Bug 107900 - Keep a RefPtr<SerializedScriptValue*> when we call serialize()/deserialize() for MessageEvent
Summary: Keep a RefPtr<SerializedScriptValue*> when we call serialize()/deserialize() ...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore JavaScript (show other bugs)
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Kentaro Hara
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-01-24 20:00 PST by Kentaro Hara
Modified: 2013-01-25 21:29 PST
CC: 4 users

See Also:


Attachments
Patch (4.29 KB, patch)
2013-01-24 20:02 PST, Kentaro Hara
no flags
Patch (4.28 KB, patch)
2013-01-24 20:33 PST, Kentaro Hara
no flags

Description Kentaro Hara 2013-01-24 20:00:21 PST
If you use a raw SerializedScriptValue* for serialize()/deserialize(), it can potentially cause a use-after-free. This is because serialize()/deserialize() can destruct a RefPtr of the SerializedScriptValue*, depending on data that is serialized/deserialized. So we should keep a RefPtr<SerializedScriptValue*> when we call serialize()/deserialize(). (See https://bugs.webkit.org/show_bug.cgi?id=107792 for more details.)
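The lifetime hazard the description refers to, shown as an added example that is not part of this bug's patch or of WebKit's code: a constructed minimal intrusive RefPtr, a MessageEvent that owns the only reference to its value, and a deserialize() stand-in whose data-dependent side effect drops that reference. The names deserialize, unsafeDispatch, safeDispatch and the "reset" payload are assumptions made for the example.

```cpp
#include <string>
#include <utility>

// Constructed stand-in for WebCore's RefCounted: the object deletes itself
// when the last reference is released. liveCount lets the checks below see
// whether the object still exists without touching freed memory.
struct SerializedScriptValue {
    static int liveCount;
    std::string data;
    int refCount = 0;
    explicit SerializedScriptValue(std::string d) : data(std::move(d)) { ++liveCount; }
    ~SerializedScriptValue() { --liveCount; }
    void ref() { ++refCount; }
    void deref() { if (--refCount == 0) delete this; }
};
int SerializedScriptValue::liveCount = 0;

// Minimal intrusive smart pointer in the spirit of WTF::RefPtr (assumption).
template <typename T> class RefPtr {
    T* m_ptr = nullptr;
public:
    RefPtr() = default;
    RefPtr(T* p) : m_ptr(p) { if (m_ptr) m_ptr->ref(); }
    RefPtr(const RefPtr& o) : RefPtr(o.m_ptr) {}
    ~RefPtr() { if (m_ptr) m_ptr->deref(); }
    RefPtr& operator=(const RefPtr& o) { RefPtr tmp(o); std::swap(m_ptr, tmp.m_ptr); return *this; }
    void clear() { T* p = m_ptr; m_ptr = nullptr; if (p) p->deref(); }
    T* get() const { return m_ptr; }
    T* operator->() const { return m_ptr; }
};

// The event holds the only strong reference to the serialized value.
struct MessageEvent { RefPtr<SerializedScriptValue> value; };

// Stand-in for deserialize(): copies the payload, then models a data-dependent
// side effect (script run during deserialization) that drops the event's reference.
static std::string deserialize(SerializedScriptValue* value, MessageEvent& event) {
    std::string result = value->data;
    if (result == "reset")
        event.value.clear();   // last reference released -> object deleted
    return result;
}

// Vulnerable pattern: a raw pointer is held across the call. Returns whether the
// object survived; a real caller would dereference `raw` here and use freed memory.
static bool unsafeDispatch(MessageEvent& event) {
    SerializedScriptValue* raw = event.value.get();
    deserialize(raw, event);
    (void)raw;   // dangling when the payload was "reset"
    return SerializedScriptValue::liveCount > 0;
}

// Fixed pattern: a local RefPtr keeps the value alive for the whole scope,
// so reading it after the call is safe regardless of what deserialize() did.
static std::string safeDispatch(MessageEvent& event) {
    RefPtr<SerializedScriptValue> protect = event.value;
    deserialize(protect.get(), event);
    return protect->data;   // still valid: `protect` owns a reference
}
```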
Comment 1 Kentaro Hara 2013-01-24 20:02:08 PST
Created attachment 184642
Patch
Comment 2 Kentaro Hara 2013-01-24 20:33:18 PST
Created attachment 184646
Patch
Comment 3 WebKit Review Bot 2013-01-24 21:16:07 PST
Comment on attachment 184646
Patch

Rejecting attachment 184646 from commit-queue.

Failed to run "['/mnt/git/webkit-commit-queue/Tools/Scripts/webkit-patch', '--status-host=queues.webkit.org', '--bot-id=gce-cq-01', 'apply-attachment', '--no-update', '--non-interactive', 184646, '--port=chromium-xvfb']" exit_code: 2 cwd: /mnt/git/webkit-commit-queue

Last 500 characters of output:
webkit-commit-queue

Parsed 4 diffs from patch file(s).
patch: **** Can't create file /tmp/ppXGuTHe : No space left on device
patch: **** Can't create file /tmp/ppXchdli : No space left on device
patch: **** Can't create file /tmp/ppJlfgAi : No space left on device
patch: **** Can't create file /tmp/pplJ1oci : No space left on device

Failed to run "[u'/mnt/git/webkit-commit-queue/Tools/Scripts/svn-apply', '--force', '--reviewer', 'Abhishek Arya']" exit_code: 2 cwd: /mnt/git/webkit-commit-queue

Full output: http://queues.webkit.org/results/16117110
Comment 4 WebKit Review Bot 2013-01-24 21:56:57 PST
Comment on attachment 184646
Patch

Rejecting attachment 184646 from commit-queue.

Failed to run "['/mnt/git/webkit-commit-queue/Tools/Scripts/webkit-patch', '--status-host=queues.webkit.org', '--bot-id=gce-cq-04', 'apply-attachment', '--no-update', '--non-interactive', 184646, '--port=chromium-xvfb']" exit_code: 2 cwd: /mnt/git/webkit-commit-queue

Last 500 characters of output:
webkit-commit-queue

Parsed 4 diffs from patch file(s).
patch: **** Can't create file /tmp/pp3TdUNN : No space left on device
patch: **** Can't create file /tmp/ppRGbzuO : No space left on device
patch: **** Can't create file /tmp/ppfZ7J6N : No space left on device
patch: **** Can't create file /tmp/pp7cK7zM : No space left on device

Failed to run "[u'/mnt/git/webkit-commit-queue/Tools/Scripts/svn-apply', '--force', '--reviewer', 'Abhishek Arya']" exit_code: 2 cwd: /mnt/git/webkit-commit-queue

Full output: http://queues.webkit.org/results/16112298
Comment 5 WebKit Review Bot 2013-01-25 17:38:09 PST
Comment on attachment 184646
Patch

Clearing flags on attachment: 184646

Committed r140891: <http://trac.webkit.org/changeset/140891>
Comment 6 WebKit Review Bot 2013-01-25 17:38:13 PST
All reviewed patches have been landed. Closing bug.
Comment 7 Gyuyoung Kim 2013-01-25 21:29:25 PST
Build break is fixed on EFL WK2 - http://trac.webkit.org/changeset/140902