Bug 106385

Summary: CanvasRenderingContext2D::setFont argument may reference destroyed object
Product: WebKit Reporter: Justin Novosad <junov>
Component: New BugsAssignee: Justin Novosad <junov>
Status: RESOLVED FIXED    
Severity: Normal CC: darin, inferno, ojan.autocc, webkit.review.bot
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch for landing none

Justin Novosad
Reported 2013-01-08 14:50:04 PST
CanvasRenderingContext2D::setFont argument may reference destroyed object
Attachments
Patch (2.27 KB, patch)
2013-01-08 14:53 PST, Justin Novosad 		no flags
DetailsFormatted DiffDiff
Patch for landing (2.32 KB, patch)
2013-01-08 15:44 PST, Justin Novosad 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Justin Novosad
Comment 1 2013-01-08 14:53:33 PST
Created attachment 181773 [details] Patch
Abhishek Arya
Comment 2 2013-01-08 15:04:06 PST
Comment on attachment 181773 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=181773&action=review > Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp:2091 > + String newFontSafeCopy(newFont); // In case newFont is a ref to a string touched by realizeSaves The comment could be improved like "Create a string copy since newFont can be deleted inside realizeSaves."
Darin Adler
Comment 3 2013-01-08 15:19:01 PST
Comment on attachment 181773 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=181773&action=review > Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp:2093 > + modifiableState().m_unparsedFont = newFontSafeCopy; If this was a RefPtr then we’d want to do a release here to avoid reference count churn. Since it’s a String, we *could* avoid the churn by doing a swap here instead of assignment. But I’m thinking that’s too ugly for the tiny performance win. > Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp:2379 > if (!state().m_realizedFont) { > - // Create temporary string object to hold ref count in case > - // state().m_unparsedFont in unreffed by call to realizeSaves in > - // setFont. > - String unparsedFont(state().m_unparsedFont); > - setFont(unparsedFont); > + setFont(state().m_unparsedFont); > } Should take out the braces here too.
Justin Novosad
Comment 4 2013-01-08 15:42:52 PST
(In reply to comment #3) > Should take out the braces here too. I wonder how come this passed the style check...
Justin Novosad
Comment 5 2013-01-08 15:44:53 PST
Created attachment 181792 [details] Patch for landing
WebKit Review Bot
Comment 6 2013-01-08 18:31:24 PST
Comment on attachment 181792 [details] Patch for landing Clearing flags on attachment: 181792 Committed r139144: <http://trac.webkit.org/changeset/139144>
WebKit Review Bot
Comment 7 2013-01-08 18:31:27 PST
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.