[webkit-reviews] review requested: [Bug 86131] [V8] Crash in npObjectGetProperty() in V8NPObject.cpp : [Attachment 141234] Speculative fix

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu May 10 13:17:30 PDT 2012


Nate Chapin <japhet at chromium.org> has asked for review:
Bug 86131: [V8] Crash in npObjectGetProperty() in V8NPObject.cpp
https://bugs.webkit.org/show_bug.cgi?id=86131

Attachment 141234: Speculative fix
https://bugs.webkit.org/attachment.cgi?id=141234&action=review

------- Additional Comments from Nate Chapin <japhet at chromium.org>
Rationale:

* We don't early exit at
http://trac.webkit.org/browser/trunk/Source/WebCore/bindings/v8/V8NPObject.cpp?rev=113111#L190,
so the NPObject* is present in the liveObjectMap() in
npruntime.cpp and _NPN_IsAlive must return true.
* The only function that frees NPObjects (_NPN_DeallocateObject) also removes
the NPObject from the liveObjectMap() via _NPN_UnregisterObject, so the
NPObject* must be alive and properly registered at the entry point.
* The only way to reach the point at which we crash AND have the NPObject* be
invalid would be if the call to npObject->_class->hasProperty() at
http://trac.webkit.org/browser/trunk/Source/WebCore/bindings/v8/V8NPObject.cpp?rev=113111#L194
re-enters JS and deletes the NPObject, then returns false.
* Ergo, recheck _NPN_IsAlive before trying to call hasMethod().
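The re-entrancy hazard described in the rationale above, as an added model that is not WebKit's code: a minimal stand-in for the liveObjectMap() registry, a lookup that checks liveness only at entry (the shape before the fix) beside one that rechecks after hasProperty() returns (the shape of the fix), and a constructed object whose hasProperty() callback frees the object and returns false. All names (Obj, npnIsAlive, lookupGuarded, and so on) are assumed for the model; memory is never really released, so a use of a freed object is recorded rather than crashing.

```cpp
#include <functional>
#include <set>

// Model of an NPObject whose plugin callbacks may re-enter JS (not WebKit code).
struct Obj {
    bool freed = false;                      // simulated free; storage is kept so the model stays safe
    std::function<bool(Obj*)> hasProperty;   // may re-enter JS and free the object it was asked about
    std::function<bool(Obj*)> hasMethod;
};
enum class Lookup { Dead, Property, Method, NotFound };

static std::set<Obj*> liveObjectMap;         // stands in for npruntime's liveObjectMap()
static bool usedFreedObject = false;         // set when a callback is invoked on a freed object

static bool npnIsAlive(Obj* o) { return liveObjectMap.count(o) != 0; }
static Obj* npnCreate() { Obj* o = new Obj; liveObjectMap.insert(o); return o; }
static void npnDeallocate(Obj* o) { liveObjectMap.erase(o); o->freed = true; }

// Invokes hasMethod(); records the defect instead of dereferencing freed memory.
static bool callHasMethod(Obj* o) {
    if (o->freed) { usedFreedObject = true; return false; }
    return o->hasMethod(o);
}

// Shape before the fix: liveness is checked once, at entry only.
Lookup lookupUnguarded(Obj* o) {
    if (!npnIsAlive(o)) return Lookup::Dead;
    if (o->hasProperty(o)) return Lookup::Property;
    return callHasMethod(o) ? Lookup::Method : Lookup::NotFound;   // may run on a freed object
}

// Shape of the fix: recheck liveness after hasProperty() returns, since it may have re-entered.
Lookup lookupGuarded(Obj* o) {
    if (!npnIsAlive(o)) return Lookup::Dead;
    if (o->hasProperty(o)) return Lookup::Property;
    if (!npnIsAlive(o)) return Lookup::Dead;
    return callHasMethod(o) ? Lookup::Method : Lookup::NotFound;
}

// Constructed hostile case: hasProperty() frees the object it was asked about and returns false.
Obj* makeSelfFreeingObject() {
    Obj* o = npnCreate();
    o->hasProperty = [](Obj* self) { npnDeallocate(self); return false; };
    o->hasMethod = [](Obj*) { return true; };
    return o;
}

bool unguardedTouchesFreedObject() { usedFreedObject = false; lookupUnguarded(makeSelfFreeingObject()); return usedFreedObject; }
bool guardedTouchesFreedObject() { usedFreedObject = false; Lookup r = lookupGuarded(makeSelfFreeingObject()); return usedFreedObject || r != Lookup::Dead; }
```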

