[webkit-changes] [136986] trunk/Source

[ggaren]

Title: [136986] trunk/Source

Revision

136986

Author

gga...@apple.com

Date

2012-12-07 14:34:04 -0800 (Fri, 07 Dec 2012)

Log Message

Crash in JSC::Bindings::RootObject::globalObject() sync'ing notes in Evernote
https://bugs.webkit.org/show_bug.cgi?id=104321
<rdar://problem/12770497>

Reviewed by Sam Weinig.

../_javascript_Core: 

Work around a JSValueUnprotect(NULL) in Evernote.

* API/JSValueRef.cpp:
(evernoteHackNeeded):
(JSValueUnprotect):

../WebCore: 

Missed a null check.

* bindings/objc/WebScriptObject.mm:
(-[WebScriptObject JSObject]): If our root object has been cleared, don't
try to dereference it. This happens in Evernote during tear-down.

This matches the behavior of other methods in the same class.

(_isSafeScript returns false if the root object has been cleared.)

If we believe _isSafeScript is a good idea, it's probably the right test
to use here (as opposed to just null-checking _rootObject) because this API
gives the client unlimited access to the underlying _javascript_ object.

Modified Paths

• trunk/Source/_javascript_Core/API/JSValueRef.cpp
• trunk/Source/_javascript_Core/ChangeLog
• trunk/Source/WebCore/ChangeLog
• trunk/Source/WebCore/bindings/objc/WebScriptObject.mm

Diff

Modified: trunk/Source/_javascript_Core/API/JSValueRef.cpp (136985 => 136986)

--- trunk/Source/_javascript_Core/API/JSValueRef.cpp	2012-12-07 22:16:05 UTC (rev 136985)
+++ trunk/Source/_javascript_Core/API/JSValueRef.cpp	2012-12-07 22:34:04 UTC (rev 136986)
@@ -44,8 +44,23 @@
 
 #include <algorithm> // for std::min
 
+#if PLATFORM(MAC)
+#include <mach-o/dyld.h>
+#endif
+
 using namespace JSC;
 
+#if PLATFORM(MAC)
+static bool evernoteHackNeeded()
+{
+    static const int32_t webkitLastVersionWithEvernoteHack = 35133959;
+    static bool hackNeeded = CFEqual(CFBundleGetIdentifier(CFBundleGetMainBundle()), CFSTR("com.evernote.Evernote"))
+        && NSVersionOfLinkTimeLibrary("_javascript_Core") <= webkitLastVersionWithEvernoteHack;
+
+    return hackNeeded;
+}
+#endif
+
 ::JSType JSValueGetType(JSContextRef ctx, JSValueRef value)
 {
     ExecState* exec = toJS(ctx);
@@ -332,6 +347,11 @@
 
 void JSValueUnprotect(JSContextRef ctx, JSValueRef value)
 {
+#if PLATFORM(MAC)
+    if ((!value || !ctx) && evernoteHackNeeded())
+        return;
+#endif
+
     ExecState* exec = toJS(ctx);
     APIEntryShim entryShim(exec);
 

Modified: trunk/Source/_javascript_Core/ChangeLog (136985 => 136986)

--- trunk/Source/_javascript_Core/ChangeLog	2012-12-07 22:16:05 UTC (rev 136985)
+++ trunk/Source/_javascript_Core/ChangeLog	2012-12-07 22:34:04 UTC (rev 136986)
@@ -1,3 +1,17 @@
+2012-12-07  Geoffrey Garen  <gga...@apple.com>
+
+        Crash in JSC::Bindings::RootObject::globalObject() sync'ing notes in Evernote
+        https://bugs.webkit.org/show_bug.cgi?id=104321
+        <rdar://problem/12770497>
+
+        Reviewed by Sam Weinig.
+
+        Work around a JSValueUnprotect(NULL) in Evernote.
+
+        * API/JSValueRef.cpp:
+        (evernoteHackNeeded):
+        (JSValueUnprotect):
+
 2012-12-06  Filip Pizlo  <fpi...@apple.com>
 
         Incorrect inequality for checking whether a statement is within bounds of a handler

Modified: trunk/Source/WebCore/ChangeLog (136985 => 136986)

--- trunk/Source/WebCore/ChangeLog	2012-12-07 22:16:05 UTC (rev 136985)
+++ trunk/Source/WebCore/ChangeLog	2012-12-07 22:34:04 UTC (rev 136986)
@@ -1,3 +1,25 @@
+2012-12-06  Geoffrey Garen  <gga...@apple.com>
+
+        Crash in JSC::Bindings::RootObject::globalObject() sync'ing notes in Evernote
+        https://bugs.webkit.org/show_bug.cgi?id=104321
+        <rdar://problem/12770497>
+
+        Reviewed by Sam Weinig.
+
+        Missed a null check.
+
+        * bindings/objc/WebScriptObject.mm:
+        (-[WebScriptObject JSObject]): If our root object has been cleared, don't
+        try to dereference it. This happens in Evernote during tear-down.
+
+        This matches the behavior of other methods in the same class.
+
+        (_isSafeScript returns false if the root object has been cleared.)
+
+        If we believe _isSafeScript is a good idea, it's probably the right test
+        to use here (as opposed to just null-checking _rootObject) because this API
+        gives the client unlimited access to the underlying _javascript_ object.
+
 2012-12-07  Stephen Chenney  <schen...@chromium.org>
 
         XMLSerializer is too aggressive in adding prefixes

Modified: trunk/Source/WebCore/bindings/objc/WebScriptObject.mm (136985 => 136986)

--- trunk/Source/WebCore/bindings/objc/WebScriptObject.mm	2012-12-07 22:16:05 UTC (rev 136985)
+++ trunk/Source/WebCore/bindings/objc/WebScriptObject.mm	2012-12-07 22:34:04 UTC (rev 136986)
@@ -501,12 +501,11 @@
 
 - (JSObjectRef)JSObject
 {
+    if (![self _isSafeScript])
+        return 0;
     ExecState* exec = [self _rootObject]->globalObject()->globalExec();
     
     JSLockHolder lock(exec);
-    if (![self _isSafeScript])
-        return NULL;
-
     return toRef([self _imp]);
 }
 

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-changes