Title: [95619] trunk/Source/WebCore
Revision
95619
Author
commit-qu...@webkit.org
Date
2011-09-21 06:08:19 -0700 (Wed, 21 Sep 2011)

Log Message

Protect against misuse of EventListenerIterator.
https://bugs.webkit.org/show_bug.cgi?id=68364

Patch by Andreas Kling <kl...@webkit.org> on 2011-09-21
Reviewed by Darin Adler.

In debug mode, keep track of the number of active EventListenerIterators
on an EventListenerMap, and assert that there are no iterators when the
map is being modified.

* dom/EventListenerMap.cpp:
(WebCore::EventListenerMap::EventListenerMap):
(WebCore::EventListenerMap::clear):
(WebCore::EventListenerMap::add):
(WebCore::EventListenerMap::remove):
(WebCore::EventListenerMap::find):
(WebCore::EventListenerMap::removeFirstEventListenerCreatedFromMarkup):
(WebCore::EventListenerMap::copyEventListenersNotCreatedFromMarkupToTarget):
(WebCore::EventListenerIterator::EventListenerIterator):
(WebCore::EventListenerIterator::~EventListenerIterator):
* dom/EventListenerMap.h:

Modified Paths

Diff

Modified: trunk/Source/WebCore/ChangeLog (95618 => 95619)


--- trunk/Source/WebCore/ChangeLog	2011-09-21 13:05:56 UTC (rev 95618)
+++ trunk/Source/WebCore/ChangeLog	2011-09-21 13:08:19 UTC (rev 95619)
@@ -1,3 +1,26 @@
+2011-09-21  Andreas Kling  <kl...@webkit.org>
+
+        Protect against misuse of EventListenerIterator.
+        https://bugs.webkit.org/show_bug.cgi?id=68364
+
+        Reviewed by Darin Adler.
+
+        In debug mode, keep track of the number of active EventListenerIterators
+        on an EventListenerMap, and assert that there are no iterators when the
+        map is being modified.
+
+        * dom/EventListenerMap.cpp:
+        (WebCore::EventListenerMap::EventListenerMap):
+        (WebCore::EventListenerMap::clear):
+        (WebCore::EventListenerMap::add):
+        (WebCore::EventListenerMap::remove):
+        (WebCore::EventListenerMap::find):
+        (WebCore::EventListenerMap::removeFirstEventListenerCreatedFromMarkup):
+        (WebCore::EventListenerMap::copyEventListenersNotCreatedFromMarkupToTarget):
+        (WebCore::EventListenerIterator::EventListenerIterator):
+        (WebCore::EventListenerIterator::~EventListenerIterator):
+        * dom/EventListenerMap.h:
+
 2011-09-21  Pavel Feldman  <pfeld...@google.com>
 
         Web Inspector: minor fixes in the DOM domain of the protocol.

Modified: trunk/Source/WebCore/dom/EventListenerMap.cpp (95618 => 95619)


--- trunk/Source/WebCore/dom/EventListenerMap.cpp	2011-09-21 13:05:56 UTC (rev 95618)
+++ trunk/Source/WebCore/dom/EventListenerMap.cpp	2011-09-21 13:08:19 UTC (rev 95619)
@@ -44,6 +44,9 @@
 namespace WebCore {
 
 EventListenerMap::EventListenerMap()
+#ifndef NDEBUG
+    : m_activeIteratorCount(0)
+#endif
 {
 }
 
@@ -68,6 +71,8 @@
 
 void EventListenerMap::clear()
 {
+    ASSERT(!m_activeIteratorCount);
+
     if (m_hashMap) {
         deleteAllValues(*m_hashMap);
         m_hashMap.clear();
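Review bot: `ASSERT(!m_activeIteratorCount);` at the top of clear() reads a member that the header hunk declares only under `#ifndef NDEBUG`, while WTF's ASSERT is switched by ASSERT_DISABLED, which only defaults to following NDEBUG. A build that defines NDEBUG but sets ASSERT_DISABLED to 0 would presumably fail to compile here and at the same assertion in add(), remove(), find(), removeFirstEventListenerCreatedFromMarkup() and copyEventListenersNotCreatedFromMarkupToTarget(). Guarding the member, its initialiser, the increment and the destructor with `#if !ASSERT_DISABLED` instead would keep the counter and the assertions under one switch. clear() continues past the end of the hunk.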
@@ -105,6 +110,8 @@
 
 bool EventListenerMap::add(const AtomicString& eventType, PassRefPtr<EventListener> listener, bool useCapture)
 {
+    ASSERT(!m_activeIteratorCount);
+
     if (m_singleEventListenerVector && m_singleEventListenerType != eventType) {
         // We already have a single (first) listener vector, and this event is not
         // of that type, so create the hash map and move the first listener vector there.
@@ -143,6 +150,8 @@
 
 bool EventListenerMap::remove(const AtomicString& eventType, EventListener* listener, bool useCapture, size_t& indexOfRemovedListener)
 {
+    ASSERT(!m_activeIteratorCount);
+
     if (!m_hashMap) {
         if (m_singleEventListenerType != eventType)
             return false;
@@ -168,6 +177,8 @@
 
 EventListenerVector* EventListenerMap::find(const AtomicString& eventType)
 {
+    ASSERT(!m_activeIteratorCount);
+
     if (m_hashMap) {
         EventListenerHashMap::iterator it = m_hashMap->find(eventType);
         if (it == m_hashMap->end())
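Review bot: find() gets the same `ASSERT(!m_activeIteratorCount);` as the mutators, but nothing in the lines visible here modifies the map, so a reader cannot tell why a lookup is forbidden while an iterator is active. If the reason is that callers receive a mutable `EventListenerVector*`, a one-line comment would record it, for example `// Returns a mutable vector, so a lookup counts as a potential modification.` The same applies to copyEventListenersNotCreatedFromMarkupToTarget(), which only walks m_hashMap in the lines shown. find() continues outside the hunk.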
@@ -200,6 +211,8 @@
 
 void EventListenerMap::removeFirstEventListenerCreatedFromMarkup(const AtomicString& eventType)
 {
+    ASSERT(!m_activeIteratorCount);
+
     if (m_hashMap) {
         EventListenerHashMap::iterator result = m_hashMap->find(eventType);
         ASSERT(result != m_hashMap->end());
@@ -239,6 +252,8 @@
 
 void EventListenerMap::copyEventListenersNotCreatedFromMarkupToTarget(EventTarget* target)
 {
+    ASSERT(!m_activeIteratorCount);
+
     if (m_hashMap) {
         EventListenerHashMap::iterator end = m_hashMap->end();
         for (EventListenerHashMap::iterator it = m_hashMap->begin(); it != end; ++it)
@@ -272,12 +287,24 @@
 
     m_map = &data->eventListenerMap;
 
+#ifndef NDEBUG
+    m_map->m_activeIteratorCount++;
+#endif
+
     if (m_map->m_hashMap) {
         m_mapIterator = m_map->m_hashMap->begin();
         m_mapEnd = m_map->m_hashMap->end();
     }
 }
 
+#ifndef NDEBUG
+EventListenerIterator::~EventListenerIterator()
+{
+    if (m_map)
+        m_map->m_activeIteratorCount--;
+}
+#endif
+
 EventListener* EventListenerIterator::nextListener()
 {
     if (!m_map)
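Review bot: The debug-only destructor decrements `m_map->m_activeIteratorCount` without checking that it is positive, so an unbalanced decrement would make the `int` negative and the failure would only surface later in an unrelated `ASSERT(!m_activeIteratorCount)`; adding `ASSERT(m_map->m_activeIteratorCount > 0);` before the decrement would report it at the source. The destructor also dereferences the raw `m_map` pointer, so in debug builds an iterator that outlived the listener map would now write to freed memory, which deserves a lifetime comment on the class. It further relies on the default constructor leaving `m_map` null, which is not visible here. The constructor body begins before the hunk and nextListener() continues after it.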

Modified: trunk/Source/WebCore/dom/EventListenerMap.h (95618 => 95619)


--- trunk/Source/WebCore/dom/EventListenerMap.h	2011-09-21 13:05:56 UTC (rev 95618)
+++ trunk/Source/WebCore/dom/EventListenerMap.h	2011-09-21 13:08:19 UTC (rev 95619)
@@ -75,15 +75,20 @@
 
     AtomicString m_singleEventListenerType;
     OwnPtr<EventListenerVector> m_singleEventListenerVector;
+
+#ifndef NDEBUG
+    int m_activeIteratorCount;
+#endif
 };
 
 class EventListenerIterator {
     WTF_MAKE_NONCOPYABLE(EventListenerIterator);
 public:
     EventListenerIterator();
-
-    // EventTarget must not be modified while an iterator is active.
     EventListenerIterator(EventTarget*);
+#ifndef NDEBUG
+    ~EventListenerIterator();
+#endif
 
     EventListener* nextListener();
 
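Review bot: The hunk deletes `// EventTarget must not be modified while an iterator is active.` from above `EventListenerIterator(EventTarget*);`, yet the new counter and assertions exist only under `#ifndef NDEBUG`, so release builds still depend on callers honouring that rule with nothing enforcing it. The constructor in EventListenerMap.cpp caches `m_hashMap->begin()` and `end()`, so a modification during iteration would leave those cached iterators referring to stale storage. I would keep the comment and extend it, for example `// EventTarget must not be modified while an iterator is active (asserted in debug builds only).` The EventListenerMap class begins before this hunk.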