Changeset 86945 in webkit
- Timestamp:
- May 20, 2011 6:24:29 AM (13 years ago)
- Location:
- trunk
- Files:
-
- 2 added
- 7 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/Source/WebKit2/ChangeLog
r86924 r86945 1 2011-05-19 Adam Roben <aroben@apple.com> 2 3 Don't try to process DownloadProxy messages twice (and robustify code that runs if we do) 4 5 Fixes <http://webkit.org/b/61142> <rdar://problem/9471680> REGRESSION (r86812): Crash 6 (preceded by assertion) in fastMalloc when downloading a file 7 8 Reviewed by Darin Adler. 9 10 * Platform/CoreIPC/ArgumentDecoder.cpp: 11 (CoreIPC::alignedBufferIsLargeEnoughToContain): Added. This helper function checks that the 12 given buffer is large enough to hold |size| bytes (and correctly handles the case where 13 we're already at the end or beyond the end of the buffer). 14 15 (CoreIPC::ArgumentDecoder::alignBufferPosition): 16 (CoreIPC::ArgumentDecoder::bufferIsLargeEnoughToContain): 17 Replaced old code that was vulnerable to underflow with the new helper function. 18 19 * UIProcess/WebProcessProxy.cpp: 20 (WebKit::WebProcessProxy::didReceiveSyncMessage): Added back an early return that was 21 mistakenly removed in r86812 so that we don't mistakenly pass DownloadProxy messages on to 22 a WebPageProxy after we've already handled them. 23 1 24 2011-05-19 Jer Noble <jer.noble@apple.com> 2 25 -
trunk/Source/WebKit2/Platform/CoreIPC/ArgumentDecoder.cpp
r86574 r86945 80 80 } 81 81 82 static inline bool alignedBufferIsLargeEnoughToContain(const uint8_t* alignedPosition, const uint8_t* bufferEnd, size_t size) 83 { 84 return bufferEnd >= alignedPosition && static_cast<size_t>(bufferEnd - alignedPosition) >= size; 85 } 86 82 87 bool ArgumentDecoder::alignBufferPosition(unsigned alignment, size_t size) 83 88 { 84 uint8_t* buffer= roundUpToAlignment(m_bufferPos, alignment);85 if ( static_cast<size_t>(m_bufferEnd - buffer) < size) {89 uint8_t* alignedPosition = roundUpToAlignment(m_bufferPos, alignment); 90 if (!alignedBufferIsLargeEnoughToContain(alignedPosition, m_bufferEnd, size)) { 86 91 // We've walked off the end of this buffer. 87 92 markInvalid(); … … 89 94 } 90 95 91 m_bufferPos = buffer;96 m_bufferPos = alignedPosition; 92 97 return true; 93 98 } … … 95 100 bool ArgumentDecoder::bufferIsLargeEnoughToContain(unsigned alignment, size_t size) const 96 101 { 97 return static_cast<size_t>(m_bufferEnd - roundUpToAlignment(m_bufferPos, alignment)) >= size;102 return alignedBufferIsLargeEnoughToContain(roundUpToAlignment(m_bufferPos, alignment), m_bufferEnd, size); 98 103 } 99 104 -
trunk/Source/WebKit2/UIProcess/WebProcessProxy.cpp
r86895 r86945 271 271 || messageID.is<CoreIPC::MessageClassDownloadProxy>() || messageID.is<CoreIPC::MessageClassWebIconDatabase>()) { 272 272 m_context->didReceiveSyncMessage(connection, messageID, arguments, reply); 273 return; 273 274 } 274 275 -
trunk/Tools/ChangeLog
r86930 r86945 1 2011-05-19 Adam Roben <aroben@apple.com> 2 3 Test that the WebKit2 UI process doesn't crash when starting a download 4 5 Test for <http://webkit.org/b/61142> <rdar://problem/9471680> REGRESSION (r86812): Crash 6 (preceded by assertion) in fastMalloc when downloading a file 7 8 Reviewed by Darin Adler. 9 10 * TestWebKitAPI/Tests/WebKit2/18-characters.html: Added. 11 12 * TestWebKitAPI/Tests/WebKit2/DownloadDecideDestinationCrash.cpp: Added. 13 (TestWebKitAPI::decidePolicyForNavigationAction): Start a download. 14 (TestWebKitAPI::decideDestinationWithSuggestedFilename): Record that the download was 15 started, cancel the download, and return a bogus string. 16 17 (TestWebKitAPI::setContextDownloadClient): 18 (TestWebKitAPI::setPagePolicyClient): 19 Simple helper functions. 20 21 (TestWebKitAPI::TEST): Load 18-characters.html, which should trigger a download thanks to 22 our policy client, and run until we know that the download was started. If we haven't 23 crashed, we win! 24 25 * TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj: 26 * TestWebKitAPI/win/TestWebKitAPI.vcproj: 27 * TestWebKitAPI/win/copy-resources.cmd: 28 Added new files. 29 1 30 2011-05-20 Kent Tamura <tkent@chromium.org> 2 31 -
trunk/Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj
r86624 r86945 56 56 C02B77F2126612140026BF0F /* SpacebarScrolling.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C02B77F1126612140026BF0F /* SpacebarScrolling.cpp */; }; 57 57 C02B7854126613AE0026BF0F /* Carbon.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = C02B7853126613AE0026BF0F /* Carbon.framework */; }; 58 C045F9451385C2EA00C0F3CD /* DownloadDecideDestinationCrash.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C045F9441385C2E900C0F3CD /* DownloadDecideDestinationCrash.cpp */; }; 58 59 C0ADBE7C12FCA4D000D2C129 /* JavaScriptTest.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C0ADBE7A12FCA4D000D2C129 /* JavaScriptTest.cpp */; }; 59 60 C0ADBE8312FCA6AA00D2C129 /* RestoreSessionStateContainingFormData.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C0ADBE8212FCA6AA00D2C129 /* RestoreSessionStateContainingFormData.cpp */; }; … … 164 165 C02B7853126613AE0026BF0F /* Carbon.framework */ = {isa = PBXFileReference; explicitFileType = wrapper.framework; name = Carbon.framework; sourceTree = SDKROOT; }; 165 166 C02B7882126615410026BF0F /* spacebar-scrolling.html */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.html; path = "spacebar-scrolling.html"; sourceTree = "<group>"; }; 167 C045F9441385C2E900C0F3CD /* DownloadDecideDestinationCrash.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = DownloadDecideDestinationCrash.cpp; sourceTree = "<group>"; }; 168 C045F9461385C2F800C0F3CD /* 18-characters.html */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.html; path = "18-characters.html"; sourceTree = "<group>"; }; 166 169 C0ADBE7A12FCA4D000D2C129 /* JavaScriptTest.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JavaScriptTest.cpp; sourceTree = "<group>"; }; 167 170 C0ADBE7B12FCA4D000D2C129 /* JavaScriptTest.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JavaScriptTest.h; sourceTree = "<group>"; }; … … 285 288 BCB6803F126FBFE100642A61 /* DocumentStartUserScriptAlertCrash.cpp */, 286 289 BCB68041126FBFF100642A61 /* DocumentStartUserScriptAlertCrash_Bundle.cpp */, 290 C045F9441385C2E900C0F3CD /* DownloadDecideDestinationCrash.cpp */, 287 291 1A5FEFDC1270E2A3000E2921 /* EvaluateJavaScript.cpp */, 288 292 BCC8B95A12611F4700DE46A4 /* FailedLoad.cpp */, … … 322 326 isa = PBXGroup; 323 327 children = ( 328 C045F9461385C2F800C0F3CD /* 18-characters.html */, 324 329 BC2D004A12A9FEB300E732A3 /* file-with-anchor.html */, 325 330 1A02C84B125D4A5E00E3F4BD /* find.html */, … … 462 467 F6F3F29113342FEB00A6BF19 /* CookieManager.cpp in Sources */, 463 468 33BE5AF5137B5A6C00705813 /* MouseMoveAfterCrash.cpp in Sources */, 469 C045F9451385C2EA00C0F3CD /* DownloadDecideDestinationCrash.cpp in Sources */, 464 470 ); 465 471 runOnlyForDeploymentPostprocessing = 0; -
trunk/Tools/TestWebKitAPI/win/TestWebKitAPI.vcproj
r86354 r86945 413 413 > 414 414 <File 415 RelativePath="..\Tests\WebKit2\18-characters.html" 416 > 417 </File> 418 <File 415 419 RelativePath="..\Tests\WebKit2\AboutBlankLoad.cpp" 416 420 > … … 426 430 <File 427 431 RelativePath="..\Tests\WebKit2\DocumentStartUserScriptAlertCrash.cpp" 432 > 433 </File> 434 <File 435 RelativePath="..\Tests\WebKit2\DownloadDecideDestinationCrash.cpp" 428 436 > 429 437 </File> -
trunk/Tools/TestWebKitAPI/win/copy-resources.cmd
r86354 r86945 9 9 mkdir 2>NUL "%ResourcesDirectory%" 10 10 for %%f in ( 11 ..\Tests\WebKit2\18-characters.html 11 12 ..\Tests\WebKit2\file-with-anchor.html 12 13 ..\Tests\WebKit2\find.html
Note: See TracChangeset
for help on using the changeset viewer.