[webkit-reviews] review denied: [Bug 101190] [V8] Remove setDOMWrapper(wrapper, 0) from V8NPObject : [Attachment 172284] Patch

bugzilla-daemon at webkit.org
Mon Nov 5 07:45:54 PST 2012


Adam Barth <abarth at webkit.org> has denied Kentaro Hara <haraken at chromium.org>'s
request for review:
Bug 101190: [V8] Remove setDOMWrapper(wrapper, 0) from V8NPObject
https://bugs.webkit.org/show_bug.cgi?id=101190

Attachment 172284: Patch
https://bugs.webkit.org/attachment.cgi?id=172284&action=review

------- Additional Comments from Adam Barth <abarth at webkit.org>
What if other folks have a reference to the v8 object? After this change,
won't they have a use-after-free if they try to access the wrapped object?

In the DOM case, we only remove objects from the wrapper map when we get a weak
handle callback.  In the case of NP objects, we can remove them when asked to
do so explicitly by the plugin (you might want to check that I'm right about
that---it's from memory).

