[Webkit-unassigned] [Bug 106308] New: [Chromium] WebGL typed array constructor crashes on exception

Tue Jan 8 00:01:27 PST 2013

https://bugs.webkit.org/show_bug.cgi?id=106308

           Summary: [Chromium] WebGL typed array constructor crashes on
                    exception
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: New Bugs
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: mstarzinger at chromium.org
                CC: kbr at google.com

An object whose 'length' property is an accessor that throws an exception might crash the WebGL typed array constructor when passed as a single parameter. The underlying cause is a missing check for an empty handle after the 'length' property is read. This only applies to the V8 bindings. I have attached a simplified test case that reproduces the problem.

Note that I strongly suspect that the same problem exists when one of the elements is defined as a throwing accessor, but I didn't write a repro for this yet.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.