Commit 3ac3ec8d authored by oliver@apple.com's avatar oliver@apple.com

Web Inspector frontend heap allocates ScriptFunctionCall which is unsafe

https://bugs.webkit.org/show_bug.cgi?id=32098

Reviewed by Sam Weinig.

Fix is simply to make the ScriptFunctionCall stack allocated as nature intended.
Doing this required adding an appendArgument(char*) to ScriptFunctionCall so
that an explicit String cast would not be necessary.

To prevent something like this happening again in future, I've added private
operator new implementations to ScriptFunctionCall, making this type of mistake
produce errors when compiling.

Test case: Inspector tests now pass with GC on every alloc enabled.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@51621 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 9c12fc11
2009-12-02 Oliver Hunt <oliver@apple.com>
Reviewed by Sam Weinig.
Web Inspector frontend heap allocates ScriptFunctionCall which is unsafe
https://bugs.webkit.org/show_bug.cgi?id=32098
Fix is simply to make the ScriptFunctionCall stack allocated as nature intended.
Doing this required adding an appendArgument(char*) to ScriptFunctionCall so
that an explicit String cast would not be necessary.
To prevent something like this happening again in future i've added private
operator new implementations to ScriptFunctionCall making this type of mistake
produce errors when compiling.
Test case: Inspector tests now pass with GC on every alloc enabled.
* bindings/js/ScriptFunctionCall.cpp:
(WebCore::ScriptFunctionCall::appendArgument):
* bindings/js/ScriptFunctionCall.h:
(WebCore::ScriptFunctionCall::operator new):
(WebCore::ScriptFunctionCall::operator new[]):
* inspector/InspectorFrontend.cpp:
(WebCore::InspectorFrontend::addConsoleMessage):
(WebCore::InspectorFrontend::updateConsoleMessageRepeatCount):
(WebCore::InspectorFrontend::addResource):
(WebCore::InspectorFrontend::updateResource):
(WebCore::InspectorFrontend::removeResource):
(WebCore::InspectorFrontend::updateFocusedNode):
(WebCore::InspectorFrontend::setAttachedWindow):
(WebCore::InspectorFrontend::addRecordToTimeline):
(WebCore::InspectorFrontend::parsedScriptSource):
(WebCore::InspectorFrontend::failedToParseScriptSource):
(WebCore::InspectorFrontend::addProfileHeader):
(WebCore::InspectorFrontend::setRecordingProfile):
(WebCore::InspectorFrontend::didGetProfileHeaders):
(WebCore::InspectorFrontend::didGetProfile):
(WebCore::InspectorFrontend::pausedScript):
(WebCore::InspectorFrontend::setDocument):
(WebCore::InspectorFrontend::setDetachedRoot):
(WebCore::InspectorFrontend::setChildNodes):
(WebCore::InspectorFrontend::childNodeCountUpdated):
(WebCore::InspectorFrontend::childNodeInserted):
(WebCore::InspectorFrontend::childNodeRemoved):
(WebCore::InspectorFrontend::attributesUpdated):
(WebCore::InspectorFrontend::didRemoveNode):
(WebCore::InspectorFrontend::didGetChildNodes):
(WebCore::InspectorFrontend::didApplyDomChange):
(WebCore::InspectorFrontend::didGetEventListenersForNode):
(WebCore::InspectorFrontend::didGetCookies):
(WebCore::InspectorFrontend::didDispatchOnInjectedScript):
(WebCore::InspectorFrontend::addDatabase):
(WebCore::InspectorFrontend::selectDatabase):
(WebCore::InspectorFrontend::didGetDatabaseTableNames):
(WebCore::InspectorFrontend::addDOMStorage):
(WebCore::InspectorFrontend::selectDOMStorage):
(WebCore::InspectorFrontend::didGetDOMStorageEntries):
(WebCore::InspectorFrontend::didSetDOMStorageItem):
(WebCore::InspectorFrontend::didRemoveDOMStorageItem):
(WebCore::InspectorFrontend::updateDOMStorage):
(WebCore::InspectorFrontend::addNodesToSearchResult):
(WebCore::InspectorFrontend::evaluateForTestInFrontend):
* inspector/InspectorFrontend.h:
2009-12-02 Dave Hyatt <hyatt@apple.com>
 
Reviewed by Darin Adler.
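Review bot: the "Test case" line in the ChangeLog entry describes a local build setting (GC on every allocation) rather than a committed regression test, so nothing in the tree will catch a reintroduced heap-allocated ScriptFunctionCall under normal GC; the compile-time guard added in ScriptFunctionCall.h covers the direct `new` case, and the ChangeLog should say that this guard, not the test suite, is what prevents the regression.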
......@@ -72,6 +72,13 @@ void ScriptFunctionCall::appendArgument(const String& argument)
void ScriptFunctionCall::appendArgument(const JSC::UString& argument)
{
JSLock lock(SilenceAssertionsOnly);
m_arguments.append(jsString(m_exec, argument));
}
void ScriptFunctionCall::appendArgument(const char* argument)
{
JSLock lock(SilenceAssertionsOnly);
m_arguments.append(jsString(m_exec, argument));
}
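Review bot: the new `appendArgument(const char*)` body is a verbatim copy of the `const JSC::UString&` overload directly above it (same `JSLock` and same `jsString(m_exec, argument)` call), relying on an implicit `const char*` to `UString` conversion inside the `jsString` call. Forwarding instead, `appendArgument(JSC::UString(argument));`, keeps a single locking path and makes the conversion visible; if a null `const char*` can reach this overload, either an `ASSERT(argument)` or a comment stating that null is accepted would document the contract.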
......@@ -55,6 +55,7 @@ namespace WebCore {
void appendArgument(const ScriptString&);
void appendArgument(const ScriptValue&);
void appendArgument(const String&);
void appendArgument(const char*);
void appendArgument(const JSC::UString&);
void appendArgument(JSC::JSValue);
void appendArgument(long);
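Review bot: the header gives no hint why a `const char*` overload is needed next to `const String&` and `const JSC::UString&`; the reason (a string literal otherwise needs an explicit `String` cast to choose between those two, as the commit message explains) belongs in a one-line comment on this declaration, otherwise a later cleanup may drop it as redundant and reintroduce the casts at every call site.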
......@@ -72,6 +73,12 @@ namespace WebCore {
ScriptObject m_thisObject;
String m_name;
JSC::MarkedArgumentBuffer m_arguments;
private:
// MarkedArgumentBuffer must be stack allocated, so prevent heap
// alloc of ScriptFunctionCall as well.
void* operator new(size_t) { ASSERT_NOT_REACHED(); return reinterpret_cast<void*>(0xbadbeef); }
void* operator new[](size_t) { ASSERT_NOT_REACHED(); return reinterpret_cast<void*>(0xbadbeef); }
};
} // namespace WebCore
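Review bot: the private `operator new` and `operator new[]` only reject a direct `new ScriptFunctionCall` at compile time; they do not stop a `ScriptFunctionCall` embedded as a member of a heap-allocated object or stored in a container, which breaks the same stack-allocation requirement the comment states for `MarkedArgumentBuffer`, so the comment should spell out that limitation. The bodies are also dead code: `ASSERT_NOT_REACHED()` compiles to nothing in release builds, so any path that did reach them would hand back the bogus `0xbadbeef` pointer; declaring the operators without a definition turns an in-class misuse into a link error and removes the fake return value. A matching private `operator delete` is missing as well.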
......@@ -136,7 +136,6 @@ namespace WebCore {
void evaluateForTestInFrontend(int callId, const String& script);
private:
PassOwnPtr<ScriptFunctionCall> newFunctionCall(const String& functionName);
void callSimpleFunction(const String& functionName);
InspectorController* m_inspectorController;
ScriptState* m_scriptState;
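Review bot: removing the `PassOwnPtr<ScriptFunctionCall> newFunctionCall(const String& functionName)` declaration is the right companion to the private `operator new` in ScriptFunctionCall.h, since any remaining heap construction would now fail to compile; the InspectorFrontend.cpp changes are not shown on this page, so the review should confirm that every former `newFunctionCall` caller now constructs a stack `ScriptFunctionCall` and that `callSimpleFunction`, which stays in the header, was converted the same way.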