- Revision
- 288672
- Author
- commit-qu...@webkit.org
- Date
- 2022-01-27 07:36:23 -0800 (Thu, 27 Jan 2022)
Log Message
jsc_fuz/wktr: crash with new XRReferenceSpaceEvent('', {referenceSpace})
https://bugs.webkit.org/show_bug.cgi?id=235456
Patch by Gabriel Nava Marino <gnavamar...@apple.com> on 2022-01-27
Reviewed by Chris Dumez.
Source/WebCore:
FastMalloc.h specifies that each derived class needs to be annotated as well with WTF_MAKE_ISO_ALLOCATED
if the base class is annotated with WTF_MAKE_ISO_ALLOCATED.
After doing this, the crash in WebCore::Event::operator new(unsigned long) is no longer reproducible.
However, this caused ASSERT(m_transform) to be hit in debug builds with the attached test case.
The XRReferenceSpaceEvent spec specifies the transform attribute as nullable
(https://immersive-web.github.io/webxr/#dictdef-xrreferencespaceeventinit), so this patch updates the
XRReferenceSpaceEvent IDL and implementation to match the spec, and removes the ASSERT accordingly.
Test: webxr/xr-reference-space-event-crash.html
* Modules/webxr/XRReferenceSpaceEvent.cpp:
(WebCore::XRReferenceSpaceEvent::XRReferenceSpaceEvent):
(WebCore::XRReferenceSpaceEvent::transform const):
* Modules/webxr/XRReferenceSpaceEvent.h:
* Modules/webxr/XRReferenceSpaceEvent.idl:
LayoutTests:
* webxr/xr-reference-space-event-crash.html: Added.
Modified: trunk/LayoutTests/ChangeLog (288671 => 288672)
--- trunk/LayoutTests/ChangeLog 2022-01-27 11:16:31 UTC (rev 288671)
+++ trunk/LayoutTests/ChangeLog 2022-01-27 15:36:23 UTC (rev 288672)
@@ -1,3 +1,12 @@
+2022-01-27 Gabriel Nava Marino <gnavamar...@apple.com>
+
+ jsc_fuz/wktr: crash with new XRReferenceSpaceEvent('', {referenceSpace})
+ https://bugs.webkit.org/show_bug.cgi?id=235456
+
+ Reviewed by Chris Dumez.
+
+ * webxr/xr-reference-space-event-crash.html: Added.
+
2022-01-27 Kimmo Kinnunen <kkinnu...@apple.com>
Update WebGL conformance test suite to 2022-01-12
Added: trunk/LayoutTests/webxr/xr-reference-space-event-crash-expected.txt (0 => 288672)
--- trunk/LayoutTests/webxr/xr-reference-space-event-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/webxr/xr-reference-space-event-crash-expected.txt 2022-01-27 15:36:23 UTC (rev 288672)
@@ -0,0 +1,11 @@
+Makes sure that constructing a XRReferenceSpaceEvent without a transform member doesn't crash
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS event.referenceSpace is referenceSpace
+PASS event.transform is null
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/webxr/xr-reference-space-event-crash.html (0 => 288672)
--- trunk/LayoutTests/webxr/xr-reference-space-event-crash.html (rev 0)
+++ trunk/LayoutTests/webxr/xr-reference-space-event-crash.html 2022-01-27 15:36:23 UTC (rev 288672)
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script>
+ description("Makes sure that constructing a XRReferenceSpaceEvent without a transform member doesn't crash");
+ jsTestIsAsync = true;
+
+ navigator.xr.requestSession('inline')
+ .then(s => s.requestReferenceSpace('viewer'))
+ .then(_referenceSpace => {
+ referenceSpace = _referenceSpace;
+ event = new XRReferenceSpaceEvent('', { referenceSpace });
+ shouldBe("event.referenceSpace", "referenceSpace");
+ shouldBeNull("event.transform");
+ finishJSTest();
+ });
+</script>
+</body>
+</html>
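Review bot: The test only exercises the missing-transform case, so the non-null path through the new nullable `transform` getter is left untested; a second construction such as `transform = new XRRigidTransform(); event = new XRReferenceSpaceEvent('', { referenceSpace, transform });` followed by `shouldBe("event.transform", "transform");` would cover it and also confirm the `[SameObject]` attribute hands back the same wrapper on repeated reads. As rendered here the include on the `<script src=""` line shows an empty src and no closing tag, which looks like an artifact of the commit view rather than the checked-in file, since `description`, `shouldBe`, `shouldBeNull` and `finishJSTest` come from the js-test helper script that line is meant to load; worth confirming against the checked-in file. `referenceSpace` and `event` are assigned as implicit globals, which is the usual js-test pattern because `shouldBe` evaluates its arguments as strings, so that is fine as written.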
Modified: trunk/Source/WebCore/ChangeLog (288671 => 288672)
--- trunk/Source/WebCore/ChangeLog 2022-01-27 11:16:31 UTC (rev 288671)
+++ trunk/Source/WebCore/ChangeLog 2022-01-27 15:36:23 UTC (rev 288672)
@@ -1,3 +1,28 @@
+2022-01-27 Gabriel Nava Marino <gnavamar...@apple.com>
+
+ jsc_fuz/wktr: crash with new XRReferenceSpaceEvent('', {referenceSpace})
+ https://bugs.webkit.org/show_bug.cgi?id=235456
+
+ Reviewed by Chris Dumez.
+
+ FastMalloc.h specifies that each derived class needs to be annotated as well with WTF_MAKE_ISO_ALLOCATED
+ if the base class is annotated with WTF_MAKE_ISO_ALLOCATED.
+
+ After doing this, the crash in WebCore::Event::operator new(unsigned long) is no longer reproducible.
+ However, this caused ASSERT(m_transform) to be hit in debug builds with the attached test case.
+
+ The XRReferenceSpaceEvent spec specifies the transform attribute as nullable
+ (https://immersive-web.github.io/webxr/#dictdef-xrreferencespaceeventinit), so this patch updates the
+ XRReferenceSpaceEvent IDL and implementation to match the spec, and removes the ASSERT accordingly.
+
+ Test: webxr/xr-reference-space-event-crash.html
+
+ * Modules/webxr/XRReferenceSpaceEvent.cpp:
+ (WebCore::XRReferenceSpaceEvent::XRReferenceSpaceEvent):
+ (WebCore::XRReferenceSpaceEvent::transform const):
+ * Modules/webxr/XRReferenceSpaceEvent.h:
+ * Modules/webxr/XRReferenceSpaceEvent.idl:
+
2022-01-27 Antoine Quint <grao...@webkit.org>
<model> should only be draggable on iOS
Modified: trunk/Source/WebCore/Modules/webxr/XRReferenceSpaceEvent.cpp (288671 => 288672)
--- trunk/Source/WebCore/Modules/webxr/XRReferenceSpaceEvent.cpp 2022-01-27 11:16:31 UTC (rev 288671)
+++ trunk/Source/WebCore/Modules/webxr/XRReferenceSpaceEvent.cpp 2022-01-27 15:36:23 UTC (rev 288672)
@@ -33,6 +33,8 @@
namespace WebCore {
+WTF_MAKE_ISO_ALLOCATED_IMPL(XRReferenceSpaceEvent);
+
Ref<XRReferenceSpaceEvent> XRReferenceSpaceEvent::create(const AtomString& type, const Init& initializer, IsTrusted isTrusted)
{
return adoptRef(*new XRReferenceSpaceEvent(type, initializer, isTrusted));
@@ -44,7 +46,6 @@
, m_transform(initializer.transform)
{
ASSERT(m_referenceSpace);
- ASSERT(m_transform);
}
XRReferenceSpaceEvent::~XRReferenceSpaceEvent() = default;
@@ -54,9 +55,9 @@
return *m_referenceSpace;
}
-const WebXRRigidTransform& XRReferenceSpaceEvent::transform() const
+WebXRRigidTransform* XRReferenceSpaceEvent::transform() const
{
- return *m_transform;
+ return m_transform.get();
}
} // namespace WebCore
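Review bot: `XRReferenceSpaceEvent::transform()` now returns a nullable, non-owning pointer and nothing at the definition says so; a comment such as `// Nullable: XRReferenceSpaceEventInit.transform is optional per the WebXR spec, so this returns nullptr when the initializer omitted it.` on the definition here, and on the declaration in the XRReferenceSpaceEvent.h hunk, would stop a future caller from dereferencing it unchecked, which is exactly the defect this patch fixes. The removed `ASSERT(m_transform)` in the previous hunk was debug-only, so the old `return *m_transform;` was a script-reachable null dereference in release builds rather than just an assertion failure, and the pointer return closes that. The returned pointer is backed by the `m_transform` RefPtr member and so is valid only while the event is alive; a caller that needs it beyond that should take its own `RefPtr`.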
Modified: trunk/Source/WebCore/Modules/webxr/XRReferenceSpaceEvent.h (288671 => 288672)
--- trunk/Source/WebCore/Modules/webxr/XRReferenceSpaceEvent.h 2022-01-27 11:16:31 UTC (rev 288671)
+++ trunk/Source/WebCore/Modules/webxr/XRReferenceSpaceEvent.h 2022-01-27 15:36:23 UTC (rev 288672)
@@ -37,6 +37,7 @@
class WebXRRigidTransform;
class XRReferenceSpaceEvent : public Event {
+ WTF_MAKE_ISO_ALLOCATED(XRReferenceSpaceEvent);
public:
struct Init : EventInit {
RefPtr<WebXRReferenceSpace> referenceSpace;
@@ -47,7 +48,7 @@
virtual ~XRReferenceSpaceEvent();
const WebXRReferenceSpace& referenceSpace() const;
- const WebXRRigidTransform& transform() const;
+ WebXRRigidTransform* transform() const;
private:
XRReferenceSpaceEvent(const AtomString&, const Init&, IsTrusted);
Modified: trunk/Source/WebCore/Modules/webxr/XRReferenceSpaceEvent.idl (288671 => 288672)
--- trunk/Source/WebCore/Modules/webxr/XRReferenceSpaceEvent.idl 2022-01-27 11:16:31 UTC (rev 288671)
+++ trunk/Source/WebCore/Modules/webxr/XRReferenceSpaceEvent.idl 2022-01-27 15:36:23 UTC (rev 288672)
@@ -29,7 +29,7 @@
Conditional=WEBXR,
] dictionary XRReferenceSpaceEventInit : EventInit {
required WebXRReferenceSpace referenceSpace;
- WebXRRigidTransform transform;
+ WebXRRigidTransform? transform;
};
// https://immersive-web.github.io/webxr/#xrreferencespaceevent
@@ -41,5 +41,5 @@
] interface XRReferenceSpaceEvent : Event {
constructor(DOMString type, XRReferenceSpaceEventInit eventInitDict);
[SameObject] readonly attribute WebXRReferenceSpace referenceSpace;
- [SameObject] readonly attribute WebXRRigidTransform transform;
+ [SameObject] readonly attribute WebXRRigidTransform? transform;
};