[Webkit-unassigned] [Bug 29903] New: BarInfo crash seen with fuzzer from bug 29692

Tue Sep 29 15:47:00 PDT 2009

https://bugs.webkit.org/show_bug.cgi?id=29903

           Summary: BarInfo crash seen with fuzzer from bug 29692
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Mac OS X 10.5
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: New Bugs
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: eric at webkit.org
            Blocks: 29692

BarInfo crash seen with fuzzer from bug 29692

See attached crash report.

    case Scrollbars:
        return m_frame->page()->chrome()->scrollbarsVisible(); // CRASH HERE

at 0x08, which means that we have a NULL pointer and are trying to dereference
the pointer which we expect to be stored at 0x8 bytes from the start of the
expected object.

To get here means that m_frame is non-null, page or chrome could be null.  I
expect that page() is NULL and we're trying to grab at chrome() which is likely
stored 0x8 off of the start of Page (we could confirm this with code
inspection).

I'm just not sure how you ever get javascript to run with a Frame object which
has a NULL page.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.