[SCM] WebKit Debian packaging branch, webkit-1.2, updated. upstream/1.1.90-6072-g9a69373

aroben at apple.com aroben at apple.com
Thu Apr 8 00:03:20 UTC 2010


The following commit has been merged in the webkit-1.2 branch:
commit 391d91e902c4b6c5baf93f8e3ff4ab4038adb0b6
Author: aroben at apple.com <aroben at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Mon Nov 30 21:41:03 2009 +0000

    Fix double-free of BSTRs passed to WebNavigationData::createInstance
    
    WebFrameLoaderClient::updateGlobalHistory was converting
    WebCore::Strings to WebCore::BStrings, then passing them to
    WebNavigationData::createInstance. But the latter function takes BSTR
    parameters and adopts them into WebCore::BStrings. So the end result
    was that two WebCore::BStrings would end up freeing each underlying
    BSTR.
    
    The fix is to only convert to WebCore::BString inside
    WebNavigationData.
    
    Fixes <http://webkit.org/b/31998> <rdar://problem/7383452> REGRESSION
    (r49564): Crash in updateGlobalHistory when running Javascript iBench
    test
    
    I couldn't find a way to reproduce this in DumpRenderTree.
    
    Reviewed by Steve Falkenburg.
    
    * WebCoreSupport/WebFrameLoaderClient.cpp:
    (WebFrameLoaderClient::updateGlobalHistory): Pass WebCore::Strings to
    WebNavigationData::createInstance.
    
    * WebNavigationData.cpp:
    (WebNavigationData::WebNavigationData):
    (WebNavigationData::createInstance):
    * WebNavigationData.h:
    Changed to take const WebCore::String&s instead of BSTRs and to
    convert the Strings to BStrings at this level.
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@51510 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/WebKit/win/ChangeLog b/WebKit/win/ChangeLog
index f18a808..514bd74 100644
--- a/WebKit/win/ChangeLog
+++ b/WebKit/win/ChangeLog
@@ -1,3 +1,36 @@
+2009-11-30  Adam Roben  <aroben at apple.com>
+
+        Fix double-free of BSTRs passed to WebNavigationData::createInstance
+
+        WebFrameLoaderClient::updateGlobalHistory was converting
+        WebCore::Strings to WebCore::BStrings, then passing them to
+        WebNavigationData::createInstance. But the latter function takes BSTR
+        parameters and adopts them into WebCore::BStrings. So the end result
+        was that two WebCore::BStrings would end up freeing each underlying
+        BSTR.
+
+        The fix is to only convert to WebCore::BString inside
+        WebNavigationData.
+
+        Fixes <http://webkit.org/b/31998> <rdar://problem/7383452> REGRESSION
+        (r49564): Crash in updateGlobalHistory when running Javascript iBench
+        test
+
+        I couldn't find a way to reproduce this in DumpRenderTree.
+
+        Reviewed by Steve Falkenburg.
+
+        * WebCoreSupport/WebFrameLoaderClient.cpp:
+        (WebFrameLoaderClient::updateGlobalHistory): Pass WebCore::Strings to
+        WebNavigationData::createInstance.
+
+        * WebNavigationData.cpp:
+        (WebNavigationData::WebNavigationData):
+        (WebNavigationData::createInstance):
+        * WebNavigationData.h:
+        Changed to take const WebCore::String&s instead of BSTRs and to
+        convert the Strings to BStrings at this level.
+
 2009-11-30  Steve Falkenburg  <sfalken at apple.com>
 
         Reviewed by Adam Roben.
diff --git a/WebKit/win/WebCoreSupport/WebFrameLoaderClient.cpp b/WebKit/win/WebCoreSupport/WebFrameLoaderClient.cpp
index 558348f..5eabcde 100644
--- a/WebKit/win/WebCoreSupport/WebFrameLoaderClient.cpp
+++ b/WebKit/win/WebCoreSupport/WebFrameLoaderClient.cpp
@@ -500,14 +500,11 @@ void WebFrameLoaderClient::updateGlobalHistory()
     webView->historyDelegate(&historyDelegate);
 
     if (historyDelegate) {
-        BString url(loader->urlForHistory());
-        BString title(loader->title());
-        BString redirectSource(loader->clientRedirectSourceForHistory());
         COMPtr<IWebURLResponse> urlResponse(AdoptCOM, WebURLResponse::createInstance(loader->response()));
         COMPtr<IWebURLRequest> urlRequest(AdoptCOM, WebMutableURLRequest::createInstance(loader->originalRequestCopy()));
         
         COMPtr<IWebNavigationData> navigationData(AdoptCOM, WebNavigationData::createInstance(
-            url, title, urlRequest.get(), urlResponse.get(), loader->substituteData().isValid(), redirectSource));
+            loader->urlForHistory(), loader->title(), urlRequest.get(), urlResponse.get(), loader->substituteData().isValid(), loader->clientRedirectSourceForHistory()));
 
         historyDelegate->didNavigateWithNavigationData(webView, navigationData.get(), m_webFrame);
         return;
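Review bot: The safety of the rewritten createInstance call depends on WebNavigationData copying the String temporaries (urlForHistory(), title(), clientRedirectSourceForHistory()) into its own BStrings before the full-expression ends, and nothing at the call site records that ownership rule — which is exactly what r49564 got wrong. A comment above the call would keep a future caller from reintroducing BString adoption here: `// createInstance copies these Strings into its own BStrings; never pass adopted BSTRs here (see webkit.org/b/31998).` The argument list on the new line is also long enough to deserve one argument per line, as the removed locals previously kept it readable. updateGlobalHistory begins and ends outside the hunk.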
diff --git a/WebKit/win/WebNavigationData.cpp b/WebKit/win/WebNavigationData.cpp
index 1ae3fe5..1ea028c 100644
--- a/WebKit/win/WebNavigationData.cpp
+++ b/WebKit/win/WebNavigationData.cpp
@@ -27,8 +27,7 @@
 #include "WebKitDLL.h"
 #include "WebNavigationData.h"
 
-#include <WebCore/BString.h>
-using WebCore::BString;
+using namespace WebCore;
 
 // IUnknown -------------------------------------------------------------------
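Review bot: Dropping `#include <WebCore/BString.h>` leaves this file still constructing BString members from Strings in the constructor later in the diff, so BString's definition now arrives only transitively through WebNavigationData.h; that header presumably includes it since the members are BStrings, but the include block is not visible here, and include-what-you-use would keep the direct include alongside the new `using namespace WebCore;`. If the direct include is intentionally removed, a one-line note such as `// BString and String come in via WebNavigationData.h` would make the dependency explicit.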
 
@@ -62,19 +61,18 @@ ULONG STDMETHODCALLTYPE WebNavigationData::Release(void)
 
 // WebNavigationData -------------------------------------------------------------------
 
-WebNavigationData::WebNavigationData(BSTR url, BSTR title, IWebURLRequest* request, IWebURLResponse* response, bool hasSubstituteData, BSTR clientRedirectSource)
+WebNavigationData::WebNavigationData(const String& url, const String& title, IWebURLRequest* request, IWebURLResponse* response, bool hasSubstituteData, const String& clientRedirectSource)
     : m_refCount(0)
+    , m_url(url)
+    , m_title(title)
     , m_request(request)
     , m_response(response)
     , m_hasSubstituteData(hasSubstituteData)
+    , m_clientRedirectSource(clientRedirectSource)
 
 {
     gClassCount++;
     gClassNameCount.add("WebNavigationData");
-
-    m_url.adoptBSTR(url);
-    m_title.adoptBSTR(title);
-    m_clientRedirectSource.adoptBSTR(clientRedirectSource);
 }
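Review bot: The constructor now copies its String arguments into the BString members in the initializer list, but nothing in the code says why it takes Strings rather than BSTRs, and that reasoning is the whole fix; a comment above the constructor would keep a later edit from "optimizing" back to adoption: `// Takes Strings, not BSTRs: the BString members copy them, so there is no BSTR to adopt and no second owner to free it.` The initializer order written here (m_url, m_title, m_request, m_response, m_hasSubstituteData, m_clientRedirectSource) only documents intent — actual initialization follows the declaration order in WebNavigationData.h, which this diff does not show, so a -Wreorder warning would be the signal if they differ. The stray blank line between the initializer list and the opening brace can go.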
 
 WebNavigationData::~WebNavigationData()
@@ -83,7 +81,7 @@ WebNavigationData::~WebNavigationData()
     gClassNameCount.remove("WebNavigationData");
 }
 
-WebNavigationData* WebNavigationData::createInstance(BSTR url, BSTR title, IWebURLRequest* request, IWebURLResponse* response, bool hasSubstituteData, BSTR clientRedirectSource)
+WebNavigationData* WebNavigationData::createInstance(const String& url, const String& title, IWebURLRequest* request, IWebURLResponse* response, bool hasSubstituteData, const String& clientRedirectSource)
 {
     WebNavigationData* instance = new WebNavigationData(url, title, request, response, hasSubstituteData, clientRedirectSource);
     instance->AddRef();
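Review bot: createInstance hands back a raw pointer that already carries one reference from the AddRef on the last visible line, and the signature change makes this the natural place to record that contract so callers keep adopting it the way WebFrameLoaderClient does with AdoptCOM: `// Returns a +1 reference; the caller must adopt it (COMPtr with AdoptCOM) or Release it.` The body's return statement lies outside the hunk.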
diff --git a/WebKit/win/WebNavigationData.h b/WebKit/win/WebNavigationData.h
index 0443fd7..d00912c 100644
--- a/WebKit/win/WebNavigationData.h
+++ b/WebKit/win/WebNavigationData.h
@@ -33,9 +33,9 @@
 
 class WebNavigationData : public IWebNavigationData {
 public:
-    static WebNavigationData* createInstance(BSTR, BSTR, IWebURLRequest*, IWebURLResponse*, bool, BSTR);
+    static WebNavigationData* createInstance(const WebCore::String& url, const WebCore::String& title, IWebURLRequest*, IWebURLResponse*, bool hasSubstituteData, const WebCore::String& clientRedirectSource);
 private:
-    WebNavigationData(BSTR url, BSTR title, IWebURLRequest*, IWebURLResponse*, bool hasSubstituteData, BSTR clientRedirectSource);
+    WebNavigationData(const WebCore::String& url, const WebCore::String& title, IWebURLRequest*, IWebURLResponse*, bool hasSubstituteData, const WebCore::String& clientRedirectSource);
     ~WebNavigationData();
 
 public:
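Review bot: The two COM pointer parameters are left unnamed in both new declarations while the String and bool parameters gained names, so the signatures are only half self-documenting; `IWebURLRequest* request, IWebURLResponse* response` in both lines makes them consistent. The header now names WebCore::String in a public signature, so a declaration of WebCore::String must be visible above this point — the hunk does not show the include block, and it is presumably already provided by whatever declares BString for the members, but worth confirming. The class body continues outside the hunk.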

-- 
WebKit Debian packaging


