REGRESSION (r125592): Crash in Console::addMessage, under InjectedBun…

…dle::reportException https://bugs.webkit.org/show_bug.cgi?id=94220 Reviewed by Alexey Proskuryakov. Previously, this code was trying to detect whether a DOMWindow is currently displayed in a Frame by testing whether DOMWindow->scriptExecutionContext is zero. That used to work, but now that DOMWindow->scriptExecutionContext is non-zero for detached DOMWindow, this code doesn't work anymore. This patch replaces the code with the current idiom, which is to call DOMWindow::isCurrentDisplayedInFrame. Alexey and I couldn't figure out how to test this change. This bug causes a crash when some Safari extensions are installed, but it's not clear whether this bug can be triggered from the web platform. We're going to ask Jessie for ideas when she gets back from vacation. * bindings/js/JSDOMBinding.cpp: (WebCore::reportException): Canonical link: https://commits.webkit.org/112163@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@125912 268f45cc-cd09-0410-ab3c-d52691b4dbfc
WebKit · Aug 17, 2012 · 55dc0872527cd70ed7d2df42d6b6a5dff1c09b5c · 55dc087
1 parent 43c0f17
commit 55dc0872527cd70ed7d2df42d6b6a5dff1c09b5c
Showing 2 changed files with 26 additions and 7 deletions.
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
@@ -1,3 +1,26 @@
+2012-08-17  Adam Barth  <abarth@webkit.org>
+
+        REGRESSION (r125592): Crash in Console::addMessage, under InjectedBundle::reportException
+        https://bugs.webkit.org/show_bug.cgi?id=94220
+
+        Reviewed by Alexey Proskuryakov.
+
+        Previously, this code was trying to detect whether a DOMWindow is
+        currently displayed in a Frame by testing whether
+        DOMWindow->scriptExecutionContext is zero. That used to work, but now
+        that DOMWindow->scriptExecutionContext is non-zero for detached
+        DOMWindow, this code doesn't work anymore. This patch replaces the code
+        with the current idiom, which is to call
+        DOMWindow::isCurrentDisplayedInFrame.
+
+        Alexey and I couldn't figure out how to test this change. This bug
+        causes a crash when some Safari extensions are installed, but it's not
+        clear whether this bug can be triggered from the web platform. We're
+        going to ask Jessie for ideas when she gets back from vacation.
+
+        * bindings/js/JSDOMBinding.cpp:
+        (WebCore::reportException):
+
 2012-08-17  Sheriff Bot  <webkit.review.bot@gmail.com>
 
         Unreviewed, rolling out r125892.

diff --git a/Source/WebCore/bindings/js/JSDOMBinding.cpp b/Source/WebCore/bindings/js/JSDOMBinding.cpp
@@ -158,14 +158,10 @@ void reportException(ExecState* exec, JSValue exception)
     if (ExceptionBase* exceptionBase = toExceptionBase(exception))
         errorMessage = stringToUString(exceptionBase->message() + ": "  + exceptionBase->description());
 
-    ScriptExecutionContext* scriptExecutionContext = jsCast<JSDOMGlobalObject*>(exec->lexicalGlobalObject())->scriptExecutionContext();
-
-    // scriptExecutionContext can be null when the relevant global object is a stale inner window object.
-    // It's harmless to return here without reporting the exception to the log and the debugger in this case.
-    if (!scriptExecutionContext)
+    DOMWindow* activeWindow = activeDOMWindow(exec);
+    if (!activeWindow->isCurrentlyDisplayedInFrame())
         return;
-
-    scriptExecutionContext->reportException(ustringToString(errorMessage), lineNumber, ustringToString(exceptionSourceURL), 0);
+    activeWindow->scriptExecutionContext()->reportException(ustringToString(errorMessage), lineNumber, ustringToString(exceptionSourceURL), 0);
 }
 
 void reportCurrentException(ExecState* exec)