Title: [176803] trunk/Source
Revision: 176803
Author: [email protected]
Date: 2014-12-04 10:31:47 -0800 (Thu, 04 Dec 2014)

Log Message

Serialization of MapData object provides unsafe access to internal types
https://bugs.webkit.org/show_bug.cgi?id=138653

Patch by Oliver Hunt <[email protected]> on 2014-12-04
Reviewed by Geoffrey Garen.

Source/_javascript_Core:

Converting these ASSERTs into RELEASE_ASSERTs, as it is now obvious
that despite trying hard to be safe in all cases it's simply too easy
to use an iterator in an unsafe state.

* runtime/MapData.h:
(JSC::MapData::const_iterator::key):
(JSC::MapData::const_iterator::value):

Source/WebCore:

We now keep the value portion of the key/value pair in MapData as a
separate stack. This allows us to maintain the spec semantic of
"atomic" serialisation of the key/value pair without retaining the
use of a potentially invalid iterator.

* bindings/js/SerializedScriptValue.cpp:
(WebCore::CloneSerializer::serialize):
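The bug class behind this change is an iterator held across code that can run script: serializing the key of a Map entry may execute arbitrary JavaScript (getters, toJSON), which can mutate the Map and leave the iterator pointing past the end of the entry storage. The toy below is an added illustration, not WebKit code: a stand-in for MapData with an index-based const_iterator whose key()/value() refuse to read through an at-end position (the RELEASE_ASSERT role), an "old" walk that reads the value back through the iterator after the key visit, and a "fixed" walk that snapshots the value before either half is visited and only advances the iterator if it is still short of end(). The snapshot is a local copy here; in the real serializer it is the per-nesting-level iteratorValueStack plus the m_gcBuffer pin. All names, the Visitor callback and the sample entries are constructed for the example.

```cpp
#include <cstddef>
#include <functional>
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

// Constructed stand-in for JSC::MapData (names are assumptions, not WebKit code):
// an ordered entry list and an index-based const_iterator whose key()/value()
// refuse to read through an at-end position, like the RELEASE_ASSERTs in the patch.
struct Entry {
    std::string key;
    std::string value;
};

struct MapData {
    std::vector<Entry> entries;

    struct const_iterator {
        const MapData* map;
        size_t index;

        bool atEnd() const { return index >= map->entries.size(); }
        const std::string& key() const {
            if (atEnd()) throw std::logic_error("key() on at-end iterator");
            return map->entries[index].key;
        }
        const std::string& value() const {
            if (atEnd()) throw std::logic_error("value() on at-end iterator");
            return map->entries[index].value;
        }
        void operator++() { ++index; }
        bool operator!=(const const_iterator& other) const {
            if (atEnd() && other.atEnd()) return false; // every past-the-end position is "end"
            return index != other.index;
        }
    };

    const_iterator begin() const { return {this, 0}; }
    const_iterator end() const { return {this, entries.size()}; }
};

// A visitor plays the role of serializing one key or value; like the real
// serializer it may end up running script, which can mutate the map mid-walk.
using Visitor = std::function<void(MapData&, const std::string&)>;

// The pattern the patch removes: the value is read back through the iterator
// after the key was visited, so a map mutation during the key visit leaves the
// iterator stale. The at-end check (RELEASE_ASSERT in WebKit) aborts the walk.
std::vector<std::string> serializeHoldingIterator(MapData map, const Visitor& visitor) {
    std::vector<std::string> out;
    for (auto it = map.begin(); it != map.end(); ++it) {
        std::string key = it.key();
        visitor(map, key);              // may clear or shrink the map
        out.push_back(key);
        std::string value = it.value(); // stale iterator: throws if the map shrank
        visitor(map, value);
        out.push_back(value);
    }
    return out;
}

// The fixed pattern: key and value are snapshotted together before either is
// visited (the copy stands in for iteratorValueStack plus the m_gcBuffer pin),
// and the iterator is only advanced if it is still short of end().
std::vector<std::string> serializeWithValueSnapshot(MapData map, const Visitor& visitor) {
    std::vector<std::string> out;
    auto it = map.begin();
    while (it != map.end()) {
        std::string key = it.key();
        std::string value = it.value(); // atomic snapshot of the pair
        visitor(map, key);
        visitor(map, value);
        out.push_back(key);
        out.push_back(value);
        if (it != map.end())            // guard from the patch
            ++it;
    }
    return out;
}

// Constructed sample input.
MapData sampleMap() {
    return MapData{{{"a", "1"}, {"b", "2"}}};
}

void noop(MapData&, const std::string&) {}
// Simulates script that empties the Map while its first key is being serialized.
void clearOnKeyA(MapData& map, const std::string& s) {
    if (s == "a") map.entries.clear();
}

std::string joined(const std::vector<std::string>& parts) {
    std::string s;
    for (size_t i = 0; i < parts.size(); ++i) s += (i ? "," : "") + parts[i];
    return s;
}

// Returns true if the old pattern trips the at-end check under mutation.
bool holdingIteratorAborts() {
    try {
        serializeHoldingIterator(sampleMap(), clearOnKeyA);
        return false;
    } catch (const std::logic_error&) {
        return true;
    }
}

int main() {
    std::cout << joined(serializeWithValueSnapshot(sampleMap(), noop)) << "\n";        // a,1,b,2
    std::cout << joined(serializeWithValueSnapshot(sampleMap(), clearOnKeyA)) << "\n"; // a,1
    std::cout << (holdingIteratorAborts() ? "old pattern aborts" : "old pattern ok") << "\n";
    return 0;
}
```

With the mutating visitor the old walk reads through a stale iterator (here caught by the at-end check; without it, an out-of-bounds read of freed entry storage), while the fixed walk still emits the first pair as a unit and then stops because the iterator compares equal to end().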

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (176802 => 176803)


--- trunk/Source/_javascript_Core/ChangeLog	2014-12-04 17:41:51 UTC (rev 176802)
+++ trunk/Source/_javascript_Core/ChangeLog	2014-12-04 18:31:47 UTC (rev 176803)
@@ -1,3 +1,18 @@
+2014-12-04  Oliver Hunt  <[email protected]>
+
+        Serialization of MapData object provides unsafe access to internal types
+        https://bugs.webkit.org/show_bug.cgi?id=138653
+
+        Reviewed by Geoffrey Garen.
+
+        Converting these ASSERTs into RELEASE_ASSERTs, as it is now obvious
+        that despite trying hard to be safe in all cases it's simply to easy
+        to use an iterator in an unsafe state.
+
+        * runtime/MapData.h:
+        (JSC::MapData::const_iterator::key):
+        (JSC::MapData::const_iterator::value):
+
 2014-12-03  Gyuyoung Kim  <[email protected]>
 
         Move _javascript_Core/dfg to std::unique_ptr
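Review bot: typo in the ChangeLog entry, `+        that despite trying hard to be safe in all cases it's simply to easy` should read "too easy"; the same wording is in the commit message, so fix both.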

Modified: trunk/Source/_javascript_Core/runtime/MapData.h (176802 => 176803)


--- trunk/Source/_javascript_Core/runtime/MapData.h	2014-12-04 17:41:51 UTC (rev 176802)
+++ trunk/Source/_javascript_Core/runtime/MapData.h	2014-12-04 18:31:47 UTC (rev 176803)
@@ -42,8 +42,8 @@
         const_iterator(const MapData*);
         ~const_iterator();
         const WTF::KeyValuePair<JSValue, JSValue> operator*() const;
-        JSValue key() const { ASSERT(!atEnd()); return m_mapData->m_entries[m_index].key.get(); }
-        JSValue value() const { ASSERT(!atEnd()); return m_mapData->m_entries[m_index].value.get(); }
+        JSValue key() const { RELEASE_ASSERT(!atEnd()); return m_mapData->m_entries[m_index].key.get(); }
+        JSValue value() const { RELEASE_ASSERT(!atEnd()); return m_mapData->m_entries[m_index].value.get(); }
         void operator++() { ASSERT(!atEnd()); internalIncrement(); }
         static const_iterator end(const MapData*);
         bool operator!=(const const_iterator& other);
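Review bot: key() and value() now abort in release builds on an at-end iterator, but `void operator++() { ASSERT(!atEnd()); internalIncrement(); }` on the next line still only checks in debug, so advancing a stale iterator past the end stays unchecked in release. Either promote that ASSERT to RELEASE_ASSERT too, or add a comment stating that callers must compare against end() before incrementing, which is what the WebCore side of this patch does.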

Modified: trunk/Source/WebCore/ChangeLog (176802 => 176803)


--- trunk/Source/WebCore/ChangeLog	2014-12-04 17:41:51 UTC (rev 176802)
+++ trunk/Source/WebCore/ChangeLog	2014-12-04 18:31:47 UTC (rev 176803)
@@ -1,3 +1,18 @@
+2014-12-04  Oliver Hunt  <[email protected]>
+
+        Serialization of MapData object provides unsafe access to internal types
+        https://bugs.webkit.org/show_bug.cgi?id=138653
+
+        Reviewed by Geoffrey Garen.
+
+        We now keep the value portion of the key/value pair in MapData as a
+        separate stack. This allows us to maintain the spec semantic of
+        "atomic" serialisation of the key/value pair without retaining the
+        use of a potentially invalid iterator.
+
+        * bindings/js/SerializedScriptValue.cpp:
+        (WebCore::CloneSerializer::serialize):
+
 2014-12-04  Radu Stavila  <[email protected]>
 
         [SVG Masking] Add support for referencing <mask> elements from -webkit-mask-image

Modified: trunk/Source/WebCore/bindings/js/SerializedScriptValue.cpp (176802 => 176803)


--- trunk/Source/WebCore/bindings/js/SerializedScriptValue.cpp	2014-12-04 17:41:51 UTC (rev 176802)
+++ trunk/Source/WebCore/bindings/js/SerializedScriptValue.cpp	2014-12-04 18:31:47 UTC (rev 176803)
@@ -1218,6 +1218,7 @@
     Vector<JSObject*, 32> inputObjectStack;
     Vector<MapData*, 4> mapDataStack;
     Vector<MapData::const_iterator, 4> iteratorStack;
+    Vector<JSValue, 4> iteratorValueStack;
     Vector<WalkerState, 16> stateStack;
     WalkerState state = StateUnknown;
     JSValue inValue = in;
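Review bot: `+    Vector<JSValue, 4> iteratorValueStack;` has to stay in lockstep with iteratorStack (one value pushed per in-progress key visit, popped when the value is visited), and nothing in the types enforces that. A one-line comment at the declaration spelling out the invariant would help whoever next touches this state machine.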
@@ -1386,16 +1387,20 @@
                     goto objectStartVisitMember;
                 }
                 inValue = ptr.key();
+                m_gcBuffer.append(ptr.value());
+                iteratorValueStack.append(ptr.value());
                 stateStack.append(MapDataEndVisitKey);
                 goto stateUnknown;
             }
             case MapDataEndVisitKey: {
-                inValue = iteratorStack.last().value();
+                inValue = iteratorValueStack.last();
+                iteratorValueStack.removeLast();
                 stateStack.append(MapDataEndVisitValue);
                 goto stateUnknown;
             }
             case MapDataEndVisitValue: {
-                ++iteratorStack.last();
+                if (iteratorStack.last() != mapDataStack.last()->end())
+                    ++iteratorStack.last();
                 goto mapDataStartVisitEntry;
             }
 
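Review bot: the guard `+                if (iteratorStack.last() != mapDataStack.last()->end())` silently tolerates an iterator that reached end while the key or value was being serialized, but nothing says why that can happen (script run during serialization mutating the Map). A short comment here would keep someone from "simplifying" it back to the unconditional `++iteratorStack.last();`. Also worth noting next to `+                m_gcBuffer.append(ptr.value());` that the snapshot and GC pin must happen before the key is visited, since that ordering is what makes the key/value pair atomic and is the only reason `inValue = ptr.key();` above is safe.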
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
