Title: [289186] releases/WebKitGTK/webkit-2.34
Revision
289186
Author
[email protected]
Date
2022-02-06 16:16:47 -0800 (Sun, 06 Feb 2022)

Log Message

Merge r288672 - jsc_fuz/wktr: crash with new XRReferenceSpaceEvent('', {referenceSpace})
https://bugs.webkit.org/show_bug.cgi?id=235456

Patch by Gabriel Nava Marino <[email protected]> on 2022-01-27
Reviewed by Chris Dumez.

Source/WebCore:

FastMalloc.h specifies that each derived class needs to be annotated as well with WTF_MAKE_ISO_ALLOCATED
if the base class is annotated with WTF_MAKE_ISO_ALLOCATED.

After doing this, the crash in WebCore::Event::operator new(unsigned long) is no longer reproducible.
However, this caused ASSERT(m_transform) to be hit in debug builds with the attached test case.

The XRReferenceSpaceEvent spec specifies the transform attribute as nullable
(https://immersive-web.github.io/webxr/#dictdef-xrreferencespaceeventinit), so this patch updates the
XRReferenceSpaceEvent IDL and implementation to match the spec, and removes the ASSERT accordingly.

Test: webxr/xr-reference-space-event-crash.html

* Modules/webxr/XRReferenceSpaceEvent.cpp:
(WebCore::XRReferenceSpaceEvent::XRReferenceSpaceEvent):
(WebCore::XRReferenceSpaceEvent::transform const):
* Modules/webxr/XRReferenceSpaceEvent.h:
* Modules/webxr/XRReferenceSpaceEvent.idl:

LayoutTests:

* webxr/xr-reference-space-event-crash.html: Added.

Diff

Modified: releases/WebKitGTK/webkit-2.34/LayoutTests/ChangeLog (289185 => 289186)


--- releases/WebKitGTK/webkit-2.34/LayoutTests/ChangeLog	2022-02-06 23:45:17 UTC (rev 289185)
+++ releases/WebKitGTK/webkit-2.34/LayoutTests/ChangeLog	2022-02-07 00:16:47 UTC (rev 289186)
@@ -1,3 +1,12 @@
+2022-01-27  Gabriel Nava Marino  <[email protected]>
+
+        jsc_fuz/wktr: crash with new XRReferenceSpaceEvent('', {referenceSpace})
+        https://bugs.webkit.org/show_bug.cgi?id=235456
+
+        Reviewed by Chris Dumez.
+
+        * webxr/xr-reference-space-event-crash.html: Added.
+
 2022-01-23  Antoine Quint  <[email protected]>
 
         m_lastStyleChangeEventStyle null ptr deref for accelerated CSS Animation with no duration and an implicit keyframe

Added: releases/WebKitGTK/webkit-2.34/LayoutTests/webxr/xr-reference-space-event-crash-expected.txt (0 => 289186)


--- releases/WebKitGTK/webkit-2.34/LayoutTests/webxr/xr-reference-space-event-crash-expected.txt	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.34/LayoutTests/webxr/xr-reference-space-event-crash-expected.txt	2022-02-07 00:16:47 UTC (rev 289186)
@@ -0,0 +1,11 @@
+Makes sure that constructing a XRReferenceSpaceEvent without a transform member doesn't crash
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS event.referenceSpace is referenceSpace
+PASS event.transform is null
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: releases/WebKitGTK/webkit-2.34/LayoutTests/webxr/xr-reference-space-event-crash.html (0 => 289186)


--- releases/WebKitGTK/webkit-2.34/LayoutTests/webxr/xr-reference-space-event-crash.html	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.34/LayoutTests/webxr/xr-reference-space-event-crash.html	2022-02-07 00:16:47 UTC (rev 289186)
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script>
+  description("Makes sure that constructing a XRReferenceSpaceEvent without a transform member doesn't crash");
+  jsTestIsAsync = true;
+
+  navigator.xr.requestSession('inline')
+    .then(s => s.requestReferenceSpace('viewer'))
+    .then(_referenceSpace => {
+      referenceSpace = _referenceSpace;
+      event = new XRReferenceSpaceEvent('', { referenceSpace });
+      shouldBe("event.referenceSpace", "referenceSpace");
+      shouldBeNull("event.transform");
+      finishJSTest();
+    });
+</script>
+</body>
+</html>
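Review bot: the `<script src=""` tag in the `<head>` is unterminated and has an empty `src`, yet the body calls `description`, `shouldBe`, `shouldBeNull` and `finishJSTest`, which come from the js-test harness; the tag needs its closing `>` and a `src` pointing at that harness, otherwise the test dies with a ReferenceError before it ever reaches the `XRReferenceSpaceEvent` constructor it is meant to exercise. Separately, the promise chain has no rejection handler: if `navigator.xr.requestSession('inline')` or `requestReferenceSpace('viewer')` rejects, `finishJSTest()` is never called and the test times out instead of reporting a failure; a trailing `.catch` that calls `testFailed(...)` and then `finishJSTest()` would make that outcome explicit.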

Modified: releases/WebKitGTK/webkit-2.34/Source/WebCore/ChangeLog (289185 => 289186)


--- releases/WebKitGTK/webkit-2.34/Source/WebCore/ChangeLog	2022-02-06 23:45:17 UTC (rev 289185)
+++ releases/WebKitGTK/webkit-2.34/Source/WebCore/ChangeLog	2022-02-07 00:16:47 UTC (rev 289186)
@@ -1,3 +1,28 @@
+2022-01-27  Gabriel Nava Marino  <[email protected]>
+
+        jsc_fuz/wktr: crash with new XRReferenceSpaceEvent('', {referenceSpace})
+        https://bugs.webkit.org/show_bug.cgi?id=235456
+
+        Reviewed by Chris Dumez.
+
+        FastMalloc.h specifies that each derived class needs to be annotated as well with WTF_MAKE_ISO_ALLOCATED
+        if the base class is annotated with WTF_MAKE_ISO_ALLOCATED.
+
+        After doing this, the crash in WebCore::Event::operator new(unsigned long) is no longer reproducible.
+        However, this caused ASSERT(m_transform) to be hit in debug builds with the attached test case.
+
+        The XRReferenceSpaceEvent spec specifies the transform attribute as nullable
+        (https://immersive-web.github.io/webxr/#dictdef-xrreferencespaceeventinit), so this patch updates the
+        XRReferenceSpaceEvent IDL and implementation to match the spec, and removes the ASSERT accordingly.
+
+        Test: webxr/xr-reference-space-event-crash.html
+
+        * Modules/webxr/XRReferenceSpaceEvent.cpp:
+        (WebCore::XRReferenceSpaceEvent::XRReferenceSpaceEvent):
+        (WebCore::XRReferenceSpaceEvent::transform const):
+        * Modules/webxr/XRReferenceSpaceEvent.h:
+        * Modules/webxr/XRReferenceSpaceEvent.idl:
+
 2022-01-25  Alexey Shvayka  <[email protected]>
 
         XPath::Step::nodesInAxis(): add null checks after Attr::ownerElement() calls

Modified: releases/WebKitGTK/webkit-2.34/Source/WebCore/Modules/webxr/XRReferenceSpaceEvent.cpp (289185 => 289186)


--- releases/WebKitGTK/webkit-2.34/Source/WebCore/Modules/webxr/XRReferenceSpaceEvent.cpp	2022-02-06 23:45:17 UTC (rev 289185)
+++ releases/WebKitGTK/webkit-2.34/Source/WebCore/Modules/webxr/XRReferenceSpaceEvent.cpp	2022-02-07 00:16:47 UTC (rev 289186)
@@ -33,6 +33,8 @@
 
 namespace WebCore {
 
+WTF_MAKE_ISO_ALLOCATED_IMPL(XRReferenceSpaceEvent);
+
 Ref<XRReferenceSpaceEvent> XRReferenceSpaceEvent::create(const AtomString& type, const Init& initializer, IsTrusted isTrusted)
 {
     return adoptRef(*new XRReferenceSpaceEvent(type, initializer, isTrusted));
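Review bot: `WTF_MAKE_ISO_ALLOCATED_IMPL(XRReferenceSpaceEvent);` expands to code that needs `<wtf/IsoMallocInlines.h>`, and the hunk starts at line 33 with the include block out of view; confirm that include is present in this file, since the usual WebCore pattern adds it together with the `_IMPL` macro.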
@@ -44,7 +46,6 @@
     , m_transform(initializer.transform)
 {
     ASSERT(m_referenceSpace);
-    ASSERT(m_transform);
 }
 
 XRReferenceSpaceEvent::~XRReferenceSpaceEvent() = default;
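Review bot: dropping `ASSERT(m_transform);` while keeping `ASSERT(m_referenceSpace);` is consistent with the IDL change (`transform` becomes nullable, `referenceSpace` stays `required`), but a one-line comment next to the remaining assert saying that `m_transform` is legitimately null per the WebXR spec would stop a future reader from reintroducing the removed check.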
@@ -54,9 +55,9 @@
     return *m_referenceSpace;
 }
 
-const WebXRRigidTransform& XRReferenceSpaceEvent::transform() const
+WebXRRigidTransform* XRReferenceSpaceEvent::transform() const
 {
-    return *m_transform;
+    return m_transform.get();
 }
 
 } // namespace WebCore
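Review bot: `transform()` now returns a raw `WebXRRigidTransform*` via `m_transform.get()` instead of a `const&`, so any caller that previously bound the reference must now null-check; the hunk only shows the getter, so confirm the remaining C++ callers (the generated bindings handle a nullable attribute, but internal uses would dereference null exactly where the old `ASSERT(m_transform)` used to fire).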

Modified: releases/WebKitGTK/webkit-2.34/Source/WebCore/Modules/webxr/XRReferenceSpaceEvent.h (289185 => 289186)


--- releases/WebKitGTK/webkit-2.34/Source/WebCore/Modules/webxr/XRReferenceSpaceEvent.h	2022-02-06 23:45:17 UTC (rev 289185)
+++ releases/WebKitGTK/webkit-2.34/Source/WebCore/Modules/webxr/XRReferenceSpaceEvent.h	2022-02-07 00:16:47 UTC (rev 289186)
@@ -37,6 +37,7 @@
 class WebXRRigidTransform;
 
 class XRReferenceSpaceEvent : public Event {
+    WTF_MAKE_ISO_ALLOCATED(XRReferenceSpaceEvent);
 public:
     struct Init : EventInit {
         RefPtr<WebXRReferenceSpace> referenceSpace;
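Review bot: `WTF_MAKE_ISO_ALLOCATED(XRReferenceSpaceEvent);` requires `<wtf/IsoMalloc.h>`, which lies outside the shown context; confirm the include is in the header. Placing the macro immediately after the class opening and before `public:` matches the WebKit convention, and it addresses the FastMalloc.h requirement the change log cites (a derived class of an ISO-allocated base must be ISO-allocated too), which is what stopped the `Event::operator new` crash.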
@@ -47,7 +48,7 @@
     virtual ~XRReferenceSpaceEvent();
 
     const WebXRReferenceSpace& referenceSpace() const;
-    const WebXRRigidTransform& transform() const;
+    WebXRRigidTransform* transform() const;
 
 private:
     XRReferenceSpaceEvent(const AtomString&, const Init&, IsTrusted);
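Review bot: the declaration of `m_transform` is not in this hunk; for `m_transform.get()` in the .cpp to compile and for a null transform to be representable, it has to be a `RefPtr<WebXRRigidTransform>` (the same shape as `RefPtr<WebXRReferenceSpace> referenceSpace` in `Init`), so verify that rather than assume it.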

Modified: releases/WebKitGTK/webkit-2.34/Source/WebCore/Modules/webxr/XRReferenceSpaceEvent.idl (289185 => 289186)


--- releases/WebKitGTK/webkit-2.34/Source/WebCore/Modules/webxr/XRReferenceSpaceEvent.idl	2022-02-06 23:45:17 UTC (rev 289185)
+++ releases/WebKitGTK/webkit-2.34/Source/WebCore/Modules/webxr/XRReferenceSpaceEvent.idl	2022-02-07 00:16:47 UTC (rev 289186)
@@ -28,7 +28,7 @@
     Conditional=WEBXR,
 ] dictionary XRReferenceSpaceEventInit : EventInit {
     required WebXRReferenceSpace referenceSpace;
-    WebXRRigidTransform transform;
+    WebXRRigidTransform? transform;
 };
 
 [
@@ -40,5 +40,5 @@
     constructor(DOMString type, XRReferenceSpaceEventInit eventInitDict);
 
     [SameObject] readonly attribute WebXRReferenceSpace referenceSpace;
-    [SameObject] readonly attribute WebXRRigidTransform transform;
+    [SameObject] readonly attribute WebXRRigidTransform? transform;
 };
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
