Issue 14514 Null pointer dereference in document wrapper caching code
Reported by ager@chromium.org (Project Member), Jun 18 2009
Status: Fixed
Closed: Jun 2009
OS: All
Pri: 3
Type: Bug

If instantiation of the document wrapper fails we get an empty handle. Using an empty handle in ForceSet will lead to a null pointer dereference.

We just need to bail out in that case and clear the cache.
 
Comment 1 by bugdro...@gmail.com, Jun 18 2009
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=18697 

------------------------------------------------------------------------
r18697 | ager@chromium.org | 2009-06-18 00:41:19 -0700 (Thu, 18 Jun 2009) | 8 lines
Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/webkit/port/bindings/v8/v8_proxy.cpp?r1=18697&r2=18696

Add missing null handle check to document wrapper caching code.

If instantiation of the document wrapper fails (for instance in out of
memory situations) we get a null handle which will lead to a crash when
using ForceSet.

BUG= 14514 
Review URL: http://codereview.chromium.org/133001
------------------------------------------------------------------------
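The report above and the commit message describe one pattern: a factory that can hand back an empty handle (the out-of-memory case), a caller that passes that handle straight into ForceSet, and the fix, which is to test IsEmpty() first, clear the cached "document" entry and return. The following is an added example written for this page, not code from Chromium, V8 or r18697. The Handle and Object types, InstantiateDocumentWrapper, and the assumption that "the cache" is the "document" property on the global object are stand-ins that imitate the shape of the fix; they are not the real v8_proxy.cpp code.

```cpp
#include <cstdio>
#include <map>
#include <string>

// Toy stand-in for v8::Handle<T>, modelled on its empty-handle convention:
// a default-constructed handle holds nothing and IsEmpty() reports that.
// This is an assumption for the example, not V8's real class.
template <typename T>
class Handle {
 public:
  Handle() : ptr_(nullptr) {}
  explicit Handle(T* p) : ptr_(p) {}
  bool IsEmpty() const { return ptr_ == nullptr; }
  T* get() const { return ptr_; }
  T* operator->() const { return ptr_; }
 private:
  T* ptr_;
};

// Toy JS object: a property bag. ForceSet touches the value it is given, so
// passing it an empty handle dereferences null, the crash the report describes.
struct Object {
  std::map<std::string, Object*> properties;
  int referenced_by = 0;  // bumped whenever another object stores a reference

  void ForceSet(const std::string& name, Handle<Object> value) {
    value->referenced_by += 1;          // null dereference if `value` is empty
    properties[name] = value.get();
  }
  bool ForceDelete(const std::string& name) { return properties.erase(name) > 0; }
  bool Has(const std::string& name) const { return properties.count(name) > 0; }
};

// Simulated wrapper factory (hypothetical): returns an empty handle when
// instantiation fails, e.g. the out-of-memory case named in the commit message.
Handle<Object> InstantiateDocumentWrapper(Object* storage, bool allocation_fails) {
  if (allocation_fails) return Handle<Object>();
  return Handle<Object>(storage);
}

// Assumption: the cached wrapper is the "document" property on the global
// object, so clearing the cache means removing that property.
void ClearDocumentWrapperCache(Object* global) { global->ForceDelete("document"); }

// Unchecked pattern, as the report describes it. With allocation_fails=true
// this hands an empty handle to ForceSet and dereferences null. Kept for
// contrast only; never call it on the failure path.
void UpdateDocumentWrapperCacheUnchecked(Object* global, Object* storage, bool allocation_fails) {
  Handle<Object> wrapper = InstantiateDocumentWrapper(storage, allocation_fails);
  global->ForceSet("document", wrapper);
}

// Checked pattern, in the spirit of the fix: bail out on an empty handle and
// clear the cache so no stale wrapper is left behind. Returns whether the
// cache now holds a live wrapper.
bool UpdateDocumentWrapperCache(Object* global, Object* storage, bool allocation_fails) {
  Handle<Object> wrapper = InstantiateDocumentWrapper(storage, allocation_fails);
  if (wrapper.IsEmpty()) {
    ClearDocumentWrapperCache(global);
    return false;
  }
  global->ForceSet("document", wrapper);
  return true;
}

// Scenario 1: instantiation succeeds, the wrapper is cached and referenced.
bool ScenarioSuccessCachesWrapper() {
  Object global, doc;
  bool ok = UpdateDocumentWrapperCache(&global, &doc, false);
  return ok && global.Has("document") && doc.referenced_by == 1;
}

// Scenario 2: a wrapper is cached, then re-instantiation fails. The checked
// version must report failure, drop the stale entry and not touch `doc`.
bool ScenarioFailureClearsCache() {
  Object global, doc;
  UpdateDocumentWrapperCacheUnchecked(&global, &doc, false);  // safe: success path
  bool ok = UpdateDocumentWrapperCache(&global, &doc, true);
  return !ok && !global.Has("document") && doc.referenced_by == 1;
}

int main() {
  std::printf("success caches wrapper: %s\n", ScenarioSuccessCachesWrapper() ? "yes" : "no");
  std::printf("failure clears cache:   %s\n", ScenarioFailureClearsCache() ? "yes" : "no");
  return 0;
}
```

The second scenario is the one worth keeping in mind when reviewing a fix like this: bailing out is not enough on its own, because a previously cached wrapper would otherwise survive a failed refresh and be served stale; the IsEmpty() check and the cache clear belong together.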

Comment 2 by ager@chromium.org, Jun 18 2009
Status: Fixed
Labels: -Pri-2 Pri-3 Crash-3.0.189.0
This crash was found in 3.0.189.0 and is currently ranked #128 (based on the relative number of reports in the release).  There has been 1 report from 1 client.
http://crash/search?query=Chrome+3.0.189.0+v8%3A%3Ainternal%3A%3ARuntime%3A%3AForceSetObjectProperty%28v8%3A%3Ainternal%3A%3AHandle%3Cv8%3A%3Ainternal%3A%3AJSObject%3E%2Cv8%3A%3Ainternal%3A%3AHandle%3Cv8%3A%3Ainternal%3A%3AObject%3E%2Cv8%3A%3Ainternal%3A%3AHandle%3Cv8%3A%3Ainternal%3A%3AObject%3E%2CPropertyAttributes%29
This crash looks like it has re-appeared in 3.0.189.0
Comment 4 by bugdroid1@chromium.org (Project Member), Oct 12 2012
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.