<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" /><style type="text/css"><!--
#msg dl { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre, #msg p { overflow: auto; background: #ffc; border: 1px #fc0 solid; padding: 6px; }
#msg ul { overflow: auto; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<title>[28500] trunk/WebCore</title>
</head>
<body>

<div id="msg">
<dl>
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/28500">28500</a></dd>
<dt>Author</dt> <dd>sfalken@apple.com</dd>
<dt>Date</dt> <dd>2007-12-06 15:31:46 -0800 (Thu, 06 Dec 2007)</dd>
</dl>

<h3>Log Message</h3>
<pre>        &lt;rdar://problem/5614257&gt; Crash in timer / hashtable code due to uncaught exception
        
        Don't use callback-based timers, since these cause Windows to eat Windows crashes
        in code the timers call.
        
        Windows appears to be defending against &quot;shatter&quot; attacks partially by setting
        up a structured exception block while dispatching callback-based WM_TIMERs.
        
        I verified this by adding a divide by zero into some timer callback code.
        In the case where the timer was dispatched via a callback, the divide by zero
        exception was silently handled and ignored, with execution continuing after
        our call to DispatchMessage.  When processed via the WNDPROC, no SEH
        block was established by Windows, and our divide by zero generated a real
        crash (which is what we wanted).
        
        Windows handling our crashes for us led us to leave the timer data structures
        in an invalid state so the next time a timer was set, we'd crash accessing an
        invalid HashMap of timer data.
        
        Reviewed by Hyatt.

        * platform/win/SharedTimerWin.cpp:
        (WebCore::TimerWindowWndProc):
        (WebCore::setSharedTimerFireTime):</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkWebCoreChangeLog">trunk/WebCore/ChangeLog</a></li>
<li><a href="#trunkWebCoreplatformwinSharedTimerWincpp">trunk/WebCore/platform/win/SharedTimerWin.cpp</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/WebCore/ChangeLog (28499 => 28500)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/WebCore/ChangeLog        2007-12-06 22:36:10 UTC (rev 28499)
+++ trunk/WebCore/ChangeLog        2007-12-06 23:31:46 UTC (rev 28500)
</span><span class="lines">@@ -1,3 +1,30 @@
</span><ins>+2007-12-06  Steve Falkenburg  &lt;sfalken@apple.com&gt;
+
+        &lt;rdar://problem/5614257&gt; Crash in timer / hashtable code due to uncaught exception
+        
+        Don't use callback-based timers, since these cause Windows to eat Windows crashes
+        in code the timers call.
+        
+        Windows appears to be defending against &quot;shatter&quot; attacks partially by setting
+        up a structured exception block while dispatching callback-based WM_TIMERs.
+        
+        I verified this by adding a divide by zero into some timer callback code.
+        In the case where the timer was dispatched via a callback, the divide by zero
+        exception was silently handled and ignored, with execution continuing after
+        our call to DispatchMessage.  When processed via the WNDPROC, no SEH
+        block was established by Windows, and our divide by zero generated a real
+        crash (which is what we wanted).
+        
+        Windows handling our crashes for us led us to leave the timer data structures
+        in an invalid state so the next time a timer was set, we'd crash accessing an
+        invalid HashMap of timer data.
+        
+        Reviewed by Hyatt.
+
+        * platform/win/SharedTimerWin.cpp:
+        (WebCore::TimerWindowWndProc):
+        (WebCore::setSharedTimerFireTime):
+
</ins><span class="cx"> 2007-12-06  Adam Roben  &lt;aroben@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         Fix &lt;rdar://5108390&gt; Feed title is too low in blue banner
</span></span></pre></div>
<a id="trunkWebCoreplatformwinSharedTimerWincpp"></a>
<div class="modfile"><h4>Modified: trunk/WebCore/platform/win/SharedTimerWin.cpp (28499 => 28500)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/WebCore/platform/win/SharedTimerWin.cpp        2007-12-06 22:36:10 UTC (rev 28499)
+++ trunk/WebCore/platform/win/SharedTimerWin.cpp        2007-12-06 23:31:46 UTC (rev 28500)
</span><span class="lines">@@ -41,10 +41,11 @@
</span><span class="cx"> static UINT timerFiredMessage = 0;
</span><span class="cx"> const LPCWSTR kTimerWindowClassName = L&quot;TimerWindowClass&quot;;
</span><span class="cx"> static bool processingCustomTimerMessage = false;
</span><ins>+const int sharedTimerID = 1000;
</ins><span class="cx"> 
</span><span class="cx"> LRESULT CALLBACK TimerWindowWndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam)
</span><span class="cx"> {
</span><del>-    if (message == timerFiredMessage) {
</del><ins>+    if (message == timerFiredMessage || (message == WM_TIMER &amp;&amp; wParam == sharedTimerID)) {
</ins><span class="cx">         processingCustomTimerMessage = true;
</span><span class="cx">         sharedTimerFiredFunction();
</span><span class="cx">         processingCustomTimerMessage = false;
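Review bot: the new `message == WM_TIMER && wParam == sharedTimerID` branch only makes sense together with the timer now being created against `timerWindowHandle`, and nothing in the code says why a window-based WM_TIMER replaced the callback; a one-line comment above the condition (for example "Handle WM_TIMER here rather than via a SetTimer callback so Windows does not wrap the call in an exception handler that swallows crashes") would keep the rationale from the ChangeLog next to the code it explains. Minor: `sharedTimerID` is declared `const int` but is compared against a `WPARAM` here and passed as the `UINT_PTR nIDEvent` argument of `SetTimer` below; `const UINT_PTR sharedTimerID = 1000;` avoids the signed/unsigned and width mismatch.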
</span><span class="lines">@@ -76,11 +77,6 @@
</span><span class="cx">     sharedTimerFiredFunction = f;
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-static void CALLBACK timerFired(HWND, UINT, UINT_PTR, DWORD)
-{
-    sharedTimerFiredFunction();
-}
-
</del><span class="cx"> void setSharedTimerFireTime(double fireTime)
</span><span class="cx"> {
</span><span class="cx">     ASSERT(sharedTimerFiredFunction);
</span><span class="lines">@@ -107,13 +103,13 @@
</span><span class="cx">     // user input &gt; WM_PAINT/WM_TIMER.)
</span><span class="cx">     // In addition, if the queue contains input events that have been there since the last call to
</span><span class="cx">     // GetQueueStatus, PeekMessage or GetMessage we favor timers.
</span><ins>+    initializeOffScreenTimerWindow();
</ins><span class="cx">     if (intervalInMS &lt; USER_TIMER_MINIMUM &amp;&amp; !processingCustomTimerMessage &amp;&amp; 
</span><span class="cx">         !LOWORD(::GetQueueStatus(QS_ALLINPUT))) {
</span><span class="cx">         // Windows SetTimer does not allow timeouts smaller than 10ms (USER_TIMER_MINIMUM)
</span><del>-        initializeOffScreenTimerWindow();
</del><span class="cx">         PostMessage(timerWindowHandle, timerFiredMessage, 0, 0);
</span><span class="cx">     } else
</span><del>-        timerID = SetTimer(0, 0, intervalInMS, timerFired);
</del><ins>+        timerID = SetTimer(timerWindowHandle, sharedTimerID, intervalInMS, 0);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void stopSharedTimer()
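Review bot: `KillTimer` for a timer created with a non-null window handle must be called with that same handle and id, so if `stopSharedTimer()` (whose body starts at the last context line but is not in this hunk) still kills the timer with a null window handle and the saved `timerID`, the timer is never cancelled and keeps posting WM_TIMER to the timer window; please make it `KillTimer(timerWindowHandle, sharedTimerID)` or confirm it already is. Also, with a non-null window `SetTimer` returns the id on success and 0 on failure, so `timerID` now only ever holds `sharedTimerID` or 0 and the assignment `timerID = SetTimer(timerWindowHandle, sharedTimerID, intervalInMS, 0);` does not check the failure case. Moving `initializeOffScreenTimerWindow();` ahead of the branch is needed so the `SetTimer` path has a valid `timerWindowHandle`, which is fine.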
</span></span></pre>
</div>
</div>

</body>
</html>