Commit 7929995e authored by abarth@webkit.org

[v8] Security feature: JavaScript Bindings hardening

https://bugs.webkit.org/show_bug.cgi?id=106608

Source/WebCore: 

The patch adds a check at wrapper creation time to ensure that the
object being wrapped is not already free, to the extent that we know
the information about the type of the object as provided in the IDL.

Patch by Tom Sepez <tsepez@chromium.org> on 2013-01-28
Reviewed by Adam Barth.

Patch is correct if existing tests pass without new crashes.

* bindings/scripts/CodeGeneratorV8.pm:
(GenerateImplementation):
(GenerateToV8Converters):
(GetNativeTypeForConversions):
(GetGnuVTableRefForInterface):
(GetGnuVTableNameForInterface):
(GetGnuMangledNameForInterface):
(GetGnuVTableOffsetForType):
(GetWinVTableRefForInterface):
(GetWinVTableNameForInterface):
(GetWinMangledNameForInterface):
(GetNamespaceForInterface):
(GetImplementationLacksVTableForInterface):
(GetV8SkipVTableValidationForInterface):
Update code generation to add object validity tests under the control
of the ENABLE_BINDING_INTEGRITY option.
        
* Modules/filesystem/DirectoryReader.idl:
* Modules/filesystem/DirectoryReaderSync.idl:
* Modules/filesystem/EntryArray.idl:
* Modules/filesystem/EntryArraySync.idl:
* Modules/filesystem/Metadata.idl:
* Modules/gamepad/Gamepad.idl:
* Modules/gamepad/GamepadList.idl:
* Modules/geolocation/Geoposition.idl:
* Modules/geolocation/PositionError.idl:
* Modules/indexeddb/IDBFactory.idl:
* Modules/indexeddb/IDBIndex.idl:
* Modules/indexeddb/IDBKeyRange.idl:
* Modules/indexeddb/IDBObjectStore.idl:
* Modules/mediastream/RTCStatsElement.idl:
* Modules/mediastream/RTCStatsReport.idl:
* Modules/quota/StorageInfo.idl:
* Modules/speech/SpeechGrammar.idl:
* Modules/speech/SpeechGrammarList.idl:
* Modules/speech/SpeechRecognitionAlternative.idl:
* Modules/speech/SpeechRecognitionResult.idl:
* Modules/speech/SpeechRecognitionResultList.idl:
* Modules/webaudio/AudioBuffer.idl:
* Modules/webaudio/AudioDestinationNode.idl:
* Modules/webaudio/AudioListener.idl:
* Modules/webaudio/AudioSourceNode.idl:
* Modules/webaudio/WaveTable.idl:
* Modules/webdatabase/SQLError.idl:
* Modules/webdatabase/SQLException.idl:
* Modules/webdatabase/SQLResultSet.idl:
* Modules/webdatabase/SQLResultSetRowList.idl:
* Modules/webdatabase/SQLTransaction.idl:
* Modules/webdatabase/SQLTransactionSync.idl:
* bindings/scripts/IDLAttributes.txt:
* css/CSSPrimitiveValue.idl:
* css/CSSRule.idl:
* css/CSSRuleList.idl:
* css/CSSStyleDeclaration.idl:
* css/CSSValue.idl:
* css/CSSValueList.idl:
* css/Counter.idl:
* css/MediaList.idl:
* css/MediaQueryList.idl:
* css/RGBColor.idl:
* css/Rect.idl:
* css/StyleSheetList.idl:
* css/WebKitCSSFilterValue.idl:
* css/WebKitCSSMixFunctionValue.idl:
* css/WebKitCSSTransformValue.idl:
* dom/ClientRect.idl:
* dom/ClientRectList.idl:
* dom/Clipboard.idl:
* dom/DOMCoreException.idl:
* dom/DOMError.idl:
* dom/DOMImplementation.idl:
* dom/DOMNamedFlowCollection.idl:
* dom/DOMStringList.idl:
* dom/DOMStringMap.idl:
* dom/DataTransferItem.idl:
* dom/DataTransferItemList.idl:
* dom/DocumentFragment.idl:
* dom/Element.idl:
* dom/Entity.idl:
* dom/Event.idl:
* dom/EventException.idl:
* dom/MessageChannel.idl:
* dom/MouseEvent.idl:
* dom/MutationObserver.idl:
* dom/MutationRecord.idl:
* dom/NamedNodeMap.idl:
* dom/NodeFilter.idl:
* dom/NodeIterator.idl:
* dom/NodeList.idl:
* dom/Range.idl:
* dom/RangeException.idl:
* dom/Touch.idl:
* dom/TouchList.idl:
* dom/TreeWalker.idl:
* fileapi/FileError.idl:
* fileapi/FileException.idl:
* fileapi/FileList.idl:
* html/DOMFormData.idl:
* html/DOMTokenList.idl:
* html/DOMURL.idl:
* html/HTMLAllCollection.idl:
* html/HTMLCollection.idl:
* html/HTMLDialogElement.idl:
* html/HTMLDivElement.idl:
* html/HTMLDocument.idl:
* html/HTMLElement.idl:
* html/HTMLImageElement.idl:
* html/HTMLInputElement.idl:
* html/HTMLSelectElement.idl:
* html/HTMLSpanElement.idl:
* html/HTMLUnknownElement.idl:
* html/ImageData.idl:
* html/MediaError.idl:
* html/MediaKeyError.idl:
* html/TimeRanges.idl:
* html/ValidityState.idl:
* html/canvas/ArrayBuffer.idl:
* html/canvas/ArrayBufferView.idl:
* html/canvas/CanvasGradient.idl:
* html/canvas/CanvasPattern.idl:
* html/canvas/Float32Array.idl:
* html/canvas/Float64Array.idl:
* html/canvas/Int16Array.idl:
* html/canvas/Int32Array.idl:
* html/canvas/Int8Array.idl:
* html/canvas/Uint16Array.idl:
* html/canvas/Uint32Array.idl:
* html/canvas/Uint8Array.idl:
* html/canvas/Uint8ClampedArray.idl:
* html/canvas/WebGLActiveInfo.idl:
* html/canvas/WebGLShaderPrecisionFormat.idl:
* html/track/TextTrack.idl:
* html/track/TextTrackCue.idl:
* html/track/TextTrackCueList.idl:
* inspector/InjectedScriptHost.idl:
* inspector/InspectorFrontendHost.idl:
* inspector/JavaScriptCallFrame.idl:
* page/Coordinates.idl:
* page/Crypto.idl:
* page/MemoryInfo.idl:
* page/PagePopupController.idl:
* page/PerformanceEntryList.idl:
* page/SpeechInputResult.idl:
* page/SpeechInputResultList.idl:
* page/WebKitPoint.idl:
* svg/SVGAnimatedAngle.idl:
* svg/SVGAnimatedBoolean.idl:
* svg/SVGAnimatedEnumeration.idl:
* svg/SVGAnimatedInteger.idl:
* svg/SVGAnimatedLength.idl:
* svg/SVGAnimatedLengthList.idl:
* svg/SVGAnimatedNumber.idl:
* svg/SVGAnimatedNumberList.idl:
* svg/SVGAnimatedPreserveAspectRatio.idl:
* svg/SVGAnimatedRect.idl:
* svg/SVGAnimatedString.idl:
* svg/SVGAnimatedTransformList.idl:
* svg/SVGColor.idl:
* svg/SVGException.idl:
* svg/SVGPaint.idl:
* svg/SVGPathSeg.idl:
* svg/SVGRenderingIntent.idl:
* svg/SVGUnitTypes.idl:
* svg/SVGZoomAndPan.idl:
* testing/MallocStatistics.idl:
* testing/TypeConversions.idl:
* workers/WorkerLocation.idl:
* xml/DOMParser.idl:
* xml/XMLHttpRequestException.idl:
* xml/XMLSerializer.idl:
* xml/XPathEvaluator.idl:
* xml/XPathException.idl:
* xml/XPathExpression.idl:
* xml/XPathNSResolver.idl:
* xml/XPathResult.idl:
* xml/XSLTProcessor.idl:
Add exceptions to binding integrity checks to IDL.

Source/WebKit/chromium: 

Patch by Tom Sepez <tsepez@chromium.org> on 2013-01-28
Reviewed by Adam Barth.

* features.gypi:
Added ENABLE_BINDING_INTEGRITY option.


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@141034 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 49fdc9a5
2013-01-28 Tom Sepez <tsepez@chromium.org>
[v8] Security feature: JavaScript Bindings hardening
https://bugs.webkit.org/show_bug.cgi?id=106608
The patch adds a check at wrapper creation time to enuse that the
object being wrapped is not already free, to the extent that we know
the information about the type of the object as provided in the IDL.
Reviewed by Adam Barth.
Patch is correct if existing tests pass without new crashes.
* bindings/scripts/CodeGeneratorV8.pm:
(GenerateImplementation):
(GenerateToV8Converters):
(GetNativeTypeForConversions):
(GetGnuVTableRefForInterface):
(GetGnuVTableNameForInterface):
(GetGnuMangledNameForInterface):
(GetGnuVTableOffsetForType):
(GetWinVTableRefForInterface):
(GetWinVTableNameForInterface):
(GetWinMangledNameForInterface):
(GetNamespaceForInterface):
(GetImplementationLacksVTableForInterface):
(GetV8SkipVTableValidationForInterface):
Update code generation to add object validity tests under the control
of the ENABLE_BINDING_INTEGRITY option.
* Modules/filesystem/DirectoryReader.idl:
* Modules/filesystem/DirectoryReaderSync.idl:
* Modules/filesystem/EntryArray.idl:
* Modules/filesystem/EntryArraySync.idl:
* Modules/filesystem/Metadata.idl:
* Modules/gamepad/Gamepad.idl:
* Modules/gamepad/GamepadList.idl:
* Modules/geolocation/Geoposition.idl:
* Modules/geolocation/PositionError.idl:
* Modules/indexeddb/IDBFactory.idl:
* Modules/indexeddb/IDBIndex.idl:
* Modules/indexeddb/IDBKeyRange.idl:
* Modules/indexeddb/IDBObjectStore.idl:
* Modules/mediastream/RTCStatsElement.idl:
* Modules/mediastream/RTCStatsReport.idl:
* Modules/quota/StorageInfo.idl:
* Modules/speech/SpeechGrammar.idl:
* Modules/speech/SpeechGrammarList.idl:
* Modules/speech/SpeechRecognitionAlternative.idl:
* Modules/speech/SpeechRecognitionResult.idl:
* Modules/speech/SpeechRecognitionResultList.idl:
* Modules/webaudio/AudioBuffer.idl:
* Modules/webaudio/AudioDestinationNode.idl:
* Modules/webaudio/AudioListener.idl:
* Modules/webaudio/AudioSourceNode.idl:
* Modules/webaudio/WaveTable.idl:
* Modules/webdatabase/SQLError.idl:
* Modules/webdatabase/SQLException.idl:
* Modules/webdatabase/SQLResultSet.idl:
* Modules/webdatabase/SQLResultSetRowList.idl:
* Modules/webdatabase/SQLTransaction.idl:
* Modules/webdatabase/SQLTransactionSync.idl:
* bindings/scripts/IDLAttributes.txt:
* css/CSSPrimitiveValue.idl:
* css/CSSRule.idl:
* css/CSSRuleList.idl:
* css/CSSStyleDeclaration.idl:
* css/CSSValue.idl:
* css/CSSValueList.idl:
* css/Counter.idl:
* css/MediaList.idl:
* css/MediaQueryList.idl:
* css/RGBColor.idl:
* css/Rect.idl:
* css/StyleSheetList.idl:
* css/WebKitCSSFilterValue.idl:
* css/WebKitCSSMixFunctionValue.idl:
* css/WebKitCSSTransformValue.idl:
* dom/ClientRect.idl:
* dom/ClientRectList.idl:
* dom/Clipboard.idl:
* dom/DOMCoreException.idl:
* dom/DOMError.idl:
* dom/DOMImplementation.idl:
* dom/DOMNamedFlowCollection.idl:
* dom/DOMStringList.idl:
* dom/DOMStringMap.idl:
* dom/DataTransferItem.idl:
* dom/DataTransferItemList.idl:
* dom/DocumentFragment.idl:
* dom/Element.idl:
* dom/Entity.idl:
* dom/Event.idl:
* dom/EventException.idl:
* dom/MessageChannel.idl:
* dom/MouseEvent.idl:
* dom/MutationObserver.idl:
* dom/MutationRecord.idl:
* dom/NamedNodeMap.idl:
* dom/NodeFilter.idl:
* dom/NodeIterator.idl:
* dom/NodeList.idl:
* dom/Range.idl:
* dom/RangeException.idl:
* dom/Touch.idl:
* dom/TouchList.idl:
* dom/TreeWalker.idl:
* fileapi/FileError.idl:
* fileapi/FileException.idl:
* fileapi/FileList.idl:
* html/DOMFormData.idl:
* html/DOMTokenList.idl:
* html/DOMURL.idl:
* html/HTMLAllCollection.idl:
* html/HTMLCollection.idl:
* html/HTMLDialogElement.idl:
* html/HTMLDivElement.idl:
* html/HTMLDocument.idl:
* html/HTMLElement.idl:
* html/HTMLImageElement.idl:
* html/HTMLInputElement.idl:
* html/HTMLSelectElement.idl:
* html/HTMLSpanElement.idl:
* html/HTMLUnknownElement.idl:
* html/ImageData.idl:
* html/MediaError.idl:
* html/MediaKeyError.idl:
* html/TimeRanges.idl:
* html/ValidityState.idl:
* html/canvas/ArrayBuffer.idl:
* html/canvas/ArrayBufferView.idl:
* html/canvas/CanvasGradient.idl:
* html/canvas/CanvasPattern.idl:
* html/canvas/Float32Array.idl:
* html/canvas/Float64Array.idl:
* html/canvas/Int16Array.idl:
* html/canvas/Int32Array.idl:
* html/canvas/Int8Array.idl:
* html/canvas/Uint16Array.idl:
* html/canvas/Uint32Array.idl:
* html/canvas/Uint8Array.idl:
* html/canvas/Uint8ClampedArray.idl:
* html/canvas/WebGLActiveInfo.idl:
* html/canvas/WebGLShaderPrecisionFormat.idl:
* html/track/TextTrack.idl:
* html/track/TextTrackCue.idl:
* html/track/TextTrackCueList.idl:
* inspector/InjectedScriptHost.idl:
* inspector/InspectorFrontendHost.idl:
* inspector/JavaScriptCallFrame.idl:
* page/Coordinates.idl:
* page/Crypto.idl:
* page/MemoryInfo.idl:
* page/PagePopupController.idl:
* page/PerformanceEntryList.idl:
* page/SpeechInputResult.idl:
* page/SpeechInputResultList.idl:
* page/WebKitPoint.idl:
* svg/SVGAnimatedAngle.idl:
* svg/SVGAnimatedBoolean.idl:
* svg/SVGAnimatedEnumeration.idl:
* svg/SVGAnimatedInteger.idl:
* svg/SVGAnimatedLength.idl:
* svg/SVGAnimatedLengthList.idl:
* svg/SVGAnimatedNumber.idl:
* svg/SVGAnimatedNumberList.idl:
* svg/SVGAnimatedPreserveAspectRatio.idl:
* svg/SVGAnimatedRect.idl:
* svg/SVGAnimatedString.idl:
* svg/SVGAnimatedTransformList.idl:
* svg/SVGColor.idl:
* svg/SVGException.idl:
* svg/SVGPaint.idl:
* svg/SVGPathSeg.idl:
* svg/SVGRenderingIntent.idl:
* svg/SVGUnitTypes.idl:
* svg/SVGZoomAndPan.idl:
* testing/MallocStatistics.idl:
* testing/TypeConversions.idl:
* workers/WorkerLocation.idl:
* xml/DOMParser.idl:
* xml/XMLHttpRequestException.idl:
* xml/XMLSerializer.idl:
* xml/XPathEvaluator.idl:
* xml/XPathException.idl:
* xml/XPathExpression.idl:
* xml/XPathNSResolver.idl:
* xml/XPathResult.idl:
* xml/XSLTProcessor.idl:
Add exceptions to binding integrity checks to IDL.
2013-01-28 Alpha Lam <hclam@chromium.org>
[chromium] Build fix.
......@@ -30,7 +30,8 @@
[
Conditional=FILE_SYSTEM,
JSNoStaticTables
JSNoStaticTables,
ImplementationLacksVTable
] interface DirectoryReader {
void readEntries(in [Callback] EntriesCallback successCallback, in [Optional, Callback] ErrorCallback errorCallback);
};
......@@ -30,7 +30,8 @@
[
Conditional=FILE_SYSTEM,
JSNoStaticTables
JSNoStaticTables,
ImplementationLacksVTable
] interface DirectoryReaderSync {
EntryArraySync readEntries() raises (FileException);
};
......@@ -31,7 +31,8 @@
[
Conditional=FILE_SYSTEM,
IndexedGetter,
JSNoStaticTables
JSNoStaticTables,
ImplementationLacksVTable
] interface EntryArray {
readonly attribute unsigned long length;
Entry item(in [IsIndex] unsigned long index);
......
......@@ -31,7 +31,8 @@
[
Conditional=FILE_SYSTEM,
IndexedGetter,
JSNoStaticTables
JSNoStaticTables,
ImplementationLacksVTable
] interface EntryArraySync {
readonly attribute unsigned long length;
EntrySync item(in [IsIndex] unsigned long index);
......
......@@ -30,7 +30,8 @@
[
Conditional=FILE_SYSTEM,
JSNoStaticTables
JSNoStaticTables,
ImplementationLacksVTable
] interface Metadata {
readonly attribute Date modificationTime;
readonly attribute unsigned long long size;
......
......@@ -24,7 +24,8 @@
*/
[
Conditional=GAMEPAD
Conditional=GAMEPAD,
ImplementationLacksVTable
] interface Gamepad {
readonly attribute DOMString id;
readonly attribute unsigned long index;
......
......@@ -25,7 +25,8 @@
[
Conditional=GAMEPAD,
IndexedGetter
IndexedGetter,
ImplementationLacksVTable
] interface GamepadList {
readonly attribute unsigned long length;
Gamepad item(in [Optional=DefaultIsUndefined] unsigned long index);
......
......@@ -25,7 +25,8 @@
[
Conditional=GEOLOCATION,
OmitConstructor
OmitConstructor,
ImplementationLacksVTable
] interface Geoposition {
readonly attribute Coordinates coords;
readonly attribute DOMTimeStamp timestamp;
......
......@@ -24,7 +24,8 @@
*/
[
Conditional=GEOLOCATION
Conditional=GEOLOCATION,
ImplementationLacksVTable
] interface PositionError {
readonly attribute unsigned short code;
readonly attribute DOMString message;
......
......@@ -25,7 +25,8 @@
[
Conditional=INDEXED_DATABASE,
JSNoStaticTables
JSNoStaticTables,
ImplementationLacksVTable
] interface IDBFactory {
[CallWith=ScriptExecutionContext, ImplementedAs=getDatabaseNames] IDBRequest webkitGetDatabaseNames();
......
......@@ -25,7 +25,8 @@
[
Conditional=INDEXED_DATABASE,
JSNoStaticTables
JSNoStaticTables,
ImplementationLacksVTable
] interface IDBIndex {
readonly attribute DOMString name;
readonly attribute IDBObjectStore objectStore;
......
......@@ -25,7 +25,8 @@
[
Conditional=INDEXED_DATABASE,
JSNoStaticTables
JSNoStaticTables,
ImplementationLacksVTable
] interface IDBKeyRange {
[ImplementedAs=lowerValue,CallWith=ScriptExecutionContext] readonly attribute any lower;
[ImplementedAs=upperValue,CallWith=ScriptExecutionContext] readonly attribute any upper;
......
......@@ -25,7 +25,8 @@
[
Conditional=INDEXED_DATABASE,
JSNoStaticTables
JSNoStaticTables,
ImplementationLacksVTable
] interface IDBObjectStore {
[TreatReturnedNullStringAs=Null] readonly attribute DOMString name;
[ImplementedAs=keyPathAny] readonly attribute IDBAny keyPath;
......
......@@ -24,6 +24,7 @@
[
Conditional=MEDIA_STREAM,
ImplementationLacksVTable
] interface RTCStatsElement {
readonly attribute Date timestamp;
DOMString stat(in DOMString name);
......
......@@ -23,7 +23,8 @@
*/
[
Conditional=MEDIA_STREAM
Conditional=MEDIA_STREAM,
ImplementationLacksVTable
] interface RTCStatsReport {
readonly attribute RTCStatsElement local;
readonly attribute RTCStatsElement remote;
......
......@@ -25,7 +25,8 @@
[
Conditional=QUOTA,
OmitConstructor
OmitConstructor,
ImplementationLacksVTable
] interface StorageInfo {
const unsigned short TEMPORARY = 0;
const unsigned short PERSISTENT = 1;
......
......@@ -25,7 +25,8 @@
[
Conditional=SCRIPTED_SPEECH,
Constructor
Constructor,
ImplementationLacksVTable
] interface SpeechGrammar {
[URL,CallWith=ScriptExecutionContext] attribute DOMString src;
attribute float weight;
......
......@@ -27,6 +27,7 @@
Conditional=SCRIPTED_SPEECH,
IndexedGetter,
Constructor,
ImplementationLacksVTable
] interface SpeechGrammarList {
readonly attribute unsigned long length;
SpeechGrammar item(in [IsIndex] unsigned long index);
......
......@@ -24,7 +24,8 @@
*/
[
Conditional=SCRIPTED_SPEECH
Conditional=SCRIPTED_SPEECH,
ImplementationLacksVTable
] interface SpeechRecognitionAlternative {
readonly attribute DOMString transcript;
readonly attribute float confidence;
......
......@@ -25,7 +25,8 @@
[
Conditional=SCRIPTED_SPEECH,
IndexedGetter
IndexedGetter,
ImplementationLacksVTable
] interface SpeechRecognitionResult {
readonly attribute unsigned long length;
SpeechRecognitionAlternative item(in [IsIndex] unsigned long index);
......
......@@ -25,7 +25,8 @@
[
Conditional=SCRIPTED_SPEECH,
IndexedGetter
IndexedGetter,
ImplementationLacksVTable
] interface SpeechRecognitionResultList {
readonly attribute unsigned long length;
SpeechRecognitionResult item(in [IsIndex] unsigned long index);
......
......@@ -27,7 +27,8 @@
*/
[
Conditional=WEB_AUDIO
Conditional=WEB_AUDIO,
ImplementationLacksVTable
] interface AudioBuffer {
readonly attribute long length; // in sample-frames
readonly attribute float duration; // in seconds
......
......@@ -24,7 +24,8 @@
[
Conditional=WEB_AUDIO,
JSGenerateToJSObject
JSGenerateToJSObject,
V8SkipVTableValidation
] interface AudioDestinationNode : AudioNode {
readonly attribute long numberOfChannels;
};
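Review bot: `V8SkipVTableValidation` exempts AudioDestinationNode from the new vtable check entirely, yet the IDL records no reason, and it is the only interface in the visible part of the patch that opts out this way rather than with ImplementationLacksVTable. A one-line comment above the attribute list would keep the exemption reviewable, e.g. `// V8SkipVTableValidation: presumably the wrapped object is a subclass whose vtable differs from AudioDestinationNode's — confirm before removing.` Without it, nothing distinguishes a deliberate exemption from one that has outlived its reason, and the interface stays unchecked with no diagnostic.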
......@@ -27,7 +27,8 @@
*/
[
Conditional=WEB_AUDIO
Conditional=WEB_AUDIO,
ImplementationLacksVTable
] interface AudioListener {
attribute float dopplerFactor; // same as OpenAL (default 1.0)
attribute float speedOfSound; // in meters / second (default 343.3)
......
......@@ -27,6 +27,7 @@
*/
[
Conditional=WEB_AUDIO
Conditional=WEB_AUDIO,
ImplementationLacksVTable
] interface AudioSourceNode : AudioNode {
};
......@@ -24,7 +24,8 @@
// WaveTable represents a periodic audio waveform given by its Fourier coefficients.
[
Conditional=WEB_AUDIO
Conditional=WEB_AUDIO,
ImplementationLacksVTable
] interface WaveTable {
};
......@@ -29,7 +29,8 @@
[
Conditional=SQL_DATABASE,
OmitConstructor,
JSNoStaticTables
JSNoStaticTables,
ImplementationLacksVTable
] interface SQLError {
readonly attribute unsigned long code;
readonly attribute DOMString message;
......
......@@ -31,7 +31,8 @@
[
Conditional=SQL_DATABASE,
JSNoStaticTables,
DoNotCheckConstants
DoNotCheckConstants,
ImplementationLacksVTable
] exception SQLException {
readonly attribute unsigned long code;
readonly attribute DOMString message;
......
......@@ -29,7 +29,8 @@
[
Conditional=SQL_DATABASE,
OmitConstructor,
JSNoStaticTables
JSNoStaticTables,
ImplementationLacksVTable
] interface SQLResultSet {
readonly attribute SQLResultSetRowList rows;
......
......@@ -29,7 +29,8 @@
[
Conditional=SQL_DATABASE,
OmitConstructor,
JSNoStaticTables
JSNoStaticTables,
ImplementationLacksVTable
] interface SQLResultSetRowList {
readonly attribute unsigned long length;
[Custom] DOMObject item(in unsigned long index);
......
......@@ -29,7 +29,8 @@
[
Conditional=SQL_DATABASE,
OmitConstructor,
JSNoStaticTables
JSNoStaticTables,
ImplementationLacksVTable
] interface SQLTransaction {
[Custom] void executeSql(in DOMString sqlStatement,
in ObjectArray arguments,
......
......@@ -31,7 +31,8 @@
[
Conditional=SQL_DATABASE,
OmitConstructor,
JSNoStaticTables
JSNoStaticTables,
ImplementationLacksVTable
] interface SQLTransactionSync {
[Custom] SQLResultSet executeSql(in DOMString sqlStatement, in ObjectArray arguments);
};
......@@ -2614,6 +2614,9 @@ sub GenerateImplementation
my $visibleInterfaceName = $codeGenerator->GetVisibleInterfaceName($interface);
my $v8InterfaceName = "V8$interfaceName";
my $nativeType = GetNativeTypeForConversions($interface);
my $vtableNameGnu = GetGnuVTableNameForInterface($interface);
my $vtableRefGnu = GetGnuVTableRefForInterface($interface);
my $vtableRefWin = GetWinVTableRefForInterface($interface);
# - Add default header template
push(@implContentHeader, GenerateImplementationContentHeader($interface));
......@@ -2640,7 +2643,39 @@ sub GenerateImplementation
$parentClassTemplate = $parentClass . "::GetTemplate()";
last;
}
push(@implContentDecls, <<END) if $vtableNameGnu;
#if ENABLE(BINDING_INTEGRITY)
#if defined(OS_WIN)
#pragma warning(disable: 4483)
extern "C" { extern void (*const ${vtableRefWin}[])(); }
#else
extern "C" { extern void* ${vtableNameGnu}[]; }
#endif
#endif // ENABLE(BINDING_INTEGRITY)
END
push(@implContentDecls, "namespace WebCore {\n\n");
push(@implContentDecls, <<END) if $vtableNameGnu;
#if ENABLE(BINDING_INTEGRITY)
inline void checkTypeOrDieTrying(${nativeType}* object)
{
void* actualVTablePointer = *(reinterpret_cast<void**>(object));
#if defined(OS_WIN)
void* expectedVTablePointer = reinterpret_cast<void*>(${vtableRefWin});
#else
void* expectedVTablePointer = ${vtableRefGnu};
#endif
if (actualVTablePointer != expectedVTablePointer)
CRASH();
}
#endif // ENABLE(BINDING_INTEGRITY)
END
my $parentClassInfo = $parentClass ? "&${parentClass}::info" : "0";
my $WrapperTypePrototype = $interface->isException ? "WrapperTypeErrorPrototype" : "WrapperTypeObjectPrototype";
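Review bot: The emitted `checkTypeOrDieTrying` carries no comment saying what a mismatch means or what layout it assumes, and because both pushes in this hunk are guarded by `if $vtableNameGnu`, an interface whose IDL is annotated ImplementationLacksVTable or V8SkipVTableValidation presumably gets no check at all, with nothing in the generated .cpp recording that fact. A header comment on the generated function would help readers of the output, e.g. `// Compares the object's vtable pointer with ${nativeType}'s own vtable; a mismatch means impl is not the exact type the IDL promises (already freed, or a different class), so crash rather than continue.` together with `// Assumes the vptr sits at offset 0 of ${nativeType}, i.e. its first polymorphic base is its primary base — confirm for multiply-inherited types.` For the opt-out case, consider having the generator emit a compile-time assertion that `${nativeType}` really is non-polymorphic whenever GetImplementationLacksVTableForInterface reports it, since a stale annotation otherwise disables the check silently; whether a suitable polymorphism trait is available on every supported toolchain I cannot tell from here. Separately, `#if defined(OS_WIN)` is the Chromium spelling where the surrounding WebKit code uses `OS(WINDOWS)`; if OS_WIN is undefined in some Windows configuration the GNU branch is emitted and the link fails, which at least fails closed. GenerateImplementation continues outside the hunk.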
......@@ -3466,6 +3501,8 @@ sub GenerateToV8Converters
return;
}
AddToImplIncludes("Frame.h");
my $createWrapperArgumentType = GetPassRefPtrType($nativeType);
my $baseType = BaseInterfaceName($interface);
......@@ -3476,13 +3513,18 @@ v8::Handle<v8::Object> ${v8InterfaceName}::createWrapper(${createWrapperArgument
ASSERT(impl.get());
ASSERT(DOMDataStore::getWrapper(impl.get(), isolate).IsEmpty());
END
if ($baseType ne $interfaceName) {
push(@implContent, <<END);
ASSERT(static_cast<void*>(static_cast<${baseType}*>(impl.get())) == static_cast<void*>(impl.get()));
my $vtableNameGnu = GetGnuVTableNameForInterface($interface);
push(@implContent, <<END) if $vtableNameGnu;
#if ENABLE(BINDING_INTEGRITY)
checkTypeOrDieTrying(impl.get());
#endif
END
}