2009-12-07 Kenneth Russell <kbr@google.com>
author: eric@webkit.org <eric@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>, Mon, 7 Dec 2009 19:36:34 +0000 (19:36 +0000)
committer: eric@webkit.org <eric@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>, Mon, 7 Dec 2009 19:36:34 +0000 (19:36 +0000)
        Reviewed by Dimitri Glazkov.

        [v8] WebCore::WebGLArrayBufferInternal::byteLengthAttrGetter NULL pointer
        https://bugs.webkit.org/show_bug.cgi?id=31889

        Fixed bug in handling of zero-argument constructor call.

        Test: fast/canvas/webgl/bug-31889.html

        * fast/canvas/webgl/bug-31889-expected.txt: Added.
        * fast/canvas/webgl/bug-31889.html: Added.
2009-12-07  Kenneth Russell  <kbr@google.com>

        Reviewed by Dimitri Glazkov.

        [v8] WebCore::WebGLArrayBufferInternal::byteLengthAttrGetter NULL pointer
        https://bugs.webkit.org/show_bug.cgi?id=31889

        Fixed bug in handling of zero-argument constructor call.

        Test: fast/canvas/webgl/bug-31889.html

        * bindings/v8/custom/V8WebGLArrayBufferCustom.cpp:
        (WebCore::CALLBACK_FUNC_DECL):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@51785 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/canvas/webgl/bug-31889-expected.txt [new file with mode: 0644]
LayoutTests/fast/canvas/webgl/bug-31889.html [new file with mode: 0644]
WebCore/ChangeLog
WebCore/bindings/v8/custom/V8WebGLArrayBufferCustom.cpp

index 1af1740aa98e67b442562ff4885f4e5d6401d44e..5ebc1fd2b8b0d01fd87b8079cf6faec37a2222bd 100644 (file)
@@ -1,3 +1,17 @@
+2009-12-07  Kenneth Russell  <kbr@google.com>
+
+        Reviewed by Dimitri Glazkov.
+
+        [v8] WebCore::WebGLArrayBufferInternal::byteLengthAttrGetter NULL pointer
+        https://bugs.webkit.org/show_bug.cgi?id=31889
+
+        Fixed bug in handling of zero-argument constructor call.
+
+        Test: fast/canvas/webgl/bug-31889.html
+
+        * fast/canvas/webgl/bug-31889-expected.txt: Added.
+        * fast/canvas/webgl/bug-31889.html: Added.
+
 2009-12-07  Gustavo Noronha Silva  <gustavo.noronha@collabora.co.uk>
 
         Unreviewed. Landing files I forgot to add to my working copy
diff --git a/LayoutTests/fast/canvas/webgl/bug-31889-expected.txt b/LayoutTests/fast/canvas/webgl/bug-31889-expected.txt
new file mode 100644 (file)
index 0000000..2255193
--- /dev/null
@@ -0,0 +1,9 @@
+Regression test for https://bugs.webkit.org/show_bug.cgi?id=31889 : [v8] WebCore::WebGLArrayBufferInternal::byteLengthAttrGetter NULL pointer
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+PASS new WebGLArrayBuffer().byteLength did not crash
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/fast/canvas/webgl/bug-31889.html b/LayoutTests/fast/canvas/webgl/bug-31889.html
new file mode 100644 (file)
index 0000000..eba1de7
--- /dev/null
@@ -0,0 +1,28 @@
+<html>
+<head>
+<link rel="stylesheet" href="../../js/resources/js-test-style.css"/>
+<script src="../../js/resources/js-test-pre.js"></script>
+<script src="resources/webgl-test.js"></script>
+</head>
+<body>
+<div id="description"></div>
+<div id="console"></div>
+
+<script>
+
+description('Regression test for <a href="https://bugs.webkit.org/show_bug.cgi?id=31889">https://bugs.webkit.org/show_bug.cgi?id=31889</a> : <code>[v8] WebCore::WebGLArrayBufferInternal::byteLengthAttrGetter NULL pointer</code>');
+
+<!-- The following used to cause a crash in Chrome -->
+new WebGLArrayBuffer().byteLength;
+
+testPassed("new WebGLArrayBuffer().byteLength did not crash");
+successfullyParsed = true;
+
+</script>
+<script src="../../js/resources/js-test-post.js"></script>
+
+<script>
+</script>
+
+</body>
+</html>
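Review bot: the `<!-- The following used to cause a crash in Chrome -->` line sits inside a `<script>` element, so it is parsed as JavaScript, not HTML; it only works because engines accept `<!--` as an HTML-like single-line comment, and a plain `// The following used to cause a crash in Chrome` is the conventional form. The test also asserts only that the expression did not crash; since the fix defines the zero-argument result as a zero-length buffer, a `shouldBe("new WebGLArrayBuffer().byteLength", "0")` check alongside `testPassed` would pin down that behaviour too. The empty `<script></script>` block after js-test-post.js can be dropped.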
index f2cd7a1d7698b3e473865dc0d427a8461c995bb1..f4178cf5d1a68a21e13ed081e753352919dbc78a 100644 (file)
@@ -1,3 +1,17 @@
+2009-12-07  Kenneth Russell  <kbr@google.com>
+
+        Reviewed by Dimitri Glazkov.
+
+        [v8] WebCore::WebGLArrayBufferInternal::byteLengthAttrGetter NULL pointer
+        https://bugs.webkit.org/show_bug.cgi?id=31889
+
+        Fixed bug in handling of zero-argument constructor call.
+
+        Test: fast/canvas/webgl/bug-31889.html
+
+        * bindings/v8/custom/V8WebGLArrayBufferCustom.cpp:
+        (WebCore::CALLBACK_FUNC_DECL):
+
 2009-12-07  Gyuyoung Kim  <gyuyoung@gmail.com>
 
         Reviewed by Eric Seidel.
index 699667edf7bffc7194386f165b997aa18cef3986..16a1f5188f3de04b1336174cebafdbeaa65bbbe1 100644 (file)
@@ -48,28 +48,31 @@ CALLBACK_FUNC_DECL(WebGLArrayBufferConstructor)
     if (!args.IsConstructCall())
         return throwError("DOM object constructor cannot be called as a function.");
 
-    int argLen = args.Length();
-    if (argLen == 0) {
-        // This happens when we return a previously constructed
-        // WebGLArrayBuffer, e.g. from the call to WebGLArray.buffer.
-        // The V8DOMWrapper will set the internal pointer in the
-        // created object. Unfortunately it doesn't look like it's
-        // possible to distinguish between this case and that where
-        // the user calls "new WebGLArrayBuffer()" from JavaScript.
-        return args.Holder();
-    }
+    // If we return a previously constructed WebGLArrayBuffer,
+    // e.g. from the call to WebGLArray.buffer, this code is called
+    // with a zero-length argument list. The V8DOMWrapper will then
+    // set the internal pointer in the newly-created object.
+    // Unfortunately it doesn't look like it's possible to distinguish
+    // between this case and that where the user calls "new
+    // WebGLArrayBuffer()" from JavaScript. To guard against problems,
+    // we always create at least a zero-length WebGLArrayBuffer, even
+    // if it is immediately overwritten by the V8DOMWrapper.
 
     // Supported constructors:
     // WebGLArrayBuffer(n) where n is an integer:
     //   -- create an empty buffer of n bytes
 
-    if (argLen != 1)
+    int argLen = args.Length();
+    if (argLen > 1)
         return throwError("Wrong number of arguments specified to constructor (requires 1)");
 
     int len = 0;
-    if (!args[0]->IsInt32())
-        return throwError("Argument to WebGLArrayBuffer constructor was not an integer");
-    len = toInt32(args[0]);
+    if (argLen > 0) {
+        if (!args[0]->IsInt32())
+            return throwError("Argument to WebGLArrayBuffer constructor was not an integer");
+        len = toInt32(args[0]);
+    }
+
     RefPtr<WebGLArrayBuffer> buffer = WebGLArrayBuffer::create(len);
     // Transform the holder into a wrapper object for the array.
     V8DOMWrapper::setDOMWrapper(args.Holder(), V8ClassIndex::ToInt(V8ClassIndex::WEBGLARRAYBUFFER), buffer.get());
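Review bot: the error text `"Wrong number of arguments specified to constructor (requires 1)"` is now stale, because the new `argLen > 1` check deliberately accepts zero arguments; reword it to something like `(requires 0 or 1)` so the message matches the accepted arities. Separately, `IsInt32()` accepts negative values and nothing visible in this hunk rejects `len < 0` before `WebGLArrayBuffer::create(len)` is called; an explicit `if (len < 0) return throwError("Length of WebGLArrayBuffer must not be negative");` inside the `argLen > 0` branch would keep a bad length from reaching the allocation path. The rewritten comment block is clearer than the old one about why a zero-length buffer is always created.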