haraken@chromium.org authored
https://bugs.webkit.org/show_bug.cgi?id=107904

Reviewed by Abhishek Arya.

If you use a raw SerializedScriptValue* for serialize()/deserialize(),
it can potentially cause a use-after-free. This is because
serialize()/deserialize() can destruct a RefPtr of the SerializedScriptValue*,
depending on data that is serialized/deserialized. So we should keep
a RefPtr<SerializedScriptValue*> when we call serialize()/deserialize().
(See https://bugs.webkit.org/show_bug.cgi?id=107792 for more details.)

No tests. This is just a just-in-case fix.

* dom/PopStateEvent.h:
(WebCore::PopStateEvent::serializedState):
* page/History.cpp:
(WebCore::History::isSameAsCurrentState):
* page/History.h:
(History):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@140886 268f45cc-cd09-0410-ab3c-d52691b4dbfc
7fc422b8
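As an added illustration of the pattern this commit guards against (this is not code from the WebKit commit or from WebCore), the following block models the hazard in miniature: a simplified RefCounted/RefPtr pair standing in for WTF's, a `History` holding one `SerializedValue`, and a `deserialize()` whose side effects depend on the data it is handed. The caller that passes a raw pointer and then keeps using it loses the object when the call happens to drop History's reference; the caller that holds its own RefPtr across the call does not. The class names, the `navigate:` tag, the live-object registry and the `History` shape are assumptions made for the demonstration; a real caller would dereference the freed pointer, which here is replaced by a registry lookup so the program never touches freed memory.

```cpp
#include <cstdio>
#include <set>
#include <string>
#include <utility>

// Registry of live objects so the demonstration can ask "was this freed?"
// without dereferencing freed memory (which would be undefined behaviour).
static std::set<const void*> g_live;

// Stand-in for WebCore's SerializedScriptValue (assumed, greatly simplified):
// intrusive refcount, the object deletes itself on the last deref().
class SerializedValue {
public:
    explicit SerializedValue(std::string data) : m_data(std::move(data)) { g_live.insert(this); }
    ~SerializedValue() { g_live.erase(this); }
    void ref() { ++m_refCount; }
    void deref() { if (--m_refCount == 0) delete this; }
    const std::string& data() const { return m_data; }
private:
    int m_refCount = 0;
    std::string m_data;
};

// Stand-in for WTF::RefPtr: ref()s on copy, deref()s on destruction.
template <typename T>
class RefPtr {
public:
    RefPtr() = default;
    explicit RefPtr(T* ptr) : m_ptr(ptr) { if (m_ptr) m_ptr->ref(); }
    RefPtr(const RefPtr& other) : m_ptr(other.m_ptr) { if (m_ptr) m_ptr->ref(); }
    RefPtr(RefPtr&& other) noexcept : m_ptr(other.m_ptr) { other.m_ptr = nullptr; }
    ~RefPtr() { if (m_ptr) m_ptr->deref(); }
    // Copy-and-swap: the previous pointee is deref()ed when `other` goes out of scope.
    RefPtr& operator=(RefPtr other) { std::swap(m_ptr, other.m_ptr); return *this; }
    T* get() const { return m_ptr; }
    T* operator->() const { return m_ptr; }
private:
    T* m_ptr = nullptr;
};

// Stand-in for the History object that owns the state the page last pushed.
struct History {
    RefPtr<SerializedValue> m_lastState;
};

History makeHistory(const std::string& data) {
    History h;
    h.m_lastState = RefPtr<SerializedValue>(new SerializedValue(data));  // refcount 1
    return h;
}

// Stand-in for deserialize(): its side effects depend on the data. A value
// tagged "navigate:" (assumed tag) replaces the history state, dropping the
// only reference the raw-pointer caller was relying on and freeing the object.
std::string deserialize(History& history, SerializedValue* value) {
    std::string data = value->data();  // `value` is still alive at this point
    if (data.rfind("navigate:", 0) == 0)
        history.m_lastState = RefPtr<SerializedValue>(new SerializedValue("fresh"));
    return data;
}

// Pre-fix pattern: hand deserialize() a raw pointer without taking a reference.
// Returns whether the pointer the caller meant to keep using still names a live object.
bool rawPointerStillValidAfterCall(History& history) {
    SerializedValue* raw = history.m_lastState.get();
    deserialize(history, raw);
    // A real caller would now do raw->data(): a use-after-free for a "navigate:"
    // input. The registry lookup stands in for that dereference.
    return g_live.count(raw) != 0;
}

// Fixed pattern: hold a RefPtr across the call, so deserialize() can only
// drop History's reference, never the last one.
std::string refPtrStateAfterCall(History& history) {
    RefPtr<SerializedValue> state = history.m_lastState;  // refcount 2 for the duration of the call
    deserialize(history, state.get());
    return state->data();  // safe: `state` keeps the object alive until this function returns
}

int main() {
    History h1 = makeHistory("navigate:x");
    std::printf("raw pointer still valid: %s\n", rawPointerStillValidAfterCall(h1) ? "yes" : "no");
    History h2 = makeHistory("navigate:x");
    std::printf("RefPtr caller reads: %s\n", refPtrStateAfterCall(h2).c_str());
    return 0;
}
```

The extra reference is cheap and is the whole fix: whatever the callee does to the container's RefPtr, the local RefPtr guarantees the pointee outlives the call, which is exactly what the commit does in `History::isSameAsCurrentState` and `PopStateEvent::serializedState`.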