Bug 39010

Summary: [Qt] QtField::name() returns a dangling pointer
Product: WebKit Reporter: Anders Bakken <agbakken>
Component: WebKit QtAssignee: Anders Bakken <agbakken>
Status: RESOLVED FIXED    
Severity: Normal CC: commit-queue, kenneth
Priority: P2 Keywords: Qt, QtTriaged
Version: 528+ (Nightly build)   
Hardware: PC   
OS: All   
Attachments:
Description Flags
Patch that fixes the problem
kenneth: review-
Patch that fixes the problem
none
Patch for landing none

Anders Bakken
Reported 2010-05-12 11:45:09 PDT
QObject::objectName() returns a QString and the QtField::name() creates a temporary QByteArray object and returns constData() from it. This is not safe. The attached fix changes the signature to be a QByteArray instead of const char* and makes it non-virtual (since it never should have been). It's not a Bindings::Field function but rather an implementation detail in QtField and it's never reimplemented. The patch also includes a minor optimization to use const & in a foreach loop which is faster.
Attachments
Patch that fixes the problem (3.00 KB, patch)
2010-05-12 11:48 PDT, Anders Bakken 		kenneth: review-
DetailsFormatted DiffDiff
Patch that fixes the problem (3.07 KB, patch)
2010-05-13 08:30 PDT, Anders Bakken 		no flags
DetailsFormatted DiffDiff
Patch for landing (3.23 KB, patch)
2010-05-15 17:56 PDT, Adam Barth 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Anders Bakken
Comment 1 2010-05-12 11:48:32 PDT
Created attachment 55879 [details] Patch that fixes the problem
Jesus Sanchez-Palencia
Comment 2 2010-05-13 07:07:31 PDT
(In reply to comment #1) > Created an attachment (id=55879) [details] > Patch that fixes the problem Did you forget to mark it for review?! :) Quick tips for your next bug reports: - please add the 'Qt' Keyword; - if the bug is Qt specific add a '[Qt]' to the Summary; Thanks!
Kenneth Rohde Christiansen
Comment 3 2010-05-13 07:55:58 PDT
Comment on attachment 55879 [details] Patch that fixes the problem > Index: WebCore/ChangeLog > =================================================================== > --- WebCore/ChangeLog (revision 59246) > +++ WebCore/ChangeLog (working copy) > @@ -1,3 +1,19 @@ > +2010-05-12 Anders Bakken <agbakken@gmail.com> > + > + QObject::objectName() returns a QString and QtField::name() > + creates a temporary QByteArray object and returns constData() from it. > + This is not safe. > + > + This patch changes the signature of the function to return a > + QByteArray instead of const char *. > + > + https://bugs.webkit.org/show_bug.cgi?id=39010 > + > + * bridge/qt/qt_instance.cpp: > + (JSC::Bindings::QtInstance::getPropertyNames): > + (JSC::Bindings::QtField::name): > + * bridge/qt/qt_runtime.h: > + Please fix the indentation WebCore/bridge/qt/qt_instance.cpp:234 + for (i=0; i < methodCount; i++) { i = 0, please fix the spacing Apart from this is look fine.
Anders Bakken
Comment 4 2010-05-13 08:30:19 PDT
Created attachment 55985 [details] Patch that fixes the problem
Kenneth Rohde Christiansen
Comment 5 2010-05-13 09:33:19 PDT
Don't forget to add the r? and cq? flags
WebKit Commit Bot
Comment 6 2010-05-15 08:51:06 PDT
Comment on attachment 55985 [details] Patch that fixes the problem Rejecting patch 55985 from commit-queue. Unexpected failure when landing patch! Please file a bug against webkit-patch. Failed to run "['./WebKitTools/Scripts/webkit-patch', '--status-host=webkit-commit-queue.appspot.com', 'land-attachment', '--force-clean', '--build', '--non-interactive', '--ignore-builders', '--build-style=both', '--quiet', 55985, '--test', '--parent-command=commit-queue', '--no-update']" exit_code: 1 Logging in as eseidel@chromium.org... Fetching: https://bugs.webkit.org/attachment.cgi?id=55985&action=edit Fetching: https://bugs.webkit.org/show_bug.cgi?id=39010&ctype=xml Processing 1 patch from 1 bug. Cleaning working directory Processing patch 55985 from bug 39010. ERROR: /Users/eseidel/Projects/CommitQueue/WebCore/ChangeLog neither lists a valid reviewer nor contains the string "Unreviewed" or "Rubber stamp" (case insensitive).
Kenneth Rohde Christiansen
Comment 7 2010-05-15 12:31:51 PDT
Anders, you cannot remove the "Reviewed by NOBODY (OOPS!!)". If you do that we cannot land using the commit-queue. It has to be exactly like the prepare-ChangeLog scripts writes it. Now you can reupload the patch with this fixed and reset r? and cq? -- or -- You can upload the patch with "Reviewed by Kenneth Rohde Christiansen" and just set cq? The latter is preferred as anyone with committer-rights can change the cq? to cq+ Another option would be to get someone to land it manually using webkit-patch or similar.
Adam Barth
Comment 8 2010-05-15 17:56:40 PDT
Created attachment 56167 [details] Patch for landing
WebKit Commit Bot
Comment 9 2010-05-15 20:03:50 PDT
Comment on attachment 56167 [details] Patch for landing Clearing flags on attachment: 56167 Committed r59564: <http://trac.webkit.org/changeset/59564>
WebKit Commit Bot
Comment 10 2010-05-15 20:03:56 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.