Changeset 70018 in webkit
- Timestamp:
- Oct 18, 2010 7:33:33 PM (14 years ago)
- Location:
- trunk
- Files:
-
- 5 edited
trunk/LayoutTests/ChangeLog
r70011 r70018 1 2010-10-18 Oliver Hunt <oliver@apple.com> 2 3 Reviewed by Sam Weinig. 4 5 REGRESSION: Feedly extension crashes Webkit 6 https://bugs.webkit.org/show_bug.cgi?id=45811 7 8 Make test cover large number of properties/string pairs, at two offsets to get the 9 new allocation to occur at different locations. 10 11 * fast/dom/Window/window-postmessage-clone-expected.txt: 12 * fast/dom/Window/window-postmessage-clone.html: 13 1 14 2010-10-18 James Robinson <jamesr@chromium.org> 2 15 -
trunk/LayoutTests/fast/dom/Window/window-postmessage-clone-expected.txt
r66850 r70018 9 9 PASS: eventData is true of type boolean 10 10 PASS: eventData is 1 of type string 11 PASS: eventData is [object Object] of type object 12 PASS: eventData is [object Object] of type object 11 13 PASS: eventData is [object Object] of type object 12 14 PASS: eventData is [object Object] of type object -
trunk/LayoutTests/fast/dom/Window/window-postmessage-clone.html
r66850 r70018 127 127 tryPostMessage('({a:"a"})'); 128 128 tryPostMessage('({b:"a", a:"b"})'); 129 tryPostMessage('({p0:"string0", p1:"string1", p2:"string2", p3:"string3", p4:"string4", p5:"string5", p6:"string6", p7:"string7", p8:"string8", p9:"string9", p10:"string10", p11:"string11", p12:"string12", p13:"string13", p14:"string14", p15:"string15", p16:"string16", p17:"string17", p18:"string18", p19:"string19"})'); 130 tryPostMessage('({p0:"string1", p1:"string1", p2:"string2", p3:"string3", p4:"string4", p5:"string5", p6:"string6", p7:"string7", p8:"string8", p9:"string9", p10:"string10", p11:"string11", p12:"string12", p13:"string13", p14:"string14", p15:"string15", p16:"string16", p17:"string17", p18:"string18", p19:"string19"})'); 129 131 tryPostMessage('({a:""})'); 130 132 tryPostMessage('({a:0})'); -
trunk/WebCore/ChangeLog
r70015 r70018 1 2010-10-18 Oliver Hunt <oliver@apple.com> 2 3 Reviewed by Sam Weinig. 4 5 REGRESSION: Feedly extension crashes Webkit 6 https://bugs.webkit.org/show_bug.cgi?id=45811 7 8 The basic problem was the deserializer was holding a pointer into 9 the constant pool, but if you were sufficiently unlucky then the 10 constant pool would be moved while still relying on the pointer, 11 which leads to badness. 12 13 I looked at just making all the sites this could happen extract the 14 right string/jsstring before any possible allocations, but it seemed 15 too fragile so i've gone for a forwarding object as the solution. 16 17 * bindings/js/SerializedScriptValue.cpp: 18 (WebCore::CloneDeserializer::CachedStringRef::CachedStringRef): 19 (WebCore::CloneDeserializer::CachedStringRef::operator->): 20 (WebCore::CloneDeserializer::readStringData): 21 (WebCore::CloneDeserializer::readFile): 22 (WebCore::CloneDeserializer::readTerminal): 23 (WebCore::CloneDeserializer::deserialize): 24 1 25 2010-10-18 Chris Rogers <crogers@google.com> 2 26 -
trunk/WebCore/bindings/js/SerializedScriptValue.cpp
r69682 r70018 782 782 }; 783 783 784 struct CachedStringRef { 785 CachedStringRef() 786 : m_base(0) 787 , m_index(0) 788 { 789 } 790 CachedStringRef(Vector<CachedString>* base, size_t index) 791 : m_base(base) 792 , m_index(index) 793 { 794 } 795 796 CachedString* operator->() { ASSERT(m_base); return &m_base->at(m_index); } 797 798 private: 799 Vector<CachedString>* m_base; 800 size_t m_index; 801 }; 802 784 803 CloneDeserializer(ExecState* exec, JSGlobalObject* globalObject, const Vector<uint8_t>& buffer) 785 804 : CloneBase(exec) … … 935 954 } 936 955 937 bool readStringData(CachedString *& cachedString)956 bool readStringData(CachedStringRef& cachedString) 938 957 { 939 958 bool scratch; … … 941 960 } 942 961 943 bool readStringData(CachedString *& cachedString, bool& wasTerminator)962 bool readStringData(CachedStringRef& cachedString, bool& wasTerminator) 944 963 { 945 964 if (m_failed) … … 962 981 return false; 963 982 } 964 cachedString = &m_constantPool[index];983 cachedString = CachedStringRef(&m_constantPool, index); 965 984 return true; 966 985 } … … 971 990 } 972 991 m_constantPool.append(str); 973 cachedString = &m_constantPool.last();992 cachedString = CachedStringRef(&m_constantPool, m_constantPool.size() - 1); 974 993 return true; 975 994 } … … 997 1016 bool readFile(RefPtr<File>& file) 998 1017 { 999 CachedString * path = 0;1018 CachedStringRef path; 1000 1019 if (!readStringData(path)) 1001 1020 return 0; 1002 CachedString * url = 0;1021 CachedStringRef url; 1003 1022 if (!readStringData(url)) 1004 1023 return 0; 1005 CachedString * type = 0;1024 CachedStringRef type; 1006 1025 if (!readStringData(type)) 1007 1026 return 0; … … 1093 1112 } 1094 1113 case BlobTag: { 1095 CachedString * url = 0;1114 CachedStringRef url; 1096 1115 if (!readStringData(url)) 1097 1116 return JSValue(); 1098 CachedString * type = 0;1117 CachedStringRef type; 1099 1118 if (!readStringData(type)) 1100 1119 return JSValue(); … … 1107 1126 } 1108 1127 case StringTag: { 1109 
CachedString * cachedString = 0;1128 CachedStringRef cachedString; 1110 1129 if (!readStringData(cachedString)) 1111 1130 return JSValue(); … … 1115 1134 return jsEmptyString(&m_exec->globalData()); 1116 1135 case RegExpTag: { 1117 CachedString * pattern = 0;1136 CachedStringRef pattern; 1118 1137 if (!readStringData(pattern)) 1119 1138 return JSValue(); 1120 CachedString * flags = 0;1139 CachedStringRef flags; 1121 1140 if (!readStringData(flags)) 1122 1141 return JSValue(); … … 1224 1243 } 1225 1244 1226 CachedString * cachedString = 0;1245 CachedStringRef cachedString; 1227 1246 bool wasTerminator = false; 1228 1247 if (!readStringData(cachedString, wasTerminator)) {
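Review bot: The new `CachedStringRef` (lines 784-801 of the new side) carries no comment stating the invariant it exists for — `m_constantPool.append()` can reallocate the Vector while a reference into it is still held, so a raw `CachedString*` dangles but an index does not — which is the whole reason for the change and will not be obvious to the next reader. A header comment on the struct such as `// Index-based handle into m_constantPool: unlike a raw CachedString*, it stays valid when append() reallocates the Vector. Only valid while the pool is alive and is not shrunk.` would capture it. `ASSERT(m_base)` in `operator->` is debug-only (WebKit's ASSERT compiles out in release), so dereferencing a default-constructed ref in a release build is a null-pointer dereference; every call site in this hunk checks the `readStringData` result before use, so this holds today but deserves a one-line note on the default constructor. The enclosing `CloneDeserializer` class begins before this hunk and continues past it.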