Bug 107904 - Keep a RefPtr<SerializedScriptValue*> when we call serialize()/deserialize() in PopStateEvent
: Keep a RefPtr<SerializedScriptValue*> when we call serialize()/deserialize() ...
Status: RESOLVED FIXED
: WebKit
WebCore JavaScript
: 528+ (Nightly build)
: Unspecified Unspecified
: P2 Normal
Assigned To:
:
:
:
:
  Show dependency treegraph
 
Reported: 2013-01-24 20:30 PST by
Modified: 2013-01-30 14:38 PST (History)


Attachments
Patch (3.20 KB, patch)
2013-01-24 20:32 PST, Kentaro Hara
no flags Review Patch | Details | Formatted Diff | Diff
Patch (3.95 KB, patch)
2013-01-29 22:19 PST, Kentaro Hara
no flags Review Patch | Details | Formatted Diff | Diff


Note

You need to log in before you can comment on or make changes to this bug.


Description From 2013-01-24 20:30:35 PST
If you use a raw SerializedScriptValue* for serialize()/deserialize(), it can potentially cause a use-after-free. This is because serialize()/deserialize() can destruct a RefPtr of the SerializedScriptValue*, depending on data that is serialized/deserialized. So we should keep a RefPtr<SerializedScriptValue*> when we call serialize()/deserialize(). (See https://bugs.webkit.org/show_bug.cgi?id=107792 for more details.)
------- Comment #1 From 2013-01-24 20:32:40 PST -------
Created an attachment (id=184645) [details]
Patch
------- Comment #2 From 2013-01-24 21:15:34 PST -------
(From update of attachment 184645 [details])
Rejecting attachment 184645 [details] from commit-queue.

Failed to run "['/mnt/git/webkit-commit-queue/Tools/Scripts/webkit-patch', '--status-host=queues.webkit.org', '--bot-id=gce-cq-03', 'apply-attachment', '--no-update', '--non-interactive', 184645, '--port=chromium-xvfb']" exit_code: 2 cwd: /mnt/git/webkit-commit-queue

Last 500 characters of output:
webkit-commit-queue

Parsed 4 diffs from patch file(s).
patch: **** Can't create file /tmp/ppZyipMf : No space left on device
patch: **** Can't create file /tmp/ppR1IG0f : No space left on device
patch: **** Can't create file /tmp/pp3cp2Ng : No space left on device
patch: **** Can't create file /tmp/ppqaQytg : No space left on device

Failed to run "[u'/mnt/git/webkit-commit-queue/Tools/Scripts/svn-apply', '--force', '--reviewer', 'Abhishek Arya']" exit_code: 2 cwd: /mnt/git/webkit-commit-queue

Full output: http://queues.webkit.org/results/16122087
------- Comment #3 From 2013-01-25 17:27:38 PST -------
(From update of attachment 184645 [details])
Clearing flags on attachment: 184645

Committed r140886: <http://trac.webkit.org/changeset/140886>
------- Comment #4 From 2013-01-25 17:27:41 PST -------
All reviewed patches have been landed.  Closing bug.
------- Comment #5 From 2013-01-29 09:35:43 PST -------
(From update of attachment 184645 [details])
View in context: https://bugs.webkit.org/attachment.cgi?id=184645&action=review

> Source/WebCore/page/History.cpp:80
> -bool History::isSameAsCurrentState(SerializedScriptValue* state) const
> +bool History::isSameAsCurrentState(PassRefPtr<SerializedScriptValue> state) const

This change makes no sense and does no good. The other half of the change would have been sufficient, although you’d have to add a get() at some call sites. There is no reason for this function to take a PassRefPtr, which implies that it takes ownership of its argument. Please roll this part of the change out.
------- Comment #6 From 2013-01-29 22:19:09 PST -------
Reopening to attach new patch.
------- Comment #7 From 2013-01-29 22:19:12 PST -------
Created an attachment (id=185398) [details]
Patch
------- Comment #8 From 2013-01-29 22:19:35 PST -------
(From update of attachment 184645 [details])
View in context: https://bugs.webkit.org/attachment.cgi?id=184645&action=review

>> Source/WebCore/page/History.cpp:80
>> +bool History::isSameAsCurrentState(PassRefPtr<SerializedScriptValue> state) const
> 
> This change makes no sense and does no good. The other half of the change would have been sufficient, although you’d have to add a get() at some call sites. There is no reason for this function to take a PassRefPtr, which implies that it takes ownership of its argument. Please roll this part of the change out.

Thanks, uploaded a patch for fix.
------- Comment #9 From 2013-01-30 14:37:58 PST -------
(From update of attachment 185398 [details])
Clearing flags on attachment: 185398

Committed r141315: <http://trac.webkit.org/changeset/141315>
------- Comment #10 From 2013-01-30 14:38:02 PST -------
All reviewed patches have been landed.  Closing bug.