JSValue CInstance::stringValue(ExecState* exec) const
{
    JSValue value;
    if (toJSPrimitive(exec, "toString", value))
        return value;

    // Fallback to default implementation.
    char buf[1024];
    snprintf(buf, sizeof(buf), "NPObject %p, NPClass %p", _object, _object->_class);
    return jsString(exec, buf);
}

In the above toString() default implementation, it leaks the addresses of the NPObject and NPClass to JS; it should be something like below:

JSValue CInstance::stringValue(ExecState* exec) const
{
    JSValue value;
    if (toJSPrimitive(exec, "toString", value))
        return value;

    // Fallback to default implementation.
    return jsString(exec, "NPObject");
}
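To make the difference testable outside WebKit, here is an added stand-alone C++ sketch (not WebKit's code; the NPClass/NPObject structs and the helper names are stand-ins): the original fallback bakes two pointers into the JS-visible string, the fixed fallback returns a constant, and a small checker flags any printed-pointer-looking token so a regression test can assert that toString() never discloses addresses.

```cpp
#include <cctype>
#include <cstdio>
#include <string>

// Stand-ins for the NPAPI structs (hypothetical, not the real npruntime.h).
struct NPClass { int structVersion; };
struct NPObject { NPClass* _class; int referenceCount; };

// Original fallback: formats two in-process addresses into a JS-visible string.
std::string leakyStringValue(const NPObject* object) {
    char buf[1024];
    std::snprintf(buf, sizeof(buf), "NPObject %p, NPClass %p",
                  static_cast<const void*>(object),
                  static_cast<const void*>(object->_class));
    return buf;
}

// Fixed fallback (as landed in r148224): a constant, nothing about process layout.
std::string fixedStringValue(const NPObject*) {
    return "NPObject";
}

// Regression check: true if s contains a "0x" token followed by at least
// six hex digits, i.e. something that looks like a printed pointer.
bool looksLikePointerLeak(const std::string& s) {
    size_t pos = 0;
    while ((pos = s.find("0x", pos)) != std::string::npos) {
        size_t i = pos + 2, digits = 0;
        while (i < s.size() && std::isxdigit(static_cast<unsigned char>(s[i]))) {
            ++i;
            ++digits;
        }
        if (digits >= 6)
            return true;
        pos = i;
    }
    return false;
}

int main() {
    NPClass cls{1};
    NPObject obj{&cls, 1};
    std::printf("old: \"%s\" leaks=%d\n", leakyStringValue(&obj).c_str(),
                looksLikePointerLeak(leakyStringValue(&obj)));
    std::printf("new: \"%s\" leaks=%d\n", fixedStringValue(&obj).c_str(),
                looksLikePointerLeak(fixedStringValue(&obj)));
    return 0;
}
```

The checker matches the "%p" format glibc and macOS libc emit; on platforms whose %p omits the "0x" prefix the pattern would need adjusting.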
Created attachment 197633: Patch
The commit-queue encountered the following flaky tests while processing attachment 197633: svg/custom/empty-clip-path.svg bug 114453 (author: rwlbuis@gmail.com) The commit-queue is continuing to process your patch.
Comment on attachment 197633: Patch
Rejecting attachment 197633 from commit-queue.

Failed to run "['/Volumes/Data/EWS/WebKit/Tools/Scripts/webkit-patch', '--status-host=webkit-queues.appspot.com', '--bot-id=webkit-cq-02', 'land-attachment', '--force-clean', '--non-interactive', '--parent-command=commit-queue', 197633, '--port=mac']" exit_code: 2 cwd: /Volumes/Data/EWS/WebKit

Last 500 characters of output:
-> origin/master
Partial-rebuilding .git/svn/refs/remotes/origin/master/.rev_map.268f45cc-cd09-0410-ab3c-d52691b4dbfc
...
Currently at 148214 = 820de4ece1da437818b95493f95a9bd02d45ac22
r148215 = 2bf34076aea6c98a56cb3985fb0255efc93faac2
r148216 = 39af3eace1316d74ce17e04bdd5c449fcf51da8d
Done rebuilding .git/svn/refs/remotes/origin/master/.rev_map.268f45cc-cd09-0410-ab3c-d52691b4dbfc
First, rewinding head to replay your work on top of it...
Fast-forwarded master to refs/remotes/origin/master.

Full output: http://webkit-queues.appspot.com/results/19114
Created attachment 197650: Patch
Comment on attachment 197650: Patch
Clearing flags on attachment: 197650
Committed r148224: <http://trac.webkit.org/changeset/148224>
All reviewed patches have been landed. Closing bug.
Comment on attachment 197650: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=197650&action=review

> Source/WebCore/bridge/c/c_instance.cpp:285
> + return jsString(exec, "NPObject");

This should be calling jsNontrivialString rather than jsString.
(In reply to comment #7)
> (From update of attachment 197650)
> View in context: https://bugs.webkit.org/attachment.cgi?id=197650&action=review
>
> > Source/WebCore/bridge/c/c_instance.cpp:285
> > + return jsString(exec, "NPObject");
>
> This should be calling jsNontrivialString rather than jsString.

Is jsNontrivialString(exec, String(ASCIILiteral("NPObject"))) ok?