Changeset 194625 in webkit

Timestamp:

Jan 5, 2016 6:08:23 PM (8 years ago)

Author:

beidson@apple.com

Message:

Modern IDB: storage/indexeddb/structured-clone.html crashes.
​https://bugs.webkit.org/show_bug.cgi?id=152763

Reviewed by Alex Christensen.

Source/WebCore:

No new tests (At least one failing test now passes).

A lot of SerializedScriptValue code incorrectly assumed the global object is a JSDOMGlobalObject,
which doesn't have to be true for native Javascript types like typed arrays.

Fixing that fixes the test.

• Modules/indexeddb/client/IDBObjectStoreImpl.cpp:

(WebCore::IDBClient::IDBObjectStore::putOrAdd): If serializing the script value caused an exception,

clear that exception and return a better IDB specific exception.

• bindings/js/JSDOMBinding.h:

(WebCore::toJS): Add a ArrayBufferView specialization for toJS that skips the need for a JSDOMGlobalObject.

• bindings/js/SerializedScriptValue.cpp:

(WebCore::CloneDeserializer::readArrayBufferView): Call toJS directly instead of getJSValue, which

incorrectly assumes the existence of a JSDOMGlobalObject (vs a JSGlobalObject)

(WebCore::CloneDeserializer::readTerminal): Instead of getJSValue, call JSArrayBuffer::create directly.

LayoutTests:

• platform/mac-wk1/TestExpectations:
• storage/indexeddb/clone-exception-expected.txt:
• storage/indexeddb/exceptions-expected.txt:
• storage/indexeddb/objectstore-basics-expected.txt:
• storage/indexeddb/structured-clone-expected.txt:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/platform/mac-wk1/TestExpectations (modified) (1 diff)
• LayoutTests/storage/indexeddb/clone-exception-expected.txt (modified) (3 diffs)
• LayoutTests/storage/indexeddb/exceptions-expected.txt (modified) (3 diffs)
• LayoutTests/storage/indexeddb/objectstore-basics-expected.txt (modified) (1 diff)
• LayoutTests/storage/indexeddb/structured-clone-expected.txt (modified) (2 diffs)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/Modules/indexeddb/client/IDBObjectStoreImpl.cpp (modified) (1 diff)
• Source/WebCore/bindings/js/JSDOMBinding.h (modified) (1 diff)
• Source/WebCore/bindings/js/SerializedScriptValue.cpp (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2016-01-05  Brady Eidson  <beidson@apple.com>
+
+        Modern IDB: storage/indexeddb/structured-clone.html crashes.
+        https://bugs.webkit.org/show_bug.cgi?id=152763
+
+        Reviewed by Alex Christensen.
+
+        * platform/mac-wk1/TestExpectations:
+        * storage/indexeddb/clone-exception-expected.txt:
+        * storage/indexeddb/exceptions-expected.txt:
+        * storage/indexeddb/objectstore-basics-expected.txt:
+        * storage/indexeddb/structured-clone-expected.txt:
+
 2016-01-05  Pranjal Jumde  <pjumde@apple.com>
 

trunk/LayoutTests/platform/mac-wk1/TestExpectations

@@ -72 +72 @@
 storage/indexeddb/key-generator.html [ Skip ]
 storage/indexeddb/lazy-index-population.html [ Skip ]
-
-# IDB tests that crash/assert in CloneDeserializer
-storage/indexeddb/structured-clone.html [ Skip ]
 
 # IDB tests that crash with GuardMalloc or ASan

trunk/LayoutTests/storage/indexeddb/clone-exception-expected.txt

@@ -14 +14 @@
 PASS code is 25
 PASS ename is 'DataCloneError'
-Exception message: DataCloneError: DOM Exception 25
+Exception message: Failed to store record in an IDBObjectStore: An object could not be cloned.
 
 doSecondOpen():
@@ -24 +24 @@
 PASS code is 25
 PASS ename is 'DataCloneError'
-Exception message: DataCloneError: DOM Exception 25
+Exception message: Failed to store record in an IDBObjectStore: An object could not be cloned.
 
 doThirdOpen():
@@ -34 +34 @@
 PASS code is 25
 PASS ename is 'DataCloneError'
-Exception message: DataCloneError: DOM Exception 25
+Exception message: Failed to store record in an IDBObjectStore: An object could not be cloned.
 PASS successfullyParsed is true
 

trunk/LayoutTests/storage/indexeddb/exceptions-expected.txt

@@ -161 +161 @@
 PASS Exception was thrown.
 PASS code is DOMException.DATA_CLONE_ERR
-Exception message: DataCloneError: DOM Exception 25
+Exception message: Failed to store record in an IDBObjectStore: An object could not be cloned.
 
 IDBObjectStore.clear()
@@ -274 +274 @@
 PASS Exception was thrown.
 PASS code is DOMException.DATA_CLONE_ERR
-Exception message: DataCloneError: DOM Exception 25
+Exception message: Failed to store record in an IDBObjectStore: An object could not be cloned.
 db.close()
 ro_transaction.oncomplete = transactionComplete
@@ -506 +506 @@
 PASS Exception was thrown.
 PASS code is DOMException.DATA_CLONE_ERR
-Exception message: DataCloneError: DOM Exception 25
+Exception message: Failed to store record in an IDBObjectStore: An object could not be cloned.
 The transaction this IDBCursor belongs to is not active.
 Expecting exception from cursorFromInactiveTransaction.update({})

trunk/LayoutTests/storage/indexeddb/objectstore-basics-expected.txt

@@ -96 +96 @@
 PASS Exception was thrown.
 PASS code is DOMException.DATA_CLONE_ERR
-Exception message: DataCloneError: DOM Exception 25
+Exception message: Failed to store record in an IDBObjectStore: An object could not be cloned.
 Try to insert data where key path yields a Date key:
 store.add({x: testDateB, y: 'value'}, 'key')

trunk/LayoutTests/storage/indexeddb/structured-clone-expected.txt

@@ -784 +784 @@
 PASS Exception was thrown.
 PASS code is DOMException.DATA_CLONE_ERR
-Exception message: Failed to execute 'put' on 'IDBObjectStore': An object could not be cloned.
+Exception message: Failed to store record in an IDBObjectStore: An object could not be cloned.
 Expecting exception from store.put(new Function, 'key')
 PASS Exception was thrown.
 PASS code is DOMException.DATA_CLONE_ERR
-Exception message: Failed to execute 'put' on 'IDBObjectStore': An object could not be cloned.
+Exception message: Failed to store record in an IDBObjectStore: An object could not be cloned.
 
 Other host object types:
@@ -794 +794 @@
 PASS Exception was thrown.
 PASS code is DOMException.DATA_CLONE_ERR
-Exception message: Failed to execute 'put' on 'IDBObjectStore': An object could not be cloned.
+Exception message: Failed to store record in an IDBObjectStore: An object could not be cloned.
 Expecting exception from store.put(document, 'key')
 PASS Exception was thrown.
 PASS code is DOMException.DATA_CLONE_ERR
-Exception message: Failed to execute 'put' on 'IDBObjectStore': An object could not be cloned.
+Exception message: Failed to store record in an IDBObjectStore: An object could not be cloned.
 Expecting exception from store.put(document.body, 'key')
 PASS Exception was thrown.
 PASS code is DOMException.DATA_CLONE_ERR
-Exception message: Failed to execute 'put' on 'IDBObjectStore': An object could not be cloned.
+Exception message: Failed to store record in an IDBObjectStore: An object could not be cloned.
 PASS successfullyParsed is true
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2016-01-05  Brady Eidson  <beidson@apple.com>
+
+        Modern IDB: storage/indexeddb/structured-clone.html crashes.
+        https://bugs.webkit.org/show_bug.cgi?id=152763
+
+        Reviewed by Alex Christensen.
+
+        No new tests (At least one failing test now passes).
+        
+        A lot of SerializedScriptValue code incorrectly assumed the global object is a JSDOMGlobalObject,
+        which doesn't have to be true for native Javascript types like typed arrays.
+        
+        Fixing that fixes the test.
+
+        * Modules/indexeddb/client/IDBObjectStoreImpl.cpp:
+        (WebCore::IDBClient::IDBObjectStore::putOrAdd): If serializing the script value caused an exception,
+          clear that exception and return a better IDB specific exception.
+
+        * bindings/js/JSDOMBinding.h:
+        (WebCore::toJS): Add a ArrayBufferView specialization for toJS that skips the need for a JSDOMGlobalObject.
+        
+        * bindings/js/SerializedScriptValue.cpp:
+        (WebCore::CloneDeserializer::readArrayBufferView): Call toJS directly instead of getJSValue, which 
+          incorrectly assumes the existence of a JSDOMGlobalObject (vs a JSGlobalObject)
+        (WebCore::CloneDeserializer::readTerminal): Instead of getJSValue, call JSArrayBuffer::create directly.
+
 2016-01-05  Pranjal Jumde  <pjumde@apple.com>
 

trunk/Source/WebCore/Modules/indexeddb/client/IDBObjectStoreImpl.cpp

@@ -266 +266 @@
     RefPtr<SerializedScriptValue> serializedValue = SerializedScriptValue::create(&state, value, nullptr, nullptr);
     if (state.hadException()) {
+        // Clear the DOM exception from the serializer so we can give a more targeted exception.
+        state.clearException();
+
         ec.code = IDBDatabaseException::DataCloneError;
         ec.message = ASCIILiteral("Failed to store record in an IDBObjectStore: An object could not be cloned.");

trunk/Source/WebCore/bindings/js/JSDOMBinding.h

@@ -412 +412 @@
 }
 
+inline JSC::JSValue toJS(JSC::ExecState* exec, JSC::JSGlobalObject* globalObject, JSC::ArrayBufferView* view)
+{
+    if (!view)
+        return JSC::jsNull();
+    return view->wrap(exec, globalObject);
+}
+
 template<typename T> inline JSC::JSValue toJS(JSC::ExecState* exec, JSDOMGlobalObject* globalObject, RefPtr<T> ptr)
 {

trunk/Source/WebCore/bindings/js/SerializedScriptValue.cpp

@@ -1816 +1816 @@
             return true;
         case Int8ArrayTag:
-            arrayBufferView = getJSValue(Int8Array::create(arrayBuffer, byteOffset, length).get());
+            arrayBufferView = toJS(m_exec, m_globalObject, Int8Array::create(arrayBuffer, byteOffset, length).get());
             return true;
         case Uint8ArrayTag:
-            arrayBufferView = getJSValue(Uint8Array::create(arrayBuffer, byteOffset, length).get());
+            arrayBufferView = toJS(m_exec, m_globalObject, Uint8Array::create(arrayBuffer, byteOffset, length).get());
             return true;
         case Uint8ClampedArrayTag:
-            arrayBufferView = getJSValue(Uint8ClampedArray::create(arrayBuffer, byteOffset, length).get());
+            arrayBufferView = toJS(m_exec, m_globalObject, Uint8ClampedArray::create(arrayBuffer, byteOffset, length).get());
             return true;
         case Int16ArrayTag:
-            arrayBufferView = getJSValue(Int16Array::create(arrayBuffer, byteOffset, length).get());
+            arrayBufferView = toJS(m_exec, m_globalObject, Int16Array::create(arrayBuffer, byteOffset, length).get());
             return true;
         case Uint16ArrayTag:
-            arrayBufferView = getJSValue(Uint16Array::create(arrayBuffer, byteOffset, length).get());
+            arrayBufferView = toJS(m_exec, m_globalObject, Uint16Array::create(arrayBuffer, byteOffset, length).get());
             return true;
         case Int32ArrayTag:
-            arrayBufferView = getJSValue(Int32Array::create(arrayBuffer, byteOffset, length).get());
+            arrayBufferView = toJS(m_exec, m_globalObject, Int32Array::create(arrayBuffer, byteOffset, length).get());
             return true;
         case Uint32ArrayTag:
-            arrayBufferView = getJSValue(Uint32Array::create(arrayBuffer, byteOffset, length).get());
+            arrayBufferView = toJS(m_exec, m_globalObject, Uint32Array::create(arrayBuffer, byteOffset, length).get());
             return true;
         case Float32ArrayTag:
-            arrayBufferView = getJSValue(Float32Array::create(arrayBuffer, byteOffset, length).get());
+            arrayBufferView = toJS(m_exec, m_globalObject, Float32Array::create(arrayBuffer, byteOffset, length).get());
             return true;
         case Float64ArrayTag:
-            arrayBufferView = getJSValue(Float64Array::create(arrayBuffer, byteOffset, length).get());
+            arrayBufferView = toJS(m_exec, m_globalObject, Float64Array::create(arrayBuffer, byteOffset, length).get());
             return true;
         default:
@@ -2331 +2331 @@
                 return JSValue();
             }
-            JSValue result = getJSValue(arrayBuffer.get());
+            JSValue result = JSArrayBuffer::create(m_exec->vm(), m_globalObject->arrayBufferStructure(), arrayBuffer.release());
             m_gcBuffer.append(result);
             return result;