Changeset 167819 in webkit

Timestamp:

Apr 25, 2014 1:34:47 PM (10 years ago)

Author:

msaboff@apple.com

Message:

Crash in platform/mac/accessibility/table-visible-rows.html
​https://bugs.webkit.org/show_bug.cgi?id=132146

Reviewed by Mark Lam.

Changed to use a local JSValueRef array temporary instead of a
std::make_unique<JSValueRef[]> when making an array of JSValues so that the temporary
JSValues are visited during garbage collection when the stack is scanned. Otherwise,
the temporary values could be collected.

• DumpRenderTree/AccessibilityUIElement.cpp:

(convertElementsToObjectArray):

• WebKitTestRunner/InjectedBundle/EventSendingController.cpp:

(WTR::EventSendingController::contextClick):

• WebKitTestRunner/InjectedBundle/mac/AccessibilityUIElementMac.mm:

(WTR::convertElementsToObjectArray):

Location:

trunk/Tools

Files:

• ChangeLog (modified) (1 diff)
• DumpRenderTree/AccessibilityUIElement.cpp (modified) (1 diff)
• WebKitTestRunner/InjectedBundle/EventSendingController.cpp (modified) (2 diffs)
• WebKitTestRunner/InjectedBundle/mac/AccessibilityUIElementMac.mm (modified) (1 diff)

trunk/Tools/ChangeLog

@@ +1 @@
+2014-04-25  Michael Saboff  <msaboff@apple.com>
+
+        Crash in platform/mac/accessibility/table-visible-rows.html
+        https://bugs.webkit.org/show_bug.cgi?id=132146
+
+        Reviewed by Mark Lam.
+
+        Changed to use a local JSValueRef array temporary instead of a
+        std::make_unique<JSValueRef[]> when making an array of JSValues so that the temporary
+        JSValues are visited during garbage collection when the stack is scanned.  Otherwise,
+        the temporary values could be collected.
+
+        * DumpRenderTree/AccessibilityUIElement.cpp:
+        (convertElementsToObjectArray):
+        * WebKitTestRunner/InjectedBundle/EventSendingController.cpp:
+        (WTR::EventSendingController::contextClick):
+        * WebKitTestRunner/InjectedBundle/mac/AccessibilityUIElementMac.mm:
+        (WTR::convertElementsToObjectArray):
+
 2014-04-24  Eduardo Lima Mitev  <elima@igalia.com>
 

trunk/Tools/DumpRenderTree/AccessibilityUIElement.cpp

@@ -520 +520 @@
 {
     size_t elementCount = elements.size();
-    auto valueElements = std::make_unique<JSValueRef[]>(elementCount);
+    JSValueRef valueElements[elementCount];
     for (size_t i = 0; i < elementCount; ++i)
         valueElements[i] = AccessibilityUIElement::makeJSAccessibilityUIElement(context, elements[i]);
     
-    return JSObjectMakeArray(context, elementCount, valueElements.get(), exception);
+    return JSObjectMakeArray(context, elementCount, valueElements, exception);
 }
 

trunk/Tools/WebKitTestRunner/InjectedBundle/EventSendingController.cpp

@@ -439 +439 @@
     WKRetainPtr<WKArrayRef> menuEntries = adoptWK(WKBundlePageCopyContextMenuItems(page));
     size_t entriesSize = WKArrayGetSize(menuEntries.get());
-    auto jsValuesArray = std::make_unique<JSValueRef[]>(entriesSize);
+    JSValueRef jsValuesArray[entriesSize];
     for (size_t i = 0; i < entriesSize; ++i) {
         ASSERT(WKGetTypeID(WKArrayGetItemAtIndex(menuEntries.get(), i)) == WKContextMenuItemGetTypeID());
@@ -448 +448 @@
     }
 
-    return JSObjectMakeArray(context, entriesSize, jsValuesArray.get(), 0);
+    return JSObjectMakeArray(context, entriesSize, jsValuesArray, 0);
 #else
     return JSValueMakeUndefined(context);

trunk/Tools/WebKitTestRunner/InjectedBundle/mac/AccessibilityUIElementMac.mm

@@ -180 +180 @@
 {
     size_t elementCount = elements.size();
-    auto valueElements = std::make_unique<JSValueRef[]>(elementCount);
+    JSValueRef valueElements[elementCount];
     for (size_t i = 0; i < elementCount; ++i)
         valueElements[i] = JSObjectMake(context, elements[i]->wrapperClass(), elements[i].get());
     
-    return JSObjectMakeArray(context, elementCount, valueElements.get(), nullptr);
+    return JSObjectMakeArray(context, elementCount, valueElements, nullptr);
 }