[Webkit-unassigned] [Bug 45882] WebCore..Frame..domWindow ReadAV at NULL (f8cd71f24fff11a7dbb6a39e738fe929)
bugzilla-daemon at webkit.org
Tue Jan 25 01:41:37 PST 2011
https://bugs.webkit.org/show_bug.cgi?id=45882
--- Comment #2 from SkyLined <skylined at chromium.org> 2011-01-25 01:41:37 PST ---
Created an attachment (id=80035)
--> (https://bugs.webkit.org/attachment.cgi?id=80035&action=review)
Patch
The problem is in v8 bindings; the code calls "V8Proxy::retrieveFrameForCallingContext" and assumes it always returns an object. It then calls a method on the returned value, which leads to the NULL pointer crash.
http://codesearch.google.com/codesearch/p?hl=en#OAMlx_jo-ck/src/third_party/WebKit/Source/WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp&q=V8DOMWindow::postMessageCallback&exact_package=chromium&sa=N&cd=1&ct=rc&l=318
v8::Handle<v8::Value> V8DOMWindow::postMessageCallback(const v8::Arguments& args)
{
    INC_STATS("DOM.DOMWindow.postMessage()");
    DOMWindow* window = V8DOMWindow::toNative(args.Holder());
    DOMWindow* source = V8Proxy::retrieveFrameForCallingContext()->domWindow(); // Call here, then crash w/ NULL ptr.
http://codesearch.google.com/codesearch/p?hl=en#OAMlx_jo-ck/src/third_party/WebKit/WebCore/bindings/v8/V8Proxy.cpp&q=V8Proxy::retrieveFrameForCallingContext&exact_package=chromium&sa=N&cd=1&ct=rc&l=565
Frame* V8Proxy::retrieveFrameForCallingContext()
{
    v8::Handle<v8::Context> context = v8::Context::GetCalling();
    if (context.IsEmpty())
        return 0; // return NULL here
    return retrieveFrame(context);
}
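The crash pattern described in the comment, as an added example that is not code from the WebKit tree or from the attached patch: hypothetical stand-ins for Frame and DOMWindow, a callee that returns null when there is no calling context (as V8Proxy::retrieveFrameForCallingContext does), the unchecked call shape that dereferences it, and a null-checked version beside it.

```cpp
#include <cstddef>

// Hypothetical stand-ins for WebCore's Frame and DOMWindow, reduced to what
// the postMessage path touches. Constructed for this example only.
struct DOMWindow {
    int messagesReceived = 0;
};

struct Frame {
    DOMWindow window;
    DOMWindow* domWindow() { return &window; }
};

// Models V8Proxy::retrieveFrameForCallingContext(): when there is no calling
// JavaScript context it returns null, and every caller has to handle that.
Frame* retrieveFrameForCallingContext(Frame* callingFrame, bool hasCallingContext)
{
    if (!hasCallingContext)
        return nullptr; // corresponds to the "return 0" in V8Proxy.cpp
    return callingFrame;
}

// Same shape as the crashing line in V8DOMWindow::postMessageCallback:
// the returned pointer is dereferenced without a check.
int postMessageUnchecked(DOMWindow* target, Frame* callingFrame, bool hasCallingContext)
{
    DOMWindow* source = retrieveFrameForCallingContext(callingFrame, hasCallingContext)->domWindow();
    (void)source; // the real callback goes on to use the source window
    return ++target->messagesReceived;
}

// Hardened form: test the Frame pointer before calling domWindow() and
// refuse the call (here: return -1) instead of dereferencing null.
int postMessageChecked(DOMWindow* target, Frame* callingFrame, bool hasCallingContext)
{
    Frame* frame = retrieveFrameForCallingContext(callingFrame, hasCallingContext);
    if (!frame)
        return -1; // no calling context: bail out rather than crash
    DOMWindow* source = frame->domWindow();
    (void)source;
    return ++target->messagesReceived;
}
```

Calling postMessageUnchecked with hasCallingContext == false is the null dereference from the report; the checked version returns -1 on that input and otherwise behaves identically.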