Changeset 140892 in webkit

Timestamp:

Jan 25, 2013 5:38:05 PM (11 years ago)

Author:

haraken@chromium.org

Message:

Keep a RefPtr<SerializedScriptValue*> when we call serialize()/deserialize() in code generators
​https://bugs.webkit.org/show_bug.cgi?id=107902

Reviewed by Abhishek Arya.

If you use a raw SerializedScriptValue* for serialize()/deserialize(),
it can potentially cause a use-after-free. This is because serialize()/
deserialize() can destruct a RefPtr of the SerializedScriptValue*,
depending on data that is serialized/deserialized. So we should keep a
RefPtr<SerializedScriptValue*> when we call serialize()/deserialize().
(See ​https://bugs.webkit.org/show_bug.cgi?id=107792 for more details.)

No tests. This is just a just-in-case fix.

• Modules/intents/Intent.h:

(WebCore::Intent::data):

• Modules/intents/IntentRequest.cpp:

(WebCore::IntentRequest::postResult):
(WebCore::IntentRequest::postFailure):

• Modules/intents/IntentRequest.h:

(IntentRequest):

• Modules/intents/IntentResultCallback.h:

(IntentResultCallback):

• bindings/scripts/CodeGeneratorJS.pm:

(GetNativeTypeForCallbacks):

• bindings/scripts/CodeGeneratorV8.pm:

(GenerateNormalAttrGetter):
(GetNativeTypeForCallbacks):

• bindings/scripts/test/V8/V8TestSerializedScriptValueInterface.cpp:

(WebCore::TestSerializedScriptValueInterfaceV8Internal::cachedValueAttrGetter):
(WebCore::TestSerializedScriptValueInterfaceV8Internal::cachedReadonlyValueAttrGetter):

• dom/MessagePortChannel.h:

(WebCore::MessagePortChannel::EventData::message):

Location:

trunk/Source/WebCore

Files:

• ChangeLog (modified) (1 diff)
• Modules/intents/Intent.h (modified) (3 diffs)
• Modules/intents/IntentRequest.cpp (modified) (2 diffs)
• Modules/intents/IntentRequest.h (modified) (1 diff)
• Modules/intents/IntentResultCallback.h (modified) (1 diff)
• bindings/scripts/CodeGeneratorJS.pm (modified) (1 diff)
• bindings/scripts/CodeGeneratorV8.pm (modified) (2 diffs)
• bindings/scripts/test/V8/V8TestSerializedScriptValueInterface.cpp (modified) (2 diffs)
• dom/MessagePortChannel.h (modified) (1 diff)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2013-01-25  Kentaro Hara  <haraken@chromium.org>
+
+        Keep a RefPtr<SerializedScriptValue*> when we call serialize()/deserialize() in code generators
+        https://bugs.webkit.org/show_bug.cgi?id=107902
+
+        Reviewed by Abhishek Arya.
+
+        If you use a raw SerializedScriptValue* for serialize()/deserialize(),
+        it can potentially cause a use-after-free. This is because serialize()/
+        deserialize() can destruct a RefPtr of the SerializedScriptValue*,
+        depending on data that is serialized/deserialized. So we should keep a
+        RefPtr<SerializedScriptValue*> when we call serialize()/deserialize().
+        (See https://bugs.webkit.org/show_bug.cgi?id=107792 for more details.)
+
+        No tests. This is just a just-in-case fix.
+
+        * Modules/intents/Intent.h:
+        (WebCore::Intent::data):
+        * Modules/intents/IntentRequest.cpp:
+        (WebCore::IntentRequest::postResult):
+        (WebCore::IntentRequest::postFailure):
+        * Modules/intents/IntentRequest.h:
+        (IntentRequest):
+        * Modules/intents/IntentResultCallback.h:
+        (IntentResultCallback):
+        * bindings/scripts/CodeGeneratorJS.pm:
+        (GetNativeTypeForCallbacks):
+        * bindings/scripts/CodeGeneratorV8.pm:
+        (GenerateNormalAttrGetter):
+        (GetNativeTypeForCallbacks):
+        * bindings/scripts/test/V8/V8TestSerializedScriptValueInterface.cpp:
+        (WebCore::TestSerializedScriptValueInterfaceV8Internal::cachedValueAttrGetter):
+        (WebCore::TestSerializedScriptValueInterfaceV8Internal::cachedReadonlyValueAttrGetter):
+        * dom/MessagePortChannel.h:
+        (WebCore::MessagePortChannel::EventData::message):
+
 2013-01-25  Kentaro Hara  <haraken@chromium.org>
 

trunk/Source/WebCore/Modules/intents/Intent.h

@@ -37 +37 @@
 #include "MessagePortChannel.h"
 #include "ScriptState.h"
+#include "SerializedScriptValue.h"
 #include <wtf/Forward.h>
 #include <wtf/PassRefPtr.h>
@@ -45 +46 @@
 
 namespace WebCore {
-
-class SerializedScriptValue;
 
 typedef int ExceptionCode;
@@ -59 +58 @@
     const String& action() const { return m_action; }
     const String& type() const { return m_type; }
-    SerializedScriptValue* data() const { return m_data.get(); }
+    PassRefPtr<SerializedScriptValue> data() const { return m_data; }
 
     MessagePortChannelArray* messagePorts() const { return m_ports.get(); }

trunk/Source/WebCore/Modules/intents/IntentRequest.cpp

@@ -70 +70 @@
 }
 
-void IntentRequest::postResult(SerializedScriptValue* data)
+void IntentRequest::postResult(PassRefPtr<SerializedScriptValue> data)
 {
     if (m_stopped)
@@ -87 +87 @@
 }
 
-void IntentRequest::postFailure(SerializedScriptValue* data)
+void IntentRequest::postFailure(PassRefPtr<SerializedScriptValue> data)
 {
     if (m_stopped)

trunk/Source/WebCore/Modules/intents/IntentRequest.h

@@ -48 +48 @@
     Intent* intent() { return m_intent.get(); }
 
-    void postResult(SerializedScriptValue*);
-    void postFailure(SerializedScriptValue*);
+    void postResult(PassRefPtr<SerializedScriptValue>);
+    void postFailure(PassRefPtr<SerializedScriptValue>);
 
     virtual void contextDestroyed() OVERRIDE;

trunk/Source/WebCore/Modules/intents/IntentResultCallback.h

@@ -42 +42 @@
 public:
     virtual ~IntentResultCallback() { }
-    virtual bool handleEvent(SerializedScriptValue* result) = 0;
+    virtual bool handleEvent(PassRefPtr<SerializedScriptValue> result) = 0;
 };
 

trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm

@@ -3093 +3093 @@
 {
     my $type = shift;
-    return "SerializedScriptValue*" if $type eq "SerializedScriptValue";
+    return "PassRefPtr<SerializedScriptValue>" if $type eq "SerializedScriptValue";
     return "PassRefPtr<DOMStringList>" if $type eq "DOMStringList";
 

trunk/Source/WebCore/bindings/scripts/CodeGeneratorV8.pm

@@ -1112 +1112 @@
         my $getterFunc = $codeGenerator->WK_lcfirst($attribute->signature->name);
         push(@implContentDecls, <<END);
-    SerializedScriptValue* serialized = imp->${getterFunc}();
+    RefPtr<SerializedScriptValue> serialized = imp->${getterFunc}();
     value = serialized ? serialized->deserialize() : v8::Handle<v8::Value>(v8Null(info.GetIsolate()));
     info.Holder()->SetHiddenValue(propertyName, value);
@@ -3749 +3749 @@
     my $type = shift;
     return "const String&" if $type eq "DOMString";
-    return "SerializedScriptValue*" if $type eq "SerializedScriptValue";
+    return "PassRefPtr<SerializedScriptValue>" if $type eq "SerializedScriptValue";
 
     # Callbacks use raw pointers, so pass isParameter = 1

trunk/Source/WebCore/bindings/scripts/test/V8/V8TestSerializedScriptValueInterface.cpp

@@ -72 +72 @@
         return value;
     TestSerializedScriptValueInterface* imp = V8TestSerializedScriptValueInterface::toNative(info.Holder());
-    SerializedScriptValue* serialized = imp->cachedValue();
+    RefPtr<SerializedScriptValue> serialized = imp->cachedValue();
     value = serialized ? serialized->deserialize() : v8::Handle<v8::Value>(v8Null(info.GetIsolate()));
     info.Holder()->SetHiddenValue(propertyName, value);
@@ -107 +107 @@
         return value;
     TestSerializedScriptValueInterface* imp = V8TestSerializedScriptValueInterface::toNative(info.Holder());
-    SerializedScriptValue* serialized = imp->cachedReadonlyValue();
+    RefPtr<SerializedScriptValue> serialized = imp->cachedReadonlyValue();
     value = serialized ? serialized->deserialize() : v8::Handle<v8::Value>(v8Null(info.GetIsolate()));
     info.Holder()->SetHiddenValue(propertyName, value);

trunk/Source/WebCore/dom/MessagePortChannel.h

@@ -83 +83 @@
             static PassOwnPtr<EventData> create(PassRefPtr<SerializedScriptValue>, PassOwnPtr<MessagePortChannelArray>);
 
-            SerializedScriptValue* message() { return m_message.get(); }
+            PassRefPtr<SerializedScriptValue> message() { return m_message; }
             PassOwnPtr<MessagePortChannelArray> channels() { return m_channels.release(); }