Changeset 136064 in webkit


Timestamp:
Nov 28, 2012 2:57:17 PM (11 years ago)
Author:
kareng@chromium.org
Message:

Merge 135804 - Check for empty perContextData while creating NP V8 Object.
https://bugs.webkit.org/show_bug.cgi?id=98448

Patch by Istiaque Ahmed <lazyboy@chromium.org> on 2012-11-26
Reviewed by Adam Barth.

Fixes a crash in npCreateV8ScriptObject(): if NP Invoke is called from a document
that is no longer displayed in a frame (isCurrentlyDisplayedInFrame() ==
false), perContextData is null, and dereferencing it results in an invalid memory access.

Source/WebCore:

Test: platform/chromium/plugins/empty-per-context-data.html

  • bindings/v8/NPV8Object.cpp:

(WebCore::npCreateV8ScriptObject):

LayoutTests:

  • platform/chromium/plugins/empty-per-context-data-expected.txt: Added.
  • platform/chromium/plugins/empty-per-context-data.html: Added.
  • platform/chromium/plugins/resources/script-container.html: Added.

TBR=commit-queue@webkit.org
Review URL: https://codereview.chromium.org/11411245

Location:
branches/chromium/1312
Files:
1 edited
3 copied

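--- a/branches/chromium/1312/Source/WebCore/bindings/v8/NPV8Object.cpp
+++ b/branches/chromium/1312/Source/WebCore/bindings/v8/NPV8Object.cpp
@@ -144,27 +144,31 @@
     }
 
-    int v8ObjectHash = object->GetIdentityHash();
-    ASSERT(v8ObjectHash);
-    V8NPObjectMap* v8NPObjectMap = V8PerContextData::from(object->CreationContext())->v8NPObjectMap();
-    V8NPObjectMap::iterator iter = v8NPObjectMap->find(v8ObjectHash);
-    if (iter != v8NPObjectMap->end()) {
-        V8NPObjectVector& objects = iter->value;
-        for (size_t index = 0; index < objects.size(); ++index) {
-            V8NPObject* v8npObject = objects.at(index);
-            if (v8npObject->rootObject == root) {
-                ASSERT(v8npObject->v8Object == object);
-                _NPN_RetainObject(&v8npObject->object);
-                return reinterpret_cast<NPObject*>(v8npObject);
+    V8NPObjectVector* objectVector = 0;
+    if (V8PerContextData* perContextData = V8PerContextData::from(object->CreationContext())) {
+        int v8ObjectHash = object->GetIdentityHash();
+        ASSERT(v8ObjectHash);
+        V8NPObjectMap* v8NPObjectMap = perContextData->v8NPObjectMap();
+        V8NPObjectMap::iterator iter = v8NPObjectMap->find(v8ObjectHash);
+        if (iter != v8NPObjectMap->end()) {
+            V8NPObjectVector& objects = iter->value;
+            for (size_t index = 0; index < objects.size(); ++index) {
+                V8NPObject* v8npObject = objects.at(index);
+                if (v8npObject->rootObject == root) {
+                    ASSERT(v8npObject->v8Object == object);
+                    _NPN_RetainObject(&v8npObject->object);
+                    return reinterpret_cast<NPObject*>(v8npObject);
+                }
             }
+        } else {
+            iter = v8NPObjectMap->set(v8ObjectHash, V8NPObjectVector()).iterator;
+            objectVector = &iter->value;
         }
-    } else {
-        iter = v8NPObjectMap->set(v8ObjectHash, V8NPObjectVector()).iterator;
-    }
-
+    }
     V8NPObject* v8npObject = reinterpret_cast<V8NPObject*>(_NPN_CreateObject(npp, &V8NPObjectClass));
     v8npObject->v8Object = v8::Persistent<v8::Object>::New(object);
     v8npObject->rootObject = root;
 
-    iter->value.append(v8npObject);
+    if (objectVector)
+        objectVector->append(v8npObject);
 
     return reinterpret_cast<NPObject*>(v8npObject);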
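Review bot: The new code sets objectVector only in the else branch (hash not yet in the map), so when the hash is found but no existing entry has a matching rootObject, the freshly created V8NPObject is never appended to the vector, whereas the removed `iter->value.append(v8npObject);` appended unconditionally. The object is then returned untracked even though perContextData is valid, so a later call for the same (object, root) pair will allocate another copy, and any teardown that looks the object up by hash in v8NPObjectMap will presumably not find it. Move the assignment out of the else so it runs whenever perContextData is non-null: `} else` / `iter = v8NPObjectMap->set(v8ObjectHash, V8NPObjectVector()).iterator;` / `objectVector = &iter->value;` placed after the closing brace of the if/else. The null-perContextData path now also returns an object absent from the map, so whatever frees V8NPObjects (outside this hunk) should tolerate a missing map entry or a null V8PerContextData::from() result rather than assert on it. npCreateV8ScriptObject begins before and ends after this hunk.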