[Webkit-unassigned] [Bug 119074] New: Crash when sharing JS context

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Jul 24 22:23:57 PDT 2013


https://bugs.webkit.org/show_bug.cgi?id=119074

           Summary: Crash when sharing JS context
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: WebCore JavaScript
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: mathstuf at gmail.com


With the code below [1] run on every WEBKIT_LOAD_COMMITTED from the WebKitWebView's "load-changed" signal, I get the backtrace below when accessing the "window" variable from the shared context ("document" is fine). I think that if the JS context is not the page's main context, access should be allowed, since this is the browser's own doing. The easiest way to detect this is probably to allow access when "activeDOMWindow(exec)" is NULL, but that might be naive: a NULL active window also means there is no calling document whose origin the same-origin check could compare against the target's.

webkitgtk3-2.1.3-1.fc20.x86_64

(gdb) info locals
activeOrigin = <optimized out>
message = {m_impl = {m_ptr = 0x0}}
activeURL = {m_string = {m_impl = {m_ptr = 0x0}}, m_isValid = false, m_protocolIsInHTTPFamily = false, m_schemeEnd = 0, m_userStart = 0, m_userEnd = 0, m_passwordEnd = 0, m_hostEnd = 0, m_portEnd = 0, m_pathAfterLastSlash = 0, m_pathEnd = 0, m_queryEnd = 0, m_fragmentEnd = 0}
targetOrigin = <optimized out>
targetURL = {m_string = {m_impl = {m_ptr = 0x0}}, m_isValid = false, m_protocolIsInHTTPFamily = false, m_schemeEnd = 0, m_userStart = 0, m_userEnd = 0, m_passwordEnd = 0, m_hostEnd = 0, m_portEnd = 0, m_pathAfterLastSlash = 0, m_pathEnd = 0, m_queryEnd = 0, m_fragmentEnd = 0}
(gdb) list
<snip>
1814        const KURL& activeWindowURL = activeWindow->document()->url();
<snip>
(gdb) up
<snip seebacktrace>
(gdb) list
<snip>
275         message = target->crossDomainAccessErrorMessage(activeDOMWindow(exec));
<snip>
(gdb) bt
#0  WebCore::DOMWindow::document (this=this at entry=0x0) at Source/WebCore/page/DOMWindow.cpp:1334
#1  0x00007ffff69794a5 in WebCore::DOMWindow::crossDomainAccessErrorMessage (this=this at entry=0x7ffff7f08dc0, activeWindow=0x0) at Source/WebCore/page/DOMWindow.cpp:1814
#2  0x00007ffff633afc6 in WebCore::shouldAllowAccessToDOMWindow (exec=exec at entry=0x7fff936bf4d8, target=0x7ffff7f08dc0, message=...) at Source/WebCore/bindings/js/JSDOMBinding.cpp:275
#3  0x00007ffff6343d96 in WebCore::JSDOMWindow::getOwnPropertySlot (cell=0x7fff936bf870, exec=0x7fff936bf4d8, propertyName=..., slot=...) at Source/WebCore/bindings/js/JSDOMWindowCustom.cpp:149
#4  0x00007ffff58c474b in fastGetOwnPropertySlot (slot=..., propertyName=..., exec=0x7fff936bf4d8, this=0x7fff936fffd8) at Source/JavaScriptCore/runtime/JSCellInlines.h:169
#5  getPropertySlot (slot=..., propertyName=..., exec=0x7fff936bf4d8, this=<optimized out>) at Source/JavaScriptCore/runtime/JSObject.h:1186
#6  JSC::JSObject::get (this=<optimized out>, exec=0x7fff936bf4d8, propertyName=...) at Source/JavaScriptCore/runtime/JSObject.h:1211
#7  0x00007ffff5a26662 in callDefaultValueFunction (propertyName=..., object=0x7fff936fffd8, exec=0x7fff936bf4d8) at Source/JavaScriptCore/runtime/JSObject.cpp:1333
#8  JSC::JSObject::defaultValue (object=0x7fff936fffd8, exec=0x7fff936bf4d8, hint=<optimized out>) at Source/JavaScriptCore/runtime/JSObject.cpp:1365
#9  0x00007ffff5a02806 in toPrimitive (preferredType=JSC::PreferString, exec=0x7fff936bf4d8, this=<optimized out>) at Source/JavaScriptCore/runtime/JSObject.h:1402
#10 JSC::JSCell::toPrimitive (this=<optimized out>, exec=exec at entry=0x7fff936bf4d8, preferredType=preferredType at entry=JSC::PreferString) at Source/JavaScriptCore/runtime/JSCell.cpp:145
#11 0x00007ffff5a41981 in JSC::JSValue::toStringSlowCase (this=this at entry=0x7fffffffcac0, exec=exec at entry=0x7fff936bf4d8) at Source/JavaScriptCore/runtime/JSCJSValue.cpp:314
#12 0x00007ffff575b26e in toString (exec=0x7fff936bf4d8, this=0x7fffffffcac0) at Source/JavaScriptCore/runtime/JSString.h:530
#13 JSValueToStringCopy (ctx=0x7fff936bf4d8, value=0x7fff936fffd8, exception=0x0) at Source/JavaScriptCore/API/JSValueRef.cpp:401
#14 0x0000000000414316 in uzbl_js_to_string (ctx=0x7fff936bf4d8, val=0x7fff936fffd8) at src/js.c:96
#15 0x000000000040e538 in cmd_js (argv=0x8714f0, result=0x730200) at src/commands.c:2413
#16 0x000000000040ad5d in uzbl_commands_run_parsed (info=0x41bf20 <builtin_command_table+576>, argv=0x8714f0, result=0x730200) at src/commands.c:177
#17 0x000000000040ae90 in uzbl_commands_run (cmd=0x8703a0 "js shared string window", result=0x730200) at src/commands.c:215
#18 0x000000000041347b in run_command (item=0x909ec0, data=0x0) at src/io.c:237
#19 0x000000000041a766 in uzbl_rb_async_queue_watch_dispatch (source=0x6ab650, callback=0x41341e <run_command>, user_data=0x0) at src/3p/async-queue-source/rb-async-queue-watch.c:85
#20 0x00007ffff30f9f26 in g_main_dispatch (context=0x67a810) at gmain.c:3064
#21 g_main_context_dispatch (context=context at entry=0x67a810) at gmain.c:3640
#22 0x00007ffff30fa2a8 in g_main_context_iterate (context=0x67a810, block=block at entry=1, dispatch=dispatch at entry=1, self=<optimized out>) at gmain.c:3711
#23 0x00007ffff30fa6ba in g_main_loop_run (loop=0x75cb90) at gmain.c:3905
#24 0x00007ffff509a46d in gtk_main () at gtkmain.c:1157
#25 0x0000000000409dd7 in main (argc=9, argv=0x7fffffffcfa8) at src/uzbl-core.c:297

[1]
/*
 * Create (or re-create) uzbl's private JS global context in the same
 * context group as the web view's page context, and expose the page's
 * globals to it.
 *
 * The page context comes from whichever WebKit API is compiled in
 * (USE_WEBKIT2, else the WebKit1 main frame). Each property name found on
 * the page's global object is copied onto the fresh shared global as a
 * read-only, undeletable property, and the page's global object is then
 * installed as the prototype of the shared global.
 *
 * NOTE(review): because of that prototype link, a lookup that misses on the
 * shared global (the backtrace in this report shows "window" reaching
 * JSDOMWindow::getOwnPropertySlot) appears to be answered by the page's
 * DOMWindow wrapper while no active DOMWindow exists for the shared
 * context; presumably that is where the NULL activeDOMWindow comes from —
 * confirm.
 *
 * Any shared context left over from a previous call is released first; on
 * return uzbl.state.sharedjscontext holds the new one.
 */
void
uzbl_js_init_shared_context ()
{
    JSGlobalContextRef page_ctx = NULL;
#ifdef USE_WEBKIT2
    page_ctx = webkit_web_view_get_javascript_global_context (uzbl.gui.web_view);
#else
    WebKitWebFrame *main_frame = webkit_web_view_get_main_frame (uzbl.gui.web_view);
    page_ctx = webkit_web_frame_get_global_context (main_frame);
#endif

    /* The new context is created inside the page's group so that the two
     * contexts share it. */
    JSContextGroupRef page_group = JSContextGetGroup (page_ctx);

    /* Release the context built for the previous load before replacing it. */
    if (uzbl.state.sharedjscontext) {
        JSGlobalContextRelease (uzbl.state.sharedjscontext);
    }
    uzbl.state.sharedjscontext = JSGlobalContextCreateInGroup (page_group, NULL);

    JSObjectRef page_global = JSContextGetGlobalObject (page_ctx);
    JSObjectRef shared_global = JSContextGetGlobalObject (uzbl.state.sharedjscontext);

    /* Mirror every property of the page global onto the shared global. */
    JSPropertyNameArrayRef names = JSObjectCopyPropertyNames (page_ctx, page_global);
    size_t count = JSPropertyNameArrayGetCount (names);
    size_t idx = 0;
    while (idx < count) {
        JSStringRef name = JSPropertyNameArrayGetNameAtIndex (names, idx);
        gchar *name_utf8 = uzbl_js_extract_string (name);
        JSValueRef value = uzbl_js_get (page_ctx, page_global, name_utf8);

        /* ReadOnly | DontDelete: scripts in the shared context cannot
         * reassign or delete the mirrored properties. */
        uzbl_js_set (uzbl.state.sharedjscontext,
            shared_global, name_utf8, value,
            kJSPropertyAttributeReadOnly | kJSPropertyAttributeDontDelete);

        g_free (name_utf8);
        ++idx;
    }
    JSPropertyNameArrayRelease (names);

    /* Anything not mirrored above is resolved through the page global. */
    JSObjectSetPrototype (uzbl.state.sharedjscontext,
        shared_global, page_global);
}
