[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc
oliver at apple.com
oliver at apple.com
Wed Dec 22 14:44:35 UTC 2010
The following commit has been merged in the debian/experimental branch:
commit 8660960f541f54f704717839d998df8687fe348e
Author: oliver at apple.com <oliver at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Tue Oct 19 02:33:33 2010 +0000
2010-10-18 Oliver Hunt <oliver at apple.com>
Reviewed by Sam Weinig.
REGRESSION: Feedly extension crashes Webkit
https://bugs.webkit.org/show_bug.cgi?id=45811
Make test cover large number of properties/string pairs, at two offsets to get the
new allocation to occur at different locations.
* fast/dom/Window/window-postmessage-clone-expected.txt:
* fast/dom/Window/window-postmessage-clone.html:
2010-10-18 Oliver Hunt <oliver at apple.com>
Reviewed by Sam Weinig.
REGRESSION: Feedly extension crashes Webkit
https://bugs.webkit.org/show_bug.cgi?id=45811
The basic problem was the deserializer was holding a pointer into
the constant pool, but if you were sufficiently unlucky then the
constant pool would be moved while still relying on the pointer,
which leads to badness.
I looked at just making all the sites this could happen extract the
right string/jsstring before any possible allocations, but it seemed
too fragile, so I've gone for a forwarding object as the solution.
* bindings/js/SerializedScriptValue.cpp:
(WebCore::CloneDeserializer::CachedStringRef::CachedStringRef):
(WebCore::CloneDeserializer::CachedStringRef::operator->):
(WebCore::CloneDeserializer::readStringData):
(WebCore::CloneDeserializer::readFile):
(WebCore::CloneDeserializer::readTerminal):
(WebCore::CloneDeserializer::deserialize):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@70018 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 62e5eed..116980e 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,16 @@
+2010-10-18 Oliver Hunt <oliver at apple.com>
+
+ Reviewed by Sam Weinig.
+
+ REGRESSION: Feedly extension crashes Webkit
+ https://bugs.webkit.org/show_bug.cgi?id=45811
+
+ Make test cover large number of properties/string pairs, at two offsets to get the
+ new allocation to occur at different locations.
+
+ * fast/dom/Window/window-postmessage-clone-expected.txt:
+ * fast/dom/Window/window-postmessage-clone.html:
+
2010-10-18 James Robinson <jamesr at chromium.org>
Update chromium test expectations
diff --git a/LayoutTests/fast/dom/Window/window-postmessage-clone-expected.txt b/LayoutTests/fast/dom/Window/window-postmessage-clone-expected.txt
index edb0124..7b4fc89 100644
--- a/LayoutTests/fast/dom/Window/window-postmessage-clone-expected.txt
+++ b/LayoutTests/fast/dom/Window/window-postmessage-clone-expected.txt
@@ -15,6 +15,8 @@ PASS: eventData is [object Object] of type object
PASS: eventData is [object Object] of type object
PASS: eventData is [object Object] of type object
PASS: eventData is [object Object] of type object
+PASS: eventData is [object Object] of type object
+PASS: eventData is [object Object] of type object
PASS: eventData is of type object
PASS: eventData is a,a,b,a,b of type object
PASS: eventData is a,a,b,[object Object] of type object
diff --git a/LayoutTests/fast/dom/Window/window-postmessage-clone.html b/LayoutTests/fast/dom/Window/window-postmessage-clone.html
index 6cb337d..6733e09 100644
--- a/LayoutTests/fast/dom/Window/window-postmessage-clone.html
+++ b/LayoutTests/fast/dom/Window/window-postmessage-clone.html
@@ -126,6 +126,8 @@ tryPostMessage('({})');
tryPostMessage('({a:1})');
tryPostMessage('({a:"a"})');
tryPostMessage('({b:"a", a:"b"})');
+tryPostMessage('({p0:"string0", p1:"string1", p2:"string2", p3:"string3", p4:"string4", p5:"string5", p6:"string6", p7:"string7", p8:"string8", p9:"string9", p10:"string10", p11:"string11", p12:"string12", p13:"string13", p14:"string14", p15:"string15", p16:"string16", p17:"string17", p18:"string18", p19:"string19"})');
+tryPostMessage('({p0:"string1", p1:"string1", p2:"string2", p3:"string3", p4:"string4", p5:"string5", p6:"string6", p7:"string7", p8:"string8", p9:"string9", p10:"string10", p11:"string11", p12:"string12", p13:"string13", p14:"string14", p15:"string15", p16:"string16", p17:"string17", p18:"string18", p19:"string19"})');
tryPostMessage('({a:""})');
tryPostMessage('({a:0})');
tryPostMessage('({a:1})');
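Review bot: The two added tryPostMessage calls read as an arbitrary dump of twenty property/string pairs; nothing in the test says they exist to drive the deserializer's constant pool through a reallocation at two different offsets (the second object differs from the first only in p0). A one-line comment above them would preserve that intent for whoever next trims the test, e.g. `// Many distinct strings so the deserializer's constant pool reallocates mid-read (bug 45811); the second object shifts the offset.` The surrounding script continues outside the hunk.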
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 9ab6db2..078807b 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,27 @@
+2010-10-18 Oliver Hunt <oliver at apple.com>
+
+ Reviewed by Sam Weinig.
+
+ REGRESSION: Feedly extension crashes Webkit
+ https://bugs.webkit.org/show_bug.cgi?id=45811
+
+ The basic problem was the deserializer was holding a pointer into
+ the constant pool, but if you were sufficiently unlucky then the
+ constant pool would be moved while still relying on the pointer,
+ which leads to badness.
+
+ I looked at just making all the sites this could happen extract the
+ right string/jsstring before any possible allocations, but it seemed
+ too fragile so i've gone for a forwarding object as the solution.
+
+ * bindings/js/SerializedScriptValue.cpp:
+ (WebCore::CloneDeserializer::CachedStringRef::CachedStringRef):
+ (WebCore::CloneDeserializer::CachedStringRef::operator->):
+ (WebCore::CloneDeserializer::readStringData):
+ (WebCore::CloneDeserializer::readFile):
+ (WebCore::CloneDeserializer::readTerminal):
+ (WebCore::CloneDeserializer::deserialize):
+
2010-10-18 Chris Rogers <crogers at google.com>
Reviewed by Chris Fleizach.
diff --git a/WebCore/bindings/js/SerializedScriptValue.cpp b/WebCore/bindings/js/SerializedScriptValue.cpp
index 1711687..c9ad0e6 100644
--- a/WebCore/bindings/js/SerializedScriptValue.cpp
+++ b/WebCore/bindings/js/SerializedScriptValue.cpp
@@ -781,6 +781,25 @@ private:
JSValue m_jsString;
};
+ struct CachedStringRef {
+ CachedStringRef()
+ : m_base(0)
+ , m_index(0)
+ {
+ }
+ CachedStringRef(Vector<CachedString>* base, size_t index)
+ : m_base(base)
+ , m_index(index)
+ {
+ }
+
+ CachedString* operator->() { ASSERT(m_base); return &m_base->at(m_index); }
+
+ private:
+ Vector<CachedString>* m_base;
+ size_t m_index;
+ };
+
CloneDeserializer(ExecState* exec, JSGlobalObject* globalObject, const Vector<uint8_t>& buffer)
: CloneBase(exec)
, m_globalObject(globalObject)
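Review bot: CachedStringRef carries no comment explaining why it exists, and `operator->` hands back a raw `CachedString*` that is itself only valid until the next `m_constantPool.append`, so a reader may be tempted to hold that pointer across a read and reintroduce the dangling-pointer bug this commit fixes. I would document the invariant on the struct: `// Index-based handle into m_constantPool. The pool is a Vector that may reallocate on append, so never keep a CachedString* across reads; resolve through operator-> at each use.` A `const` overload of `operator->` would additionally let read-only callers take the handle by const reference, making it visible which uses mutate the cached string. The struct is complete within the hunk; the enclosing CloneDeserializer class starts and ends outside it.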
@@ -934,13 +953,13 @@ private:
return true;
}
- bool readStringData(CachedString*& cachedString)
+ bool readStringData(CachedStringRef& cachedString)
{
bool scratch;
return readStringData(cachedString, scratch);
}
- bool readStringData(CachedString*& cachedString, bool& wasTerminator)
+ bool readStringData(CachedStringRef& cachedString, bool& wasTerminator)
{
if (m_failed)
return false;
@@ -961,7 +980,7 @@ private:
fail();
return false;
}
- cachedString = &m_constantPool[index];
+ cachedString = CachedStringRef(&m_constantPool, index);
return true;
}
UString str;
@@ -970,7 +989,7 @@ private:
return false;
}
m_constantPool.append(str);
- cachedString = &m_constantPool.last();
+ cachedString = CachedStringRef(&m_constantPool, m_constantPool.size() - 1);
return true;
}
@@ -996,13 +1015,13 @@ private:
bool readFile(RefPtr<File>& file)
{
- CachedString* path = 0;
+ CachedStringRef path;
if (!readStringData(path))
return 0;
- CachedString* url = 0;
+ CachedStringRef url;
if (!readStringData(url))
return 0;
- CachedString* type = 0;
+ CachedStringRef type;
if (!readStringData(type))
return 0;
if (m_isDOMGlobalObject)
@@ -1092,10 +1111,10 @@ private:
return toJS(m_exec, static_cast<JSDOMGlobalObject*>(m_globalObject), result.get());
}
case BlobTag: {
- CachedString* url = 0;
+ CachedStringRef url;
if (!readStringData(url))
return JSValue();
- CachedString* type = 0;
+ CachedStringRef type;
if (!readStringData(type))
return JSValue();
unsigned long long size = 0;
@@ -1106,7 +1125,7 @@ private:
return toJS(m_exec, static_cast<JSDOMGlobalObject*>(m_globalObject), Blob::create(KURL(KURL(), url->ustring().impl()), String(type->ustring().impl()), size));
}
case StringTag: {
- CachedString* cachedString = 0;
+ CachedStringRef cachedString;
if (!readStringData(cachedString))
return JSValue();
return cachedString->jsString(m_exec);
@@ -1114,10 +1133,10 @@ private:
case EmptyStringTag:
return jsEmptyString(&m_exec->globalData());
case RegExpTag: {
- CachedString* pattern = 0;
+ CachedStringRef pattern;
if (!readStringData(pattern))
return JSValue();
- CachedString* flags = 0;
+ CachedStringRef flags;
if (!readStringData(flags))
return JSValue();
RefPtr<RegExp> regExp = RegExp::create(&m_exec->globalData(), pattern->ustring(), flags->ustring());
@@ -1223,7 +1242,7 @@ JSValue CloneDeserializer::deserialize()
tickCount = ticksUntilNextCheck();
}
- CachedString* cachedString = 0;
+ CachedStringRef cachedString;
bool wasTerminator = false;
if (!readStringData(cachedString, wasTerminator)) {
if (!wasTerminator)