Title: [98934] trunk
- Revision
- 98934
- Author
- commit-qu...@webkit.org
- Date
- 2011-10-31 20:37:51 -0700 (Mon, 31 Oct 2011)
Log Message
V8MessageEvent::dataAccessorGetter does not return a reference to its caller
https://bugs.webkit.org/show_bug.cgi?id=71229
Patch by Dave Michael <dmich...@chromium.org> on 2011-10-31
Reviewed by Adam Barth.
Test: fast/events/dispatch-message-string-data.html
* bindings/v8/custom/V8MessageEventCustom.cpp:
(WebCore::V8MessageEvent::dataAccessorGetter):
Modified Paths
- trunk/Source/WebCore/ChangeLog
- trunk/Source/WebCore/bindings/v8/custom/V8MessageEventCustom.cpp
Added Paths
- trunk/LayoutTests/fast/events/dispatch-message-string-data-expected.txt
- trunk/LayoutTests/fast/events/dispatch-message-string-data.html
Diff
Added: trunk/LayoutTests/fast/events/dispatch-message-string-data-expected.txt (0 => 98934)
--- trunk/LayoutTests/fast/events/dispatch-message-string-data-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/events/dispatch-message-string-data-expected.txt 2011-11-01 03:37:51 UTC (rev 98934)
@@ -0,0 +1,4 @@
+This is a test for https://bugs.webkit.org/show_bug.cgi?id=71229 (V8MessageEvent::dataAccessorGetter does not return a reference to its caller). If it succeeds, DONE will appear below. If it fails, you should see messages containing unexpected strings that were received and/or a renderer crash.
+
+DONE
+
Added: trunk/LayoutTests/fast/events/dispatch-message-string-data.html (0 => 98934)
--- trunk/LayoutTests/fast/events/dispatch-message-string-data.html (rev 0)
+++ trunk/LayoutTests/fast/events/dispatch-message-string-data.html 2011-11-01 03:37:51 UTC (rev 98934)
@@ -0,0 +1,67 @@
+<!DOCTYPE html>
+<html>
+<head>
+<p>This is a test for https://bugs.webkit.org/show_bug.cgi?id=71229 (V8MessageEvent::dataAccessorGetter does not return a reference to its caller). If it succeeds, DONE will appear below. If it fails, you should see messages containing unexpected strings that were received and/or a renderer crash.
+<hr>
+<pre id=log></pre>
+<script>
+function log(message)
+{
+ document.getElementById("log").innerHTML += message + "<br>";
+}
+
+var eventTarget;
+
+// Make a long prefix string. This seems to make it more likely that a use-
+// after-free problem will cause an observable error.
+var kPrefix = "Hello";
+for (var i = 0; i < 10; ++i)
+ kPrefix += kPrefix;
+var num = 0;
+var endNum = 1000;
+function HandleMessage(message_event) {
+ if (message_event.data !== kPrefix + num.toString()) {
+ log("Expected '" + num + "', Got: '" + message_event.data + "'");
+ }
+ if (num == endNum) {
+ layoutTestController.notifyDone();
+ }
+ else {
+ ++num;
+ setTimeout(SendString, 0);
+ }
+}
+
+function SendString() {
+ var target = document.getElementById("event_target");
+ var message_event = window.document.createEvent('MessageEvent');
+ message_event.initMessageEvent('message', // type
+ false, // canBubble
+ false, // cancelable
+ kPrefix + num.toString(), // data
+ '', // origin [*]
+ '', // lastEventId
+ null, // source [*]
+ []); // ports
+ target.dispatchEvent(message_event);
+}
+
+function AddListener() {
+ var target = document.getElementById("event_target");
+ target.addEventListener("message", HandleMessage, false);
+ SendString();
+}
+document.addEventListener("DOMContentLoaded", AddListener, false);
+
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+}
+log("DONE");
+
+</script>
+</head>
+<body>
+<div id="event_target"></div>
+</body>
+</html>
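Review bot: `layoutTestController.notifyDone()` in the `num == endNum` branch of `HandleMessage` is called unguarded, while the `dumpAsText()` and `waitUntilDone()` calls at the bottom of the script are wrapped in `if (window.layoutTestController)`; run outside DumpRenderTree, the final message throws a ReferenceError. Guard it the same way, e.g. `if (window.layoutTestController) layoutTestController.notifyDone();`. Related: `log("DONE")` runs at script load, before the first `dispatchEvent`, so DONE is printed whether or not any of the 1001 data comparisons fail, yet the description text (and the expected.txt) present DONE as the success marker. Moving `log("DONE")` into the `num == endNum` branch, ahead of `notifyDone()`, would make the output mean what the description says; the real failure signal today is only the "Expected ... Got ..." lines or a renderer crash. Minor: the `[*]` markers on the `origin` and `source` arguments of `initMessageEvent` point at a footnote that does not exist.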
Modified: trunk/Source/WebCore/ChangeLog (98933 => 98934)
--- trunk/Source/WebCore/ChangeLog 2011-11-01 01:47:17 UTC (rev 98933)
+++ trunk/Source/WebCore/ChangeLog 2011-11-01 03:37:51 UTC (rev 98934)
@@ -1,3 +1,15 @@
+2011-10-31 Dave Michael <dmich...@chromium.org>
+
+ V8MessageEvent::dataAccessorGetter does not return a reference to its caller
+ https://bugs.webkit.org/show_bug.cgi?id=71229
+
+ Reviewed by Adam Barth.
+
+ Test: fast/events/dispatch-message-string-data.html
+
+ * bindings/v8/custom/V8MessageEventCustom.cpp:
+ (WebCore::V8MessageEvent::dataAccessorGetter):
+
2011-10-31 Renata Hodovan <r...@webkit.org>
[Qt] Build fix after r98853.
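Review bot: The entry gives only the bug title and the touched function, with no description of the defect or the fix. WebKit ChangeLog convention is a sentence or two under the bug link, e.g. that `dataAccessorGetter` previously returned `scriptValue.v8Value()` directly and now returns `v8::Local<v8::Value>::New(...)` so the caller gets a handle in its own HandleScope instead of a reference into the `ScriptValue`. Without that, a reader has to open the diff to learn why `Local::New` is there and what the new layout test is exercising.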
Modified: trunk/Source/WebCore/bindings/v8/custom/V8MessageEventCustom.cpp (98933 => 98934)
--- trunk/Source/WebCore/bindings/v8/custom/V8MessageEventCustom.cpp 2011-11-01 01:47:17 UTC (rev 98933)
+++ trunk/Source/WebCore/bindings/v8/custom/V8MessageEventCustom.cpp 2011-11-01 03:37:51 UTC (rev 98934)
@@ -56,7 +56,7 @@
if (scriptValue.hasNoValue())
result = v8::Null();
else
- result = scriptValue.v8Value();
+ result = v8::Local<v8::Value>::New(scriptValue.v8Value());
break;
}
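Review bot: The one-line change carries no comment explaining why `v8::Local<v8::Value>::New(...)` is required, and the difference from the removed `result = scriptValue.v8Value();` is easy to lose in a later cleanup. Add a short comment at the assignment stating that the getter must hand back a handle created in the caller's current HandleScope rather than the handle owned by `scriptValue`, which is the use-after-free the new `fast/events/dispatch-message-string-data.html` test provokes with its long string `data` payload and repeated dispatches.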
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes