>> Source/WebCore/bindings/v8/ScriptSourceCode.h:67 >> + CachedScript* cachedScript() const { return m_cachedScript ? m_cachedScript.get() : 0; } > > What does it mean for m_cachedScript to be 0? It is held as a member, not as a pointer.
Ah, good point... maybe I was confused. More investigation is needed.
Kentaro Hara
Comment 4
2012-09-18 17:55:16 PDT
Created attachment 164640: Patch
Adam Barth
Comment 5
2012-09-19 11:24:50 PDT
Comment on attachment 164640: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=164640&action=review
ok
> Source/WebCore/bindings/v8/ScriptSourceCode.cpp:53 > + if (!scriptData.get()) > + return nullptr;
There's no reason to call get() here. OwnPtr has a bool operator.
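The two review points above, Comment 2 (a null check inside the accessor changes nothing when the member is a handle whose get() already yields 0) and Comment 5 (test an OwnPtr through its bool operator rather than get()), modelled in one stand-alone C++ file. This is an added example and not WebKit code: CachedScript, Handle, ScriptSourceCode and the helper functions below are hypothetical stand-ins that assume an OwnPtr-like handle exposing get() and an explicit bool conversion, and the functions unsafeSourceLength / safeSourceLength / sourceOrNull are invented to show where the null check has to live.

```cpp
#include <cstddef>
#include <iostream>
#include <memory>
#include <string>
#include <utility>

// Stand-in for WebCore's CachedScript (assumption: only the text matters here).
struct CachedScript {
    std::string source;
};

// Hypothetical owning handle modelled on WTF::OwnPtr: get() yields 0 when the
// handle is empty, and the explicit bool conversion tests the same condition.
template <typename T>
class Handle {
public:
    Handle() = default;
    explicit Handle(T* p) : m_ptr(p) {}
    T* get() const { return m_ptr.get(); }
    explicit operator bool() const { return static_cast<bool>(m_ptr); }

private:
    std::unique_ptr<T> m_ptr;
};

// Stand-in for ScriptSourceCode: the resource is a member handle, not a raw
// pointer, exactly the situation Comment 2 asks about.
class ScriptSourceCode {
public:
    explicit ScriptSourceCode(Handle<CachedScript> script)
        : m_cachedScript(std::move(script)) { }

    // The accessor from the bug report, unchanged. Wrapping it as
    // `m_cachedScript ? m_cachedScript.get() : 0` would return the same
    // value in every case, which is why the first patch could not help.
    CachedScript* cachedScript() const { return m_cachedScript.get(); }

private:
    Handle<CachedScript> m_cachedScript;
};

// Unsafe consumer (the crash shape from the report): dereferences the
// accessor's result without checking it. Do not call with an empty handle.
std::size_t unsafeSourceLength(const ScriptSourceCode& code)
{
    return code.cachedScript()->source.size();
}

// Hardened consumer: the null check sits where the pointer is dereferenced.
// Returns false, leaving `length` untouched, when there is no cached script.
bool safeSourceLength(const ScriptSourceCode& code, std::size_t& length)
{
    CachedScript* script = code.cachedScript();
    if (!script)
        return false;
    length = script->source.size();
    return true;
}

// Shape of the second patch's guard: test the handle itself via its bool
// conversion (Comment 5) rather than `!scriptData.get()`, and bail out early.
const std::string* sourceOrNull(const Handle<CachedScript>& scriptData)
{
    if (!scriptData)
        return nullptr;
    return &scriptData.get()->source;
}

// Small scenarios exercised by main() below.
bool emptyHandleAccessorReturnsNull()
{
    ScriptSourceCode code{Handle<CachedScript>{}};
    return code.cachedScript() == nullptr;
}

bool safeCallerSkipsMissingScript()
{
    ScriptSourceCode code{Handle<CachedScript>{}};
    std::size_t length = 123; // sentinel: must stay untouched on the null path
    return !safeSourceLength(code, length) && length == 123;
}

std::size_t safeCallerLength(const std::string& text)
{
    ScriptSourceCode code{Handle<CachedScript>(new CachedScript{text})};
    std::size_t length = 0;
    return safeSourceLength(code, length) ? length : 0;
}

int main()
{
    std::cout << "empty handle -> null: " << emptyHandleAccessorReturnsNull() << '\n'
              << "safe caller skips null: " << safeCallerSkipsMissingScript() << '\n'
              << "safe caller length of 'alert(1)': " << safeCallerLength("alert(1)") << '\n';
    return 0;
}
```

Compile with any C++11 compiler (g++ -std=c++11 example.cpp). unsafeSourceLength is kept only to show the crashing pattern; every call in main goes through the guarded path, which is the shape of the change that actually landed.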
Kentaro Hara
Comment 6
2012-09-19 17:05:33 PDT
Created attachment 164805: patch for landing
WebKit Review Bot
Comment 7
2012-09-19 17:41:04 PDT
Comment on attachment 164805: patch for landing
Clearing flags on attachment: 164805
Committed r129077: <http://trac.webkit.org/changeset/129077>
Kentaro Hara
Comment 8
2012-09-19 17:41:54 PDT
Comment on attachment 164640: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=164640&action=review
>> Source/WebCore/bindings/v8/ScriptSourceCode.cpp:53 >> + return nullptr; > > There's no reason to call get() here. OwnPtr has a bool operator.
Fixed. Thanks.
Anders Carlsson
Comment 9
2013-09-12 22:35:41 PDT
V8 is gone.