Changeset 51510 in webkit


Ignore:
Timestamp:
Nov 30, 2009 1:41:03 PM (14 years ago)
Author:
Adam Roben
Message:

Fix double-free of BSTRs passed to WebNavigationData::createInstance

WebFrameLoaderClient::updateGlobalHistory was converting
WebCore::Strings to WebCore::BStrings, then passing them to
WebNavigationData::createInstance. But the latter function takes BSTR
parameters and adopts them into WebCore::BStrings. So the end result
was that two WebCore::BStrings would end up freeing each underlying
BSTR.

The fix is to only convert to WebCore::BString inside
WebNavigationData.

Fixes <http://webkit.org/b/31998> <rdar://problem/7383452> REGRESSION
(r49564): Crash in updateGlobalHistory when running Javascript iBench
test

I couldn't find a way to reproduce this in DumpRenderTree.

Reviewed by Steve Falkenburg.

  • WebCoreSupport/WebFrameLoaderClient.cpp:

(WebFrameLoaderClient::updateGlobalHistory): Pass WebCore::Strings to
WebNavigationData::createInstance.

  • WebNavigationData.cpp:

(WebNavigationData::WebNavigationData):
(WebNavigationData::createInstance):

  • WebNavigationData.h:

Changed to take const WebCore::String&s instead of BSTRs and to
convert the Strings to BStrings at this level.

Location:
trunk/WebKit/win
Files:
4 edited

Legend:

Unmodified
Added
Removed

  • trunk/WebKit/win/ChangeLog

    r51500 r51510  
     12009-11-30  Adam Roben  <aroben@apple.com>
     2
     3        Fix double-free of BSTRs passed to WebNavigationData::createInstance
     4
     5        WebFrameLoaderClient::updateGlobalHistory was converting
     6        WebCore::Strings to WebCore::BStrings, then passing them to
     7        WebNavigationData::createInstance. But the latter function takes BSTR
     8        parameters and adopts them into WebCore::BStrings. So the end result
     9        was that two WebCore::BStrings would end up freeing each underlying
     10        BSTR.
     11
     12        The fix is to only convert to WebCore::BString inside
     13        WebNavigationData.
     14
     15        Fixes <http://webkit.org/b/31998> <rdar://problem/7383452> REGRESSION
     16        (r49564): Crash in updateGlobalHistory when running Javascript iBench
     17        test
     18
     19        I couldn't find a way to reproduce this in DumpRenderTree.
     20
     21        Reviewed by Steve Falkenburg.
     22
     23        * WebCoreSupport/WebFrameLoaderClient.cpp:
     24        (WebFrameLoaderClient::updateGlobalHistory): Pass WebCore::Strings to
     25        WebNavigationData::createInstance.
     26
     27        * WebNavigationData.cpp:
     28        (WebNavigationData::WebNavigationData):
     29        (WebNavigationData::createInstance):
     30        * WebNavigationData.h:
     31        Changed to take const WebCore::String&s instead of BSTRs and to
     32        convert the Strings to BStrings at this level.
     33
    1342009-11-30  Steve Falkenburg  <sfalken@apple.com>
    235

  • trunk/WebKit/win/WebCoreSupport/WebFrameLoaderClient.cpp

    r50772 r51510  
    501501
    502502    if (historyDelegate) {
    503         BString url(loader->urlForHistory());
    504         BString title(loader->title());
    505         BString redirectSource(loader->clientRedirectSourceForHistory());
    506503        COMPtr<IWebURLResponse> urlResponse(AdoptCOM, WebURLResponse::createInstance(loader->response()));
    507504        COMPtr<IWebURLRequest> urlRequest(AdoptCOM, WebMutableURLRequest::createInstance(loader->originalRequestCopy()));
    508505       
    509506        COMPtr<IWebNavigationData> navigationData(AdoptCOM, WebNavigationData::createInstance(
    510             url, title, urlRequest.get(), urlResponse.get(), loader->substituteData().isValid(), redirectSource));
     507            loader->urlForHistory(), loader->title(), urlRequest.get(), urlResponse.get(), loader->substituteData().isValid(), loader->clientRedirectSourceForHistory()));
    511508
    512509        historyDelegate->didNavigateWithNavigationData(webView, navigationData.get(), m_webFrame);

  • trunk/WebKit/win/WebNavigationData.cpp

    r49564 r51510  
    2828#include "WebNavigationData.h"
    2929
    30 #include <WebCore/BString.h>
    31 using WebCore::BString;
     30using namespace WebCore;
    3231
    3332// IUnknown -------------------------------------------------------------------
     
    6362// WebNavigationData -------------------------------------------------------------------
    6463
    65 WebNavigationData::WebNavigationData(BSTR url, BSTR title, IWebURLRequest* request, IWebURLResponse* response, bool hasSubstituteData, BSTR clientRedirectSource)
     64WebNavigationData::WebNavigationData(const String& url, const String& title, IWebURLRequest* request, IWebURLResponse* response, bool hasSubstituteData, const String& clientRedirectSource)
    6665    : m_refCount(0)
     66    , m_url(url)
     67    , m_title(title)
    6768    , m_request(request)
    6869    , m_response(response)
    6970    , m_hasSubstituteData(hasSubstituteData)
     71    , m_clientRedirectSource(clientRedirectSource)
    7072
    7173{
    7274    gClassCount++;
    7375    gClassNameCount.add("WebNavigationData");
    74 
    75     m_url.adoptBSTR(url);
    76     m_title.adoptBSTR(title);
    77     m_clientRedirectSource.adoptBSTR(clientRedirectSource);
    7876}
    7977
     
    8482}
    8583
    86 WebNavigationData* WebNavigationData::createInstance(BSTR url, BSTR title, IWebURLRequest* request, IWebURLResponse* response, bool hasSubstituteData, BSTR clientRedirectSource)
     84WebNavigationData* WebNavigationData::createInstance(const String& url, const String& title, IWebURLRequest* request, IWebURLResponse* response, bool hasSubstituteData, const String& clientRedirectSource)
    8785{
    8886    WebNavigationData* instance = new WebNavigationData(url, title, request, response, hasSubstituteData, clientRedirectSource);

  • trunk/WebKit/win/WebNavigationData.h

    r49564 r51510  
    3434class WebNavigationData : public IWebNavigationData {
    3535public:
    36     static WebNavigationData* createInstance(BSTR, BSTR, IWebURLRequest*, IWebURLResponse*, bool, BSTR);
     36    static WebNavigationData* createInstance(const WebCore::String& url, const WebCore::String& title, IWebURLRequest*, IWebURLResponse*, bool hasSubstituteData, const WebCore::String& clientRedirectSource);
    3737private:
    38     WebNavigationData(BSTR url, BSTR title, IWebURLRequest*, IWebURLResponse*, bool hasSubstituteData, BSTR clientRedirectSource);
     38    WebNavigationData(const WebCore::String& url, const WebCore::String& title, IWebURLRequest*, IWebURLResponse*, bool hasSubstituteData, const WebCore::String& clientRedirectSource);
    3939    ~WebNavigationData();
    4040
Note: See TracChangeset for help on using the changeset viewer.