Title: [201345] trunk/Source/WebCore
- Revision
- 201345
- Author
- [email protected]
- Date
- 2016-05-24 13:01:50 -0700 (Tue, 24 May 2016)
Log Message
Fix use-after-free after r201318
https://bugs.webkit.org/show_bug.cgi?id=158037
rdar://problem/26446729
Reviewed by Brady Eidson.
This fixes a crash when running fast/dom/navigation-with-sideeffects.html with GuardMalloc.
* bindings/scripts/CodeGeneratorJS.pm:
(GenerateImplementation):
* bindings/scripts/test/JS/JSTestObj.cpp:
(WebCore::setJSTestObjPutForwardsNullableAttribute):
Changing RefPtr<${type}> to auto caused the type to sometimes be a raw pointer, which does not keep the object alive.
In the case of JSDocument.cpp, forwardedImpl was what Document::location returned, which is a Location* and not a RefPtr<Location>.
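The lifetime problem described above, as an added example that is not WebKit code: a minimal intrusive `RefCounted`/`RefPtr` standing in for WTF's (assumed, not the real WTF implementation), a `Document` whose `location()` returns a raw `Location*` exactly as the ChangeLog describes, and a constructed side effect (`detachLocation()`) playing the role of the navigation that drops the document's reference. The two functions mirror the generated setter before and after this revision; each reports whether the forwarded object is still alive after the side effect, without touching the dangling pointer in the `auto` case.

```cpp
#include <cstdio>

// Toy stand-in for WTF::RefCounted (assumption: not WebKit's own code).
// Objects start at refcount 0 and are owned once a RefPtr takes them.
struct RefCounted {
    int refCount = 0;
    bool* destroyedFlag = nullptr;   // lets callers observe destruction safely
    void ref() { ++refCount; }
    void deref() {
        if (--refCount == 0) {
            if (destroyedFlag) *destroyedFlag = true;
            delete this;
        }
    }
    virtual ~RefCounted() = default;
};

// Toy stand-in for WTF::RefPtr: holds one strong reference while in scope.
template<typename T>
class RefPtr {
    T* m_ptr = nullptr;
public:
    RefPtr() = default;
    RefPtr(T* p) : m_ptr(p) { if (m_ptr) m_ptr->ref(); }
    RefPtr(const RefPtr& o) : m_ptr(o.m_ptr) { if (m_ptr) m_ptr->ref(); }
    RefPtr& operator=(const RefPtr&) = delete;   // not needed for the example
    ~RefPtr() { if (m_ptr) m_ptr->deref(); }
    void clear() { T* old = m_ptr; m_ptr = nullptr; if (old) old->deref(); }
    T* get() const { return m_ptr; }
    T& operator*() const { return *m_ptr; }
    explicit operator bool() const { return m_ptr != nullptr; }
};

// Stands in for WebCore::Location (the object a PutForwards setter forwards to).
struct Location : RefCounted {
    int hrefSets = 0;
};

// Stands in for WebCore::Document. location() returns a raw pointer, so `auto`
// deduces Location* and takes no ownership, which is the bug the ChangeLog names.
struct Document {
    RefPtr<Location> m_location;
    Document() : m_location(new Location) {}
    Location* location() { return m_location.get(); }
    // Constructed script-observable side effect: the document drops its only
    // reference, as a navigation in the middle of the setter could.
    void detachLocation() { m_location.clear(); }
};

// Generated setter shape after r201318: `auto forwardedImpl = ...` (raw pointer).
// Returns whether the forwarded object is still alive after the side effect.
bool forwardedObjectSurvivesWithAuto() {
    bool destroyed = false;
    Document doc;
    doc.location()->destroyedFlag = &destroyed;
    auto forwardedImpl = doc.location();   // Location*: does not keep it alive
    if (!forwardedImpl)
        return false;
    doc.detachLocation();                  // refcount hits 0, object is freed
    (void)forwardedImpl;                   // now dangling; *forwardedImpl would be a UAF
    return !destroyed;                     // false
}

// Generated setter shape after r201345: `RefPtr<Location> forwardedImpl = ...`.
bool forwardedObjectSurvivesWithRefPtr() {
    bool destroyed = false;
    Document doc;
    doc.location()->destroyedFlag = &destroyed;
    RefPtr<Location> forwardedImpl = doc.location();   // takes a strong reference
    if (!forwardedImpl)
        return false;
    doc.detachLocation();                  // document's ref dropped, ours remains
    auto& impl = *forwardedImpl;           // safe: this scope holds the last ref
    ++impl.hrefSets;
    return !destroyed;                     // true
}

int main() {
    std::printf("auto   (r201318): alive after side effect? %s\n",
                forwardedObjectSurvivesWithAuto() ? "yes" : "no");
    std::printf("RefPtr (r201345): alive after side effect? %s\n",
                forwardedObjectSurvivesWithRefPtr() ? "yes" : "no");
    return 0;
}
```

Under GuardMalloc or ASan the `auto` variant's dereference would fault immediately, which is why the test only crashed with GuardMalloc; in a plain build it reads freed memory silently. The fix works because a `RefPtr` constructed from a raw pointer increments the count, so the forwarded object cannot be destroyed before the setter's own frame releases it.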
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (201344 => 201345)
--- trunk/Source/WebCore/ChangeLog 2016-05-24 19:56:15 UTC (rev 201344)
+++ trunk/Source/WebCore/ChangeLog 2016-05-24 20:01:50 UTC (rev 201345)
@@ -1,3 +1,20 @@
+2016-05-24 Alex Christensen <[email protected]>
+
+ Fix use-after-free after r201318
+ https://bugs.webkit.org/show_bug.cgi?id=158037
+ rdar://problem/26446729
+
+ Reviewed by Brady Eidson.
+
+ This fixes a crash when running fast/dom/navigation-with-sideeffects.html with GuardMalloc.
+
+ * bindings/scripts/CodeGeneratorJS.pm:
+ (GenerateImplementation):
+ * bindings/scripts/test/JS/JSTestObj.cpp:
+ (WebCore::setJSTestObjPutForwardsNullableAttribute):
+ Changing RefPtr<${type}> to auto caused the type to sometimes be a raw pointer, which does not keep the object alive.
+ In the case of JSDocument.cpp, forwardedImpl was what Document::location returned, which is a Location* and not a RefPtr<Location>.
+
2016-05-24 Chris Dumez <[email protected]>
Use lambda capture with initializer instead of StringCapture
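Review bot: the ChangeLog names the GuardMalloc run of fast/dom/navigation-with-sideeffects.html as the reproduction but records no LayoutTests change; since the freed-memory read is only caught by a memory checker, it would help to state in this entry that the existing test is the regression test for this revision and that it needs GuardMalloc (or a similar checker) to fail, so it is not later dropped as redundant.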
Modified: trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm (201344 => 201345)
--- trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm 2016-05-24 19:56:15 UTC (rev 201344)
+++ trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm 2016-05-24 20:01:50 UTC (rev 201345)
@@ -2919,7 +2919,7 @@
if ($putForwards) {
my $implGetterFunctionName = $codeGenerator->WK_lcfirst($attribute->signature->extendedAttributes->{"ImplementedAs"} || $name);
if ($attribute->signature->isNullable) {
- push(@implContent, " auto forwardedImpl = castedThis->wrapped().${implGetterFunctionName}();\n");
+ push(@implContent, " RefPtr<${type}> forwardedImpl = castedThis->wrapped().${implGetterFunctionName}();\n");
push(@implContent, " if (!forwardedImpl)\n");
push(@implContent, " return false;\n");
push(@implContent, " auto& impl = *forwardedImpl;\n");
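Review bot: the `RefPtr<${type}> forwardedImpl` line is the whole fix, and nothing in the generated text says why `auto` is wrong here; a short comment emitted alongside it (for example that getters such as `Document::location()` return a raw pointer, so `auto` would take no reference and the object can die inside the forwarded setter) would stop the next cleanup from turning it back into `auto`. The `if (!forwardedImpl) return false;` that follows is also what makes this the nullable path where a `RefPtr` rather than a `Ref` is required.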
Modified: trunk/Source/WebCore/bindings/scripts/test/JS/JSTestObj.cpp (201344 => 201345)
--- trunk/Source/WebCore/bindings/scripts/test/JS/JSTestObj.cpp 2016-05-24 19:56:15 UTC (rev 201344)
+++ trunk/Source/WebCore/bindings/scripts/test/JS/JSTestObj.cpp 2016-05-24 20:01:50 UTC (rev 201345)
@@ -3936,7 +3936,7 @@
if (UNLIKELY(!castedThis)) {
return throwSetterTypeError(*state, "TestObj", "putForwardsNullableAttribute");
}
- auto forwardedImpl = castedThis->wrapped().putForwardsNullableAttribute();
+ RefPtr<TestNode> forwardedImpl = castedThis->wrapped().putForwardsNullableAttribute();
if (!forwardedImpl)
return false;
auto& impl = *forwardedImpl;
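Review bot: the regenerated output confirms `${type}` expands to the implementation class (`RefPtr<TestNode>`) rather than a wrapper type, which is the right thing to check; if `putForwardsNullableAttribute()` in the test interface already returns a `RefPtr`, this expectation would not have exercised the raw-pointer case that bit JSDocument.cpp, so consider a bindings test attribute whose getter returns a raw pointer.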
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes