Title: [94110] trunk/Source/WebCore
- Revision
- 94110
- Author
- [email protected]
- Date
- 2011-08-30 14:25:23 -0700 (Tue, 30 Aug 2011)
Log Message
https://bugs.webkit.org/show_bug.cgi?id=67210
[Chromium] Use after free in ScheduledAction::execute(WebCore::V8Proxy*)
Reviewed by David Levin.
* bindings/v8/ScheduledAction.cpp:
(WebCore::ScheduledAction::execute):
Removed usage of V8Proxy instance after it could have been deleted.
* bindings/v8/V8Proxy.cpp:
(WebCore::V8Proxy::V8Proxy):
* bindings/v8/V8Proxy.h:
Removed unused timerCallback() and setTimerCallback().
Modified: trunk/Source/WebCore/ChangeLog (94109 => 94110)
--- trunk/Source/WebCore/ChangeLog 2011-08-30 21:22:48 UTC (rev 94109)
+++ trunk/Source/WebCore/ChangeLog 2011-08-30 21:25:23 UTC (rev 94110)
@@ -1,3 +1,19 @@
+2011-08-30 Dmitry Titov <[email protected]>
+
+ https://bugs.webkit.org/show_bug.cgi?id=67210
+ [Chromium] Use after free in ScheduledAction::execute(WebCore::V8Proxy*)
+
+ Reviewed by David Levin.
+
+ * bindings/v8/ScheduledAction.cpp:
+ (WebCore::ScheduledAction::execute):
+ Removed usage of V8Proxy instance after it could have been deleted.
+
+ * bindings/v8/V8Proxy.cpp:
+ (WebCore::V8Proxy::V8Proxy):
+ * bindings/v8/V8Proxy.h:
+ Removed unused timerCallback() and setTimerCallback().
+
2011-08-30 Abhishek Arya <[email protected]>
Style not updated for table parts in :before, :after content.
Modified: trunk/Source/WebCore/bindings/v8/ScheduledAction.cpp (94109 => 94110)
--- trunk/Source/WebCore/bindings/v8/ScheduledAction.cpp 2011-08-30 21:22:48 UTC (rev 94109)
+++ trunk/Source/WebCore/bindings/v8/ScheduledAction.cpp 2011-08-30 21:25:23 UTC (rev 94110)
@@ -120,8 +120,6 @@
v8::Context::Scope scope(v8Context);
- proxy->setTimerCallback(true);
-
// FIXME: Need to implement timeouts for preempting a long-running script.
if (!m_function.IsEmpty() && m_function->IsFunction()) {
proxy->callFunction(v8::Persistent<v8::Function>::Cast(m_function), v8Context->Global(), m_argc, m_argv);
@@ -129,7 +127,7 @@
} else
proxy->evaluate(m_code, 0);
- proxy->setTimerCallback(false);
+ // The 'proxy' may be invalid at this point since JS could have released the owning Frame.
}
#if ENABLE(WORKERS)
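Review bot: The comment added after `proxy->evaluate(m_code, 0);` documents that `proxy` may be dangling, but it sits at the very end of the function where it is easy to overlook, and any statement later inserted between the `callFunction`/`evaluate` calls and the closing brace would silently reintroduce the use-after-free this commit removes. Consider making it a rule rather than an observation, e.g. `// Do not use 'proxy' after callFunction()/evaluate() returns: the script may have released the owning Frame, which destroys the proxy.` placed directly after both call sites in the if/else. The `v8Context` local and the `v8::Context::Scope scope(v8Context)` guard from the first hunk also stay live until the function exits; whether that handle is still valid once the Frame is gone is not visible here, and the same comment should state what is assumed. The enclosing `ScheduledAction::execute` starts before the first hunk.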
Modified: trunk/Source/WebCore/bindings/v8/V8Proxy.cpp (94109 => 94110)
--- trunk/Source/WebCore/bindings/v8/V8Proxy.cpp 2011-08-30 21:22:48 UTC (rev 94109)
+++ trunk/Source/WebCore/bindings/v8/V8Proxy.cpp 2011-08-30 21:25:23 UTC (rev 94110)
@@ -191,7 +191,6 @@
: m_frame(frame)
, m_windowShell(V8DOMWindowShell::create(frame))
, m_inlineCode(false)
- , m_timerCallback(false)
, m_recursion(0)
{
}
Modified: trunk/Source/WebCore/bindings/v8/V8Proxy.h (94109 => 94110)
--- trunk/Source/WebCore/bindings/v8/V8Proxy.h 2011-08-30 21:22:48 UTC (rev 94109)
+++ trunk/Source/WebCore/bindings/v8/V8Proxy.h 2011-08-30 21:25:23 UTC (rev 94110)
@@ -146,9 +146,6 @@
bool inlineCode() const { return m_inlineCode; }
void setInlineCode(bool value) { m_inlineCode = value; }
- bool timerCallback() const { return m_timerCallback; }
- void setTimerCallback(bool value) { m_timerCallback = value; }
-
void finishedWithEvent(Event*) { }
// Evaluate _javascript_ in a new isolated world. The script gets its own
@@ -314,10 +311,6 @@
// Only valid during execution.
bool m_inlineCode;
- // True when executing from within a timer callback. Only valid during
- // execution.
- bool m_timerCallback;
-
// Track the recursion depth to be able to avoid too deep recursion. The V8
// engine allows much more recursion than KJS does so we need to guard against
// excessive recursion in the binding layer.