Changeset 57638 in webkit

Timestamp:

Apr 15, 2010 3:03:31 AM (14 years ago)

Author:

eric@webkit.org

Message:

2010-04-15 Bruno Schmidt <​bruno.schmidt@gmail.com>

Reviewed by Kenneth Rohde Christiansen.

[Qt] Null QObjects properties cause Segmentation Fault
​https://bugs.webkit.org/show_bug.cgi?id=34730

QObjects exported to the QWebkit javascript with properties that are
a null "QObject*" cause Segmentation Fault.

If an QObject is added to the javascript context and it contains
properties of the type QObject* with NULL value, calling the property
causes Segmentation Fault.
So now the code below properly checks for null pointers:

• bridge/qt/qt_instance.cpp: (JSC::Bindings::QtInstance::getClass): may return NULL (JSC::Bindings::QtInstance::getMethod): may return jsNull() (JSC::Bindings::QtInstance::stringValue): may return jsNull() (JSC::Bindings::QtInstance::booleanValue): may return false
• bridge/qt/qt_runtime.cpp: (JSC::Bindings::convertValueToQVariant): (JSC::Bindings::convertQVariantToValue): May return jsNull on QObjectStar

2010-04-15 Bruno Schmidt <​bruno.schmidt@gmail.com>

Reviewed by Kenneth Rohde Christiansen.

[Qt] Null QObjects properties cause Segmentation Fault
​https://bugs.webkit.org/show_bug.cgi?id=34730

QObjects exported to the QWebkit javascript with properties that are
a null "QObject*" cause Segmentation Fault.

If an QObject is added to the javascript context and it contains
properties of the type QObject* with NULL value, calling the property
causes Segmentation Fault.

Follow the tests for the corrections done over WebCore.

• tests/qwebframe/tst_qwebframe.cpp: (MyQObject::MyQObject): init the field m_objectStar (MyQObject::objectStarProperty): read the Object* prop (MyQObject::setObjectStarProperty): write the Object* prop (tst_QWebFrame::getSetStaticProperty): new tests for the new prop

Location:

trunk

Files:

• WebCore/ChangeLog (modified) (1 diff)
• WebCore/bridge/qt/qt_instance.cpp (modified) (4 diffs)
• WebCore/bridge/qt/qt_runtime.cpp (modified) (2 diffs)
• WebKit/qt/ChangeLog (modified) (1 diff)
• WebKit/qt/tests/qwebframe/tst_qwebframe.cpp (modified) (6 diffs)

trunk/WebCore/ChangeLog

@@ +1 @@
+2010-04-15  Bruno Schmidt  <bruno.schmidt@gmail.com>
+
+        Reviewed by Kenneth Rohde Christiansen.
+
+        [Qt] Null QObjects properties cause Segmentation Fault
+        https://bugs.webkit.org/show_bug.cgi?id=34730
+
+        QObjects exported to the QWebkit javascript with properties that are
+        a null "QObject*" cause Segmentation Fault.
+
+        If an QObject is added to the javascript context and it contains
+        properties of the type QObject* with NULL value, calling the property
+        causes Segmentation Fault.
+        So now the code below properly checks for null pointers:
+
+        * bridge/qt/qt_instance.cpp:
+        (JSC::Bindings::QtInstance::getClass): may return NULL
+        (JSC::Bindings::QtInstance::getMethod): may return jsNull()
+        (JSC::Bindings::QtInstance::stringValue): may return jsNull()
+        (JSC::Bindings::QtInstance::booleanValue): may return false
+        * bridge/qt/qt_runtime.cpp:
+        (JSC::Bindings::convertValueToQVariant): 
+        (JSC::Bindings::convertQVariantToValue): May return jsNull on QObjectStar
+
 2010-04-14  Simon Fraser  <simon.fraser@apple.com>
 

trunk/WebCore/bridge/qt/qt_instance.cpp

@@ -172 +172 @@
 Class* QtInstance::getClass() const
 {
+    if (!m_object)
+        return 0;
     if (!m_class)
         m_class = QtClass::classForObject(m_object);
@@ -239 +241 @@
 JSValue QtInstance::getMethod(ExecState* exec, const Identifier& propertyName)
 {
-    MethodList methodList = getClass()->methodsNamed(propertyName, this);
+    if (!getClass())
+        return jsNull();
+    MethodList methodList = m_class->methodsNamed(propertyName, this);
     return new (exec) RuntimeMethod(exec, propertyName, methodList);
 }
@@ -260 +264 @@
 JSValue QtInstance::stringValue(ExecState* exec) const
 {
+    QObject* obj = getObject();
+    if (!obj)
+        return jsNull();
+
     // Hmm.. see if there is a toString defined
     QByteArray buf;
     bool useDefault = true;
     getClass();
-    QObject* obj = getObject();
-    if (m_class && obj) {
+    if (m_class) {
         // Cheat and don't use the full name resolution
         int index = obj->metaObject()->indexOfMethod("toString()");
@@ -310 +317 @@
 {
     // ECMA 9.2
-    return jsBoolean(true);
+    return jsBoolean(getObject());
 }
 

trunk/WebCore/bridge/qt/qt_runtime.cpp

@@ -333 +333 @@
         }
 
-        case QMetaType::QVariantMap: 
+        case QMetaType::QVariantMap:
             if (type == Object || type == Array || type == RTArray) {
                 // Enumerate the contents of the object
@@ -872 +872 @@
     if (type == QMetaType::QObjectStar || type == QMetaType::QWidgetStar) {
         QObject* obj = variant.value<QObject*>();
+        if (!obj)
+            return jsNull();
         return QtInstance::getQtInstance(obj, root, QScriptEngine::QtOwnership)->createRuntimeObject(exec);
     }

trunk/WebKit/qt/ChangeLog

@@ +1 @@
+2010-04-15  Bruno Schmidt  <bruno.schmidt@gmail.com>
+
+        Reviewed by Kenneth Rohde Christiansen.
+
+        [Qt] Null QObjects properties cause Segmentation Fault
+        https://bugs.webkit.org/show_bug.cgi?id=34730
+
+        QObjects exported to the QWebkit javascript with properties that are
+        a null "QObject*" cause Segmentation Fault.
+
+        If an QObject is added to the javascript context and it contains
+        properties of the type QObject* with NULL value, calling the property
+        causes Segmentation Fault.
+
+        Follow the tests for the corrections done over WebCore.
+
+        * tests/qwebframe/tst_qwebframe.cpp:
+        (MyQObject::MyQObject): init the field m_objectStar
+        (MyQObject::objectStarProperty): read the Object* prop
+        (MyQObject::setObjectStarProperty): write the Object* prop
+        (tst_QWebFrame::getSetStaticProperty): new tests for the new prop
+
 2010-04-14  Luiz Agostini  <luiz.agostini@openbossa.org>
 

trunk/WebKit/qt/tests/qwebframe/tst_qwebframe.cpp

@@ -68 +68 @@
     Q_PROPERTY(CustomType propWithCustomType READ propWithCustomType WRITE setPropWithCustomType)
     Q_PROPERTY(QWebElement webElementProperty READ webElementProperty WRITE setWebElementProperty)
+    Q_PROPERTY(QObject* objectStarProperty READ objectStarProperty WRITE setObjectStarProperty)
     Q_ENUMS(Policy Strategy)
     Q_FLAGS(Ability)
@@ -105 +106 @@
             m_writeOnlyValue(789),
             m_readOnlyValue(987),
+            m_objectStar(0),
             m_qtFunctionInvoked(-1) { }
 
@@ -197 +199 @@
         m_customType = c;
     }
+
+    QObject* objectStarProperty() const {
+        return m_objectStar;
+    }
+
+    void setObjectStarProperty(QObject* object) {
+        m_objectStar = object;
+    }
+
 
     int qtFunctionInvoked() const {
@@ -483 +494 @@
     QWebElement m_webElement;
     CustomType m_customType;
+    QObject* m_objectStar;
     int m_qtFunctionInvoked;
     QVariantList m_actuals;
@@ -879 +891 @@
                     "myObject.readOnlyProperty == 987"), sTrue);
     QCOMPARE(m_myObject->readOnlyProperty(), 987);
+
+    // QObject* property
+    m_myObject->setObjectStarProperty(0);
+    QCOMPARE(m_myObject->objectStarProperty(), (QObject*)0);
+    QCOMPARE(evalJS("myObject.objectStarProperty == null"), sTrue);
+    QCOMPARE(evalJS("typeof myObject.objectStarProperty"), sObject);
+    QCOMPARE(evalJS("Boolean(myObject.objectStarProperty)"), sFalse);
+    QCOMPARE(evalJS("String(myObject.objectStarProperty) == 'null'"), sTrue);
+    QCOMPARE(evalJS("myObject.objectStarProperty.objectStarProperty"),
+        sUndefined);
+    m_myObject->setObjectStarProperty(this);
+    QCOMPARE(evalJS("myObject.objectStarProperty != null"), sTrue);
+    QCOMPARE(evalJS("typeof myObject.objectStarProperty"), sObject);
+    QCOMPARE(evalJS("Boolean(myObject.objectStarProperty)"), sTrue);
+    QCOMPARE(evalJS("String(myObject.objectStarProperty) != 'null'"), sTrue);
 }
 
@@ -2841 +2868 @@
     QTest::qWaitForWindowShown(&view);
 #else
-    QTest::qWait(2000); 
+    QTest::qWait(2000);
 #endif