107902 – Keep a RefPtr<SerializedScriptValue*> when we call serialize()/deserialize() in code generators

Bug 107902 - Keep a RefPtr<SerializedScriptValue*> when we call serialize()/deserialize() in code generators

Summary: Keep a RefPtr<SerializedScriptValue*> when we call serialize()/deserialize() ...

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	WebCore JavaScript (show other bugs)
Version:	528+ (Nightly build)
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Kentaro Hara

URL:
Keywords:

Depends on:
Blocks:

Reported:	2013-01-24 20:24 PST by Kentaro Hara
Modified:	2013-01-25 17:39 PST (History)
CC List:	3 users (show)

See Also:

Attachments
Patch (9.44 KB, patch) 2013-01-24 20:25 PST, Kentaro Hara	no flags	Details \| Formatted Diff \| Diff
Patch (9.43 KB, patch) 2013-01-24 20:34 PST, Kentaro Hara	no flags	Details \| Formatted Diff \| Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Kentaro Hara 2013-01-24 20:24:10 PST

If you use a raw SerializedScriptValue* for serialize()/deserialize(), it can potentially cause a use-after-free. This is because serialize()/deserialize() can destruct a RefPtr of the SerializedScriptValue*, depending on data that is serialized/deserialized. So we should keep a RefPtr<SerializedScriptValue*> when we call serialize()/deserialize(). (See https://bugs.webkit.org/show_bug.cgi?id=107792 for more details.)

Comment 1 Kentaro Hara 2013-01-24 20:25:48 PST

Created attachment 184643 [details]
Patch

Comment 2 Kentaro Hara 2013-01-24 20:34:08 PST

Created attachment 184647 [details]
Patch

Comment 3 WebKit Review Bot 2013-01-24 21:16:36 PST

Comment on attachment 184647 [details]
Patch

Rejecting attachment 184647 [details] from commit-queue.

Failed to run "['/mnt/git/webkit-commit-queue/Tools/Scripts/webkit-patch', '--status-host=queues.webkit.org', '--bot-id=gce-cq-03', 'apply-attachment', '--no-update', '--non-interactive', 184647, '--port=chromium-xvfb']" exit_code: 2 cwd: /mnt/git/webkit-commit-queue

Last 500 characters of output:
n't create file /tmp/ppVYjXZI : No space left on device
patch: **** Can't create file /tmp/pp1pdqoH : No space left on device
patch: **** Can't create file /tmp/ppBnOc2G : No space left on device
patch: **** Can't create file /tmp/ppBoGKbH : No space left on device
patch: **** Can't create file /tmp/pptq9YZH : No space left on device

Failed to run "[u'/mnt/git/webkit-commit-queue/Tools/Scripts/svn-apply', '--force', '--reviewer', 'Abhishek Arya']" exit_code: 2 cwd: /mnt/git/webkit-commit-queue

Full output: http://queues.webkit.org/results/16124063

Comment 4 WebKit Review Bot 2013-01-24 21:57:00 PST

Comment on attachment 184647 [details]
Patch

Rejecting attachment 184647 [details] from commit-queue.

Failed to run "['/mnt/git/webkit-commit-queue/Tools/Scripts/webkit-patch', '--status-host=queues.webkit.org', '--bot-id=gce-cq-03', 'apply-attachment', '--no-update', '--non-interactive', 184647, '--port=chromium-xvfb']" exit_code: 2 cwd: /mnt/git/webkit-commit-queue

Last 500 characters of output:
n't create file /tmp/ppBXIyUe : No space left on device
patch: **** Can't create file /tmp/ppCTVKte : No space left on device
patch: **** Can't create file /tmp/ppAyMyCh : No space left on device
patch: **** Can't create file /tmp/ppwMl1Oh : No space left on device
patch: **** Can't create file /tmp/ppOB4lqh : No space left on device

Failed to run "[u'/mnt/git/webkit-commit-queue/Tools/Scripts/svn-apply', '--force', '--reviewer', 'Abhishek Arya']" exit_code: 2 cwd: /mnt/git/webkit-commit-queue

Full output: http://queues.webkit.org/results/16121123

Comment 5 WebKit Review Bot 2013-01-25 17:39:36 PST

Comment on attachment 184647 [details]
Patch

Clearing flags on attachment: 184647

Committed r140892: <http://trac.webkit.org/changeset/140892>

Comment 6 WebKit Review Bot 2013-01-25 17:39:39 PST

All reviewed patches have been landed.  Closing bug.