On Thu, Sep 17, 2020 at 2:51 AM Emilio Cobos Álvarez <emi...@crisal.io> wrote:
> Interesting. This looks fairly similar to some of the checkers we use in
> mozilla-central, fwiw.
>
> One interesting difference is that we opted for explicitly annotating
> the functions that can run script (think updateStyleIfNeeded(),
> dispatchEvent() etc equivalents) to be able to not warn for cases where
> using raw pointers is fine. See [1] for the current rules we're using.

That's an interesting alternative. We should consider that if the current approach proves to cause perf issues.

> So, I wonder... for a concrete example like [2], what is it that would
> allow you to use shadowHost() without storing it on a local RefPtr
> otherwise, for example? Or is the plan to either pay the refcount churn,
> or silence the warnings on a per-case basis?

In this case, we'd like to store shadowHost() on a local RefPtr. "contains" might be a common enough function that we could consider marking as safe, but in a more generic case there is no guarantee that contains would never trigger a style or layout update, either of which may execute arbitrary scripts.

Also, script execution isn't the only way to get to memory unsafety. Any piece of code that manipulates a complex enough data structure may lead to use-after-free even if there was no arbitrary script execution involved.

> [1]: https://searchfox.org/mozilla-central/rev/f4b4008f5ee00f5afa3095f48c54f16828e4b22b/build/clang-plugin/CanRunScriptChecker.cpp#5-49
> [2]: https://webkit-search.igalia.com/webkit/rev/4c54a6d287d7fba30e1fb37d5afda692fb12a758/Source/WebCore/dom/Node.cpp#1041

- R. Niwa
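The hazard discussed in this reply (a raw pointer held across a call that may run script, versus keeping the host alive in a local RefPtr), as an added example that is not WebKit's or Mozilla's code. It assumes a toy `Node` with an `onEvent` hook standing in for any call that can run script, and uses `std::shared_ptr` in place of RefPtr with a `std::weak_ptr` probe so that the unsafe case is observed rather than dereferenced.

```cpp
#include <functional>
#include <iostream>
#include <memory>

// Added example (not WebKit code): std::shared_ptr stands in for RefPtr, and
// the onEvent hook stands in for any call that may run arbitrary script.
struct Node {
    std::shared_ptr<Node> host;      // the owning reference to the shadow host
    std::function<void()> onEvent;   // "script" that may detach the host
    Node* shadowHost() const { return host.get(); }   // raw pointer, no ownership
};

// Builds a node whose event hook, when scriptDropsHost is true, detaches the
// host (drops its last owning reference), as arbitrary script might.
std::shared_ptr<Node> makeScenario(bool scriptDropsHost) {
    auto node = std::make_shared<Node>();
    node->host = std::make_shared<Node>();
    Node* self = node.get();
    node->onEvent = [self, scriptDropsHost] {
        if (scriptDropsHost) self->host.reset();
    };
    return node;
}

// Pattern the checker warns about: a raw pointer kept across a call that may
// run script. Returns whether the host is still alive afterwards; the weak_ptr
// probe observes destruction so the example never touches a dangling pointer.
bool rawPointerAcrossScript(Node& node) {
    Node* host = node.shadowHost();
    std::weak_ptr<Node> probe = node.host;
    node.onEvent();          // may run script and drop the host
    (void)host;              // real code would dereference host here: use-after-free
    return !probe.expired();
}

// Fix discussed in the thread: a local RefPtr keeps the host alive for the scope.
bool refPtrAcrossScript(Node& node) {
    std::shared_ptr<Node> host = node.host;   // +1 ref for the duration of this scope
    std::weak_ptr<Node> probe = host;
    node.onEvent();          // may run script; host stays alive regardless
    return !probe.expired();
}

int main() {
    auto n = makeScenario(true);
    std::cout << "raw pointer still valid: " << rawPointerAcrossScript(*n) << "\n";  // 0
    n = makeScenario(true);
    std::cout << "RefPtr still valid: " << refPtrAcrossScript(*n) << "\n";           // 1
}
```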
_______________________________________________
webkit-dev mailing list
webkit-dev@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-dev