Title: [104196] trunk
Revision
104196
Author
[email protected]
Date
2012-01-05 12:41:16 -0800 (Thu, 05 Jan 2012)

Log Message

[v8] Null pointer exception if a typed array constructor is set to a primitive value.
https://bugs.webkit.org/show_bug.cgi?id=75532

Make sure that V8ArrayBufferViewCustomScript.js does not throw an exception.

Patch by Ulan Degenbaev <[email protected]> on 2012-01-05
Reviewed by Kenneth Russell.

* LayoutTests/fast/canvas/webgl/array-buffer-view-crash-when-reassigned-expected.txt: Added.
* LayoutTests/fast/canvas/webgl/array-buffer-view-crash-when-reassigned.html: Added.
* Source/WebCore/bindings/v8/custom/V8ArrayBufferViewCustom.cpp:
* Source/WebCore/bindings/v8/custom/V8ArrayBufferViewCustomScript.js:

Modified Paths

Added Paths

Diff

Modified: trunk/ChangeLog (104195 => 104196)


--- trunk/ChangeLog	2012-01-05 20:28:48 UTC (rev 104195)
+++ trunk/ChangeLog	2012-01-05 20:41:16 UTC (rev 104196)
@@ -1,3 +1,17 @@
+2012-01-05  Ulan Degenbaev  <[email protected]>
+
+        [v8] Null pointer exception if a typed array constructor set to a primitive value.
+        https://bugs.webkit.org/show_bug.cgi?id=75532
+
+        Make sure that V8ArrayBufferViewCustomScript.js does not throw exception.
+
+        Reviewed by Kenneth Russell.
+
+        * LayoutTests/fast/canvas/webgl/array-buffer-view-crash-when-reassigned-expected.txt: Added.
+        * LayoutTests/fast/canvas/webgl/array-buffer-view-crash-when-reassigned.html: Added.
+        * Source/WebCore/bindings/v8/custom/V8ArrayBufferViewCustom.cpp:
+        * Source/WebCore/bindings/v8/custom/V8ArrayBufferViewCustomScript.js:
+
 2012-01-05  Zeno Albisser  <[email protected]>
 
         [Qt][WK2] Implement custom URL schemes defined in QML.

Added: trunk/LayoutTests/fast/canvas/webgl/array-buffer-view-crash-when-reassigned-expected.txt (0 => 104196)


--- trunk/LayoutTests/fast/canvas/webgl/array-buffer-view-crash-when-reassigned-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/canvas/webgl/array-buffer-view-crash-when-reassigned-expected.txt	2012-01-05 20:41:16 UTC (rev 104196)
@@ -0,0 +1,9 @@
+Verify that reassigning typed array constructor does not crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+PASS reassigning typed array constructor did not crash
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/fast/canvas/webgl/array-buffer-view-crash-when-reassigned.html (0 => 104196)


--- trunk/LayoutTests/fast/canvas/webgl/array-buffer-view-crash-when-reassigned.html	                        (rev 0)
+++ trunk/LayoutTests/fast/canvas/webgl/array-buffer-view-crash-when-reassigned.html	2012-01-05 20:41:16 UTC (rev 104196)
@@ -0,0 +1,32 @@
+<html>
+<head>
+<script src=""
+<script src=""
+</head>
+<body>
+<div id="description"></div>
+<div id="console"></div>
+
+<script>
+
+description('Verify that reassigning typed array constructor does not crash.');
+
+<!-- The following used to cause a crash in Chrome -->
+Uint8Array = 0;
+Uint16Array = "string";
+Uint32Array = function() {};
+Int16Array = function() {};
+Int16Array.prototype.set = 0;
+new Float64Array(function () {});
+new Float32Array([1, 2, 3], 1);
+new Int16Array(function() {});
+testPassed("reassigning typed array constructor did not crash");
+
+</script>
+<script src=""
+
+<script>
+</script>
+
+</body>
+</html>
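Review bot: The HTML comment placed inside the `<script>` block just before `Uint8Array = 0;` is only accepted because of the legacy HTML-like comment grammar in script; `// The following used to cause a crash in Chrome.` is the conventional form. The cases exercised replace constructors with a number, a string, and functions with and without a callable `set`, but none replaces `prototype` itself with `null`; adding a case such as `Uint32Array = function() {}; Uint32Array.prototype = null;` before the `new` calls would also cover the `typeof null === 'object'` gap in the guard added to V8ArrayBufferViewCustomScript.js.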

Modified: trunk/Source/WebCore/bindings/v8/custom/V8ArrayBufferViewCustom.cpp (104195 => 104196)


--- trunk/Source/WebCore/bindings/v8/custom/V8ArrayBufferViewCustom.cpp	2012-01-05 20:28:48 UTC (rev 104195)
+++ trunk/Source/WebCore/bindings/v8/custom/V8ArrayBufferViewCustom.cpp	2012-01-05 20:41:16 UTC (rev 104196)
@@ -47,6 +47,8 @@
 
 void installFastSet(v8::Handle<v8::Object> array)
 {
+    v8::TryCatch tryCatch;
+    tryCatch.SetVerbose(true);
     v8::Handle<v8::Object> global = array->CreationContext()->Global();
     v8::Handle<v8::String> key = v8::String::New(fastSetFlagName);
     global->SetHiddenValue(key, v8::Boolean::New(true));
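Review bot: The TryCatch added at the top of installFastSet is never consulted within the hunk: nothing checks `tryCatch.HasCaught()`, so an exception raised by the custom script is reported through the verbose message listener and the function then carries on as if installation had succeeded. installFastSet's body, including the point where the script runs, continues outside the hunk, so a later check may exist; if it does not, consider returning early on `tryCatch.HasCaught()` after the script executes. Note also that the hidden `fastSetFlagName` value is set to true on the line after the new code, before the script has run, so a context whose install fails is still marked as installed and will not be retried — worth a comment if that is intentional. A why-comment on the new lines would help a reader: `// A page may have replaced a typed-array constructor with a primitive; report rather than propagate any exception the custom script raises.`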

Modified: trunk/Source/WebCore/bindings/v8/custom/V8ArrayBufferViewCustomScript.js (104195 => 104196)


--- trunk/Source/WebCore/bindings/v8/custom/V8ArrayBufferViewCustomScript.js	2012-01-05 20:28:48 UTC (rev 104195)
+++ trunk/Source/WebCore/bindings/v8/custom/V8ArrayBufferViewCustomScript.js	2012-01-05 20:41:16 UTC (rev 104196)
@@ -26,24 +26,28 @@
 
 var optimizeSetMethod = function(type)
 {
-    type.prototype.set = (function() {
-        var nativeSet = type.prototype.set;
-        var f = function(source, offset)
-        {
-            if (source.constructor === Array) {
-                var length = source.length;
-                offset = offset || 0;
-                if (offset < 0 || offset + length > this.length) {
+    if (typeof type === 'function' &&
+        typeof type.prototype !== 'undefined' && 
+        typeof type.prototype.set === 'function') {
+        type.prototype.set = (function() {
+            var nativeSet = type.prototype.set;
+            var f = function(source, offset)
+            {
+                if (source.constructor === Array) {
+                    var length = source.length;
+                    offset = offset || 0;
+                    if (offset < 0 || offset + length > this.length) {
+                        return nativeSet.call(this, source, offset);
+                    }
+                    for (var i = 0; i < length; i++)
+                        this[i + offset] = source[i];
+                } else
                     return nativeSet.call(this, source, offset);
-                }
-                for (var i = 0; i < length; i++)
-                    this[i + offset] = source[i];
-            } else
-                return nativeSet.call(this, source, offset);
-        }
-        f.name = "set";
-        return f;
-    })();
+            }
+            f.name = "set";
+            return f;
+        })();
+    }
 };
 
 optimizeSetMethod(Float32Array);
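Review bot: The new guard still throws when a page has set the constructor's `prototype` to `null`: `typeof null` is `'object'`, so `typeof type.prototype !== 'undefined'` passes and the following `type.prototype.set` access raises a TypeError, which defeats the stated aim of this script never throwing (the TryCatch added in V8ArrayBufferViewCustom.cpp would only report it). Replacing the middle condition with `type.prototype !== null && typeof type.prototype !== 'undefined'` closes that case; the same condition line also carries trailing whitespace after `&&`. Since the guard now accepts any page-supplied function with a callable `prototype.set`, a one-line comment stating the intent would help: `// The page may have replaced this global with anything; only wrap a real function whose prototype has a callable set.` The calls at the end of the file (`optimizeSetMethod(Float32Array);` onward) continue outside the hunk.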