2011-02-03 Anton Muhin <antonm@chromium.org>

        Reviewed by Adam Barth.

        [v8] Bail out if to string conversion returned empty handle
        https://bugs.webkit.org/show_bug.cgi?id=53687

        This a temporary measure: actually one probably should never get empty handle
        if there was no exception.  The root cause is under investigation.
        The bailout though allows Chromium not to crash---attempt to convert an empty
        v8 hande into WebCore string crashes with invalid memory access.

        See http://code.google.com/p/chromium/issues/detail?id=71544

        There is no known reduction expressible as a layout test so far.  The crash found with automated testing tools.

        * bindings/v8/V8Binding.cpp:
        (WebCore::v8NonStringValueToWebCoreString): Bail out on empty handle
        * bindings/v8/V8Binding.h:
        (WebCore::V8ParameterBase::prepareBase): Ditto

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77597 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index 3b54b9208f5469edce600eac6517eb5356d9b99c..619ab4475ddd38290ccc320c53bec4f6ac9f31b7 100644 (file)
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,24 @@
+2011-02-03  Anton Muhin  <antonm@chromium.org>
+
+        Reviewed by Adam Barth.
+
+        [v8] Bail out if to string conversion returned empty handle
+        https://bugs.webkit.org/show_bug.cgi?id=53687
+
+        This a temporary measure: actually one probably should never get empty handle
+        if there was no exception.  The root cause is under investigation.
+        The bailout though allows Chromium not to crash---attempt to convert an empty
+        v8 hande into WebCore string crashes with invalid memory access.
+
+        See http://code.google.com/p/chromium/issues/detail?id=71544
+
+        There is no known reduction expressible as a layout test so far.  The crash found with automated testing tools.
+
+        * bindings/v8/V8Binding.cpp:
+        (WebCore::v8NonStringValueToWebCoreString): Bail out on empty handle
+        * bindings/v8/V8Binding.h:
+        (WebCore::V8ParameterBase::prepareBase): Ditto
+
 2011-02-03  Adam Barth  <abarth@webkit.org>
 
         Attempt to fix Chromium build.

diff --git a/Source/WebCore/bindings/v8/V8Binding.cpp b/Source/WebCore/bindings/v8/V8Binding.cpp
index 4ac00a557b207c787ff8dcaa620eee227fb5dc63..2acd29a8e18a789fda185cc7609534c5ad282f17 100644 (file)
--- a/Source/WebCore/bindings/v8/V8Binding.cpp
+++ b/Source/WebCore/bindings/v8/V8Binding.cpp
@@ -413,6 +413,13 @@ String v8NonStringValueToWebCoreString(v8::Handle<v8::Value> object)
         throwError(block.Exception());
         return StringImpl::empty();
     }
+    // This path is unexpected.  However there is hypothesis that it
+    // might be combination of v8 and v8 bindings bugs.  For now
+    // just bailout as we'll crash if attempt to convert empty handle into a string.
+    if (v8String.IsEmpty()) {
+        ASSERT_NOT_REACHED();
+        return StringImpl::empty();
+    }
     return v8StringToWebCoreString<String>(v8String, DoNotExternalize);
 }
 

diff --git a/Source/WebCore/bindings/v8/V8Binding.h b/Source/WebCore/bindings/v8/V8Binding.h
index df92b48c9b32708a63bcdda33766d565208c21ba..7873b54eb7005be78ca52381bb14b11151ed225b 100644 (file)
--- a/Source/WebCore/bindings/v8/V8Binding.h
+++ b/Source/WebCore/bindings/v8/V8Binding.h
@@ -236,6 +236,14 @@ namespace WebCore {
                 return false;
             }
 
+            // This path is unexpected.  However there is hypothesis that it
+            // might be combination of v8 and v8 bindings bugs.  For now
+            // just bailout as we'll crash if attempt to convert empty handle into a string.
+            if (m_v8Object.IsEmpty()) {
+                ASSERT_NOT_REACHED();
+                return false;
+            }
+
             return true;
         }