106385 2013-01-08 14:50:04 -0800 CanvasRenderingContext2D::setFont argument may reference destroyed object 2013-01-08 18:31:27 -0800 1 1 1 Unclassified WebKit New Bugs 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED P2 Normal --- 1 junov junov darin inferno ojan.autocc webkit.review.bot oldest_to_newest 802679 0 junov 2013-01-08 14:50:04 -0800 CanvasRenderingContext2D::setFont argument may reference destroyed object 802683 1 181773 junov 2013-01-08 14:53:33 -0800 Created attachment 181773 Patch 802700 2 181773 inferno 2013-01-08 15:04:06 -0800 Comment on attachment 181773 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=181773&action=review > Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp:2091 > + String newFontSafeCopy(newFont); // In case newFont is a ref to a string touched by realizeSaves The comment could be improved like "Create a string copy since newFont can be deleted inside realizeSaves." 802719 3 181773 darin 2013-01-08 15:19:01 -0800 Comment on attachment 181773 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=181773&action=review > Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp:2093 > + modifiableState().m_unparsedFont = newFontSafeCopy; If this was a RefPtr then we’d want to do a release here to avoid reference count churn. Since it’s a String, we *could* avoid the churn by doing a swap here instead of assignment. But I’m thinking that’s too ugly for the tiny performance win. > Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp:2379 > if (!state().m_realizedFont) { > - // Create temporary string object to hold ref count in case > - // state().m_unparsedFont in unreffed by call to realizeSaves in > - // setFont. > - String unparsedFont(state().m_unparsedFont); > - setFont(unparsedFont); > + setFont(state().m_unparsedFont); > } Should take out the braces here too. 802746 4 junov 2013-01-08 15:42:52 -0800 (In reply to comment #3) > Should take out the braces here too. I wonder how come this passed the style check... 802752 5 181792 junov 2013-01-08 15:44:53 -0800 Created attachment 181792 Patch for landing 802876 6 181792 webkit.review.bot 2013-01-08 18:31:24 -0800 Comment on attachment 181792 Patch for landing Clearing flags on attachment: 181792 Committed r139144: <http://trac.webkit.org/changeset/139144> 802877 7 webkit.review.bot 2013-01-08 18:31:27 -0800 All reviewed patches have been landed. Closing bug. 181773 2013-01-08 14:53:33 -0800 2013-01-08 15:44:51 -0800 Patch bug-106385-20130108175037.patch text/plain 2327 junov U3VidmVyc2lvbiBSZXZpc2lvbjogMTM5MTAzCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggMzA5NWQ3YjZjMjkxNmU5 MTE4MmZlZDhiODgzYTNmNGFmMjM2ZTc3ZS4uNzRjMTc4ZDA1OWQ5MjIxY2Y4ZDgzMjQ5Y2UwNmYz ODkwNjVjODA3YiAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE5IEBACisyMDEzLTAxLTA4ICBKdXN0 aW4gTm92b3NhZCAgPGp1bm92QGdvb2dsZS5jb20+CisKKyAgICAgICAgQ2FudmFzUmVuZGVyaW5n Q29udGV4dDJEOjpzZXRGb250IGFyZ3VtZW50IG1heSByZWZlcmVuY2UgZGVzdHJveWVkIG9iamVj dAorICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTA2Mzg1 CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgTm8gbmV3 IHRlc3RzOiBjb3ZlcmVkIGJ5IGZhc3QvY2FudmFzL2NhbnZhcy1tZWFzdXJlVGV4dC5odG1sCisK KyAgICAgICAgVGhpcyBpcyBhIHJlLXdyaXRlIG9mIHIxMzg5OTQuICBGaXhpbmcgYnVnIGluIHNl dEZvbnQgaW5zdGVhZCBvZgorICAgICAgICB3b3JrYXJvdW5kIGF0IGNhbGwgc2l0ZS4gCisKKyAg ICAgICAgKiBodG1sL2NhbnZhcy9DYW52YXNSZW5kZXJpbmdDb250ZXh0MkQuY3BwOgorICAgICAg ICAoV2ViQ29yZTo6Q2FudmFzUmVuZGVyaW5nQ29udGV4dDJEOjpzZXRGb250KToKKyAgICAgICAg KFdlYkNvcmU6OkNhbnZhc1JlbmRlcmluZ0NvbnRleHQyRDo6YWNjZXNzRm9udCk6CisKIDIwMTMt MDEtMDggIEFuZHJlYXMgS2xpbmcgIDxha2xpbmdAYXBwbGUuY29tPgogCiAgICAgICAgIEhlYXAt dXNlLWFmdGVyLWZyZWUgaW4gYm9vbCBXZWJDb3JlOjpTZWxlY3RvckNoZWNrZXI6OmNoZWNrT25l U2VsZWN0b3IuCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9odG1sL2NhbnZhcy9DYW52YXNS ZW5kZXJpbmdDb250ZXh0MkQuY3BwIGIvU291cmNlL1dlYkNvcmUvaHRtbC9jYW52YXMvQ2FudmFz UmVuZGVyaW5nQ29udGV4dDJELmNwcAppbmRleCA3ZGQwOTE2M2U1ODk5ZWIzMWQ2Mzc3YTZlZDEz NDcwNjMwZDI4MTI1Li40ZjQzMTZlN2UwMTRiNjJjZTVmNGJkN2M2MmZhNzIwNzVlNjA4NWMyIDEw MDY0NAotLS0gYS9Tb3VyY2UvV2ViQ29yZS9odG1sL2NhbnZhcy9DYW52YXNSZW5kZXJpbmdDb250 ZXh0MkQuY3BwCisrKyBiL1NvdXJjZS9XZWJDb3JlL2h0bWwvY2FudmFzL0NhbnZhc1JlbmRlcmlu Z0NvbnRleHQyRC5jcHAKQEAgLTIwODgsOCArMjA4OCw5IEBAIHZvaWQgQ2FudmFzUmVuZGVyaW5n Q29udGV4dDJEOjpzZXRGb250KGNvbnN0IFN0cmluZyYgbmV3Rm9udCkKICAgICAgICAgcmV0dXJu OwogCiAgICAgLy8gVGhlIHBhcnNlIHN1Y2NlZWRlZC4KKyAgICBTdHJpbmcgbmV3Rm9udFNhZmVD b3B5KG5ld0ZvbnQpOyAvLyBJbiBjYXNlIG5ld0ZvbnQgaXMgYSByZWYgdG8gYSBzdHJpbmcgdG91 Y2hlZCBieSByZWFsaXplU2F2ZXMKICAgICByZWFsaXplU2F2ZXMoKTsKLSAgICBtb2RpZmlhYmxl U3RhdGUoKS5tX3VucGFyc2VkRm9udCA9IG5ld0ZvbnQ7CisgICAgbW9kaWZpYWJsZVN0YXRlKCku bV91bnBhcnNlZEZvbnQgPSBuZXdGb250U2FmZUNvcHk7CiAKICAgICAvLyBNYXAgdGhlIDxjYW52 YXM+IGZvbnQgaW50byB0aGUgdGV4dCBzdHlsZS4gSWYgdGhlIGZvbnQgdXNlcyBrZXl3b3JkcyBs aWtlIGxhcmdlci9zbWFsbGVyLCB0aGVzZSB3aWxsIHdvcmsKICAgICAvLyByZWxhdGl2ZSB0byB0 aGUgY2FudmFzLgpAQCAtMjM3NCwxMSArMjM3NSw3IEBAIGNvbnN0IEZvbnQmIENhbnZhc1JlbmRl cmluZ0NvbnRleHQyRDo6YWNjZXNzRm9udCgpCiAgICAgY2FudmFzKCktPmRvY3VtZW50KCktPnVw ZGF0ZVN0eWxlSWZOZWVkZWQoKTsKIAogICAgIGlmICghc3RhdGUoKS5tX3JlYWxpemVkRm9udCkg ewotICAgICAgICAvLyBDcmVhdGUgdGVtcG9yYXJ5IHN0cmluZyBvYmplY3QgdG8gaG9sZCByZWYg Y291bnQgaW4gY2FzZQotICAgICAgICAvLyBzdGF0ZSgpLm1fdW5wYXJzZWRGb250IGluIHVucmVm ZmVkIGJ5IGNhbGwgdG8gcmVhbGl6ZVNhdmVzIGluCi0gICAgICAgIC8vIHNldEZvbnQuCi0gICAg ICAgIFN0cmluZyB1bnBhcnNlZEZvbnQoc3RhdGUoKS5tX3VucGFyc2VkRm9udCk7Ci0gICAgICAg IHNldEZvbnQodW5wYXJzZWRGb250KTsKKyAgICAgICAgc2V0Rm9udChzdGF0ZSgpLm1fdW5wYXJz ZWRGb250KTsKICAgICB9CiAgICAgcmV0dXJuIHN0YXRlKCkubV9mb250OwogfQo= 181792 2013-01-08 15:44:53 -0800 2013-01-08 18:31:24 -0800 Patch for landing bug-106385-20130108184157.patch text/plain 2375 junov U3VidmVyc2lvbiBSZXZpc2lvbjogMTM5MTAzCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggMzA5NWQ3YjZjMjkxNmU5 MTE4MmZlZDhiODgzYTNmNGFmMjM2ZTc3ZS4uOGY5YjMwNjgxZWU4YmQ4NGE1ZWRkNDk2ZThkNjgz YWJjYTEyN2UyMSAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE5IEBACisyMDEzLTAxLTA4ICBKdXN0 aW4gTm92b3NhZCAgPGp1bm92QGdvb2dsZS5jb20+CisKKyAgICAgICAgQ2FudmFzUmVuZGVyaW5n Q29udGV4dDJEOjpzZXRGb250IGFyZ3VtZW50IG1heSByZWZlcmVuY2UgZGVzdHJveWVkIG9iamVj dAorICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTA2Mzg1 CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgQWJoaXNoZWsgQXJ5YS4KKworICAgICAgICBObyBuZXcg dGVzdHM6IGNvdmVyZWQgYnkgZmFzdC9jYW52YXMvY2FudmFzLW1lYXN1cmVUZXh0Lmh0bWwKKwor ICAgICAgICBUaGlzIGlzIGEgcmUtd3JpdGUgb2YgcjEzODk5NC4gIEZpeGluZyBidWcgaW4gc2V0 Rm9udCBpbnN0ZWFkIG9mCisgICAgICAgIHdvcmthcm91bmQgYXQgY2FsbCBzaXRlLiAKKworICAg ICAgICAqIGh0bWwvY2FudmFzL0NhbnZhc1JlbmRlcmluZ0NvbnRleHQyRC5jcHA6CisgICAgICAg IChXZWJDb3JlOjpDYW52YXNSZW5kZXJpbmdDb250ZXh0MkQ6OnNldEZvbnQpOgorICAgICAgICAo V2ViQ29yZTo6Q2FudmFzUmVuZGVyaW5nQ29udGV4dDJEOjphY2Nlc3NGb250KToKKwogMjAxMy0w MS0wOCAgQW5kcmVhcyBLbGluZyAgPGFrbGluZ0BhcHBsZS5jb20+CiAKICAgICAgICAgSGVhcC11 c2UtYWZ0ZXItZnJlZSBpbiBib29sIFdlYkNvcmU6OlNlbGVjdG9yQ2hlY2tlcjo6Y2hlY2tPbmVT ZWxlY3Rvci4KZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJDb3JlL2h0bWwvY2FudmFzL0NhbnZhc1Jl bmRlcmluZ0NvbnRleHQyRC5jcHAgYi9Tb3VyY2UvV2ViQ29yZS9odG1sL2NhbnZhcy9DYW52YXNS ZW5kZXJpbmdDb250ZXh0MkQuY3BwCmluZGV4IDdkZDA5MTYzZTU4OTllYjMxZDYzNzdhNmVkMTM0 NzA2MzBkMjgxMjUuLmE1ODk4NzFhNmUzZDk1MDdlNGU4ZDFmZTg1YTcwYTA4ZmY2YTU2ODQgMTAw NjQ0Ci0tLSBhL1NvdXJjZS9XZWJDb3JlL2h0bWwvY2FudmFzL0NhbnZhc1JlbmRlcmluZ0NvbnRl eHQyRC5jcHAKKysrIGIvU291cmNlL1dlYkNvcmUvaHRtbC9jYW52YXMvQ2FudmFzUmVuZGVyaW5n Q29udGV4dDJELmNwcApAQCAtMjA4OCw4ICsyMDg4LDkgQEAgdm9pZCBDYW52YXNSZW5kZXJpbmdD b250ZXh0MkQ6OnNldEZvbnQoY29uc3QgU3RyaW5nJiBuZXdGb250KQogICAgICAgICByZXR1cm47 CiAKICAgICAvLyBUaGUgcGFyc2Ugc3VjY2VlZGVkLgorICAgIFN0cmluZyBuZXdGb250U2FmZUNv cHkobmV3Rm9udCk7IC8vIENyZWF0ZSBhIHN0cmluZyBjb3B5IHNpbmNlIG5ld0ZvbnQgY2FuIGJl IGRlbGV0ZWQgaW5zaWRlIHJlYWxpemVTYXZlcy4KICAgICByZWFsaXplU2F2ZXMoKTsKLSAgICBt b2RpZmlhYmxlU3RhdGUoKS5tX3VucGFyc2VkRm9udCA9IG5ld0ZvbnQ7CisgICAgbW9kaWZpYWJs ZVN0YXRlKCkubV91bnBhcnNlZEZvbnQgPSBuZXdGb250U2FmZUNvcHk7CiAKICAgICAvLyBNYXAg dGhlIDxjYW52YXM+IGZvbnQgaW50byB0aGUgdGV4dCBzdHlsZS4gSWYgdGhlIGZvbnQgdXNlcyBr ZXl3b3JkcyBsaWtlIGxhcmdlci9zbWFsbGVyLCB0aGVzZSB3aWxsIHdvcmsKICAgICAvLyByZWxh dGl2ZSB0byB0aGUgY2FudmFzLgpAQCAtMjM3MywxMyArMjM3NCw4IEBAIGNvbnN0IEZvbnQmIENh bnZhc1JlbmRlcmluZ0NvbnRleHQyRDo6YWNjZXNzRm9udCgpCiB7CiAgICAgY2FudmFzKCktPmRv Y3VtZW50KCktPnVwZGF0ZVN0eWxlSWZOZWVkZWQoKTsKIAotICAgIGlmICghc3RhdGUoKS5tX3Jl YWxpemVkRm9udCkgewotICAgICAgICAvLyBDcmVhdGUgdGVtcG9yYXJ5IHN0cmluZyBvYmplY3Qg dG8gaG9sZCByZWYgY291bnQgaW4gY2FzZQotICAgICAgICAvLyBzdGF0ZSgpLm1fdW5wYXJzZWRG b250IGluIHVucmVmZmVkIGJ5IGNhbGwgdG8gcmVhbGl6ZVNhdmVzIGluCi0gICAgICAgIC8vIHNl dEZvbnQuCi0gICAgICAgIFN0cmluZyB1bnBhcnNlZEZvbnQoc3RhdGUoKS5tX3VucGFyc2VkRm9u dCk7Ci0gICAgICAgIHNldEZvbnQodW5wYXJzZWRGb250KTsKLSAgICB9CisgICAgaWYgKCFzdGF0 ZSgpLm1fcmVhbGl6ZWRGb250KQorICAgICAgICBzZXRGb250KHN0YXRlKCkubV91bnBhcnNlZEZv bnQpOwogICAgIHJldHVybiBzdGF0ZSgpLm1fZm9udDsKIH0KIAo=