[SCM] WebKit Debian packaging branch, webkit-1.2, updated. upstream/1.1.90-6072-g9a69373

eric at webkit.org eric at webkit.org
Wed Apr 7 23:09:12 UTC 2010


The following commit has been merged in the webkit-1.2 branch:
commit f1b11a58333b9b8da2eabc424d2a3625a34552cd
Author: eric at webkit.org <eric at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Tue Oct 27 18:03:20 2009 +0000

    2009-10-27  Mads Ager  <ager at chromium.org>
    
            Reviewed by Adam Barth.
    
            [V8] Missing null check after string conversion in error reporting
            https://bugs.webkit.org/show_bug.cgi?id=30774
    
            Test case for toString conversion failure on an error object in
            stack overflow situations.  Test passes if it doesn't crash.
    
            * fast/dom/error-to-string-stack-overflow-expected.txt: Added.
            * fast/dom/error-to-string-stack-overflow.html: Added.
    2009-10-27  Mads Ager  <ager at chromium.org>
    
            Reviewed by Adam Barth.
    
            [V8] Missing null check after string conversion in error reporting
            https://bugs.webkit.org/show_bug.cgi?id=30774
    
            Add null check after string conversion in error reporting code.
            ToString conversion can fail for instance when an exception is
            thrown during conversion.
    
            Test: fast/dom/error-to-string-stack-overflow.html
    
            * bindings/v8/V8Utilities.cpp:
            (WebCore::reportException):
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@50160 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index cebf518..1709dba 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,16 @@
+2009-10-27  Mads Ager  <ager at chromium.org>
+
+        Reviewed by Adam Barth.
+
+        [V8] Missing null check after string conversion in error reporting
+        https://bugs.webkit.org/show_bug.cgi?id=30774
+
+        Test case for toString conversion failure on an error object in
+        stack overflow situations.  Test passes if it doesn't crash.
+        
+        * fast/dom/error-to-string-stack-overflow-expected.txt: Added.
+        * fast/dom/error-to-string-stack-overflow.html: Added.
+
 2009-10-27  Brady Eidson  <beidson at apple.com>
 
         Rubberstamped by Sam Weinig.
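Review bot: The blank line between the description paragraph and the file list in the new entry ("+        ") carries trailing whitespace, unlike the other blank lines in the same entry, which are empty. Strip it so the ChangeLog stays consistent with the WebCore/ChangeLog entry in this patch.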
diff --git a/LayoutTests/fast/dom/error-to-string-stack-overflow-expected.txt b/LayoutTests/fast/dom/error-to-string-stack-overflow-expected.txt
new file mode 100644
index 0000000..93083b7
--- /dev/null
+++ b/LayoutTests/fast/dom/error-to-string-stack-overflow-expected.txt
@@ -0,0 +1,10 @@
+CONSOLE MESSAGE: line 17: 
+Regression test for https://bugs.webkit.org/show_bug.cgi?id=30774. This test passes if it doesn't crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
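Review bot: The first expected line, "CONSOLE MESSAGE: line 17: ", records a line number, yet in the visible lines of the V8Utilities.cpp hunk lineNumber is assigned only in the else branch, so please confirm that this test actually reaches the new message.IsEmpty() path rather than the message->Get() path. The same line ends in a space after the colon, which a whitespace-stripping editor would silently break. A sentence in the test description saying that the empty console message is intentional would make the expectation easier to maintain.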
diff --git a/LayoutTests/fast/dom/error-to-string-stack-overflow.html b/LayoutTests/fast/dom/error-to-string-stack-overflow.html
new file mode 100644
index 0000000..2fbcdb0
--- /dev/null
+++ b/LayoutTests/fast/dom/error-to-string-stack-overflow.html
@@ -0,0 +1,23 @@
+<html>
+<head>
+<link rel="stylesheet" href="../js/resources/js-test-style.css">
+<script src="../js/resources/js-test-pre.js"></script>
+</head>
+<body onload='load()'>
+<p id="description"></p>
+<div id="console"></div>
+
+<script>
+description("Regression test for https://bugs.webkit.org/show_bug.cgi?id=30774.  This test passes if it doesn't crash.");
+
+// Force string conversion of error objects to throw exceptions.
+Error.prototype.toString = function() { throw 0; }
+
+// Force a stack-overflow in the onload handler.
+function load() { load(); }
+
+var successfullyParsed = true;
+</script>
+<script src="../js/resources/js-test-post.js"></script>
+</body>
+</html>
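Review bot: The two setup comments in the script say what each line forces but not why both are needed together, so a reader cannot tell which one reproduces bug 30774. Add a line explaining that the exception raised by the recursive load() is what reportException has to stringify, and that the throwing Error.prototype.toString is what makes that conversion fail. Minor: the function-expression assignment to Error.prototype.toString is missing its terminating semicolon.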
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 895448f..70ccf77 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,19 @@
+2009-10-27  Mads Ager  <ager at chromium.org>
+
+        Reviewed by Adam Barth.
+
+        [V8] Missing null check after string conversion in error reporting
+        https://bugs.webkit.org/show_bug.cgi?id=30774
+
+        Add null check after string conversion in error reporting code.
+        ToString conversion can fail for instance when an exception is
+        thrown during conversion.
+
+        Test: fast/dom/error-to-string-stack-overflow.html
+
+        * bindings/v8/V8Utilities.cpp:
+        (WebCore::reportException):
+
 2009-10-27  Steve Block  <steveblock at google.com>
 
         Reviewed by Darin Adler.
diff --git a/WebCore/bindings/v8/V8Utilities.cpp b/WebCore/bindings/v8/V8Utilities.cpp
index a66f435..ecac358 100644
--- a/WebCore/bindings/v8/V8Utilities.cpp
+++ b/WebCore/bindings/v8/V8Utilities.cpp
@@ -135,9 +135,13 @@ void reportException(ScriptState* scriptState, v8::TryCatch& exceptionCatcher)
 
     // There can be a situation that an exception is thrown without setting a message.
     v8::Local<v8::Message> message = exceptionCatcher.Message();
-    if (message.IsEmpty())
-        errorMessage = toWebCoreString(exceptionCatcher.Exception()->ToString());
-    else {
+    if (message.IsEmpty()) {
+        v8::Local<v8::String> exceptionString = exceptionCatcher.Exception()->ToString();
+        // Conversion of the exception object to string can fail if an
+        // exception is thrown during conversion.
+        if (!exceptionString.IsEmpty())
+            errorMessage = toWebCoreString(exceptionString);
+    } else {
         errorMessage = toWebCoreString(message->Get());
         lineNumber = message->GetLineNumber();
         sourceURL = toWebCoreString(message->GetScriptResourceName());
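Review bot: When exceptionString.IsEmpty() is true, the new branch leaves errorMessage at whatever value it had before this block, so the failure is reported with no text, which matches the blank console message in this patch's expected output. Consider assigning a fixed fallback message in that case so the console entry can be told apart from an error whose string form is genuinely empty. The branch also still dereferences exceptionCatcher.Exception() without checking the handle. If callers guarantee that an exception was caught, an assertion to that effect at the top of the function would document it.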

-- 
WebKit Debian packaging


