Changeset 70018 in webkit

Timestamp:

Oct 18, 2010 7:33:33 PM (14 years ago)

Author:

oliver@apple.com

Message:

2010-10-18 Oliver Hunt <​oliver@apple.com>

Reviewed by Sam Weinig.

REGRESSION: Feedly extension crashes Webkit
​https://bugs.webkit.org/show_bug.cgi?id=45811

Make test cover large number of properties/string pairs, at two offsets to get the
new allocation to occur at different locations.

• fast/dom/Window/window-postmessage-clone-expected.txt:
• fast/dom/Window/window-postmessage-clone.html:

2010-10-18 Oliver Hunt <​oliver@apple.com>

Reviewed by Sam Weinig.

REGRESSION: Feedly extension crashes Webkit
​https://bugs.webkit.org/show_bug.cgi?id=45811

The basic problem was the deserializer was holding a pointer into
the constant pool, but if you were sufficiently unlucky then the
constant pool would be moved while still relying on the pointer,
which leads to badness.

I looked at just making all the sites this could happen extract the
right string/jsstring before any possible allocations, but it seemed
too fragile so i've gone for a forwarding object as the solution.

• bindings/js/SerializedScriptValue.cpp: (WebCore::CloneDeserializer::CachedStringRef::CachedStringRef): (WebCore::CloneDeserializer::CachedStringRef::operator->): (WebCore::CloneDeserializer::readStringData): (WebCore::CloneDeserializer::readFile): (WebCore::CloneDeserializer::readTerminal): (WebCore::CloneDeserializer::deserialize):

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/dom/Window/window-postmessage-clone-expected.txt (modified) (1 diff)
• LayoutTests/fast/dom/Window/window-postmessage-clone.html (modified) (1 diff)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/bindings/js/SerializedScriptValue.cpp (modified) (10 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2010-10-18  Oliver Hunt  <oliver@apple.com>
+
+        Reviewed by Sam Weinig.
+
+        REGRESSION: Feedly extension crashes Webkit
+        https://bugs.webkit.org/show_bug.cgi?id=45811
+
+        Make test cover large number of properties/string pairs, at two offsets to get the
+        new allocation to occur at different locations.
+
+        * fast/dom/Window/window-postmessage-clone-expected.txt:
+        * fast/dom/Window/window-postmessage-clone.html:
+
 2010-10-18  James Robinson  <jamesr@chromium.org>
 

trunk/LayoutTests/fast/dom/Window/window-postmessage-clone-expected.txt

@@ -9 +9 @@
 PASS: eventData is true of type boolean
 PASS: eventData is 1 of type string
+PASS: eventData is [object Object] of type object
+PASS: eventData is [object Object] of type object
 PASS: eventData is [object Object] of type object
 PASS: eventData is [object Object] of type object

trunk/LayoutTests/fast/dom/Window/window-postmessage-clone.html

@@ -127 +127 @@
 tryPostMessage('({a:"a"})');
 tryPostMessage('({b:"a", a:"b"})');
+tryPostMessage('({p0:"string0", p1:"string1", p2:"string2", p3:"string3", p4:"string4", p5:"string5", p6:"string6", p7:"string7", p8:"string8", p9:"string9", p10:"string10", p11:"string11", p12:"string12", p13:"string13", p14:"string14", p15:"string15", p16:"string16", p17:"string17", p18:"string18", p19:"string19"})');
+tryPostMessage('({p0:"string1", p1:"string1", p2:"string2", p3:"string3", p4:"string4", p5:"string5", p6:"string6", p7:"string7", p8:"string8", p9:"string9", p10:"string10", p11:"string11", p12:"string12", p13:"string13", p14:"string14", p15:"string15", p16:"string16", p17:"string17", p18:"string18", p19:"string19"})');
 tryPostMessage('({a:""})');
 tryPostMessage('({a:0})');

trunk/WebCore/ChangeLog

@@ +1 @@
+2010-10-18  Oliver Hunt  <oliver@apple.com>
+
+        Reviewed by Sam Weinig.
+
+        REGRESSION: Feedly extension crashes Webkit
+        https://bugs.webkit.org/show_bug.cgi?id=45811
+
+        The basic problem was the deserializer was holding a pointer into
+        the constant pool, but if you were sufficiently unlucky then the
+        constant pool would be moved while still relying on the pointer,
+        which leads to badness.
+
+        I looked at just making all the sites this could happen extract the
+        right string/jsstring before any possible allocations, but it seemed
+        too fragile so i've gone for a forwarding object as the solution.
+
+        * bindings/js/SerializedScriptValue.cpp:
+        (WebCore::CloneDeserializer::CachedStringRef::CachedStringRef):
+        (WebCore::CloneDeserializer::CachedStringRef::operator->):
+        (WebCore::CloneDeserializer::readStringData):
+        (WebCore::CloneDeserializer::readFile):
+        (WebCore::CloneDeserializer::readTerminal):
+        (WebCore::CloneDeserializer::deserialize):
+
 2010-10-18  Chris Rogers  <crogers@google.com>
 

trunk/WebCore/bindings/js/SerializedScriptValue.cpp

@@ -782 +782 @@
     };
 
+    struct CachedStringRef {
+        CachedStringRef()
+            : m_base(0)
+            , m_index(0)
+        {
+        }
+        CachedStringRef(Vector<CachedString>* base, size_t index)
+            : m_base(base)
+            , m_index(index)
+        {
+        }
+        
+        CachedString* operator->() { ASSERT(m_base); return &m_base->at(m_index); }
+        
+    private:
+        Vector<CachedString>* m_base;
+        size_t m_index;
+    };
+
     CloneDeserializer(ExecState* exec, JSGlobalObject* globalObject, const Vector<uint8_t>& buffer)
         : CloneBase(exec)
@@ -935 +954 @@
     }
 
-    bool readStringData(CachedString*& cachedString)
+    bool readStringData(CachedStringRef& cachedString)
     {
         bool scratch;
@@ -941 +960 @@
     }
 
-    bool readStringData(CachedString*& cachedString, bool& wasTerminator)
+    bool readStringData(CachedStringRef& cachedString, bool& wasTerminator)
     {
         if (m_failed)
@@ -962 +981 @@
                 return false;
             }
-            cachedString = &m_constantPool[index];
+            cachedString = CachedStringRef(&m_constantPool, index);
             return true;
         }
@@ -971 +990 @@
         }
         m_constantPool.append(str);
-        cachedString = &m_constantPool.last();
+        cachedString = CachedStringRef(&m_constantPool, m_constantPool.size() - 1);
         return true;
     }
@@ -997 +1016 @@
     bool readFile(RefPtr<File>& file)
     {
-        CachedString* path = 0;
+        CachedStringRef path;
         if (!readStringData(path))
             return 0;
-        CachedString* url = 0;
+        CachedStringRef url;
         if (!readStringData(url))
             return 0;
-        CachedString* type = 0;
+        CachedStringRef type;
         if (!readStringData(type))
             return 0;
@@ -1093 +1112 @@
         }
         case BlobTag: {
-            CachedString* url = 0;
+            CachedStringRef url;
             if (!readStringData(url))
                 return JSValue();
-            CachedString* type = 0;
+            CachedStringRef type;
             if (!readStringData(type))
                 return JSValue();
@@ -1107 +1126 @@
         }
         case StringTag: {
-            CachedString* cachedString = 0;
+            CachedStringRef cachedString;
             if (!readStringData(cachedString))
                 return JSValue();
@@ -1115 +1134 @@
             return jsEmptyString(&m_exec->globalData());
         case RegExpTag: {
-            CachedString* pattern = 0;
+            CachedStringRef pattern;
             if (!readStringData(pattern))
                 return JSValue();
-            CachedString* flags = 0;
+            CachedStringRef flags;
             if (!readStringData(flags))
                 return JSValue();
@@ -1224 +1243 @@
             }
 
-            CachedString* cachedString = 0;
+            CachedStringRef cachedString;
             bool wasTerminator = false;
             if (!readStringData(cachedString, wasTerminator)) {