WebKit Bugzilla
If you use a raw SerializedScriptValue* for serialize()/deserialize(), it can potentially cause a use-after-free. This is because serialize()/deserialize() can destruct a RefPtr of the SerializedScriptValue*, depending on data that is serialized/deserialized. So we should keep a RefPtr<SerializedScriptValue*> when we call serialize()/deserialize(). (See https://bugs.webkit.org/show_bug.cgi?id=107792 for more details.)
Created attachment 184645 [details] Patch
Comment on attachment 184645 [details] Patch Rejecting attachment 184645 [details] from commit-queue. Failed to run "['/mnt/git/webkit-commit-queue/Tools/Scripts/webkit-patch', '--status-host=queues.webkit.org', '--bot-id=gce-cq-03', 'apply-attachment', '--no-update', '--non-interactive', 184645, '--port=chromium-xvfb']" exit_code: 2 cwd: /mnt/git/webkit-commit-queue Last 500 characters of output: webkit-commit-queue Parsed 4 diffs from patch file(s). patch: **** Can't create file /tmp/ppZyipMf : No space left on device patch: **** Can't create file /tmp/ppR1IG0f : No space left on device patch: **** Can't create file /tmp/pp3cp2Ng : No space left on device patch: **** Can't create file /tmp/ppqaQytg : No space left on device Failed to run "[u'/mnt/git/webkit-commit-queue/Tools/Scripts/svn-apply', '--force', '--reviewer', 'Abhishek Arya']" exit_code: 2 cwd: /mnt/git/webkit-commit-queue Full output: http://queues.webkit.org/results/16122087
Comment on attachment 184645 [details] Patch Clearing flags on attachment: 184645 Committed r140886: <http://trac.webkit.org/changeset/140886>
All reviewed patches have been landed. Closing bug.
Comment on attachment 184645 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=184645&action=review > Source/WebCore/page/History.cpp:80 > -bool History::isSameAsCurrentState(SerializedScriptValue* state) const > +bool History::isSameAsCurrentState(PassRefPtr<SerializedScriptValue> state) const This change makes no sense and does no good. The other half of the change would have been sufficient, although you’d have to add a get() at some call sites. There is no reason for this function to take a PassRefPtr, which implies that it takes ownership of its argument. Please roll this part of the change out.
Reopening to attach new patch.
Created attachment 185398 [details] Patch
Comment on attachment 184645 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=184645&action=review >> Source/WebCore/page/History.cpp:80 >> +bool History::isSameAsCurrentState(PassRefPtr<SerializedScriptValue> state) const > > This change makes no sense and does no good. The other half of the change would have been sufficient, although you’d have to add a get() at some call sites. There is no reason for this function to take a PassRefPtr, which implies that it takes ownership of its argument. Please roll this part of the change out. Thanks, uploaded a patch for fix.
Comment on attachment 185398 [details] Patch Clearing flags on attachment: 185398 Committed r141315: <http://trac.webkit.org/changeset/141315>