[Webkit-unassigned] [Bug 137425] Plugin process crashes in NPN_InvokeDefault
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Mon Oct 31 01:21:21 PDT 2016
https://bugs.webkit.org/show_bug.cgi?id=137425
Darin Adler <darin at apple.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #293400|review? |review-
Flags| |
--- Comment #28 from Darin Adler <darin at apple.com> ---
Comment on attachment 293400
--> https://bugs.webkit.org/attachment.cgi?id=293400
Updated patch
View in context: https://bugs.webkit.org/attachment.cgi?id=293400&action=review
> Source/WebCore/bridge/NP_jsobject.cpp:171
> + if (!npp || !o || !o->_class || !o->_class->invokeDefault)
> + return false;
This is a change in behavior. Before we would return true with a void value in result when the invokeDefault pointer was null. I don’t see any test coverage for this change in behavior.
> Source/WebCore/bridge/NP_jsobject.cpp:173
> if (o->_class == NPScriptObjectClass) {
This is broken now, because invokeDefault is null in NPScriptObjectClass, so this code will never run. No test coverage?
> Source/WebCore/bridge/NP_jsobject.cpp:213
> + if (!npp || !o || !o->_class || !o->_class->invoke)
> + return false;
This is a change in behavior. Before we would return true with a void value for result when the invoke pointer was null. I don’t see any test coverage for this change in behavior.
> Source/WebCore/bridge/NP_jsobject.cpp:215
> if (o->_class == NPScriptObjectClass) {
Also broken like the other case above.
> Source/WebCore/bridge/NP_jsobject.cpp:293
> + if (!npp || !o || !o->_class || !o->_class->getProperty)
> + return false;
This is a change in behavior. Before we would set result to a void value when the getProperty pointer was null. Maybe we should test this?
> Source/WebCore/bridge/NP_jsobject.cpp:295
> if (o->_class == NPScriptObjectClass) {
Also broken like the other cases above.
> Source/WebCore/bridge/NP_jsobject.cpp:322
> - if (o->_class->hasProperty && o->_class->getProperty) {
> - if (o->_class->hasProperty(o, propertyName))
> - return o->_class->getProperty(o, propertyName, variant);
> - return false;
> - }
> + if (o->_class->hasProperty(o, propertyName))
> + return o->_class->getProperty(o, propertyName, variant);
Why is it OK to drop the check of o->_class->hasProperty for null? Do we have a test case covering that?
> Source/WebCore/bridge/NP_jsobject.cpp:333
> if (o->_class == NPScriptObjectClass) {
Also broken like the other cases above.
> Source/WebCore/bridge/NP_jsobject.cpp:408
> if (o->_class == NPScriptObjectClass) {
Also broken like the other cases above.
> Source/WebCore/bridge/NP_jsobject.cpp:441
> if (o->_class == NPScriptObjectClass) {
Also broken like the other cases above.
> Source/WebCore/bridge/NP_jsobject.cpp:522
> if (o->_class == NPScriptObjectClass) {
Also broken like the other cases above.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20161031/c3cf0af3/attachment.html>
More information about the webkit-unassigned
mailing list