[Webkit-unassigned] [Bug 82383] Crash Firing Signals Through QtWebKit Bridge

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Mar 30 14:27:51 PDT 2012


https://bugs.webkit.org/show_bug.cgi?id=82383

--- Comment #3 from Ryan Cumming <rcumming at ea.com>  2012-03-30 14:27:51 PST ---
The root of the problem is this code in Source/WebCore/bridge/qt/qt_runtime.cpp:

// Stuff in the __qt_sender property, if we can
ScopeChainNode* oldsc = 0;
JSFunction* fimp = 0;
if (m_funcObject->inherits(&JSFunction::s_info)) {
    fimp = static_cast<JSFunction*>(m_funcObject.get());

    JSObject* qt_sender = QtInstance::getQtInstance(sender(), ro, QScriptEngine::QtOwnership)->createRuntimeObject(exec);
    JSObject* wrapper = constructEmptyObject(exec, createEmptyObjectStructure(exec->globalData(), jsNull()));
    PutPropertySlot slot;
    wrapper->put(exec, Identifier(exec, "__qt_sender__"), qt_sender, slot);
    oldsc = fimp->scope();
    fimp->setScope(exec->globalData(), oldsc->push(wrapper));
}

This code is trying to expose the "__qt_sender__" object in the scope of the called JavaScript function. To accomplish this it creates an empty object, adds __qt_sender__, then temporarily inserts it into the called function's scope chain. However, the only objects allowed in the JavaScript scope chain are variable objects (JSVariableObject in JSC). This causes JavaScriptCore to blow up if we try to walk the scope chain up to the __qt_sender__ container scope.

The correct thing to do seems to be to instantiate a JSStaticScope instead of a JSObject, but we don't need the __qt_sender__ feature so I've merely commented out the code.
