[Webkit-unassigned] [Bug 26974] New: js: Segfault when accessing 'window' object copied from other context

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sat Jul 4 23:30:13 PDT 2009 

https://bugs.webkit.org/show_bug.cgi?id=26974

           Summary: js: Segfault when accessing 'window' object copied
                    from other context
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Linux
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: dx at dxzone.com.ar


I have two contexts in the same group, A and B.
A is the webkit one with a loaded page
B was just created in that group and is empty.

I get the window object from A, and set it in B. No problem here, since
contexts in the same group are supposed to allow sharing objects. And it works
(mostly) fine with other objects, i tried document.getElementById for example,
but not much more.

But when I call my eval function, which runs in context B, with just "window",
it crashes with the following:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb51b3930 (LWP 19527)]
0xb7e7397a in WebCore::JSDOMWindow::getOwnPropertySlot () from
/usr/lib/libwebkit-1.0.so.2
(gdb) bt
#0  0xb7e7397a in WebCore::JSDOMWindow::getOwnPropertySlot () from
/usr/lib/libwebkit-1.0.so.2
#1  0xb77decb9 in WebCore::JSDOMWindowShell::getOwnPropertySlot () from
/usr/lib/libwebkit-1.0.so.2
#2  0xb775523b in JSC::JSObject::defaultValue () from
/usr/lib/libwebkit-1.0.so.2
#3  0xb7667837 in JSC::JSObject::toPrimitive () from
/usr/lib/libwebkit-1.0.so.2
#4  0xb7753ace in JSC::JSObject::toString () from /usr/lib/libwebkit-1.0.so.2
#5  0xb76789fb in JSValueToStringCopy () from /usr/lib/libwebkit-1.0.so.2
#6  0x0804db89 in eval_js (web_view=0x8c5f800, script=0x8d2bf70 "window",
result=0x8d49dc0) at uzbl.c:990
#7  0x0804dcee in run_js (web_view=0x8c5f800, argv=0x8d4bfa8, result=0x8d49dc0)
at uzbl.c:1015
#8  0x0804f51e in parse_command (cmd=0x8d2be40 "js", param=0x8d2bf70 "window",
result=0x8d49dc0) at uzbl.c:1570
#9  0x0805037e in parse_cmd_line (ctl_line=0x8c545a0 "js window\n",
result=0x8d49dc0) at uzbl.c:1914
#10 0x080509e9 in control_client_socket (clientchan=0x8d44148) at uzbl.c:2079
#11 0xb6e28f0b in g_io_unix_dispatch () from /usr/lib/libglib-2.0.so.0
#12 0xb6df2d98 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#13 0xb6df63e0 in g_main_context_iterate () from /usr/lib/libglib-2.0.so.0
#14 0xb6df684f in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#15 0xb72e75b9 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#16 0x08052f43 in main (argc=1, argv=0xbf95b9c4) at uzbl.c:2840

Using webkitgtk 1.1.10. Reproducible always. The code does not use threads,
altough it seems that webkit does. I'll write a test case. I could never enable
debug output because compilation fails strangely or runs out of memory.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list