RESOLVED FIXED 21939
Uninitialized ExceptionCode in DOMWindow::postMessage
https://bugs.webkit.org/show_bug.cgi?id=21939
Summary Uninitialized ExceptionCode in DOMWindow::postMessage
Mike Belshe
Reported 2008-10-28 16:44:29 PDT
Several functions in MessagePort don't initialize their ExceptionCodes. This caused me trouble in DOMWindow::postMessage, which calls MessagePort::clone. The call succeeded, but the uninitialized ec value caused a failure.
Attachments
Initialize the exceptioncodes. (1.52 KB, patch)
2008-10-28 16:45 PDT, Mike Belshe
no flags
Updated patch. (1.99 KB, patch)
2008-10-28 16:50 PDT, Mike Belshe
no flags
revised patch (874 bytes, patch)
2009-03-03 10:48 PST, Mike Belshe
ap: review+
Mike Belshe
Comment 1 2008-10-28 16:45:58 PDT
Created attachment 24736 [details] Initialize the exceptioncodes.
Mike Belshe
Comment 2 2008-10-28 16:50:06 PDT
Created attachment 24737 [details] Updated patch. Same patch as before, but this one contains a changelog.
Darin Adler
Comment 3 2008-10-28 16:54:27 PDT
Comment on attachment 24737 [details] Updated patch. The rules for ExceptionCode& arguments are: 1) If there's no exception, the function has no obligation to set the exception code. 2) If a caller wants to look at the exception code, it's responsible for setting it to 0 before calling. So there's no bug here.
Alexey Proskuryakov
Comment 4 2008-10-29 03:50:45 PDT
And the caller (JSDOMWindow::postMessage()) does initialize ec - maybe the issue you are seeing is V8-specific?
Mike Belshe
Comment 5 2008-10-29 08:45:18 PDT
Thanks Darin for clarification on the convention; I didn't know that. Given that, the changes to MessagePort.cpp are unnecessary. Part of this patch is still valid, I think: DOMWindow.cpp DOMWindow::postMessage calls messagePort->clone with an uninitialized ec. Re-marking for review.
Mike Belshe
Comment 6 2008-10-29 08:45:55 PDT
Comment on attachment 24737 [details] Updated patch. See my comments about the changes to DOMWindow.cpp, which I think is still a valid bug.
Mike Belshe
Comment 7 2008-10-29 08:52:54 PDT
OK - nevermind. Alexey - I see what you are saying. We want the declarer to initialize.
Mike Belshe
Comment 8 2008-10-29 09:03:54 PDT
I might have closed this prematurely. As per Darin, we want the declarer of the ExceptionCode to initialize. That makes sense, and that is why I closed this bug. However, DOMWindow::postMessage is non-deterministic based on whether the caller initialized the ExceptionCode before calling. DOMWindow::postMessage uses ec internally with messagePort->clone(). If the caller of postMessage didn't initialize it, postMessage will have undefined behavior. (clone won't touch ec unless there is an exception, so when we come out of clone() postMessage will be using an uninitialized ec). There are two possible fixes; either we modify postMessage to use a different ExceptionCode for calling into clone() or we initialize ec within postMessage as per the patch here. Does this sound right?
Darin Adler
Comment 9 2008-10-29 09:20:23 PDT
(In reply to comment #8) > DOMWindow::postMessage uses ec internally with messagePort->clone(). If the > caller of postMessage didn't initialize it, postMessage will have undefined > behavior. (clone won't touch ec unless there is an exception, so when we come > out of clone() postMessage will be using an uninitialized ec). > > There are two possible fixes; either we modify postMessage to use a different > ExceptionCode for calling into clone() or we initialize ec within postMessage > as per the patch here. > > Does this sound right? Yes. Retitled bug to reflect this problem.
Alexey Proskuryakov
Comment 10 2008-10-29 11:05:00 PDT
Hmm - still doesn't make sense to me. JS bindings must initialize ec before calling DOMWindow::postMessage(), so of course its behavior is undefined if that didn't happen. What am I missing?
Alexey Proskuryakov
Comment 11 2008-10-29 11:24:02 PDT
Or are you saying that some other code could raise an exception before DOMWindow::postMessage (something that doesn't currently happen, as it's only JS bindings that call it)? Looking at some existing code, I see ec being cleared before making a call in DOM, but this seems really weird, as this loses information about the earlier exception.
Darin Adler
Comment 12 2008-10-29 13:06:03 PDT
(In reply to comment #10) > JS bindings must initialize ec before > calling DOMWindow::postMessage(), so of course its behavior is undefined if > that didn't happen. What am I missing? Yes, JavaScript bindings will always initialize ec. But other callers within WebCore are allowed to call the function without initializing ec if they wish to make the call and ignore the exception code. That's our current rule for the DOM. We could change it. A quick grep found at least 31 call sites that make calls and pass uninitialized ExceptionCode arguments because the caller didn't plan to look at the result. For examples of this, look at the call to Node::remove() inside Node::normalize(). And the call to EventTargetNode::dispatchEvent() inside EventHandler::keyEvent().
Darin Adler
Comment 13 2008-10-29 13:07:27 PDT
(In reply to comment #11) > Looking at some existing code, I see ec being > cleared before making a call in DOM, but this seems really weird, as this loses > information about the earlier exception. Generally speaking, if there is an earlier exception, it's the obligation of the implementer to return at that point and not try to do further work. It may be easier to discuss specific cases.
Alexey Proskuryakov
Comment 14 2008-10-29 14:01:51 PDT
I see, thank you for the clarification!
Mike Belshe
Comment 15 2009-03-03 10:48:20 PST
Created attachment 28229 [details] revised patch Finally cycled back to this bug; revised the patch just to contain the one ec initialization which we agreed was important.
Alexey Proskuryakov
Comment 16 2009-03-03 22:46:46 PST
Comment on attachment 28229 [details] revised patch r=me (I hope Darin doesn't mind!) Please be sure to add bug URL and title to ChangeLog when landing.
Darin Fisher (:fishd, Google)
Comment 17 2009-03-03 23:20:28 PST
Note You need to log in before you can comment on or make changes to this bug.