Changeset 51312 in webkit

Timestamp:

Nov 23, 2009 11:12:08 AM (14 years ago)

Author:

abarth@webkit.org

Message:

2009-11-23 Adam Barth <​abarth@webkit.org>

Reviewed by Dimitri Glazkov.

[V8] Don't crash when OOM in creating isolated world
​https://bugs.webkit.org/show_bug.cgi?id=31805

We need to add some more null checks to avoid crashing. No new tests
because we don't have a good way to test out-of-memory bugs.

• bindings/v8/V8Proxy.cpp: (WebCore::V8Proxy::evaluateInIsolatedWorld): (WebCore::V8Proxy::evaluateInNewContext): (WebCore::V8Proxy::setInjectedScriptContextDebugId):
• bindings/v8/V8Proxy.h:

Location:

trunk/WebCore

Files:

• ChangeLog (modified) (1 diff)
• bindings/v8/V8Proxy.cpp (modified) (3 diffs)
• bindings/v8/V8Proxy.h (modified) (1 diff)

trunk/WebCore/ChangeLog

@@ +1 @@
+2009-11-23  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Dimitri Glazkov.
+
+        [V8] Don't crash when OOM in creating isolated world
+        https://bugs.webkit.org/show_bug.cgi?id=31805
+
+        We need to add some more null checks to avoid crashing.  No new tests
+        because we don't have a good way to test out-of-memory bugs.
+
+        * bindings/v8/V8Proxy.cpp:
+        (WebCore::V8Proxy::evaluateInIsolatedWorld):
+        (WebCore::V8Proxy::evaluateInNewContext):
+        (WebCore::V8Proxy::setInjectedScriptContextDebugId):
+        * bindings/v8/V8Proxy.h:
+
 2009-11-23  Dirk Schulze  <krit@webkit.org>
 

trunk/WebCore/bindings/v8/V8Proxy.cpp

@@ -312 +312 @@
 
             // Setup context id for JS debugger.
-            setInjectedScriptContextDebugId(world->context());
+            if (!setInjectedScriptContextDebugId(world->context())) {
+                m_isolatedWorlds.take(worldID);
+                delete world;
+                return;
+            }
         }
     } else {
@@ -351 +355 @@
 
     // Setup context id for JS debugger.
-    setInjectedScriptContextDebugId(context);
+    if (!setInjectedScriptContextDebugId(context)) {
+        context.Dispose();
+        return;
+    }
 
     v8::Handle<v8::Object> global = context->Global();
@@ -377 +384 @@
 }
 
-void V8Proxy::setInjectedScriptContextDebugId(v8::Handle<v8::Context> targetContext)
+bool V8Proxy::setInjectedScriptContextDebugId(v8::Handle<v8::Context> targetContext)
 {
     // Setup context id for JS debugger.
     v8::Context::Scope contextScope(targetContext);
     v8::Handle<v8::Object> contextData = v8::Object::New();
-
+    if (contextData.IsEmpty())
+        return false;
+
+    if (m_context.IsEmpty())
+        return false;
     v8::Handle<v8::Value> windowContextData = m_context->GetData();
     if (windowContextData->IsObject()) {
         v8::Handle<v8::String> propertyName = v8::String::New(kContextDebugDataValue);
+        if (propertyName.IsEmpty())
+            return false;
         contextData->Set(propertyName, v8::Object::Cast(*windowContextData)->Get(propertyName));
     }
-    contextData->Set(v8::String::New(kContextDebugDataType), v8::String::New("injected"));
+    v8::Handle<v8::String> propertyName = v8::String::New(kContextDebugDataType);
+    if (propertyName.IsEmpty())
+        return false;
+    contextData->Set(propertyName, v8::String::New("injected"));
     targetContext->SetData(contextData);
+    return true;
 }
 

trunk/WebCore/bindings/v8/V8Proxy.h

@@ -388 +388 @@
         void resetIsolatedWorlds();
 
-        void setInjectedScriptContextDebugId(v8::Handle<v8::Context> targetContext);
+        // Returns false when we're out of memory in V8.
+        bool setInjectedScriptContextDebugId(v8::Handle<v8::Context> targetContext);
 
         static bool canAccessPrivate(DOMWindow*);