[Webkit-unassigned] [Bug 113434] New: Crash when calling QWebFrame::evaluateJavaScript

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Mar 27 12:45:03 PDT 2013


https://bugs.webkit.org/show_bug.cgi?id=113434

           Summary: Crash when calling QWebFrame::evaluateJavaScript
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Windows 7
            Status: UNCONFIRMED
          Severity: Critical
          Priority: P1
         Component: WebKit Qt
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: sfcheng at gmail.com


In Qt 5.0.1, when I use QWebFrame::evaluateJavaScript to execute some script within a QWebFrame, it's very likely to crash at the same place in MarkedAllocator.cpp.


void* MarkedAllocator::allocateSlowCase(size_t bytes)
{
    ASSERT(m_heap->globalData()->apiLock().currentThreadIsHoldingLock());
#if COLLECT_ON_EVERY_ALLOCATION
    m_heap->collectAllGarbage();
    ASSERT(m_heap->m_operationInProgress == NoOperation);
#endif
...
}

The debug assertion ASSERT(m_heap->globalData()->apiLock().currentThreadIsHoldingLock()) fired right at the entry of this function.

I did find a similar bug in the BlackBerry port that has already been resolved here: https://bugs.webkit.org/show_bug.cgi?id=100504. I added the following line, "JSC::JSLockHolder lock(exec)", to QVariant QWebFrameAdapter::evaluateJavaScript(const QString &scriptSource) in QWebFrameAdapter.cpp:

QVariant QWebFrameAdapter::evaluateJavaScript(const QString &scriptSource)
{
    ScriptController* proxy = frame->script();
    QVariant rc;
    if (proxy) {
        int distance = 0;
        // executeScript takes the JSLock itself while the script runs and releases it before returning.
        JSC::JSValue v = frame->script()->executeScript(ScriptSourceCode(scriptSource)).jsValue();
        JSC::ExecState* exec = proxy->globalObject(mainThreadNormalWorld())->globalExec();
        JSC::JSLockHolder lock(exec);    //This line fixes the bug.
        JSValueRef* ignoredException = 0;
        // Converting the result can allocate on the JSC heap, which asserts that the API lock is held.
        rc = JSC::Bindings::convertValueToQVariant(toRef(exec), toRef(exec, v), QMetaType::Void, &distance, ignoredException);
    }
    return rc;
}

It seems to work and stops the crash. However, I am not an inside developer and don't really know what I am doing. Can someone look into this bug and provide a real fix?

This is a serious bug since it will crash any application that attempts to run its own scripts within web pages.
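
The lock-ownership check the report hits, and the effect of wrapping the conversion in a JSLockHolder, reduced to a stand-alone model. This is an added example, not code from WebKit, Qt or the reporter: ApiLock, JSLockHolder, Heap::allocateSlowCase, executeScript and convertValueToQVariant below borrow JSC's names for readability, but their bodies are this example's own assumptions (a recursive lock that records its owning thread, and an allocator that counts unlocked allocations instead of crashing on an ASSERT).

```cpp
#include <atomic>
#include <cstddef>
#include <cstdio>
#include <cstdlib>
#include <mutex>
#include <thread>
#include <vector>

// Recursive lock that remembers its owning thread, so an allocation path can
// check the caller the way ASSERT(apiLock().currentThreadIsHoldingLock()) does.
// (Model for this example; JSC's real JSLock differs.)
class ApiLock {
public:
    void lock() {
        m_mutex.lock();                            // re-entry by the owner is allowed
        m_owner.store(std::this_thread::get_id());
        ++m_depth;
    }
    void unlock() {
        if (--m_depth == 0)
            m_owner.store(std::thread::id());      // nobody owns the lock any more
        m_mutex.unlock();
    }
    bool currentThreadIsHoldingLock() const {
        return m_owner.load() == std::this_thread::get_id();
    }
private:
    std::recursive_mutex m_mutex;
    std::atomic<std::thread::id> m_owner{};
    unsigned m_depth = 0;                          // written only by the owner, under the mutex
};

// RAII guard with the shape of JSC::JSLockHolder: lock on construction,
// unlock when the scope ends, never copied.
class JSLockHolder {
public:
    explicit JSLockHolder(ApiLock& lock) : m_lock(lock) { m_lock.lock(); }
    ~JSLockHolder() { m_lock.unlock(); }
    JSLockHolder(const JSLockHolder&) = delete;
    JSLockHolder& operator=(const JSLockHolder&) = delete;
private:
    ApiLock& m_lock;
};

// Toy heap whose slow path checks the lock like MarkedAllocator::allocateSlowCase.
// A debug WebKit build ASSERTs and crashes there; this model counts the
// violation and returns nullptr so the outcome can be observed.
class Heap {
public:
    ~Heap() { for (void* cell : m_cells) std::free(cell); }
    ApiLock& apiLock() { return m_lock; }
    void* allocateSlowCase(size_t bytes) {
        if (!m_lock.currentThreadIsHoldingLock()) {
            ++m_lockViolations;
            return nullptr;
        }
        m_cells.push_back(std::malloc(bytes));
        return m_cells.back();
    }
    unsigned lockViolations() const { return m_lockViolations; }
private:
    ApiLock m_lock;
    std::vector<void*> m_cells;
    unsigned m_lockViolations = 0;
};

// Stands in for ScriptController::executeScript: takes the lock itself while
// the script runs and has released it by the time the result is returned.
void* executeScript(Heap& heap) {
    JSLockHolder lock(heap.apiLock());
    return heap.allocateSlowCase(64);
}

// Stands in for convertValueToQVariant: converting the value allocates again
// (e.g. a JS string for it) but does not take the lock on its own.
void* convertValueToQVariant(Heap& heap, void* value) {
    return value ? heap.allocateSlowCase(32) : nullptr;
}

// The original evaluateJavaScript shape: conversion runs after executeScript
// has dropped its holder. Returns how many allocations ran without the lock.
unsigned lockViolationsWithoutFix() {
    Heap heap;
    void* v = executeScript(heap);
    convertValueToQVariant(heap, v);
    return heap.lockViolations();
}

// The same path with the reporter's fix: a JSLockHolder covering the conversion.
unsigned lockViolationsWithFix() {
    Heap heap;
    void* v = executeScript(heap);
    JSLockHolder lock(heap.apiLock());
    convertValueToQVariant(heap, v);
    return heap.lockViolations();
}

// With the fix, the outer holder nests with the one executeScript takes; the
// inner release must keep ownership and only the outermost release drops it.
bool lockReleasedOnlyAfterOutermostHolder() {
    Heap heap;
    {
        JSLockHolder outer(heap.apiLock());
        executeScript(heap);
        if (!heap.apiLock().currentThreadIsHoldingLock())
            return false;
    }
    return !heap.apiLock().currentThreadIsHoldingLock();
}

int main() {
    std::printf("without fix: %u unlocked allocation(s)\n", lockViolationsWithoutFix());
    std::printf("with fix:    %u unlocked allocation(s)\n", lockViolationsWithFix());
    std::printf("nested holders release correctly: %s\n",
                lockReleasedOnlyAfterOutermostHolder() ? "yes" : "no");
    return 0;
}
```

The model makes the report's point visible: executeScript is safe on its own because it holds the lock internally, and the crash comes from the allocation inside the conversion that follows it, which runs on the same thread but after that holder has been released. The nested-holder check is why an RAII holder placed before the conversion is enough: a recursive lock lets the outer holder coexist with any inner one.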
