Modified: branches/safari-536.30-branch/Source/WebCore/ChangeLog (148341 => 148342)
--- branches/safari-536.30-branch/Source/WebCore/ChangeLog 2013-04-13 03:15:35 UTC (rev 148341)
+++ branches/safari-536.30-branch/Source/WebCore/ChangeLog 2013-04-13 03:52:37 UTC (rev 148342)
@@ -1,5 +1,46 @@
2013-04-12 Ryosuke Niwa <rn...@webkit.org>
+ Merge r140892
+
+ 2013-01-25 Kentaro Hara <hara...@chromium.org>
+
+ Keep a RefPtr<SerializedScriptValue*> when we call serialize()/deserialize() in code generators
+ https://bugs.webkit.org/show_bug.cgi?id=107902
+
+ Reviewed by Abhishek Arya.
+
+ If you use a raw SerializedScriptValue* for serialize()/deserialize(),
+ it can potentially cause a use-after-free. This is because serialize()/
+ deserialize() can destruct a RefPtr of the SerializedScriptValue*,
+ depending on data that is serialized/deserialized. So we should keep a
+ RefPtr<SerializedScriptValue*> when we call serialize()/deserialize().
+ (See https://bugs.webkit.org/show_bug.cgi?id=107792 for more details.)
+
+ No tests. This is just a just-in-case fix.
+
+ * Modules/intents/Intent.h:
+ (WebCore::Intent::data):
+ * Modules/intents/IntentRequest.cpp:
+ (WebCore::IntentRequest::postResult):
+ (WebCore::IntentRequest::postFailure):
+ * Modules/intents/IntentRequest.h:
+ (IntentRequest):
+ * Modules/intents/IntentResultCallback.h:
+ (IntentResultCallback):
+ * bindings/scripts/CodeGeneratorJS.pm:
+ (GetNativeTypeForCallbacks):
+ * bindings/scripts/CodeGeneratorV8.pm:
+ (GenerateNormalAttrGetter):
+ (GetNativeTypeForCallbacks):
+ * bindings/scripts/test/V8/V8TestSerializedScriptValueInterface.cpp:
+ (WebCore::TestSerializedScriptValueInterfaceV8Internal::cachedValueAttrGetter):
+ (WebCore::TestSerializedScriptValueInterfaceV8Internal::cachedReadonlyValueAttrGetter):
+ * dom/MessagePortChannel.h:
+ (WebCore::MessagePortChannel::EventData::message):
+
+
+2013-04-12 Ryosuke Niwa <rn...@webkit.org>
+
Merge r140891
2013-01-25 Kentaro Hara <hara...@chromium.org>
Modified: branches/safari-536.30-branch/Source/WebCore/Modules/intents/Intent.h (148341 => 148342)
--- branches/safari-536.30-branch/Source/WebCore/Modules/intents/Intent.h 2013-04-13 03:15:35 UTC (rev 148341)
+++ branches/safari-536.30-branch/Source/WebCore/Modules/intents/Intent.h 2013-04-13 03:52:37 UTC (rev 148342)
@@ -55,7 +55,7 @@
const String& action() const { return m_action; }
const String& type() const { return m_type; }
- SerializedScriptValue* data() const { return m_data.get(); }
+ PassRefPtr<SerializedScriptValue> data() const { return m_data.get(); }
MessagePortChannelArray* messagePorts() const { return m_ports.get(); }
const KURL& service() const { return m_service; }
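Review bot: The new `data()` accessor on the `+` line rebuilds the PassRefPtr from the raw pointer, `return m_data.get();`, rather than returning the RefPtr member itself; `return m_data;` performs the same ref and matches the `message()` accessor in MessagePortChannel.h in this same changeset. Either form keeps the value alive across the caller's deserialize() call, which is the use-after-free the ChangeLog describes, but only if callers bind the result to a `RefPtr<SerializedScriptValue>`; as far as I recall PassRefPtr has no implicit conversion to a raw pointer, so a remaining `SerializedScriptValue* d = intent->data();` caller should fail to compile rather than silently drop the reference, which is the intended safety net. The rest of the Intent class is outside the hunk.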
Modified: branches/safari-536.30-branch/Source/WebCore/Modules/intents/IntentRequest.cpp (148341 => 148342)
--- branches/safari-536.30-branch/Source/WebCore/Modules/intents/IntentRequest.cpp 2013-04-13 03:15:35 UTC (rev 148341)
+++ branches/safari-536.30-branch/Source/WebCore/Modules/intents/IntentRequest.cpp 2013-04-13 03:52:37 UTC (rev 148342)
@@ -69,7 +69,7 @@
m_stopped = true;
}
-void IntentRequest::postResult(SerializedScriptValue* data)
+void IntentRequest::postResult(PassRefPtr<SerializedScriptValue> data)
{
if (m_stopped)
return;
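Review bot: The parameter `data` on the `+` line is now a PassRefPtr, whose copy constructor transfers the pointer out of the source, so if the body (which continues outside the hunk) both forwards `data` to the success callback and touches it again afterwards, the second use sees null. The conventional guard is to bind it once at the top of the function, `RefPtr<SerializedScriptValue> result = data;`, and use `result` from then on; that also keeps the value alive for the whole of handleEvent(), which is what the ChangeLog's use-after-free argument requires. The same applies to `postFailure` in the next hunk.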
@@ -86,7 +86,7 @@
m_errorCallback.clear();
}
-void IntentRequest::postFailure(SerializedScriptValue* data)
+void IntentRequest::postFailure(PassRefPtr<SerializedScriptValue> data)
{
if (m_stopped)
return;
Modified: branches/safari-536.30-branch/Source/WebCore/Modules/intents/IntentRequest.h (148341 => 148342)
--- branches/safari-536.30-branch/Source/WebCore/Modules/intents/IntentRequest.h 2013-04-13 03:15:35 UTC (rev 148341)
+++ branches/safari-536.30-branch/Source/WebCore/Modules/intents/IntentRequest.h 2013-04-13 03:52:37 UTC (rev 148342)
@@ -47,8 +47,8 @@
Intent* intent() { return m_intent.get(); }
- void postResult(SerializedScriptValue*);
- void postFailure(SerializedScriptValue*);
+ void postResult(PassRefPtr<SerializedScriptValue>);
+ void postFailure(PassRefPtr<SerializedScriptValue>);
virtual void contextDestroyed() OVERRIDE;
Modified: branches/safari-536.30-branch/Source/WebCore/Modules/intents/IntentResultCallback.h (148341 => 148342)
--- branches/safari-536.30-branch/Source/WebCore/Modules/intents/IntentResultCallback.h 2013-04-13 03:15:35 UTC (rev 148341)
+++ branches/safari-536.30-branch/Source/WebCore/Modules/intents/IntentResultCallback.h 2013-04-13 03:52:37 UTC (rev 148342)
@@ -41,7 +41,7 @@
class IntentResultCallback : public RefCounted<IntentResultCallback> {
public:
virtual ~IntentResultCallback() { }
- virtual bool handleEvent(SerializedScriptValue* result) = 0;
+ virtual bool handleEvent(PassRefPtr<SerializedScriptValue> result) = 0;
};
}
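Review bot: Changing the pure-virtual `handleEvent` signature on the `+` line turns every existing override that still takes `SerializedScriptValue*` into an unrelated overload, leaving that subclass abstract; this surfaces as a compile error only where the subclass is instantiated, and as a clear message only where the override is marked `OVERRIDE` as IntentRequest.h does. The ChangeLog lists CodeGeneratorJS.pm (GetNativeTypeForCallbacks) as part of the merge, but no hunk for it appears in the part of the diff shown here, so it is worth confirming that the JS-generated callback subclass was regenerated with the PassRefPtr signature as the V8 side was.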
Modified: branches/safari-536.30-branch/Source/WebCore/bindings/scripts/CodeGeneratorV8.pm (148341 => 148342)
--- branches/safari-536.30-branch/Source/WebCore/bindings/scripts/CodeGeneratorV8.pm 2013-04-13 03:15:35 UTC (rev 148341)
+++ branches/safari-536.30-branch/Source/WebCore/bindings/scripts/CodeGeneratorV8.pm 2013-04-13 03:52:37 UTC (rev 148342)
@@ -1005,7 +1005,7 @@
if ($attribute->signature->type eq "SerializedScriptValue" && $attrExt->{"CachedAttribute"}) {
my $getterFunc = $codeGenerator->WK_lcfirst($attribute->signature->name);
push(@implContentDecls, <<END);
- SerializedScriptValue* serialized = imp->${getterFunc}();
+ RefPtr<SerializedScriptValue> serialized = imp->${getterFunc}();
value = serialized ? serialized->deserialize() : v8::Handle<v8::Value>(v8::Null());
info.Holder()->SetHiddenValue(propertyName, value);
return value;
@@ -3475,7 +3475,7 @@
{
my $type = shift;
return "const String&" if $type eq "DOMString";
- return "SerializedScriptValue*" if $type eq "SerializedScriptValue";
+ return "PassRefPtr<SerializedScriptValue>" if $type eq "SerializedScriptValue";
# Callbacks use raw pointers, so pass isParameter = 1
return GetNativeType($type, 1);
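Review bot: The comment `# Callbacks use raw pointers, so pass isParameter = 1` on the context line directly below the new return is now stale, since the `+` line above it makes SerializedScriptValue callback parameters a PassRefPtr precisely so the value stays ref'd across serialize()/deserialize(). Suggest rewording it to `# SerializedScriptValue is returned as PassRefPtr above so the callee keeps a ref across deserialize(); other types still use raw pointers, so pass isParameter = 1`. GetNativeTypeForCallbacks starts outside the hunk.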
Modified: branches/safari-536.30-branch/Source/WebCore/bindings/scripts/test/V8/V8TestSerializedScriptValueInterface.cpp (148341 => 148342)
--- branches/safari-536.30-branch/Source/WebCore/bindings/scripts/test/V8/V8TestSerializedScriptValueInterface.cpp 2013-04-13 03:15:35 UTC (rev 148341)
+++ branches/safari-536.30-branch/Source/WebCore/bindings/scripts/test/V8/V8TestSerializedScriptValueInterface.cpp 2013-04-13 03:52:37 UTC (rev 148342)
@@ -76,7 +76,7 @@
if (!value.IsEmpty())
return value;
TestSerializedScriptValueInterface* imp = V8TestSerializedScriptValueInterface::toNative(info.Holder());
- SerializedScriptValue* serialized = imp->cachedValue();
+ RefPtr<SerializedScriptValue> serialized = imp->cachedValue();
value = serialized ? serialized->deserialize() : v8::Handle<v8::Value>(v8::Null());
info.Holder()->SetHiddenValue(propertyName, value);
return value;
@@ -114,7 +114,7 @@
if (!value.IsEmpty())
return value;
TestSerializedScriptValueInterface* imp = V8TestSerializedScriptValueInterface::toNative(info.Holder());
- SerializedScriptValue* serialized = imp->cachedReadonlyValue();
+ RefPtr<SerializedScriptValue> serialized = imp->cachedReadonlyValue();
value = serialized ? serialized->deserialize() : v8::Handle<v8::Value>(v8::Null());
info.Holder()->SetHiddenValue(propertyName, value);
return value;
Modified: branches/safari-536.30-branch/Source/WebCore/dom/MessagePortChannel.h (148341 => 148342)
--- branches/safari-536.30-branch/Source/WebCore/dom/MessagePortChannel.h 2013-04-13 03:15:35 UTC (rev 148341)
+++ branches/safari-536.30-branch/Source/WebCore/dom/MessagePortChannel.h 2013-04-13 03:52:37 UTC (rev 148342)
@@ -84,7 +84,7 @@
public:
static PassOwnPtr<EventData> create(PassRefPtr<SerializedScriptValue>, PassOwnPtr<MessagePortChannelArray>);
- SerializedScriptValue* message() { return m_message.get(); }
+ PassRefPtr<SerializedScriptValue> message() { return m_message; }
PassOwnPtr<MessagePortChannelArray> channels() { return m_channels.release(); }
private: