[Webkit-unassigned] [Bug 88451] Extra HandleScope in V8Proxy

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Jun 6 14:01:15 PDT 2012


https://bugs.webkit.org/show_bug.cgi?id=88451

--- Comment #3 from Eriq Augustine <eaugusti at chromium.org>  2012-06-06 14:01:14 PST ---
I have not been able to get a test to expose this error in WebKit alone; however, I have got it to crash Chromium.

Regardless, I believe that there is a clear problem here.
In V8Proxy::evaluateInIsolatedWorld(), the extra HandleScope will cause any Values placed into |results| to be destroyed with the HandleScope.
The V8Proxy is only called from the v8 ScriptController, and a HandleScope is created there. The ScriptController then wraps any Value in a ScriptValue which internally uses a Persistent Handle, ensuring the safety of the Values.

An alternative to just deleting the HandleScope would be to add the ability for a HandleScope to Close() around multiple Handles.

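As an added illustration (not WebKit or V8 code, and not part of the bug comment above), the following C++ model reproduces the handle lifetimes the comment describes: a Local is popped when the HandleScope that created it closes, while a Persistent keeps the value alive. `Isolate`, `newLocal` and `scriptControllerEvaluate` are hypothetical stand-ins for the real V8/WebKit types, and the `isAlive()` check is the model's own addition; real V8 offers no such check, a stale Local simply aliases whatever later reuses its slot.

```cpp
#include <memory>
#include <string>
#include <vector>
// Handle block of one isolate: a Local is an index into |handles| and is valid
// only while the HandleScope that was open when it was created is still open.
struct Isolate { std::vector<std::shared_ptr<std::string>> handles; std::vector<size_t> scopeMarks; };
// Opening a scope records the handle count; closing it pops every handle made
// since. (A real V8 Local would silently alias whatever later reuses its slot.)
struct HandleScope {
    Isolate& iso;
    explicit HandleScope(Isolate& i) : iso(i) { iso.scopeMarks.push_back(iso.handles.size()); }
    ~HandleScope() { iso.handles.resize(iso.scopeMarks.back()); iso.scopeMarks.pop_back(); }
};
struct Local { size_t index; Isolate* iso; bool isAlive() const { return index < iso->handles.size(); } };
Local newLocal(Isolate& iso, const std::string& v) {
    iso.handles.push_back(std::make_shared<std::string>(v));
    return Local{iso.handles.size() - 1, &iso};
}
// A Persistent owns the value and so survives scope closure; this is what
// ScriptValue wraps. Wrapping a Local that has already died yields nothing.
struct Persistent {
    std::shared_ptr<std::string> ptr;
    explicit Persistent(const Local& l) : ptr(l.isAlive() ? l.iso->handles[l.index] : nullptr) {}
    std::string get() const { return ptr ? *ptr : "<dead handle>"; }
};
// Stand-in for V8Proxy::evaluateInIsolatedWorld: with |extraScope| the extra
// HandleScope closes at return and every Local pushed into |results| dies.
void evaluateInIsolatedWorld(Isolate& iso, const std::vector<std::string>& sources,
                             std::vector<Local>& results, bool extraScope) {
    std::unique_ptr<HandleScope> extra;
    if (extraScope) extra = std::make_unique<HandleScope>(iso);
    for (const auto& src : sources) results.push_back(newLocal(iso, "value of " + src));
}
// Stand-in for ScriptController: owns the HandleScope and wraps each result
// in a Persistent-backed ScriptValue before that scope closes.
std::vector<std::string> scriptControllerEvaluate(Isolate& iso, bool extraScope) {
    std::vector<Persistent> scriptValues;
    {
        HandleScope scope(iso);
        std::vector<Local> results;
        evaluateInIsolatedWorld(iso, {"a", "b"}, results, extraScope);  // constructed sources
        for (const auto& r : results) scriptValues.emplace_back(r);
    }
    std::vector<std::string> out;
    for (const auto& sv : scriptValues) out.push_back(sv.get());
    return out;
}
```

Running `scriptControllerEvaluate(iso, true)` yields only dead handles, while `scriptControllerEvaluate(iso, false)` returns both values even though the controller's scope has closed, because the Persistent copies outlive it.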