[Webkit-unassigned] [Bug 104921] New: Regression causing DOM objects to have unstable NPObject* references with v8 bindings
bugzilla-daemon at webkit.org
Thu Dec 13 09:10:11 PST 2012
https://bugs.webkit.org/show_bug.cgi?id=104921
Summary: Regression causing DOM objects to have unstable NPObject* references with v8 bindings
Product: WebKit
Version: 528+ (Nightly build)
Platform: Unspecified
OS/Version: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: WebCore Misc.
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: mdempsky at google.com
CC: abarth at webkit.org
Created an attachment (id=179282)
--> (https://bugs.webkit.org/attachment.cgi?id=179282&action=review)
Fix for NPV8Object regression
For details, see crbug.com/165307.
I've identified this WebKit patch as the issue: http://trac.webkit.org/changeset?format=diff&new=135804&old=135803&new_path=%2Ftrunk&old_path=%2Ftrunk
In particular, in the "iter != v8NPObjectMap->end()" case, if the 'for' loop terminates without returning, then objectVector will not be set, and the newly created NPObject pointer will not be saved for future reuse.
I also notice that v8NPObjectMap is keyed off Object::GetIdentityHash(), but the V8 Object documentation explicitly states that identity hashes are not unique: http://code.google.com/p/v8/source/browse/trunk/include/v8.h#1702
So I believe this code:
if (v8npObject->rootObject == root) {
ASSERT(v8npObject->v8Object == object);
should also be changed to:
if (v8npObject->v8Object == object && v8npObject->rootObject == root) {
See attached patch.
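The two defects the report describes, modelled as an added example that is not part of the bug report, the attached patch or WebKit's code. V8Object, RootObject, NPObject, WrapperArena, lookupBuggy and lookupFixed are stand-ins constructed for this example; the only things taken from the report are the shape of the map (one bucket of NPObject* per identity hash), the rootObject-only comparison, and the fall-through that leaves objectVector unset. Scenario A shows why matching on rootObject alone is wrong once identity hashes can collide; scenario B shows how the fall-through makes the NPObject* for the same object and root change between lookups.

```cpp
#include <cassert>
#include <cstdio>
#include <map>
#include <memory>
#include <vector>

// Minimal stand-ins for the V8 and NPAPI types named in the report. These are
// constructed for this example; they are not WebKit's or V8's definitions.
struct V8Object { int identityHash; };   // what Object::GetIdentityHash() would give
struct RootObject {};
struct NPObject {
    V8Object* v8Object;
    RootObject* rootObject;
};

// One bucket per identity hash, mirroring the report's v8NPObjectMap.
using V8NPObjectMap = std::map<int, std::vector<NPObject*>>;
// Owns the wrappers so the example has no leaks; NPAPI refcounting is omitted.
using WrapperArena = std::vector<std::unique_ptr<NPObject>>;
using LookupFn = NPObject* (*)(V8NPObjectMap&, WrapperArena&, V8Object*, RootObject*);

static NPObject* newWrapper(WrapperArena& arena, V8Object* object, RootObject* root) {
    arena.push_back(std::make_unique<NPObject>(NPObject{object, root}));
    return arena.back().get();
}

// Reproduces the regressed lookup as the report describes it.
NPObject* lookupBuggy(V8NPObjectMap& map, WrapperArena& arena,
                      V8Object* object, RootObject* root) {
    std::vector<NPObject*>* objectVector = nullptr;
    auto iter = map.find(object->identityHash);
    if (iter != map.end()) {
        for (NPObject* existing : iter->second) {
            // Defect 1: compares rootObject only, so a hash collision hands
            // back another object's wrapper (where the original ASSERT would fire).
            if (existing->rootObject == root)
                return existing;
        }
        // Defect 2: the loop fell through and objectVector was never set.
    } else {
        objectVector = &map[object->identityHash];
    }
    NPObject* created = newWrapper(arena, object, root);
    if (objectVector)
        objectVector->push_back(created);   // skipped after the fall-through
    return created;
}

// Corrected lookup: match on both the V8 object and the root, and always
// record a newly created wrapper in its bucket.
NPObject* lookupFixed(V8NPObjectMap& map, WrapperArena& arena,
                      V8Object* object, RootObject* root) {
    std::vector<NPObject*>& objectVector = map[object->identityHash];
    for (NPObject* existing : objectVector) {
        if (existing->v8Object == object && existing->rootObject == root)
            return existing;
    }
    NPObject* created = newWrapper(arena, object, root);
    objectVector.push_back(created);
    return created;
}

// Scenario A: two distinct objects whose identity hashes collide, same root.
// Returns true when the lookup conflates them (b gets a's wrapper).
bool conflatesCollidingObjects(LookupFn lookup) {
    V8NPObjectMap map; WrapperArena arena; RootObject root;
    V8Object a{42}, b{42};   // colliding hashes, constructed on purpose
    NPObject* wa = lookup(map, arena, &a, &root);
    NPObject* wb = lookup(map, arena, &b, &root);
    return wb == wa || wb->v8Object != &b;
}

// Scenario B: the same object looked up under two roots. Once the bucket
// exists, a miss for the second root must still store the new wrapper;
// otherwise every later lookup creates another one and the pointer drifts.
bool wrapperIsUnstable(LookupFn lookup) {
    V8NPObjectMap map; WrapperArena arena; RootObject root1, root2;
    V8Object obj{7};
    lookup(map, arena, &obj, &root1);
    NPObject* first = lookup(map, arena, &obj, &root2);
    NPObject* second = lookup(map, arena, &obj, &root2);
    return first != second;
}

int main() {
    std::printf("buggy: conflates=%d unstable=%d\n",
                conflatesCollidingObjects(lookupBuggy), wrapperIsUnstable(lookupBuggy));
    std::printf("fixed: conflates=%d unstable=%d\n",
                conflatesCollidingObjects(lookupFixed), wrapperIsUnstable(lookupFixed));
    return 0;
}
```

The fixed version deliberately uses operator[] to obtain the bucket before searching it, so there is no separate "bucket missing" branch for the insertion to fall out of; the identity-hash key is then only a bucket selector and never a proof of identity, which is all the V8 documentation promises.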