Title: [266470] trunk
Revision
266470
Author
sihui_...@apple.com
Date
2020-09-02 10:04:34 -0700 (Wed, 02 Sep 2020)

Log Message

REGRESSION (r264661): Crashes in WebCore::wrap<WebCore::Blob> in CloneDeserializer
https://bugs.webkit.org/show_bug.cgi?id=215835

Reviewed by Youenn Fablet.

Partially revert r264661 as there are cases, other than our previous IDB, where we may not use JSDOMGlobalObject
for serialization and deserialization, like the one shown in the crash log. Therefore, we still need the check
for JSDOMGlobalObject.

API Test: WebKit.EvaluateJavaScriptThatCreatesBlob

* bindings/js/SerializedScriptValue.cpp:
(WebCore::CloneDeserializer::CloneDeserializer):
(WebCore::CloneDeserializer::readFile):
(WebCore::CloneDeserializer::readRTCCertificate):
(WebCore::CloneDeserializer::readTerminal):


Modified: trunk/Source/WebCore/ChangeLog (266469 => 266470)


--- trunk/Source/WebCore/ChangeLog	2020-09-02 16:38:46 UTC (rev 266469)
+++ trunk/Source/WebCore/ChangeLog	2020-09-02 17:04:34 UTC (rev 266470)
@@ -1,3 +1,22 @@
+2020-09-02  Sihui Liu  <sihui_...@apple.com>
+
+        REGRESSION (r264661): Crashes in WebCore::wrap<WebCore::Blob> in CloneDeserializer
+        https://bugs.webkit.org/show_bug.cgi?id=215835
+
+        Reviewed by Youenn Fablet.
+
+        Partially revert r264661 as there are cases, other than our previous IDB, where we may not use JSDOMGlobalObject
+        for serialization and deserialization, like the one showed in the crashlog. Therefore, we still need the check 
+        for JSDOMGlobalObject.
+
+        API Test: WebKit.EvaluateJavaScriptThatCreatesBlob
+
+        * bindings/js/SerializedScriptValue.cpp:
+        (WebCore::CloneDeserializer::CloneDeserializer):
+        (WebCore::CloneDeserializer::readFile):
+        (WebCore::CloneDeserializer::readRTCCertificate):
+        (WebCore::CloneDeserializer::readTerminal):
+
 2020-09-02  Chris Dumez  <cdu...@apple.com>
 
         Implement event convergence for AudioParam.setTargetAtTime()

Modified: trunk/Source/WebCore/bindings/js/SerializedScriptValue.cpp (266469 => 266470)


--- trunk/Source/WebCore/bindings/js/SerializedScriptValue.cpp	2020-09-02 16:38:46 UTC (rev 266469)
+++ trunk/Source/WebCore/bindings/js/SerializedScriptValue.cpp	2020-09-02 17:04:34 UTC (rev 266470)
@@ -2006,7 +2006,8 @@
         )
         : CloneBase(lexicalGlobalObject)
         , m_globalObject(globalObject)
-        , m_isJSIDBSerializationGlobalObject(globalObject->inherits<JSIDBSerializationGlobalObject>(globalObject->vm()))
+        , m_isDOMGlobalObject(globalObject->inherits<JSDOMGlobalObject>(globalObject->vm()))
+        , m_canCreateDOMObject(m_isDOMGlobalObject && !globalObject->inherits<JSIDBSerializationGlobalObject>(globalObject->vm()))
         , m_ptr(buffer.data())
         , m_end(buffer.data() + buffer.size())
         , m_version(0xFFFFFFFF)
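Review bot: The two added initializers are repeated verbatim in the second CloneDeserializer constructor in the next hunk, so the pair of `inherits<>` checks that define "can create DOM objects" now lives in two places and can drift apart. A file-local helper, e.g. `static bool canCreateDOMObject(JSGlobalObject* globalObject)` returning `globalObject->inherits<JSDOMGlobalObject>(globalObject->vm()) && !globalObject->inherits<JSIDBSerializationGlobalObject>(globalObject->vm())`, would let both constructors initialize `m_canCreateDOMObject` from one definition. Both constructors start before and continue past their hunks.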
@@ -2037,7 +2038,8 @@
         )
         : CloneBase(lexicalGlobalObject)
         , m_globalObject(globalObject)
-        , m_isJSIDBSerializationGlobalObject(globalObject->inherits<JSIDBSerializationGlobalObject>(globalObject->vm()))
+        , m_isDOMGlobalObject(globalObject->inherits<JSDOMGlobalObject>(globalObject->vm()))
+        , m_canCreateDOMObject(m_isDOMGlobalObject && !globalObject->inherits<JSIDBSerializationGlobalObject>(globalObject->vm()))
         , m_ptr(buffer.data())
         , m_end(buffer.data() + buffer.size())
         , m_version(0xFFFFFFFF)
@@ -2293,7 +2295,7 @@
         if (filePath.isEmpty())
             filePath = path->string();
 
-        if (m_isJSIDBSerializationGlobalObject)
+        if (!m_canCreateDOMObject)
             return true;
 
         file = File::deserialize(scriptExecutionContextFromExecState(m_lexicalGlobalObject), filePath, URL(URL(), url->string()), type->string(), name->string(), optionalLastModified);
@@ -2950,7 +2952,7 @@
             fingerprints.uncheckedAppend(RTCCertificate::DtlsFingerprint { algorithm->string(), value->string() });
         }
 
-        if (m_isJSIDBSerializationGlobalObject)
+        if (!m_canCreateDOMObject)
             return constructEmptyObject(m_lexicalGlobalObject, m_globalObject->objectPrototype());
 
         auto rtcCertificate = RTCCertificate::create(SecurityOrigin::createFromString(origin->string()), expires, WTFMove(fingerprints), certificate->takeString(), keyedMaterial->takeString());
@@ -3164,7 +3166,7 @@
             RefPtr<File> file;
             if (!readFile(file))
                 return JSValue();
-            if (m_isJSIDBSerializationGlobalObject)
+            if (!m_canCreateDOMObject)
                 return jsNull();
             return toJS(m_lexicalGlobalObject, jsCast<JSDOMGlobalObject*>(m_globalObject), file.get());
         }
@@ -3178,10 +3180,10 @@
                 RefPtr<File> file;
                 if (!readFile(file))
                     return JSValue();
-                if (!m_isJSIDBSerializationGlobalObject)
+                if (m_canCreateDOMObject)
                     files.append(file.releaseNonNull());
             }
-            if (m_isJSIDBSerializationGlobalObject)
+            if (!m_canCreateDOMObject)
                 return jsNull();
             return getJSValue(FileList::create(WTFMove(files)).get());
         }
@@ -3199,6 +3201,10 @@
                 fail();
                 return JSValue();
             }
+            if (!m_isDOMGlobalObject) {
+                m_ptr += length;
+                return jsNull();
+            }
             IntSize imageSize(width, height);
             RELEASE_ASSERT(!length || (imageSize.area() * 4).unsafeGet() <= length);
             auto result = ImageData::create(imageSize);
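Review bot: The new early-out advances the read pointer with `m_ptr += length` without any visible check that `length` fits in the remaining buffer; it depends on the `fail()` guard just above, whose condition lies outside the hunk, having already validated `length` against `m_end - m_ptr`. A one-line comment such as `// length was bounds-checked above; skip the pixel payload we cannot wrap in a non-DOM global object.` would make that dependency explicit for anyone later changing the guard. This branch also tests `m_isDOMGlobalObject` while every other tag in the function tests `m_canCreateDOMObject`; if that asymmetry is intentional, the same comment should say so. readTerminal starts and ends outside the hunk.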
@@ -3223,7 +3229,7 @@
             unsigned long long size = 0;
             if (!read(size))
                 return JSValue();
-            if (m_isJSIDBSerializationGlobalObject)
+            if (!m_canCreateDOMObject)
                 return jsNull();
             return getJSValue(Blob::deserialize(scriptExecutionContextFromExecState(m_lexicalGlobalObject), URL(URL(), url->string()), type->string(), size, blobFilePathForBlobURL(url->string())).get());
         }
@@ -3416,7 +3422,8 @@
     }
 
     JSGlobalObject* m_globalObject;
-    bool m_isJSIDBSerializationGlobalObject;
+    bool m_isDOMGlobalObject;
+    bool m_canCreateDOMObject;
     const uint8_t* m_ptr;
     const uint8_t* m_end;
     unsigned m_version;
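Review bot: The two new members carry no comment describing how they relate, yet the `toJS(m_lexicalGlobalObject, jsCast<JSDOMGlobalObject*>(m_globalObject), file.get())` call in readTerminal is only safe because `m_canCreateDOMObject` implies `m_isDOMGlobalObject`. Suggest `bool m_isDOMGlobalObject; // m_globalObject inherits JSDOMGlobalObject; required before jsCast<JSDOMGlobalObject*>(m_globalObject)` and `bool m_canCreateDOMObject; // m_isDOMGlobalObject && not the IDB serialization global object` so the invariant is stated where the flags are declared rather than left implicit in the constructor initializers. The class body continues outside the hunk.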

Modified: trunk/Tools/TestWebKitAPI/Tests/WebKit/EvaluateJavaScript.cpp (266469 => 266470)


--- trunk/Tools/TestWebKitAPI/Tests/WebKit/EvaluateJavaScript.cpp	2020-09-02 16:38:46 UTC (rev 266469)
+++ trunk/Tools/TestWebKitAPI/Tests/WebKit/EvaluateJavaScript.cpp	2020-09-02 17:04:34 UTC (rev 266470)
@@ -60,6 +60,28 @@
     Util::run(&testDone);
 }
 
+static void didCreateBlob(WKSerializedScriptValueRef serializedScriptValue, WKErrorRef error, void* context)
+{
+    EXPECT_NOT_NULL(serializedScriptValue);
+    JSGlobalContextRef jsContext = JSGlobalContextCreate(0);
+    EXPECT_NOT_NULL(jsContext);
+    auto jsValue = WKSerializedScriptValueDeserialize(serializedScriptValue, jsContext, 0);
+    EXPECT_NOT_NULL(jsValue);
+
+    testDone = true;
+}
+
+TEST(WebKit, EvaluateJavaScriptThatCreatesBlob)
+{
+    WKRetainPtr<WKContextRef> context = adoptWK(WKContextCreateWithConfiguration(nullptr));
+    PlatformWebView webView(context.get());
+
+    WKRetainPtr<WKStringRef> _javascript_String = adoptWK(WKStringCreateWithUTF8CString("new Blob(['this is a test blob'])"));
+    WKPageRunJavaScriptInMainFrame(webView.page(), _javascript_String.get(), 0, didCreateBlob);
+
+    Util::run(&testDone);
+}
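Review bot: `didCreateBlob` creates a context with `JSGlobalContextCreate(0)` and never releases it, so each run of the new test leaks a JSGlobalContext; add `JSGlobalContextRelease(jsContext);` after the `EXPECT_NOT_NULL(jsValue)` check. The `error` parameter is unused, so a failed evaluation would surface only as a null serialized value; `EXPECT_NULL(error);` at the top of the callback would make the failure mode explicit. The two `0` arguments passed for pointer parameters (the exception out-pointer in `WKSerializedScriptValueDeserialize` and the context pointer in `WKPageRunJavaScriptInMainFrame`) would read better as `nullptr`, matching the `WKContextCreateWithConfiguration(nullptr)` call in the same test.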
+
 } // namespace TestWebKitAPI
 
 #endif