[Webkit-unassigned] [Bug 113285] New: document.createTouch crashes when document has no frame.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Mar 26 02:20:45 PDT 2013 

https://bugs.webkit.org/show_bug.cgi?id=113285

           Summary: document.createTouch crashes when document has no
                    frame.
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: tasak at google.com


Created an attachment (id=195039)
 --> (https://bugs.webkit.org/attachment.cgi?id=195039&action=review)
repro.html

reported by fuzzer:

Crash type    UNKNOWN
Crash address    0x000000000b00
Crash state    - crash stack -
WebCore::Touch::Touch
WebCore::Document::createTouch
WebCore::DocumentV8Internal::createTouchMethodCallback

    #0 0x551f47 in WebCore::Frame::pageZoomFactor() const third_party/WebKit/Source/WebCore/page/Frame.h:155
    #1 0xadd78a in WebCore::Touch::Touch(WebCore::Frame*, WebCore::EventTarget*, unsigned int, int, int, int, int, int, int, float, float) third_party/WebKit/Source/WebCore/dom/Touch.cpp:72
    #2 0x9cdc59 in WebCore::Touch::create(WebCore::Frame*, WebCore::EventTarget*, unsigned int, int, int, int, int, int, int, float, float) third_party/WebKit/Source/WebCore/dom/Touch.h:47
    #3 0x9cdbbf in WebCore::Document::createTouch(WebCore::DOMWindow*, WebCore::EventTarget*, int, int, int, int, int, int, int, float, float, int&) const third_party/WebKit/Source/WebCore/dom/Document.cpp:5609
    #4 0x2820762 in WebCore::DocumentV8Internal::createTouchMethod(v8::Arguments const&) out/Release/obj/gen/webcore/bindings/V8Document.cpp:2648
    #5 0xd56ca3 in v8::internal::MaybeObject* v8::internal::HandleApiCallHelper<false>(v8::internal::(anonymous namespace)::BuiltinArguments<(v8::internal::BuiltinExtraArguments)1>, v8::internal::Isolate*) v8/src/builtins.cc:1327

https://cluster-fuzz.appspot.com/testcase?key=171689017

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list