Changeset 141783 in webkit

Timestamp:

Feb 4, 2013 10:43:03 AM (11 years ago)

Author:

inferno@chromium.org

Message:

Add ASSERT_WITH_SECURITY_IMPLICATION to detect bad cast in DOM, CSS, etc.
​https://bugs.webkit.org/show_bug.cgi?id=108688

Reviewed by Eric Seidel.

Source/WebCore:

• Modules/notifications/Notification.cpp:

(WebCore::Notification::Notification):
(WebCore::Notification::permission):
(WebCore::Notification::requestPermission):

• Modules/speech/SpeechGrammar.cpp:

(WebCore::SpeechGrammar::setSrc):

• Modules/speech/SpeechGrammarList.cpp:

(WebCore::SpeechGrammarList::addFromUri):

• Modules/websockets/ThreadableWebSocketChannel.cpp:

(WebCore::ThreadableWebSocketChannel::create):

• accessibility/AccessibilityMenuListPopup.cpp:

(WebCore::AccessibilityMenuListPopup::menuListOptionAccessibilityObject):

• accessibility/AccessibilityTable.cpp:

(WebCore::AccessibilityTable::cellForColumnAndRow):

• css/CSSFontFaceRule.cpp:

(WebCore::CSSFontFaceRule::reattach):

• css/CSSImageSetValue.cpp:

(WebCore::CSSImageSetValue::fillImageSet):

• css/CSSPageRule.cpp:

(WebCore::CSSPageRule::reattach):

• css/CSSStyleRule.cpp:

(WebCore::CSSStyleRule::reattach):

• css/StyleBuilder.cpp:

(WebCore::ApplyPropertyFontVariantLigatures::applyValue):
(WebCore::ApplyPropertyTextDecoration::applyValue):
(WebCore::ApplyPropertyZoom::applyValue):

• css/StyleResolver.cpp:

(WebCore::createGridPosition):
(WebCore::StyleResolver::applyProperty):
(WebCore::StyleResolver::createCustomFilterOperationWithInlineSyntax):

• css/WebKitCSSFilterRule.cpp:

(WebCore::WebKitCSSFilterRule::reattach):

• css/WebKitCSSKeyframesRule.cpp:

(WebCore::WebKitCSSKeyframesRule::reattach):

• css/WebKitCSSViewportRule.cpp:

(WebCore::WebKitCSSViewportRule::reattach):

• editing/EditCommand.h:

(WebCore::toSimpleEditCommand):

• editing/visible_units.cpp:

(WebCore::startOfParagraph):
(WebCore::endOfParagraph):

• html/HTMLCollection.cpp:

(WebCore::LiveNodeListBase::setItemCache):

• loader/ThreadableLoader.cpp:

(WebCore::ThreadableLoader::create):
(WebCore::ThreadableLoader::loadResourceSynchronously):

• loader/WorkerThreadableLoader.cpp:

(WebCore::WorkerThreadableLoader::MainThreadBridge::mainThreadCreateLoader):

• page/Frame.cpp:

(WebCore::Frame::frameForWidget):

• platform/RefCountedSupplement.h:

(WebCore::RefCountedSupplement::from):

• rendering/RenderBlock.cpp:

(WebCore::RenderBlock::splitBlocks):
(WebCore::RenderBlock::firstLineBlock):

• rendering/RenderBlockLineLayout.cpp:

(WebCore::RenderBlock::createLineBoxes):

• rendering/RenderBox.cpp:

(WebCore::RenderBox::computeReplacedLogicalHeightUsing):

• rendering/svg/RenderSVGText.cpp:

(WebCore::RenderSVGText::positionForPoint):

• rendering/svg/SVGRootInlineBox.cpp:

(WebCore::SVGRootInlineBox::layoutCharactersInTextBoxes):
(WebCore::SVGRootInlineBox::layoutChildBoxes):

• testing/js/WebCoreTestSupport.cpp:

(WebCoreTestSupport::resetInternalsObject):

• testing/v8/WebCoreTestSupport.cpp:

(WebCoreTestSupport::resetInternalsObject):

• workers/DefaultSharedWorkerRepository.cpp:

(WebCore::SharedWorkerProxy::addToWorkerDocuments):
(WebCore::SharedWorkerConnectTask::performTask):

• workers/SharedWorker.cpp:

(WebCore::SharedWorker::create):

• workers/WorkerContext.cpp:

(WebCore::CloseWorkerContextTask::performTask):

• workers/WorkerMessagingProxy.cpp:

(WebCore::MessageWorkerContextTask::performTask):
(WebCore::connectToWorkerContextInspectorTask):
(WebCore::disconnectFromWorkerContextInspectorTask):
(WebCore::dispatchOnInspectorBackendTask):

• workers/WorkerScriptLoader.cpp:

(WebCore::WorkerScriptLoader::loadSynchronously):

• workers/WorkerThread.cpp:

(WebCore::WorkerThreadShutdownFinishTask::performTask):
(WebCore::WorkerThreadShutdownStartTask::performTask):

Source/WebKit/blackberry:

• Api/WebPage.cpp:

(BlackBerry::WebKit::WebPagePrivate::handleMouseEvent):

• WebKitSupport/FatFingers.cpp:

(BlackBerry::WebKit::FatFingers::setSuccessfulFatFingersResult):

Source/WebKit/chromium:

• src/IDBFactoryBackendProxy.cpp:

(WebKit::IDBFactoryBackendProxy::allowIndexedDB):
(WebKit::getWebFrame):

• src/LocalFileSystemChromium.cpp:

(WebCore::LocalFileSystem::deleteFileSystem):

• src/WebSharedWorkerImpl.cpp:

(WebKit::WebSharedWorkerImpl::connectTask):
(WebKit::resumeWorkerContextTask):
(WebKit::connectToWorkerContextInspectorTask):
(WebKit::reconnectToWorkerContextInspectorTask):
(WebKit::disconnectFromWorkerContextInspectorTask):
(WebKit::dispatchOnInspectorBackendTask):

Source/WebKit/qt:

• WebCoreSupport/FrameLoaderClientQt.cpp:

Location:

trunk/Source

Files:

• WebCore/ChangeLog (modified) (1 diff)
• WebCore/Modules/notifications/Notification.cpp (modified) (3 diffs)
• WebCore/Modules/speech/SpeechGrammar.cpp (modified) (1 diff)
• WebCore/Modules/speech/SpeechGrammarList.cpp (modified) (1 diff)
• WebCore/Modules/websockets/ThreadableWebSocketChannel.cpp (modified) (1 diff)
• WebCore/accessibility/AccessibilityMenuListPopup.cpp (modified) (1 diff)
• WebCore/accessibility/AccessibilityTable.cpp (modified) (1 diff)
• WebCore/css/CSSFontFaceRule.cpp (modified) (1 diff)
• WebCore/css/CSSImageSetValue.cpp (modified) (2 diffs)
• WebCore/css/CSSPageRule.cpp (modified) (1 diff)
• WebCore/css/CSSStyleRule.cpp (modified) (1 diff)
• WebCore/css/StyleBuilder.cpp (modified) (3 diffs)
• WebCore/css/StyleResolver.cpp (modified) (4 diffs)
• WebCore/css/WebKitCSSFilterRule.cpp (modified) (1 diff)
• WebCore/css/WebKitCSSKeyframesRule.cpp (modified) (1 diff)
• WebCore/css/WebKitCSSViewportRule.cpp (modified) (1 diff)
• WebCore/editing/EditCommand.h (modified) (1 diff)
• WebCore/editing/visible_units.cpp (modified) (2 diffs)
• WebCore/html/HTMLCollection.cpp (modified) (1 diff)
• WebCore/loader/ThreadableLoader.cpp (modified) (2 diffs)
• WebCore/loader/WorkerThreadableLoader.cpp (modified) (1 diff)
• WebCore/page/Frame.cpp (modified) (1 diff)
• WebCore/platform/RefCountedSupplement.h (modified) (1 diff)
• WebCore/rendering/RenderBlock.cpp (modified) (2 diffs)
• WebCore/rendering/RenderBlockLineLayout.cpp (modified) (2 diffs)
• WebCore/rendering/RenderBox.cpp (modified) (1 diff)
• WebCore/rendering/svg/RenderSVGText.cpp (modified) (1 diff)
• WebCore/rendering/svg/SVGRootInlineBox.cpp (modified) (2 diffs)
• WebCore/testing/js/WebCoreTestSupport.cpp (modified) (1 diff)
• WebCore/testing/v8/WebCoreTestSupport.cpp (modified) (1 diff)
• WebCore/workers/DefaultSharedWorkerRepository.cpp (modified) (2 diffs)
• WebCore/workers/SharedWorker.cpp (modified) (1 diff)
• WebCore/workers/WorkerContext.cpp (modified) (1 diff)
• WebCore/workers/WorkerMessagingProxy.cpp (modified) (4 diffs)
• WebCore/workers/WorkerScriptLoader.cpp (modified) (1 diff)
• WebCore/workers/WorkerThread.cpp (modified) (2 diffs)
• WebKit/blackberry/Api/WebPage.cpp (modified) (1 diff)
• WebKit/blackberry/ChangeLog (modified) (1 diff)
• WebKit/blackberry/WebKitSupport/FatFingers.cpp (modified) (1 diff)
• WebKit/chromium/ChangeLog (modified) (1 diff)
• WebKit/chromium/src/IDBFactoryBackendProxy.cpp (modified) (2 diffs)
• WebKit/chromium/src/LocalFileSystemChromium.cpp (modified) (1 diff)
• WebKit/chromium/src/WebSharedWorkerImpl.cpp (modified) (6 diffs)
• WebKit/qt/ChangeLog (modified) (1 diff)
• WebKit/qt/WebCoreSupport/FrameLoaderClientQt.cpp (modified) (1 diff)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2013-02-04  Abhishek Arya  <inferno@chromium.org>
+
+        Add ASSERT_WITH_SECURITY_IMPLICATION to detect bad cast in DOM, CSS, etc.
+        https://bugs.webkit.org/show_bug.cgi?id=108688
+
+        Reviewed by Eric Seidel.
+
+        * Modules/notifications/Notification.cpp:
+        (WebCore::Notification::Notification):
+        (WebCore::Notification::permission):
+        (WebCore::Notification::requestPermission):
+        * Modules/speech/SpeechGrammar.cpp:
+        (WebCore::SpeechGrammar::setSrc):
+        * Modules/speech/SpeechGrammarList.cpp:
+        (WebCore::SpeechGrammarList::addFromUri):
+        * Modules/websockets/ThreadableWebSocketChannel.cpp:
+        (WebCore::ThreadableWebSocketChannel::create):
+        * accessibility/AccessibilityMenuListPopup.cpp:
+        (WebCore::AccessibilityMenuListPopup::menuListOptionAccessibilityObject):
+        * accessibility/AccessibilityTable.cpp:
+        (WebCore::AccessibilityTable::cellForColumnAndRow):
+        * css/CSSFontFaceRule.cpp:
+        (WebCore::CSSFontFaceRule::reattach):
+        * css/CSSImageSetValue.cpp:
+        (WebCore::CSSImageSetValue::fillImageSet):
+        * css/CSSPageRule.cpp:
+        (WebCore::CSSPageRule::reattach):
+        * css/CSSStyleRule.cpp:
+        (WebCore::CSSStyleRule::reattach):
+        * css/StyleBuilder.cpp:
+        (WebCore::ApplyPropertyFontVariantLigatures::applyValue):
+        (WebCore::ApplyPropertyTextDecoration::applyValue):
+        (WebCore::ApplyPropertyZoom::applyValue):
+        * css/StyleResolver.cpp:
+        (WebCore::createGridPosition):
+        (WebCore::StyleResolver::applyProperty):
+        (WebCore::StyleResolver::createCustomFilterOperationWithInlineSyntax):
+        * css/WebKitCSSFilterRule.cpp:
+        (WebCore::WebKitCSSFilterRule::reattach):
+        * css/WebKitCSSKeyframesRule.cpp:
+        (WebCore::WebKitCSSKeyframesRule::reattach):
+        * css/WebKitCSSViewportRule.cpp:
+        (WebCore::WebKitCSSViewportRule::reattach):
+        * editing/EditCommand.h:
+        (WebCore::toSimpleEditCommand):
+        * editing/visible_units.cpp:
+        (WebCore::startOfParagraph):
+        (WebCore::endOfParagraph):
+        * html/HTMLCollection.cpp:
+        (WebCore::LiveNodeListBase::setItemCache):
+        * loader/ThreadableLoader.cpp:
+        (WebCore::ThreadableLoader::create):
+        (WebCore::ThreadableLoader::loadResourceSynchronously):
+        * loader/WorkerThreadableLoader.cpp:
+        (WebCore::WorkerThreadableLoader::MainThreadBridge::mainThreadCreateLoader):
+        * page/Frame.cpp:
+        (WebCore::Frame::frameForWidget):
+        * platform/RefCountedSupplement.h:
+        (WebCore::RefCountedSupplement::from):
+        * rendering/RenderBlock.cpp:
+        (WebCore::RenderBlock::splitBlocks):
+        (WebCore::RenderBlock::firstLineBlock):
+        * rendering/RenderBlockLineLayout.cpp:
+        (WebCore::RenderBlock::createLineBoxes):
+        * rendering/RenderBox.cpp:
+        (WebCore::RenderBox::computeReplacedLogicalHeightUsing):
+        * rendering/svg/RenderSVGText.cpp:
+        (WebCore::RenderSVGText::positionForPoint):
+        * rendering/svg/SVGRootInlineBox.cpp:
+        (WebCore::SVGRootInlineBox::layoutCharactersInTextBoxes):
+        (WebCore::SVGRootInlineBox::layoutChildBoxes):
+        * testing/js/WebCoreTestSupport.cpp:
+        (WebCoreTestSupport::resetInternalsObject):
+        * testing/v8/WebCoreTestSupport.cpp:
+        (WebCoreTestSupport::resetInternalsObject):
+        * workers/DefaultSharedWorkerRepository.cpp:
+        (WebCore::SharedWorkerProxy::addToWorkerDocuments):
+        (WebCore::SharedWorkerConnectTask::performTask):
+        * workers/SharedWorker.cpp:
+        (WebCore::SharedWorker::create):
+        * workers/WorkerContext.cpp:
+        (WebCore::CloseWorkerContextTask::performTask):
+        * workers/WorkerMessagingProxy.cpp:
+        (WebCore::MessageWorkerContextTask::performTask):
+        (WebCore::connectToWorkerContextInspectorTask):
+        (WebCore::disconnectFromWorkerContextInspectorTask):
+        (WebCore::dispatchOnInspectorBackendTask):
+        * workers/WorkerScriptLoader.cpp:
+        (WebCore::WorkerScriptLoader::loadSynchronously):
+        * workers/WorkerThread.cpp:
+        (WebCore::WorkerThreadShutdownFinishTask::performTask):
+        (WebCore::WorkerThreadShutdownStartTask::performTask):
+
 2013-02-04  Dominik Röttsches  <dominik.rottsches@intel.com>
 

trunk/Source/WebCore/Modules/notifications/Notification.cpp

@@ -110 +110 @@
     , m_taskTimer(adoptPtr(new Timer<Notification>(this, &Notification::taskTimerFired)))
 {
-    ASSERT(context->isDocument());
+    ASSERT_WITH_SECURITY_IMPLICATION(context->isDocument());
     m_notificationCenter = DOMWindowNotifications::webkitNotifications(static_cast<Document*>(context)->domWindow());
     
@@ -260 +260 @@
 const String& Notification::permission(ScriptExecutionContext* context)
 {
-    ASSERT(context->isDocument());
+    ASSERT_WITH_SECURITY_IMPLICATION(context->isDocument());
     ASSERT(static_cast<Document*>(context)->page());
     return permissionString(NotificationController::from(static_cast<Document*>(context)->page())->client()->checkPermission(context));
@@ -286 +286 @@
 void Notification::requestPermission(ScriptExecutionContext* context, PassRefPtr<NotificationPermissionCallback> callback)
 {
-    ASSERT(context->isDocument());
+    ASSERT_WITH_SECURITY_IMPLICATION(context->isDocument());
     ASSERT(static_cast<Document*>(context)->page());
     NotificationController::from(static_cast<Document*>(context)->page())->client()->requestPermission(context, callback);

trunk/Source/WebCore/Modules/speech/SpeechGrammar.cpp

@@ -46 +46 @@
 void SpeechGrammar::setSrc(ScriptExecutionContext* scriptExecutionContext, const String& src)
 {
-    ASSERT(scriptExecutionContext->isDocument());
+    ASSERT_WITH_SECURITY_IMPLICATION(scriptExecutionContext->isDocument());
     Document* document = static_cast<Document*>(scriptExecutionContext);
     m_src = document->completeURL(src);

trunk/Source/WebCore/Modules/speech/SpeechGrammarList.cpp

@@ -49 +49 @@
 void SpeechGrammarList::addFromUri(ScriptExecutionContext* scriptExecutionContext, const String& src, double weight)
 {
-    ASSERT(scriptExecutionContext->isDocument());
+    ASSERT_WITH_SECURITY_IMPLICATION(scriptExecutionContext->isDocument());
     Document* document = static_cast<Document*>(scriptExecutionContext);
     m_grammars.append(SpeechGrammar::create(document->completeURL(src), weight));

trunk/Source/WebCore/Modules/websockets/ThreadableWebSocketChannel.cpp

@@ -66 +66 @@
 #endif // ENABLE(WORKERS)
 
-    ASSERT(context->isDocument());
+    ASSERT_WITH_SECURITY_IMPLICATION(context->isDocument());
     return WebSocketChannel::create(static_cast<Document*>(context), client);
 }

trunk/Source/WebCore/accessibility/AccessibilityMenuListPopup.cpp

@@ -74 +74 @@
 
     AccessibilityObject* object = document()->axObjectCache()->getOrCreate(MenuListOptionRole);
-    ASSERT(object->isMenuListOption());
+    ASSERT_WITH_SECURITY_IMPLICATION(object->isMenuListOption());
 
     AccessibilityMenuListOption* option = static_cast<AccessibilityMenuListOption*>(object);

trunk/Source/WebCore/accessibility/AccessibilityTable.cpp

@@ -580 +580 @@
     
     AccessibilityObject* cellObject = axObjectCache()->getOrCreate(cell);
-    ASSERT(cellObject->isTableCell());
+    ASSERT_WITH_SECURITY_IMPLICATION(cellObject->isTableCell());
     
     return static_cast<AccessibilityTableCell*>(cellObject);

trunk/Source/WebCore/css/CSSFontFaceRule.cpp

@@ -65 +65 @@
 {
     ASSERT(rule);
-    ASSERT(rule->isFontFaceRule());
+    ASSERT_WITH_SECURITY_IMPLICATION(rule->isFontFaceRule());
     m_fontFaceRule = static_cast<StyleRuleFontFace*>(rule);
     if (m_propertiesCSSOMWrapper)

trunk/Source/WebCore/css/CSSImageSetValue.cpp

@@ -63 +63 @@
     while (i < length) {
         CSSValue* imageValue = item(i);
-        ASSERT(imageValue->isImageValue());
+        ASSERT_WITH_SECURITY_IMPLICATION(imageValue->isImageValue());
         String imageURL = static_cast<CSSImageValue*>(imageValue)->url();
 
@@ -69 +69 @@
         ASSERT(i < length);
         CSSValue* scaleFactorValue = item(i);
-        ASSERT(scaleFactorValue->isPrimitiveValue());
+        ASSERT_WITH_SECURITY_IMPLICATION(scaleFactorValue->isPrimitiveValue());
         float scaleFactor = static_cast<CSSPrimitiveValue*>(scaleFactorValue)->getFloatValue();
 

trunk/Source/WebCore/css/CSSPageRule.cpp

@@ -98 +98 @@
 {
     ASSERT(rule);
-    ASSERT(rule->isPageRule());
+    ASSERT_WITH_SECURITY_IMPLICATION(rule->isPageRule());
     m_pageRule = static_cast<StyleRulePage*>(rule);
     if (m_propertiesCSSOMWrapper)

trunk/Source/WebCore/css/CSSStyleRule.cpp

@@ -126 +126 @@
 {
     ASSERT(rule);
-    ASSERT(rule->isStyleRule());
+    ASSERT_WITH_SECURITY_IMPLICATION(rule->isStyleRule());
     m_styleRule = static_cast<StyleRule*>(rule);
     if (m_propertiesCSSOMWrapper)

trunk/Source/WebCore/css/StyleBuilder.cpp

@@ -874 +874 @@
 #if !ASSERT_DISABLED
         else {
-            ASSERT(value->isPrimitiveValue());
+            ASSERT_WITH_SECURITY_IMPLICATION(value->isPrimitiveValue());
             ASSERT(static_cast<CSSPrimitiveValue*>(value)->getIdent() == CSSValueNormal);
         }
@@ -1138 +1138 @@
         for (CSSValueListIterator i(value); i.hasMore(); i.advance()) {
             CSSValue* item = i.value();
-            ASSERT(item->isPrimitiveValue());
+            ASSERT_WITH_SECURITY_IMPLICATION(item->isPrimitiveValue());
             t |= *static_cast<CSSPrimitiveValue*>(item);
         }
@@ -1610 +1610 @@
     static void applyValue(CSSPropertyID, StyleResolver* styleResolver, CSSValue* value)
     {
-        ASSERT(value->isPrimitiveValue());
+        ASSERT_WITH_SECURITY_IMPLICATION(value->isPrimitiveValue());
         CSSPrimitiveValue* primitiveValue = static_cast<CSSPrimitiveValue*>(value);
 

trunk/Source/WebCore/css/StyleResolver.cpp

@@ -2714 +2714 @@
         return true;
 
-    ASSERT(primitiveValue->isNumber());
+    ASSERT_WITH_SECURITY_IMPLICATION(primitiveValue->isNumber());
     position.setIntegerPosition(primitiveValue->getIntValue());
     return true;
@@ -2797 +2797 @@
 #if ENABLE(CSS_VARIABLES)
     if (id == CSSPropertyVariable) {
-        ASSERT(value->isVariableValue());
+        ASSERT_WITH_SECURITY_IMPLICATION(value->isVariableValue());
         CSSVariableValue* variable = static_cast<CSSVariableValue*>(value);
         ASSERT(!variable->name().isEmpty());
@@ -2938 +2938 @@
                 if (!second)
                     continue;
-                ASSERT(first->isPrimitiveValue());
-                ASSERT(second->isPrimitiveValue());
+                ASSERT_WITH_SECURITY_IMPLICATION(first->isPrimitiveValue());
+                ASSERT_WITH_SECURITY_IMPLICATION(second->isPrimitiveValue());
                 String startQuote = static_cast<CSSPrimitiveValue*>(first)->getStringValue();
                 String endQuote = static_cast<CSSPrimitiveValue*>(second)->getStringValue();
@@ -4771 +4771 @@
 {
     CSSValue* shadersValue = filterValue->itemWithoutBoundsCheck(0);
-    ASSERT(shadersValue->isValueList());
+    ASSERT_WITH_SECURITY_IMPLICATION(shadersValue->isValueList());
     CSSValueList* shadersList = static_cast<CSSValueList*>(shadersValue);
 

trunk/Source/WebCore/css/WebKitCSSFilterRule.cpp

@@ -81 +81 @@
 {
     ASSERT(rule);
-    ASSERT(rule->isFilterRule());
+    ASSERT_WITH_SECURITY_IMPLICATION(rule->isFilterRule());
     m_filterRule = static_cast<StyleRuleFilter*>(rule);
     if (m_propertiesCSSOMWrapper)

trunk/Source/WebCore/css/WebKitCSSKeyframesRule.cpp

@@ -204 +204 @@
 {
     ASSERT(rule);
-    ASSERT(rule->isKeyframesRule());
+    ASSERT_WITH_SECURITY_IMPLICATION(rule->isKeyframesRule());
     m_keyframesRule = static_cast<StyleRuleKeyframes*>(rule);
 }

trunk/Source/WebCore/css/WebKitCSSViewportRule.cpp

@@ -80 +80 @@
 {
     ASSERT(rule);
-    ASSERT(rule->isViewportRule());
+    ASSERT_WITH_SECURITY_IMPLICATION(rule->isViewportRule());
     m_viewportRule = static_cast<StyleRuleViewport*>(rule);
 

trunk/Source/WebCore/editing/EditCommand.h

@@ -102 +102 @@
 {
     ASSERT(command);
-    ASSERT(command->isSimpleEditCommand());
+    ASSERT_WITH_SECURITY_IMPLICATION(command->isSimpleEditCommand());
     return static_cast<SimpleEditCommand*>(command);
 }

trunk/Source/WebCore/editing/visible_units.cpp

@@ -1137 +1137 @@
 
         if (r->isText() && toRenderText(r)->renderedTextLength()) {
-            ASSERT(n->isTextNode());
+            ASSERT_WITH_SECURITY_IMPLICATION(n->isTextNode());
             type = Position::PositionIsOffsetInAnchor;
             if (style->preserveNewline()) {
@@ -1219 +1219 @@
         // FIXME: We avoid returning a position where the renderer can't accept the caret.
         if (r->isText() && toRenderText(r)->renderedTextLength()) {
-            ASSERT(n->isTextNode());
+            ASSERT_WITH_SECURITY_IMPLICATION(n->isTextNode());
             int length = toRenderText(r)->textLength();
             type = Position::PositionIsOffsetInAnchor;

trunk/Source/WebCore/html/HTMLCollection.cpp

@@ -419 +419 @@
     setItemCache(item, offset);
     if (overridesItemAfter()) {
-        ASSERT(item->isElementNode());
+        ASSERT_WITH_SECURITY_IMPLICATION(item->isElementNode());
         static_cast<const HTMLCollection*>(this)->m_cachedElementsArrayOffset = elementsArrayOffset;
     } else

trunk/Source/WebCore/loader/ThreadableLoader.cpp

@@ -51 +51 @@
 #endif // ENABLE(WORKERS)
 
-    ASSERT(context->isDocument());
+    ASSERT_WITH_SECURITY_IMPLICATION(context->isDocument());
     return DocumentThreadableLoader::create(static_cast<Document*>(context), client, request, options);
 }
@@ -66 +66 @@
 #endif // ENABLE(WORKERS)
 
-    ASSERT(context->isDocument());
+    ASSERT_WITH_SECURITY_IMPLICATION(context->isDocument());
     DocumentThreadableLoader::loadResourceSynchronously(static_cast<Document*>(context), request, client, options);
 }

trunk/Source/WebCore/loader/WorkerThreadableLoader.cpp

@@ -108 +108 @@
 {
     ASSERT(isMainThread());
-    ASSERT(context->isDocument());
+    ASSERT_WITH_SECURITY_IMPLICATION(context->isDocument());
     Document* document = static_cast<Document*>(context);
 

trunk/Source/WebCore/page/Frame.cpp

@@ -631 +631 @@
     // Assume all widgets are either a FrameView or owned by a RenderWidget.
     // FIXME: That assumption is not right for scroll bars!
-    ASSERT(widget->isFrameView());
+    ASSERT_WITH_SECURITY_IMPLICATION(widget->isFrameView());
     return static_cast<const FrameView*>(widget)->frame();
 }

trunk/Source/WebCore/platform/RefCountedSupplement.h

@@ -64 +64 @@
         if (!found)
             return 0;
-        ASSERT(found->isRefCountedWrapper());
+        ASSERT_WITH_SECURITY_IMPLICATION(found->isRefCountedWrapper());
         return static_cast<Wrapper*>(found)->wrapped();
     }

trunk/Source/WebCore/rendering/RenderBlock.cpp

@@ -606 +606 @@
 
     while (curr && curr != fromBlock) {
-        ASSERT(curr->isRenderBlock());
+        ASSERT_WITH_SECURITY_IMPLICATION(curr->isRenderBlock());
         
         RenderBlock* blockCurr = toRenderBlock(curr);
@@ -6397 +6397 @@
             !parentBlock || parentBlock->firstChild() != firstLineBlock || !parentBlock->isBlockFlow())
             break;
-        ASSERT(parentBlock->isRenderBlock());
+        ASSERT_WITH_SECURITY_IMPLICATION(parentBlock->isRenderBlock());
         firstLineBlock = toRenderBlock(parentBlock);
     } 

trunk/Source/WebCore/rendering/RenderBlockLineLayout.cpp

@@ -456 +456 @@
     bool hasDefaultLineBoxContain = style()->lineBoxContain() == RenderStyle::initialLineBoxContain();
     do {
-        ASSERT(obj->isRenderInline() || obj == this);
+        ASSERT_WITH_SECURITY_IMPLICATION(obj->isRenderInline() || obj == this);
 
         RenderInline* inlineFlow = (obj != this) ? toRenderInline(obj) : 0;
@@ -476 +476 @@
             // made, we need to place it at the end of the current line.
             InlineBox* newBox = createInlineBoxForRenderer(obj, obj == this);
-            ASSERT(newBox->isInlineFlowBox());
+            ASSERT_WITH_SECURITY_IMPLICATION(newBox->isInlineFlowBox());
             parentBox = toInlineFlowBox(newBox);
             parentBox->setFirstLineStyleBit(lineInfo.isFirstLine());

trunk/Source/WebCore/rendering/RenderBox.cpp

@@ -2648 +2648 @@
             // https://bugs.webkit.org/show_bug.cgi?id=46500
             if (cb->isOutOfFlowPositioned() && cb->style()->height().isAuto() && !(cb->style()->top().isAuto() || cb->style()->bottom().isAuto())) {
-                ASSERT(cb->isRenderBlock());
+                ASSERT_WITH_SECURITY_IMPLICATION(cb->isRenderBlock());
                 RenderBlock* block = toRenderBlock(cb);
                 LogicalExtentComputedValues computedValues;

trunk/Source/WebCore/rendering/svg/RenderSVGText.cpp

@@ -473 +473 @@
         return createVisiblePosition(0, DOWNSTREAM);
 
-    ASSERT(rootBox->isSVGRootInlineBox());
+    ASSERT_WITH_SECURITY_IMPLICATION(rootBox->isSVGRootInlineBox());
     ASSERT(!rootBox->nextRootBox());
     ASSERT(childrenInline());

trunk/Source/WebCore/rendering/svg/SVGRootInlineBox.cpp

@@ -110 +110 @@
                 continue;
 
-            ASSERT(child->isInlineFlowBox());
+            ASSERT_WITH_SECURITY_IMPLICATION(child->isInlineFlowBox());
 
             SVGInlineFlowBox* flowBox = static_cast<SVGInlineFlowBox*>(child);
@@ -150 +150 @@
                 continue;
 
-            ASSERT(child->isInlineFlowBox());
+            ASSERT_WITH_SECURITY_IMPLICATION(child->isInlineFlowBox());
 
             SVGInlineFlowBox* flowBox = static_cast<SVGInlineFlowBox*>(child);

trunk/Source/WebCore/testing/js/WebCoreTestSupport.cpp

@@ -56 +56 @@
     JSDOMGlobalObject* globalObject = jsCast<JSDOMGlobalObject*>(exec->lexicalGlobalObject());
     ScriptExecutionContext* scriptContext = globalObject->scriptExecutionContext();
-    ASSERT(scriptContext->isDocument());
+    ASSERT_WITH_SECURITY_IMPLICATION(scriptContext->isDocument());
     Page* page = static_cast<Document*>(scriptContext)->frame()->page();
     Internals::resetToConsistentState(page);

trunk/Source/WebCore/testing/v8/WebCoreTestSupport.cpp

@@ -60 +60 @@
 
     ScriptExecutionContext* scriptContext = getScriptExecutionContext();
-    ASSERT(scriptContext->isDocument());
+    ASSERT_WITH_SECURITY_IMPLICATION(scriptContext->isDocument());
     Page* page = static_cast<Document*>(scriptContext)->frame()->page();
     Internals::resetToConsistentState(page);

trunk/Source/WebCore/workers/DefaultSharedWorkerRepository.cpp

@@ -229 +229 @@
 {
     // Nested workers are not yet supported, so passed-in context should always be a Document.
-    ASSERT(context->isDocument());
+    ASSERT_WITH_SECURITY_IMPLICATION(context->isDocument());
     ASSERT(!isClosing());
     MutexLocker lock(m_workerDocumentsLock);
@@ -273 +273 @@
         RefPtr<MessagePort> port = MessagePort::create(*scriptContext);
         port->entangle(m_channel.release());
-        ASSERT(scriptContext->isWorkerContext());
+        ASSERT_WITH_SECURITY_IMPLICATION(scriptContext->isWorkerContext());
         WorkerContext* workerContext = static_cast<WorkerContext*>(scriptContext);
         // Since close() stops the thread event loop, this should not ever get called while closing.
         ASSERT(!workerContext->isClosing());
-        ASSERT(workerContext->isSharedWorkerContext());
+        ASSERT_WITH_SECURITY_IMPLICATION(workerContext->isSharedWorkerContext());
         workerContext->dispatchEvent(createConnectEvent(port));
     }

trunk/Source/WebCore/workers/SharedWorker.cpp

@@ -71 +71 @@
 
     // We don't currently support nested workers, so workers can only be created from documents.
-    ASSERT(context->isDocument());
+    ASSERT_WITH_SECURITY_IMPLICATION(context->isDocument());
     Document* document = static_cast<Document*>(context);
     if (!document->securityOrigin()->canAccessSharedWorkers(document->topOrigin())) {

trunk/Source/WebCore/workers/WorkerContext.cpp

@@ -77 +77 @@
     virtual void performTask(ScriptExecutionContext *context)
     {
-        ASSERT(context->isWorkerContext());
+        ASSERT_WITH_SECURITY_IMPLICATION(context->isWorkerContext());
         WorkerContext* workerContext = static_cast<WorkerContext*>(context);
         // Notify parent that this context is closed. Parent is responsible for calling WorkerThread::stop().

trunk/Source/WebCore/workers/WorkerMessagingProxy.cpp

@@ -69 +69 @@
     virtual void performTask(ScriptExecutionContext* scriptContext)
     {
-        ASSERT(scriptContext->isWorkerContext());
+        ASSERT_WITH_SECURITY_IMPLICATION(scriptContext->isWorkerContext());
         DedicatedWorkerContext* context = static_cast<DedicatedWorkerContext*>(scriptContext);
         OwnPtr<MessagePortArray> ports = MessagePort::entanglePorts(*scriptContext, m_channels.release());
@@ -375 +375 @@
 static void connectToWorkerContextInspectorTask(ScriptExecutionContext* context, bool)
 {
-    ASSERT(context->isWorkerContext());
+    ASSERT_WITH_SECURITY_IMPLICATION(context->isWorkerContext());
     static_cast<WorkerContext*>(context)->workerInspectorController()->connectFrontend();
 }
@@ -394 +394 @@
 static void disconnectFromWorkerContextInspectorTask(ScriptExecutionContext* context, bool)
 {
-    ASSERT(context->isWorkerContext());
+    ASSERT_WITH_SECURITY_IMPLICATION(context->isWorkerContext());
     static_cast<WorkerContext*>(context)->workerInspectorController()->disconnectFrontend();
 }
@@ -412 +412 @@
 static void dispatchOnInspectorBackendTask(ScriptExecutionContext* context, const String& message)
 {
-    ASSERT(context->isWorkerContext());
+    ASSERT_WITH_SECURITY_IMPLICATION(context->isWorkerContext());
     static_cast<WorkerContext*>(context)->workerInspectorController()->dispatchMessageFromFrontend(message);
 }

trunk/Source/WebCore/workers/WorkerScriptLoader.cpp

@@ -70 +70 @@
         return;
 
-    ASSERT(scriptExecutionContext->isWorkerContext());
+    ASSERT_WITH_SECURITY_IMPLICATION(scriptExecutionContext->isWorkerContext());
 
     ThreadableLoaderOptions options;

trunk/Source/WebCore/workers/WorkerThread.cpp

@@ -208 +208 @@
     virtual void performTask(ScriptExecutionContext *context)
     {
-        ASSERT(context->isWorkerContext());
+        ASSERT_WITH_SECURITY_IMPLICATION(context->isWorkerContext());
         WorkerContext* workerContext = static_cast<WorkerContext*>(context);
 #if ENABLE(INSPECTOR)
@@ -229 +229 @@
     virtual void performTask(ScriptExecutionContext *context)
     {
-        ASSERT(context->isWorkerContext());
+        ASSERT_WITH_SECURITY_IMPLICATION(context->isWorkerContext());
         WorkerContext* workerContext = static_cast<WorkerContext*>(context);
 

trunk/Source/WebKit/blackberry/Api/WebPage.cpp

@@ -4026 +4026 @@
             // We do focus <select>/<option> on mouse down so that a Focus event is fired and have the
             // element painted in its focus state on repaint.
-            ASSERT(node->isElementNode());
+            ASSERT_WITH_SECURITY_IMPLICATION(node->isElementNode());
             if (node->isElementNode()) {
                 Element* element = static_cast<Element*>(node);

trunk/Source/WebKit/blackberry/ChangeLog

@@ +1 @@
+2013-02-04  Abhishek Arya  <inferno@chromium.org>
+
+        Add ASSERT_WITH_SECURITY_IMPLICATION to detect bad cast in DOM, CSS, etc.
+        https://bugs.webkit.org/show_bug.cgi?id=108688
+
+        Reviewed by Eric Seidel.
+
+        * Api/WebPage.cpp:
+        (BlackBerry::WebKit::WebPagePrivate::handleMouseEvent):
+        * WebKitSupport/FatFingers.cpp:
+        (BlackBerry::WebKit::FatFingers::setSuccessfulFatFingersResult):
+
 2013-02-04  Andrew Lo  <anlo@rim.com>
 

trunk/Source/WebKit/blackberry/WebKitSupport/FatFingers.cpp

@@ -479 +479 @@
     bool isTextInputElement = false;
     if (m_targetType == ClickableElement) {
-        ASSERT(bestNode->isElementNode());
+        ASSERT_WITH_SECURITY_IMPLICATION(bestNode->isElementNode());
         Element* bestElement = static_cast<Element*>(bestNode);
         isTextInputElement = DOMSupport::isTextInputElement(bestElement);

trunk/Source/WebKit/chromium/ChangeLog

@@ +1 @@
+2013-02-04  Abhishek Arya  <inferno@chromium.org>
+
+        Add ASSERT_WITH_SECURITY_IMPLICATION to detect bad cast in DOM, CSS, etc.
+        https://bugs.webkit.org/show_bug.cgi?id=108688
+
+        Reviewed by Eric Seidel.
+
+        * src/IDBFactoryBackendProxy.cpp:
+        (WebKit::IDBFactoryBackendProxy::allowIndexedDB):
+        (WebKit::getWebFrame):
+        * src/LocalFileSystemChromium.cpp:
+        (WebCore::LocalFileSystem::deleteFileSystem):
+        * src/WebSharedWorkerImpl.cpp:
+        (WebKit::WebSharedWorkerImpl::connectTask):
+        (WebKit::resumeWorkerContextTask):
+        (WebKit::connectToWorkerContextInspectorTask):
+        (WebKit::reconnectToWorkerContextInspectorTask):
+        (WebKit::disconnectFromWorkerContextInspectorTask):
+        (WebKit::dispatchOnInspectorBackendTask):
+
 2013-02-04  Sami Kyostila  <skyostil@chromium.org>
 

trunk/Source/WebKit/chromium/src/IDBFactoryBackendProxy.cpp

@@ -164 +164 @@
 {
     bool allowed;
-    ASSERT(context->isDocument() || context->isWorkerContext());
+    ASSERT_WITH_SECURITY_IMPLICATION(context->isDocument() || context->isWorkerContext());
     if (context->isDocument()) {
         Document* document = static_cast<Document*>(context);
@@ -196 +196 @@
 static WebFrameImpl* getWebFrame(ScriptExecutionContext* context)
 {
-    ASSERT(context->isDocument() || context->isWorkerContext());
+    ASSERT_WITH_SECURITY_IMPLICATION(context->isDocument() || context->isWorkerContext());
     if (context->isDocument()) {
         Document* document = static_cast<Document*>(context);

trunk/Source/WebKit/chromium/src/LocalFileSystemChromium.cpp

@@ -234 +234 @@
 {
     ASSERT(context);
-    ASSERT(context->isDocument());
+    ASSERT_WITH_SECURITY_IMPLICATION(context->isDocument());
 
     Document* document = static_cast<Document*>(context);

trunk/Source/WebKit/chromium/src/WebSharedWorkerImpl.cpp

@@ -358 +358 @@
     RefPtr<MessagePort> port = MessagePort::create(*context);
     port->entangle(channel);
-    ASSERT(context->isWorkerContext());
+    ASSERT_WITH_SECURITY_IMPLICATION(context->isWorkerContext());
     WorkerContext* workerContext = static_cast<WorkerContext*>(context);
-    ASSERT(workerContext->isSharedWorkerContext());
+    ASSERT_WITH_SECURITY_IMPLICATION(workerContext->isSharedWorkerContext());
     workerContext->dispatchEvent(createConnectEvent(port));
 }
@@ -397 +397 @@
 static void resumeWorkerContextTask(ScriptExecutionContext* context, bool)
 {
-    ASSERT(context->isWorkerContext());
+    ASSERT_WITH_SECURITY_IMPLICATION(context->isWorkerContext());
     static_cast<WorkerContext*>(context)->workerInspectorController()->resume();
 }
@@ -410 +410 @@
 static void connectToWorkerContextInspectorTask(ScriptExecutionContext* context, bool)
 {
-    ASSERT(context->isWorkerContext());
+    ASSERT_WITH_SECURITY_IMPLICATION(context->isWorkerContext());
     static_cast<WorkerContext*>(context)->workerInspectorController()->connectFrontend();
 }
@@ -421 +421 @@
 static void reconnectToWorkerContextInspectorTask(ScriptExecutionContext* context, const String& savedState)
 {
-    ASSERT(context->isWorkerContext());
+    ASSERT_WITH_SECURITY_IMPLICATION(context->isWorkerContext());
     WorkerInspectorController* ic = static_cast<WorkerContext*>(context)->workerInspectorController();
     ic->restoreInspectorStateFromCookie(savedState);
@@ -434 +434 @@
 static void disconnectFromWorkerContextInspectorTask(ScriptExecutionContext* context, bool)
 {
-    ASSERT(context->isWorkerContext());
+    ASSERT_WITH_SECURITY_IMPLICATION(context->isWorkerContext());
     static_cast<WorkerContext*>(context)->workerInspectorController()->disconnectFrontend();
 }
@@ -445 +445 @@
 static void dispatchOnInspectorBackendTask(ScriptExecutionContext* context, const String& message)
 {
-    ASSERT(context->isWorkerContext());
+    ASSERT_WITH_SECURITY_IMPLICATION(context->isWorkerContext());
     static_cast<WorkerContext*>(context)->workerInspectorController()->dispatchMessageFromFrontend(message);
 }

trunk/Source/WebKit/qt/ChangeLog

@@ +1 @@
+2013-02-04  Abhishek Arya  <inferno@chromium.org>
+
+        Add ASSERT_WITH_SECURITY_IMPLICATION to detect bad cast in DOM, CSS, etc.
+        https://bugs.webkit.org/show_bug.cgi?id=108688
+
+        Reviewed by Eric Seidel.
+
+        * WebCoreSupport/FrameLoaderClientQt.cpp:
+
 2013-02-03  KwangYong Choi  <ky0.choi@samsung.com>
 

trunk/Source/WebKit/qt/WebCoreSupport/FrameLoaderClientQt.cpp

@@ -1423 +1423 @@
         QRect clipRect;
         if (parentScrollView) {
-            ASSERT(parentScrollView->isFrameView());
+            ASSERT_WITH_SECURITY_IMPLICATION(parentScrollView->isFrameView());
             clipRect = static_cast<FrameView*>(parentScrollView)->windowClipRect();
             clipRect.translate(-windowRect.x(), -windowRect.y());