Title: [144507] trunk/Source/WebCore
- Revision
- 144507
- Author
- [email protected]
- Date
- 2013-03-01 14:39:10 -0800 (Fri, 01 Mar 2013)
Log Message
REGRESSION (r125809): CFStrings created via StringImpl::createCFString() might reference freed memory when Objective-C garbage collection is enabled
https://bugs.webkit.org/show_bug.cgi?id=111219
Reviewed by Benjamin Poulain.
StringImpl::createCFString() uses CFStringCreateWithBytesNoCopy() in
order to create CFString without making an unnecessary copy. In order
to ensure that the StringImpl's backing buffer isn't deallocated
while the CFString is still alive, we use a custom CFAllocator to
ref/deref the StringImpl at the appropriate times.
However, custom allocators aren't supported when Objective-C garbage
collection is enabled, so in this case we use the default CF allocator.
Since we can't guarantee the lifetime of the StringImpl in this case,
we should just fall back to copying the string, as we did prior to r125809.
* platform/text/cf/StringImplCF.cpp:
(garbageCollectionEnabled): Moved the check for whether garbage
collection is enabled from StringWrapperCFAllocator::create() to here.
(WTF::StringWrapperCFAllocator::create): Call garbageCollectionEnabled().
(WTF::StringImpl::createCFString): If garbage collection is enabled,
call the variants of CFStringCreate that copy the string.
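The ownership problem the log message describes can be modelled without CoreFoundation. The following C program is an added illustration, not WebKit code: `StringImpl`, `WrapperAllocator` and `ToyCFString` are toy stand-ins for WTF::StringImpl, the custom CFAllocator and a CFString, and `gc_enabled` plays the role of `objc_collectingEnabled()`. The no-copy string only survives its creator dropping the StringImpl if the allocator's retain callback took a reference; `create_cfstring_before_fix` shows the regressed path (no allocator under GC, buffer borrowed anyway) and `create_cfstring_after_fix` the r144507 behaviour (copy whenever the custom allocator is unavailable).

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for WTF::StringImpl: a refcounted byte buffer (assumed shape). */
typedef struct {
    int refcount;
    size_t length;
    char *chars;
} StringImpl;

int g_live_impls = 0; /* number of StringImpls currently allocated, for checking frees */

StringImpl *string_impl_create(const char *text)
{
    StringImpl *impl = malloc(sizeof *impl);
    impl->refcount = 1;
    impl->length = strlen(text);
    impl->chars = malloc(impl->length + 1);
    memcpy(impl->chars, text, impl->length + 1);
    g_live_impls++;
    return impl;
}

void string_impl_ref(StringImpl *impl) { impl->refcount++; }

void string_impl_deref(StringImpl *impl)
{
    if (--impl->refcount == 0) {
        free(impl->chars);
        free(impl);
        g_live_impls--;
    }
}

/* Stand-in for the custom CFAllocator: retain/release ref/deref the StringImpl kept in info. */
typedef struct {
    void *info;
    void (*retain)(void *info);
    void (*release)(void *info);
} WrapperAllocator;

static void wrapper_retain(void *info) { string_impl_ref(info); }
static void wrapper_release(void *info) { string_impl_deref(info); }

/* Mirrors StringWrapperCFAllocator::create(): no custom allocator is available under GC. */
WrapperAllocator *wrapper_allocator_create(StringImpl *impl, bool gc_enabled)
{
    if (gc_enabled)
        return NULL;
    WrapperAllocator *alloc = malloc(sizeof *alloc);
    alloc->info = impl;
    alloc->retain = wrapper_retain;
    alloc->release = wrapper_release;
    return alloc;
}

/* Stand-in for a CFString: owns a private copy or borrows the StringImpl's buffer. */
typedef struct {
    const char *chars;
    size_t length;
    bool owns_copy;         /* chars is our own heap copy */
    bool holds_backing_ref; /* the allocator took a ref on the StringImpl */
    WrapperAllocator *allocator;
} ToyCFString;

/* CFStringCreateWithBytes analogue: always copies. */
ToyCFString *cfstring_create_copy(const StringImpl *impl)
{
    ToyCFString *s = malloc(sizeof *s);
    char *copy = malloc(impl->length + 1);
    memcpy(copy, impl->chars, impl->length + 1);
    s->chars = copy;
    s->length = impl->length;
    s->owns_copy = true;
    s->holds_backing_ref = false;
    s->allocator = NULL;
    return s;
}

/* CFStringCreateWithBytesNoCopy analogue: borrows the buffer. Only the custom allocator's
 * retain callback keeps the owner alive; with the default allocator (NULL) nothing does. */
ToyCFString *cfstring_create_nocopy(const StringImpl *impl, WrapperAllocator *allocator)
{
    ToyCFString *s = malloc(sizeof *s);
    s->chars = impl->chars;
    s->length = impl->length;
    s->owns_copy = false;
    s->allocator = allocator;
    s->holds_backing_ref = allocator != NULL;
    if (allocator)
        allocator->retain(allocator->info);
    return s;
}

void cfstring_release(ToyCFString *s)
{
    if (s->owns_copy)
        free((char *)s->chars);
    if (s->allocator) {
        s->allocator->release(s->allocator->info);
        free(s->allocator);
    }
    free(s);
}

/* True if the string stays readable after its creator drops its StringImpl reference. */
bool cfstring_outlives_owner(const ToyCFString *s) { return s->owns_copy || s->holds_backing_ref; }

/* Regressed logic: NoCopy path taken even though create() returned no allocator under GC. */
ToyCFString *create_cfstring_before_fix(StringImpl *impl, bool gc_enabled)
{
    if (impl->length == 0)
        return cfstring_create_copy(impl);
    return cfstring_create_nocopy(impl, wrapper_allocator_create(impl, gc_enabled));
}

/* Fixed logic (r144507): copy whenever the custom allocator cannot be used. */
ToyCFString *create_cfstring_after_fix(StringImpl *impl, bool gc_enabled)
{
    if (impl->length == 0 || gc_enabled)
        return cfstring_create_copy(impl);
    return cfstring_create_nocopy(impl, wrapper_allocator_create(impl, gc_enabled));
}
```

Running the two creation paths with `gc_enabled == true` shows the difference: the regressed string neither owns a copy nor holds a reference, so once the creator calls `string_impl_deref` its `chars` pointer dangles; the fixed string owns a copy. With GC off, the no-copy string holds a reference and the StringImpl is only freed when the string itself is released.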
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (144506 => 144507)
--- trunk/Source/WebCore/ChangeLog 2013-03-01 22:38:28 UTC (rev 144506)
+++ trunk/Source/WebCore/ChangeLog 2013-03-01 22:39:10 UTC (rev 144507)
@@ -1,3 +1,28 @@
+2013-03-01 Andy Estes <[email protected]>
+
+ REGRESSION (r125809): CFStrings created via StringImpl::createCFString() might reference freed memory when Objective-C garbage collection is enabled
+ https://bugs.webkit.org/show_bug.cgi?id=111219
+
+ Reviewed by Benjamin Poulain.
+
+ StringImpl::createCFString() uses CFStringCreateWithBytesNoCopy() in
+ order to create CFString without making an unnecessary copy. In order
+ to ensure that the the StringImpl's backing buffer isn't deallocated
+ while the CFString is still alive, we use a custom CFAllocator to
+ ref/deref the StringImpl at the appropriate times.
+
+ However, custom allocators aren't supported when Objective-C garbage
+ collection is enabled, so in this case we use the default CF allocator.
+ Since we can't guarantee the lifetime of the StringImpl in this case,
+ we should just fall back to copying the string, as we did prior to r125809.
+
+ * platform/text/cf/StringImplCF.cpp:
+ (garbageCollectionEnabled): Moved the check for whether garbage
+ collection is enabled from StringWrapperCFAllocator::create() to here.
+ (WTF::StringWrapperCFAllocator::create): Call garbageCollectionEnabled().
+ (WTF::StringImpl::createCFString): If garbage collection is enabled,
+ call the variants of CFStringCreate that copy the string.
+
2013-03-01 Roger Fong <[email protected]>
Unreviewed AppleWin build fix.
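Review bot: typo in the new ChangeLog paragraph, "to ensure that the the StringImpl's backing buffer isn't deallocated" doubles "the"; the entry also does not mention that the objc-auto.h include guard in StringImplCF.cpp gains `&& !PLATFORM(IOS)`, which is worth a line since it changes which builds see the header.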
Modified: trunk/Source/WebCore/platform/text/cf/StringImplCF.cpp (144506 => 144507)
--- trunk/Source/WebCore/platform/text/cf/StringImplCF.cpp 2013-03-01 22:38:28 UTC (rev 144506)
+++ trunk/Source/WebCore/platform/text/cf/StringImplCF.cpp 2013-03-01 22:39:10 UTC (rev 144507)
@@ -29,10 +29,19 @@
#include <wtf/RetainPtr.h>
#include <wtf/Threading.h>
-#if PLATFORM(MAC)
+#if PLATFORM(MAC) && !PLATFORM(IOS)
#include <objc/objc-auto.h>
#endif
+static inline bool garbageCollectionEnabled()
+{
+#if PLATFORM(MAC) && !PLATFORM(IOS)
+ return objc_collectingEnabled();
+#else
+ return false;
+#endif
+}
+
namespace WTF {
namespace StringWrapperCFAllocator {
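Review bot: the new include guard `#if PLATFORM(MAC) && !PLATFORM(IOS)` excludes iOS from objc-auto.h, and garbageCollectionEnabled() correspondingly returns false there, but nothing in the hunk or the ChangeLog says why; a short comment on the helper (for example that objc_collectingEnabled() is only used on Mac and every other platform is treated as not collecting) would keep the next reader from "fixing" the guard back to plain PLATFORM(MAC).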
@@ -116,11 +125,7 @@
static CFAllocatorRef create()
{
-#if PLATFORM(MAC)
- // Since garbage collection isn't compatible with custom allocators, don't use this at all when garbage collection is active.
- if (objc_collectingEnabled())
- return 0;
-#endif
+ ASSERT(!garbageCollectionEnabled());
CFAllocatorContext context = { 0, 0, retain, release, copyDescription, allocate, reallocate, deallocate, preferredSize };
return CFAllocatorCreate(0, &context);
}
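Review bot: replacing the runtime `if (objc_collectingEnabled()) return 0;` with `ASSERT(!garbageCollectionEnabled());` means release builds (where ASSERT compiles out) will now hand back a custom allocator even when GC is enabled, so create() is only safe because createCFString() checks garbageCollectionEnabled() before reaching it. If create() has any other caller, that caller now needs the same guard; a one-line comment stating the precondition (callers must check garbageCollectionEnabled() first) would make the contract explicit.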
@@ -135,7 +140,9 @@
RetainPtr<CFStringRef> StringImpl::createCFString()
{
- if (!m_length || !isMainThread()) {
+ // Since garbage collection isn't compatible with custom allocators, we
+ // can't use the NoCopy variants of CFStringCreate*() when GC is enabled.
+ if (!m_length || !isMainThread() || garbageCollectionEnabled()) {
if (is8Bit())
return adoptCF(CFStringCreateWithBytes(0, reinterpret_cast<const UInt8*>(characters8()), m_length, kCFStringEncodingISOLatin1, false));
return adoptCF(CFStringCreateWithCharacters(0, reinterpret_cast<const UniChar*>(characters16()), m_length));
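Review bot: the comment above the condition explains only the new `garbageCollectionEnabled()` clause while `!m_length` and `!isMainThread()` stay unexplained; since the same predicate now appears here as a guard and in StringWrapperCFAllocator::create() as an ASSERT, consider a named helper such as canUseStringWrapperAllocator() (hypothetical name) used in both places, or at least a comment noting that the three clauses all mean "fall back to the copying CFStringCreate variants".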
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes