Revision: 132140
Author: jsb...@chromium.org
Date: 2012-10-22 14:53:27 -0700 (Mon, 22 Oct 2012)
Log Message
IndexedDB: Bounds check for IDBCursor.advance() incorrect
https://bugs.webkit.org/show_bug.cgi?id=100014
Reviewed by Tony Chang.
Source/WebCore:
Fix introduced by trac.webkit.org/changeset/131658 restricted cursor.advance()'s argument
as [EnforceRange] unsigned long long, but it's typed as [EnforceRange] unsigned long; the
useless comparison was caught by a clang check.
In lieu of webkit.org/b/96798 make it long long and correct the range check.
Test: storage/indexeddb/cursor-advance.html
* Modules/indexeddb/IDBCursor.cpp:
(WebCore::IDBCursor::advance):
* Modules/indexeddb/IDBCursor.h:
(IDBCursor):
* Modules/indexeddb/IDBCursor.idl:
LayoutTests:
Assert that advance(2^32) throws and advance(2^32-1) does not, per WebIDL.
* storage/indexeddb/cursor-advance-expected.txt:
* storage/indexeddb/resources/cursor-advance.js:
(testBadAdvance.advanceBadly):
(testBadAdvance):
(testEdges.request.onsuccess):
(testEdges):
Diff
Modified: trunk/LayoutTests/ChangeLog (132139 => 132140)
--- trunk/LayoutTests/ChangeLog 2012-10-22 21:49:08 UTC (rev 132139)
+++ trunk/LayoutTests/ChangeLog 2012-10-22 21:53:27 UTC (rev 132140)
@@ -1,3 +1,19 @@
+2012-10-22 Joshua Bell <jsb...@chromium.org>
+
+ IndexedDB: Bounds check for IDBCursor.advance() incorrect
+ https://bugs.webkit.org/show_bug.cgi?id=100014
+
+ Reviewed by Tony Chang.
+
+ Assert that advance(2^32) throws and advance(2^32-1) does not, per WebIDL.
+
+ * storage/indexeddb/cursor-advance-expected.txt:
+ * storage/indexeddb/resources/cursor-advance.js:
+ (testBadAdvance.advanceBadly):
+ (testBadAdvance):
+ (testEdges.request.onsuccess):
+ (testEdges):
+
2012-10-22 Raphael Kubo da Costa <raphael.kubo.da.co...@intel.com>
[EFL] Rebaseline pixel expectations after r131941 and r131991, part 7.
Modified: trunk/LayoutTests/storage/indexeddb/cursor-advance-expected.txt (132139 => 132140)
--- trunk/LayoutTests/storage/indexeddb/cursor-advance-expected.txt 2012-10-22 21:49:08 UTC (rev 132139)
+++ trunk/LayoutTests/storage/indexeddb/cursor-advance-expected.txt 2012-10-22 21:53:27 UTC (rev 132140)
@@ -140,9 +140,26 @@
Expecting TypeError exception from cursor.advance(-1)
PASS Exception was thrown.
PASS cursor.advance(-1) threw TypeError: Type error
+Expecting TypeError exception from cursor.advance(0x100000000)
+PASS Exception was thrown.
+PASS cursor.advance(0x100000000) threw TypeError: Type error
Expecting TypeError exception from cursor.advance(0x20000000000000)
PASS Exception was thrown.
PASS cursor.advance(0x20000000000000) threw TypeError: Type error
+
+testEdges():
+trans = db.transaction(objectStoreName, 'readonly')
+objectStore = trans.objectStore(objectStoreName)
+request = objectStore.openCursor()
+
+onSuccess():
+cursor = event.target.result
+PASS cursor is non-null.
+cursor.advance(0xffffffff)
+
+onSuccess():
+cursor = event.target.result
+PASS cursor is null
testDelete()
trans = db.transaction(objectStoreName, 'readwrite')
objectStore = trans.objectStore(objectStoreName)
Modified: trunk/LayoutTests/storage/indexeddb/resources/cursor-advance.js (132139 => 132140)
--- trunk/LayoutTests/storage/indexeddb/resources/cursor-advance.js 2012-10-22 21:49:08 UTC (rev 132139)
+++ trunk/LayoutTests/storage/indexeddb/resources/cursor-advance.js 2012-10-22 21:53:27 UTC (rev 132140)
@@ -331,12 +331,38 @@
evalAndExpectExceptionClass("cursor.advance(0)", "TypeError");
evalAndExpectExceptionClass("cursor.advance(-1)", "TypeError");
+ evalAndExpectExceptionClass("cursor.advance(0x100000000)", "TypeError");
evalAndExpectExceptionClass("cursor.advance(0x20000000000000)", "TypeError");
- testDelete();
+ testEdges();
}
request._onsuccess_ = advanceBadly;
request._onerror_ = unexpectedErrorCallback;
+}
+function testEdges()
+{
+ preamble();
+ evalAndLog("trans = db.transaction(objectStoreName, 'readonly')");
+ trans._onabort_ = unexpectedAbortCallback;
+
+ objectStore = evalAndLog("objectStore = trans.objectStore(objectStoreName)");
+ evalAndLog("request = objectStore.openCursor()");
+ request._onerror_ = unexpectedErrorCallback;
+
+ firstSuccess = true;
+ request._onsuccess_ = function onSuccess(evt) {
+ preamble(event);
+ evalAndLog("cursor = event.target.result");
+ if (firstSuccess) {
+ shouldBeNonNull("cursor");
+ firstSuccess = false;
+ evalAndLog("cursor.advance(0xffffffff)");
+ } else {
+ shouldBeNull("cursor");
+ }
+ };
+
+ trans._oncomplete_ = testDelete;
}
function testDelete()
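Review bot: the new onSuccess handler in testEdges() declares its parameter as evt but then calls preamble(event) and evaluates event.target.result, so it depends on a global event rather than on the argument it was given; pass evt to preamble() (or rename the parameter) so the handler reads the event it was actually called with. firstSuccess is also assigned without var, which makes it an implicit global that any other function in this file using the same name would share; declare it with var inside testEdges().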
Modified: trunk/Source/WebCore/ChangeLog (132139 => 132140)
--- trunk/Source/WebCore/ChangeLog 2012-10-22 21:49:08 UTC (rev 132139)
+++ trunk/Source/WebCore/ChangeLog 2012-10-22 21:53:27 UTC (rev 132140)
@@ -1,3 +1,24 @@
+2012-10-22 Joshua Bell <jsb...@chromium.org>
+
+ IndexedDB: Bounds check for IDBCursor.advance() incorrect
+ https://bugs.webkit.org/show_bug.cgi?id=100014
+
+ Reviewed by Tony Chang.
+
+ Fix introduced by trac.webkit.org/changeset/131658 restricted cursor.advance()'s argument
+ as [EnforceRange] unsigned long long, but it's typed as [EnforceRange] unsigned long; the
+ useless comparison was caught by a clang check.
+
+ In lieu of webkit.org/b/96798 make it long long and correct the range check.
+
+ Test: storage/indexeddb/cursor-advance.html
+
+ * Modules/indexeddb/IDBCursor.cpp:
+ (WebCore::IDBCursor::advance):
+ * Modules/indexeddb/IDBCursor.h:
+ (IDBCursor):
+ * Modules/indexeddb/IDBCursor.idl:
+
2012-10-22 Tony Chang <t...@chromium.org>
WebKit does not support 'flex-wrap: nowrap'
Modified: trunk/Source/WebCore/Modules/indexeddb/IDBCursor.cpp (132139 => 132140)
--- trunk/Source/WebCore/Modules/indexeddb/IDBCursor.cpp 2012-10-22 21:49:08 UTC (rev 132139)
+++ trunk/Source/WebCore/Modules/indexeddb/IDBCursor.cpp 2012-10-22 21:53:27 UTC (rev 132140)
@@ -39,6 +39,7 @@
#include "IDBTransaction.h"
#include "ScriptCallStack.h"
#include "ScriptExecutionContext.h"
+#include <limits>
namespace WebCore {
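Review bot: the added #include <limits> does not match what the patch uses further down in this file: the new range check compares against UINT_MAX, a macro that comes from <limits.h> (<climits>), while <limits> provides std::numeric_limits. Either include <limits.h> explicitly or write the bound as std::numeric_limits<unsigned>::max(), so that the include is the one the code relies on and the build does not depend on a transitive include.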
@@ -156,7 +157,7 @@
return objectStore->put(IDBObjectStoreBackendInterface::CursorUpdate, IDBAny::create(this), context, value, m_currentPrimaryKey, ec);
}
-void IDBCursor::advance(long count, ExceptionCode& ec)
+void IDBCursor::advance(long long count, ExceptionCode& ec)
{
IDB_TRACE("IDBCursor::advance");
if (!m_gotValue) {
@@ -170,8 +171,7 @@
}
// FIXME: This should only need to check for 0 once webkit.org/b/96798 lands.
- const int64_t maxECMAScriptInteger = 0x20000000000000LL - 1;
- if (count < 1 || count > maxECMAScriptInteger) {
+ if (count < 1 || count > UINT_MAX) {
ec = NATIVE_TYPE_ERR;
return;
}
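Review bot: in the changed condition, count > UINT_MAX bounds the argument by the width of unsigned int, while the range being enforced is the WebIDL unsigned long range that the new tests pin at 2^32-1 (advance(0xffffffff) accepted, advance(0x100000000) rejected). Spelling the bound as an explicit 32-bit limit, for example std::numeric_limits<uint32_t>::max(), ties the check to the spec range rather than to the platform's int width, and a short comment saying the upper bound stands in for [EnforceRange] would tell the next reader why it can be dropped once webkit.org/b/96798 lands.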
Modified: trunk/Source/WebCore/Modules/indexeddb/IDBCursor.h (132139 => 132140)
--- trunk/Source/WebCore/Modules/indexeddb/IDBCursor.h 2012-10-22 21:49:08 UTC (rev 132139)
+++ trunk/Source/WebCore/Modules/indexeddb/IDBCursor.h 2012-10-22 21:53:27 UTC (rev 132140)
@@ -76,7 +76,8 @@
IDBAny* source() const;
PassRefPtr<IDBRequest> update(ScriptExecutionContext*, ScriptValue&, ExceptionCode&);
- void advance(long, ExceptionCode&);
+ // FIXME: Make this unsigned long once webkit.org/b/96798 lands.
+ void advance(long long, ExceptionCode&);
void continueFunction(PassRefPtr<IDBKey>, ExceptionCode&);
PassRefPtr<IDBRequest> deleteFunction(ScriptExecutionContext*, ExceptionCode&);
Modified: trunk/Source/WebCore/Modules/indexeddb/IDBCursor.idl (132139 => 132140)
--- trunk/Source/WebCore/Modules/indexeddb/IDBCursor.idl 2012-10-22 21:49:08 UTC (rev 132139)
+++ trunk/Source/WebCore/Modules/indexeddb/IDBCursor.idl 2012-10-22 21:53:27 UTC (rev 132140)
@@ -40,7 +40,7 @@
[CallWith=ScriptExecutionContext] IDBRequest update(in any value)
raises (IDBDatabaseException);
// FIXME: Make this [EnforceRange] unsigned long once webkit.org/b/96798 lands.
- void advance(in long count)
+ void advance(in long long count)
raises (IDBDatabaseException);
[ImplementedAs=continueFunction] void continue(in [Optional] IDBKey key)
raises (IDBDatabaseException);
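Review bot: with the parameter declared as plain long long on the changed advance() line and [EnforceRange] still deferred by the FIXME above it, the only range enforcement is the check in IDBCursor::advance(), which runs after the binding has already converted the script value to long long. The tests in this patch cover 0x100000000 and 0x20000000000000, both of which fit in a long long; it would be worth adding cases for values a long long cannot hold and for non-finite values (NaN, Infinity), each asserting TypeError, so that the result does not depend on how that conversion handles them.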