Title: [177072] branches/safari-600.1.4.13-branch/Source
Revision: 177072
Author: [email protected]
Date: 2014-12-10 09:12:28 -0800 (Wed, 10 Dec 2014)
Log Message
Merged r176803. rdar://problem/19131878
Modified Paths
- branches/safari-600.1.4.13-branch/Source/_javascript_Core/ChangeLog
- branches/safari-600.1.4.13-branch/Source/_javascript_Core/runtime/MapData.h
- branches/safari-600.1.4.13-branch/Source/WebCore/ChangeLog
- branches/safari-600.1.4.13-branch/Source/WebCore/bindings/js/SerializedScriptValue.cpp
Diff
Modified: branches/safari-600.1.4.13-branch/Source/_javascript_Core/ChangeLog (177071 => 177072)
--- branches/safari-600.1.4.13-branch/Source/_javascript_Core/ChangeLog 2014-12-10 17:10:41 UTC (rev 177071)
+++ branches/safari-600.1.4.13-branch/Source/_javascript_Core/ChangeLog 2014-12-10 17:12:28 UTC (rev 177072)
@@ -1,3 +1,22 @@
+2014-12-10 Babak Shafiei <[email protected]>
+
+ Merge r176803.
+
+ 2014-12-04 Oliver Hunt <[email protected]>
+
+ Serialization of MapData object provides unsafe access to internal types
+ https://bugs.webkit.org/show_bug.cgi?id=138653
+
+ Reviewed by Geoffrey Garen.
+
+ Converting these ASSERTs into RELEASE_ASSERTs, as it is now obvious
+ that despite trying hard to be safe in all cases it's simply to easy
+ to use an iterator in an unsafe state.
+
+ * runtime/MapData.h:
+ (JSC::MapData::const_iterator::key):
+ (JSC::MapData::const_iterator::value):
+
2014-09-15 Babak Shafiei <[email protected]>
<rdar://problem/18327341> Disable Web Timing on this branch.
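Review bot: Typo in the merged ChangeLog text, "it's simply to easy to use an iterator in an unsafe state" should read "too easy". The entry also lists only key() and value() under runtime/MapData.h; since operator++ in the same class keeps its debug-only ASSERT, a sentence saying that callers are still expected to check for end() before incrementing would make the scope of the hardening clear to readers of the log.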
Modified: branches/safari-600.1.4.13-branch/Source/_javascript_Core/runtime/MapData.h (177071 => 177072)
--- branches/safari-600.1.4.13-branch/Source/_javascript_Core/runtime/MapData.h 2014-12-10 17:10:41 UTC (rev 177071)
+++ branches/safari-600.1.4.13-branch/Source/_javascript_Core/runtime/MapData.h 2014-12-10 17:12:28 UTC (rev 177072)
@@ -42,8 +42,8 @@
const_iterator(const MapData*);
~const_iterator();
const WTF::KeyValuePair<JSValue, JSValue> operator*() const;
- JSValue key() const { ASSERT(!atEnd()); return m_mapData->m_entries[m_index].key.get(); }
- JSValue value() const { ASSERT(!atEnd()); return m_mapData->m_entries[m_index].value.get(); }
+ JSValue key() const { RELEASE_ASSERT(!atEnd()); return m_mapData->m_entries[m_index].key.get(); }
+ JSValue value() const { RELEASE_ASSERT(!atEnd()); return m_mapData->m_entries[m_index].value.get(); }
void operator++() { ASSERT(!atEnd()); internalIncrement(); }
static const_iterator end(const MapData*);
bool operator!=(const const_iterator& other);
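Review bot: Only key() and value() are promoted to RELEASE_ASSERT; the line `void operator++() { ASSERT(!atEnd()); internalIncrement(); }` keeps a debug-only check, so a release build that increments an iterator already at end still proceeds unchecked into internalIncrement(). Either promote that ASSERT to RELEASE_ASSERT as well for consistency, or add a comment stating that callers must compare against end() before ++ (which is what the SerializedScriptValue change in this commit does), so the next caller does not rely on a check that is compiled out.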
Modified: branches/safari-600.1.4.13-branch/Source/WebCore/ChangeLog (177071 => 177072)
--- branches/safari-600.1.4.13-branch/Source/WebCore/ChangeLog 2014-12-10 17:10:41 UTC (rev 177071)
+++ branches/safari-600.1.4.13-branch/Source/WebCore/ChangeLog 2014-12-10 17:12:28 UTC (rev 177072)
@@ -1,5 +1,24 @@
2014-12-10 Babak Shafiei <[email protected]>
+ Merge r176803.
+
+ 2014-12-04 Oliver Hunt <[email protected]>
+
+ Serialization of MapData object provides unsafe access to internal types
+ https://bugs.webkit.org/show_bug.cgi?id=138653
+
+ Reviewed by Geoffrey Garen.
+
+ We now keep the value portion of the key/value pair in MapData as a
+ separate stack. This allows us to maintain the spec semantic of
+ "atomic" serialisation of the key/value pair without retaining the
+ use of a potentially invalid iterator.
+
+ * bindings/js/SerializedScriptValue.cpp:
+ (WebCore::CloneSerializer::serialize):
+
+2014-12-10 Babak Shafiei <[email protected]>
+
Merge r175974.
2014-11-11 David Kilzer <[email protected]>
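Review bot: The entry explains the separate value stack but not the other half of the fix visible in bindings/js/SerializedScriptValue.cpp, the `m_gcBuffer.append(ptr.value())` call that keeps the copied value alive while the key is serialized. A raw JSValue held in a local Vector is not a GC root, so mentioning why the copy is safe would make the ChangeLog self-explanatory. Minor: "serialisation" here versus "Serialization" in the title line.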
Modified: branches/safari-600.1.4.13-branch/Source/WebCore/bindings/js/SerializedScriptValue.cpp (177071 => 177072)
--- branches/safari-600.1.4.13-branch/Source/WebCore/bindings/js/SerializedScriptValue.cpp 2014-12-10 17:10:41 UTC (rev 177071)
+++ branches/safari-600.1.4.13-branch/Source/WebCore/bindings/js/SerializedScriptValue.cpp 2014-12-10 17:12:28 UTC (rev 177072)
@@ -1218,6 +1218,7 @@
Vector<JSObject*, 32> inputObjectStack;
Vector<MapData*, 4> mapDataStack;
Vector<MapData::const_iterator, 4> iteratorStack;
+ Vector<JSValue, 4> iteratorValueStack;
Vector<WalkerState, 16> stateStack;
WalkerState state = StateUnknown;
JSValue inValue = in;
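Review bot: `Vector<JSValue, 4> iteratorValueStack;` stores unmarked JSValues, and its safety depends on every pushed value also being appended to m_gcBuffer (done at the push site later in this patch). A one-line comment on the declaration stating that invariant would prevent a future caller from pushing a value here without the matching m_gcBuffer.append.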
@@ -1386,16 +1387,20 @@
goto objectStartVisitMember;
}
inValue = ptr.key();
+ m_gcBuffer.append(ptr.value());
+ iteratorValueStack.append(ptr.value());
stateStack.append(MapDataEndVisitKey);
goto stateUnknown;
}
case MapDataEndVisitKey: {
- inValue = iteratorStack.last().value();
+ inValue = iteratorValueStack.last();
+ iteratorValueStack.removeLast();
stateStack.append(MapDataEndVisitValue);
goto stateUnknown;
}
case MapDataEndVisitValue: {
- ++iteratorStack.last();
+ if (iteratorStack.last() != mapDataStack.last()->end())
+ ++iteratorStack.last();
goto mapDataStartVisitEntry;
}
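Review bot: The new guard `if (iteratorStack.last() != mapDataStack.last()->end())` skips the increment silently, with no comment saying why the iterator can already be at end by the time MapDataEndVisitValue runs (the key and value are serialized through `goto stateUnknown`, which can run script that mutates the map and invalidates the iterator). Please add that comment, since a reader otherwise sees an apparently impossible condition and may remove the check. Minor: `ptr.value()` is called twice in the two added lines; hoisting it into a local (`JSValue value = ptr.value();`) avoids the repeated call.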
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes