Changeset 140892 in webkit
- Timestamp:
- Jan 25, 2013 5:38:05 PM (11 years ago)
- Location:
- trunk/Source/WebCore
- Files:
-
- 9 edited
trunk/Source/WebCore/ChangeLog
r140891 r140892 1 2013-01-25 Kentaro Hara <haraken@chromium.org> 2 3 Keep a RefPtr<SerializedScriptValue*> when we call serialize()/deserialize() in code generators 4 https://bugs.webkit.org/show_bug.cgi?id=107902 5 6 Reviewed by Abhishek Arya. 7 8 If you use a raw SerializedScriptValue* for serialize()/deserialize(), 9 it can potentially cause a use-after-free. This is because serialize()/ 10 deserialize() can destruct a RefPtr of the SerializedScriptValue*, 11 depending on data that is serialized/deserialized. So we should keep a 12 RefPtr<SerializedScriptValue*> when we call serialize()/deserialize(). 13 (See https://bugs.webkit.org/show_bug.cgi?id=107792 for more details.) 14 15 No tests. This is just a just-in-case fix. 16 17 * Modules/intents/Intent.h: 18 (WebCore::Intent::data): 19 * Modules/intents/IntentRequest.cpp: 20 (WebCore::IntentRequest::postResult): 21 (WebCore::IntentRequest::postFailure): 22 * Modules/intents/IntentRequest.h: 23 (IntentRequest): 24 * Modules/intents/IntentResultCallback.h: 25 (IntentResultCallback): 26 * bindings/scripts/CodeGeneratorJS.pm: 27 (GetNativeTypeForCallbacks): 28 * bindings/scripts/CodeGeneratorV8.pm: 29 (GenerateNormalAttrGetter): 30 (GetNativeTypeForCallbacks): 31 * bindings/scripts/test/V8/V8TestSerializedScriptValueInterface.cpp: 32 (WebCore::TestSerializedScriptValueInterfaceV8Internal::cachedValueAttrGetter): 33 (WebCore::TestSerializedScriptValueInterfaceV8Internal::cachedReadonlyValueAttrGetter): 34 * dom/MessagePortChannel.h: 35 (WebCore::MessagePortChannel::EventData::message): 36 1 37 2013-01-25 Kentaro Hara <haraken@chromium.org> 2 38 -
trunk/Source/WebCore/Modules/intents/Intent.h
r119508 r140892 37 37 #include "MessagePortChannel.h" 38 38 #include "ScriptState.h" 39 #include "SerializedScriptValue.h" 39 40 #include <wtf/Forward.h> 40 41 #include <wtf/PassRefPtr.h> … … 45 46 46 47 namespace WebCore { 47 48 class SerializedScriptValue;49 48 50 49 typedef int ExceptionCode; … … 59 58 const String& action() const { return m_action; } 60 59 const String& type() const { return m_type; } 61 SerializedScriptValue* data() const { return m_data.get(); }60 PassRefPtr<SerializedScriptValue> data() const { return m_data; } 62 61 63 62 MessagePortChannelArray* messagePorts() const { return m_ports.get(); } -
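Review bot: `PassRefPtr<SerializedScriptValue> data() const { return m_data; }` uses PassRefPtr as the return type of an accessor that keeps owning `m_data`, which in WebKit is the ownership-transfer idiom rather than a getter; `EventData::message()` in MessagePortChannel.h makes the same change. Returning `m_data` copies the RefPtr, so every call refs and derefs the value even when the caller only peeks, and readers may assume the member has been released. Since the generated V8 getter already binds the result into a `RefPtr<SerializedScriptValue> serialized`, the accessor could keep returning the raw pointer: the caller's local RefPtr is what protects deserialize(), not the return type. If the PassRefPtr return is kept, a comment on the accessor would help, e.g. `// Returned as PassRefPtr so callers hold a ref across serialize()/deserialize(), which may drop the last reference.`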
trunk/Source/WebCore/Modules/intents/IntentRequest.cpp
r108724 r140892 70 70 } 71 71 72 void IntentRequest::postResult( SerializedScriptValue*data)72 void IntentRequest::postResult(PassRefPtr<SerializedScriptValue> data) 73 73 { 74 74 if (m_stopped) … … 87 87 } 88 88 89 void IntentRequest::postFailure( SerializedScriptValue*data)89 void IntentRequest::postFailure(PassRefPtr<SerializedScriptValue> data) 90 90 { 91 91 if (m_stopped) -
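Review bot: `postResult(PassRefPtr<SerializedScriptValue> data)` and `postFailure(PassRefPtr<SerializedScriptValue> data)` take the value as a PassRefPtr, and a PassRefPtr is emptied the first time it is copied into another PassRefPtr or RefPtr, so any second use of `data` in the body would see null; both bodies continue outside the hunk, so I cannot confirm how many times `data` is used. The safer pattern is to adopt it into a local on entry, `RefPtr<SerializedScriptValue> result = data;`, and use `result` thereafter. That also makes the reference that keeps the value alive across the callback explicit in this function rather than relying on the callback's signature.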
trunk/Source/WebCore/Modules/intents/IntentRequest.h
r108724 r140892 48 48 Intent* intent() { return m_intent.get(); } 49 49 50 void postResult( SerializedScriptValue*);51 void postFailure( SerializedScriptValue*);50 void postResult(PassRefPtr<SerializedScriptValue>); 51 void postFailure(PassRefPtr<SerializedScriptValue>); 52 52 53 53 virtual void contextDestroyed() OVERRIDE; -
trunk/Source/WebCore/Modules/intents/IntentResultCallback.h
r104531 r140892 42 42 public: 43 43 virtual ~IntentResultCallback() { } 44 virtual bool handleEvent( SerializedScriptValue*result) = 0;44 virtual bool handleEvent(PassRefPtr<SerializedScriptValue> result) = 0; 45 45 }; 46 46 -
trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm
r140884 r140892 3093 3093 { 3094 3094 my $type = shift; 3095 return " SerializedScriptValue*" if $type eq "SerializedScriptValue";3095 return "PassRefPtr<SerializedScriptValue>" if $type eq "SerializedScriptValue"; 3096 3096 return "PassRefPtr<DOMStringList>" if $type eq "DOMStringList"; 3097 3097 -
trunk/Source/WebCore/bindings/scripts/CodeGeneratorV8.pm
r140884 r140892 1112 1112 my $getterFunc = $codeGenerator->WK_lcfirst($attribute->signature->name); 1113 1113 push(@implContentDecls, <<END); 1114 SerializedScriptValue*serialized = imp->${getterFunc}();1114 RefPtr<SerializedScriptValue> serialized = imp->${getterFunc}(); 1115 1115 value = serialized ? serialized->deserialize() : v8::Handle<v8::Value>(v8Null(info.GetIsolate())); 1116 1116 info.Holder()->SetHiddenValue(propertyName, value); … … 3749 3749 my $type = shift; 3750 3750 return "const String&" if $type eq "DOMString"; 3751 return " SerializedScriptValue*" if $type eq "SerializedScriptValue";3751 return "PassRefPtr<SerializedScriptValue>" if $type eq "SerializedScriptValue"; 3752 3752 3753 3753 # Callbacks use raw pointers, so pass isParameter = 1 -
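Review bot: The comment `# Callbacks use raw pointers, so pass isParameter = 1` that directly follows the changed `return "PassRefPtr<SerializedScriptValue>"` line is now misleading, because callbacks no longer receive a raw SerializedScriptValue* for that type. Suggest rewording it to `# Remaining callback types use raw pointers, so pass isParameter = 1` so a later reader does not "fix" the PassRefPtr case back to a pointer. The earlier hunk at line 1114 holds the actual protection, `RefPtr<SerializedScriptValue> serialized = imp->${getterFunc}();`; a one-line comment in the generated code stating that deserialize() may release the object's last reference would explain why the local is a RefPtr rather than a raw pointer.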
trunk/Source/WebCore/bindings/scripts/test/V8/V8TestSerializedScriptValueInterface.cpp
r140883 r140892 72 72 return value; 73 73 TestSerializedScriptValueInterface* imp = V8TestSerializedScriptValueInterface::toNative(info.Holder()); 74 SerializedScriptValue*serialized = imp->cachedValue();74 RefPtr<SerializedScriptValue> serialized = imp->cachedValue(); 75 75 value = serialized ? serialized->deserialize() : v8::Handle<v8::Value>(v8Null(info.GetIsolate())); 76 76 info.Holder()->SetHiddenValue(propertyName, value); … … 107 107 return value; 108 108 TestSerializedScriptValueInterface* imp = V8TestSerializedScriptValueInterface::toNative(info.Holder()); 109 SerializedScriptValue*serialized = imp->cachedReadonlyValue();109 RefPtr<SerializedScriptValue> serialized = imp->cachedReadonlyValue(); 110 110 value = serialized ? serialized->deserialize() : v8::Handle<v8::Value>(v8Null(info.GetIsolate())); 111 111 info.Holder()->SetHiddenValue(propertyName, value); -
trunk/Source/WebCore/dom/MessagePortChannel.h
r127757 r140892 83 83 static PassOwnPtr<EventData> create(PassRefPtr<SerializedScriptValue>, PassOwnPtr<MessagePortChannelArray>); 84 84 85 SerializedScriptValue* message() { return m_message.get(); }85 PassRefPtr<SerializedScriptValue> message() { return m_message; } 86 86 PassOwnPtr<MessagePortChannelArray> channels() { return m_channels.release(); } 87 87