Changeset 241300 in webkit
- Timestamp: Feb 12, 2019, 10:21:45 AM
- Location: trunk/Source/WebCore
- Files: 4 edited
trunk/Source/WebCore/ChangeLog
r241299 r241300 1 2019-02-12 Mark Lam <mark.lam@apple.com> 2 3 Add some null checks in JSNodeCustom.h's root() and generated isReachableFromOpaqueRoots() functions. 4 https://bugs.webkit.org/show_bug.cgi?id=194530 5 <rdar://problem/47973274> 6 7 Reviewed by Chris Dumez. 8 9 This is needed to fix a null pointer dereference that arises from the following scenario: 10 1. a Document detaches from its StyleSheetList. 11 2. the JSStyleSheetList that is associated with the detached StyleSheetList has yet 12 to be scanned and collected by the GC. 13 3. the GC eventually looks for the opaque root of the StyleSheetList's owner, and 14 discovers a null owner pointer. 15 16 This patch fixes this issue by applying the following null checks: 17 18 1. Add a null check in JSNodeCustom.h's root(). 19 20 root() is called from a isReachableFromOpaqueRoots() generated by CodeGeneratorJS.pm. 21 isReachableFromOpaqueRoots() calls a ownerNode() method and passes its result 22 to root(). However, depending on which class the ownerNode() method belongs to, 23 it can either return a pointer or a reference. The null check only makes sense 24 in the pointer case. 25 26 To accommodate the 2 forms, root() itself is has an overload that takes a 27 reference instead of a pointer. 28 29 Since CodeGeneratorJS.pm can't tell what the generated class' ownerNode() 30 returns, it can't discern when the result is a pointer and apply the null check. 31 Instead, we just add the null check to the version of root() that takes a 32 pointer. If the node pointer is null, we'll return a null opaque root. 33 34 2. Fix CodeGeneratorJS.pm to null check the opaque root before using it. 35 36 * bindings/js/JSNodeCustom.h: 37 (WebCore::root): 38 * bindings/scripts/CodeGeneratorJS.pm: 39 (GenerateImplementation): 40 * bindings/scripts/test/JS/JSTestGenerateIsReachable.cpp: 41 (WebCore::JSTestGenerateIsReachableOwner::isReachableFromOpaqueRoots): 42 1 43 2019-02-12 Andy Estes <aestes@apple.com> 2 44 -
trunk/Source/WebCore/bindings/js/JSNodeCustom.h
r229416 r241300 1 1 /* 2 * Copyright (C) 2007 , 2009, 2010Apple Inc. All rights reserved.2 * Copyright (C) 2007-2019 Apple Inc. All rights reserved. 3 3 * Copyright (C) 2018 Yusuke Suzuki <utatane.tea@gmail.com>. 4 4 * … … 81 81 inline void* root(Node* node) 82 82 { 83 return node ->opaqueRoot();83 return node ? node->opaqueRoot() : nullptr; 84 84 } 85 85 -
trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm
r240965 r241300 4 4 # Copyright (C) 2006, 2007 Samuel Weinig <sam@webkit.org> 5 5 # Copyright (C) 2006 Alexey Proskuryakov <ap@webkit.org> 6 # Copyright (C) 2006-201 8Apple Inc. All rights reserved.6 # Copyright (C) 2006-2019 Apple Inc. All rights reserved. 7 7 # Copyright (C) 2009 Cameron McCormack <cam@mcc.id.au> 8 8 # Copyright (C) Research In Motion Limited 2010. All rights reserved. … … 4680 4680 4681 4681 push(@implContent, $rootString); 4682 push(@implContent, " return visitor.containsOpaqueRoot(root);\n");4682 push(@implContent, " return root && visitor.containsOpaqueRoot(root);\n"); 4683 4683 } else { 4684 4684 if (!$emittedJSCast) { -
trunk/Source/WebCore/bindings/scripts/test/JS/JSTestGenerateIsReachable.cpp
r240557 r241300 205 205 if (UNLIKELY(reason)) 206 206 *reason = "Reachable from TestGenerateIsReachable"; 207 return visitor.containsOpaqueRoot(root);207 return root && visitor.containsOpaqueRoot(root); 208 208 } 209 209
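Review bot: two typos in the ChangeLog entry (trunk/Source/WebCore/ChangeLog, item 1 of the fix description): "root() itself is has an overload that takes a reference" should read "root() itself has an overload that takes a reference", and "root() is called from a isReachableFromOpaqueRoots()" should read "an isReachableFromOpaqueRoots()". Otherwise the entry is clear about why the null check lives only in the pointer overload of root(), which is the key design point for anyone reading this later.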
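Review bot: the new null-return contract of root(Node*) in JSNodeCustom.h is not documented at the function itself. Since the ChangeLog notes that root() has a reference overload which cannot be null, and the pointer overload now returns nullptr for a null node, consider a one-line comment above `inline void* root(Node* node)` stating that a null node yields a null opaque root and that callers must check the result, so other callers of root(Node*) beyond the generated isReachableFromOpaqueRoots() do not assume a non-null return.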
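Review bot: in CodeGeneratorJS.pm, the change to emit `return root && visitor.containsOpaqueRoot(root);` relies entirely on $rootString having gone through the pointer overload of root(Node*) to produce a null root for a detached owner; a short comment in the generator next to this push explaining that root may be null when the owner has detached (the Document/StyleSheetList case from the ChangeLog) would keep the two halves of the fix from drifting apart if root() or the generated ownerNode() calls are changed later.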
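Review bot: in the generated JSTestGenerateIsReachable.cpp, the `reason` out-parameter is populated with "Reachable from TestGenerateIsReachable" on the lines before the new `return root && visitor.containsOpaqueRoot(root);`, so when root is null the function now returns false while still reporting a reachability reason. This is only a diagnostic inconsistency, but it is produced by the generator for every class using this pattern; consider moving the `*reason = ...` assignment after the null check, or clearing it when root is null, so heap-snapshot or debugging output does not claim reachability for objects the GC will collect.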