Changeset 155495 in webkit for trunk/Source/JavaScriptCore/API


Timestamp:
Sep 10, 2013, 6:16:50 PM (12 years ago)
Author:
[email protected]
Message:

WebKit crashes when trying to send a msg via 'today's birthdays' dialogue box on Facebook
https://bugs.webkit.org/show_bug.cgi?id=120612#add_comment
Patch by Chris Curtis <[email protected]> on 2013-09-10
Reviewed by Geoffrey Garen.

The codeBlock was assumed to exist when appendSourceToMessage was set.
This was an invalid assumption. I added a check to ensure that there is a
valid codeBlock before accessing it.

  • API/tests/testapi.c:

(valueToObjectExceptionCallAsFunction):
(valueToObjectExceptionTest):
(main):

  • runtime/VM.cpp:

(JSC::VM::throwException):

File:
1 edited

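--- a/trunk/Source/JavaScriptCore/API/tests/testapi.c
+++ b/trunk/Source/JavaScriptCore/API/tests/testapi.c
@@ -1044,4 +1044,42 @@
 }
 
+static JSValueRef valueToObjectExceptionCallAsFunction(JSContextRef ctx, JSObjectRef function, JSObjectRef thisObject, size_t argumentCount, const JSValueRef arguments[], JSValueRef* exception)
+{
+    UNUSED_PARAM(function);
+    UNUSED_PARAM(thisObject);
+    UNUSED_PARAM(argumentCount);
+    UNUSED_PARAM(arguments);
+    JSValueRef jsUndefined = JSValueMakeUndefined(JSContextGetGlobalContext(ctx));
+    JSValueToObject(JSContextGetGlobalContext(ctx), jsUndefined, exception);
+   
+    return JSValueMakeUndefined(ctx);
+}
+static bool valueToObjectExceptionTest()
+{
+    JSGlobalContextRef testContext;
+    JSClassDefinition globalObjectClassDefinition = kJSClassDefinitionEmpty;
+    globalObjectClassDefinition.initialize = globalObject_initialize;
+    globalObjectClassDefinition.staticValues = globalObject_staticValues;
+    globalObjectClassDefinition.staticFunctions = globalObject_staticFunctions;
+    globalObjectClassDefinition.attributes = kJSClassAttributeNoAutomaticPrototype;
+    JSClassRef globalObjectClass = JSClassCreate(&globalObjectClassDefinition);
+    testContext = JSGlobalContextCreateInGroup(NULL, globalObjectClass);
+    JSObjectRef globalObject = JSContextGetGlobalObject(testContext);
+
+    JSStringRef valueToObject = JSStringCreateWithUTF8CString("valueToObject");
+    JSObjectRef valueToObjectFunction = JSObjectMakeFunctionWithCallback(testContext, valueToObject, valueToObjectExceptionCallAsFunction);
+    JSObjectSetProperty(testContext, globalObject, valueToObject, valueToObjectFunction, kJSPropertyAttributeNone, NULL);
+    JSStringRelease(valueToObject);
+
+    JSStringRef test = JSStringCreateWithUTF8CString("valueToObject();");
+    JSEvaluateScript(testContext, test, NULL, NULL, 1, NULL);
+   
+    JSStringRelease(test);
+    JSClassRelease(globalObjectClass);
+    JSGlobalContextRelease(testContext);
+   
+    return true;
+}
+
 static void checkConstnessInJSObjectNames()
 {
@@ -1976,4 +2014,6 @@
         failed = true;
     }
+    if (valueToObjectExceptionTest())
+        printf("PASS: throwException did not crash when handling an error with appendMessageToError set and no codeBlock available.\n");
 
     if (failed) {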
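Review bot: valueToObjectExceptionTest (new lines 1057–1082) returns true unconditionally and passes NULL as the exception out-parameter to JSEvaluateScript, so it only demonstrates that the call did not crash; if the exception the callback provokes with JSValueToObject on undefined ever stops being raised or propagated, the test still prints PASS. Capture it instead: `JSValueRef exception = NULL;`, `JSEvaluateScript(testContext, test, NULL, NULL, 1, &exception);` and `return exception != NULL;`, which keeps the crash coverage and additionally pins the expected error path. Once the return value is meaningful, the call site in the second hunk should mirror the block just above it at 2014 and set `failed = true` in an else branch rather than only printing on success. main() starts and ends outside this section.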