<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[181946] releases/WebKitGTK/webkit-2.8/Source</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/181946">181946</a></dd>
<dt>Author</dt> <dd>carlosgc@webkit.org</dd>
<dt>Date</dt> <dd>2015-03-25 04:06:41 -0700 (Wed, 25 Mar 2015)</dd>
</dl>
<h3>Log Message</h3>
<pre>Merge <a href="http://trac.webkit.org/projects/webkit/changeset/181814">r181814</a> - REGRESSION (<a href="http://trac.webkit.org/projects/webkit/changeset/179429">r179429</a>): Potential Use after free in JavaScriptCore`WTF::StringImpl::ref + 83
https://bugs.webkit.org/show_bug.cgi?id=142410
Reviewed by Geoffrey Garen.
Source/JavaScriptCore:
Before this patch, added function JSValue::toPropertyKey returns PropertyName.
Since PropertyName doesn't have AtomicStringImpl ownership,
if Identifier is implicitly converted to PropertyName and Identifier is destructed,
PropertyName may refer freed AtomicStringImpl*.
This patch changes the result type of JSValue::toPropertyName from PropertyName to Identifier,
to keep AtomicStringImpl* ownership after the toPropertyName call is done.
And receive the result value as Identifier type to keep ownership in the caller side.
To catch the result of toPropertyKey as is, we catch the result of toPropertyName as auto.
However, now we don't need to have both Identifier and PropertyName.
So we'll merge PropertyName to Identifier in the subsequent patch.
* dfg/DFGOperations.cpp:
(JSC::DFG::operationPutByValInternal):
* jit/JITOperations.cpp:
(JSC::getByVal):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::getByVal):
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/CommonSlowPaths.h:
(JSC::CommonSlowPaths::opIn):
* runtime/JSCJSValue.h:
* runtime/JSCJSValueInlines.h:
(JSC::JSValue::toPropertyKey):
* runtime/ObjectConstructor.cpp:
(JSC::objectConstructorGetOwnPropertyDescriptor):
(JSC::objectConstructorDefineProperty):
* runtime/ObjectPrototype.cpp:
(JSC::objectProtoFuncPropertyIsEnumerable):
Source/WebCore:
The same issues are found in the existing code; PropertyName does not have ownership.
This patch rewrite the point that should have ownership to Identifier.
* bindings/js/JSDOMWindowCustom.cpp:
(WebCore::JSDOMWindow::getOwnPropertySlotByIndex):
(WebCore::JSDOMWindow::putByIndex):
* bindings/js/ReadableStreamJSSource.cpp:
(WebCore::getInternalSlotFromObject):
* bindings/scripts/CodeGeneratorJS.pm:
(GenerateImplementation):
* bindings/scripts/test/JS/JSTestCustomNamedGetter.cpp:
(WebCore::JSTestCustomNamedGetter::getOwnPropertySlotByIndex):
* bindings/scripts/test/JS/JSTestEventTarget.cpp:
(WebCore::JSTestEventTarget::getOwnPropertySlotByIndex):
* bindings/scripts/test/JS/JSTestInterface.cpp:
(WebCore::JSTestInterface::putByIndex):</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit28SourceJavaScriptCoreChangeLog">releases/WebKitGTK/webkit-2.8/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit28SourceJavaScriptCoredfgDFGOperationscpp">releases/WebKitGTK/webkit-2.8/Source/JavaScriptCore/dfg/DFGOperations.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit28SourceJavaScriptCorejitJITOperationscpp">releases/WebKitGTK/webkit-2.8/Source/JavaScriptCore/jit/JITOperations.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit28SourceJavaScriptCorellintLLIntSlowPathscpp">releases/WebKitGTK/webkit-2.8/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit28SourceJavaScriptCoreruntimeCommonSlowPathscpp">releases/WebKitGTK/webkit-2.8/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit28SourceJavaScriptCoreruntimeCommonSlowPathsh">releases/WebKitGTK/webkit-2.8/Source/JavaScriptCore/runtime/CommonSlowPaths.h</a></li>
<li><a href="#releasesWebKitGTKwebkit28SourceJavaScriptCoreruntimeJSCJSValueh">releases/WebKitGTK/webkit-2.8/Source/JavaScriptCore/runtime/JSCJSValue.h</a></li>
<li><a href="#releasesWebKitGTKwebkit28SourceJavaScriptCoreruntimeJSCJSValueInlinesh">releases/WebKitGTK/webkit-2.8/Source/JavaScriptCore/runtime/JSCJSValueInlines.h</a></li>
<li><a href="#releasesWebKitGTKwebkit28SourceJavaScriptCoreruntimeObjectConstructorcpp">releases/WebKitGTK/webkit-2.8/Source/JavaScriptCore/runtime/ObjectConstructor.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit28SourceJavaScriptCoreruntimeObjectPrototypecpp">releases/WebKitGTK/webkit-2.8/Source/JavaScriptCore/runtime/ObjectPrototype.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit28SourceWebCoreChangeLog">releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit28SourceWebCorebindingsjsJSDOMWindowCustomcpp">releases/WebKitGTK/webkit-2.8/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit28SourceWebCorebindingsscriptsCodeGeneratorJSpm">releases/WebKitGTK/webkit-2.8/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm</a></li>
<li><a href="#releasesWebKitGTKwebkit28SourceWebCorebindingsscriptstestJSJSTestCustomNamedGettercpp">releases/WebKitGTK/webkit-2.8/Source/WebCore/bindings/scripts/test/JS/JSTestCustomNamedGetter.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit28SourceWebCorebindingsscriptstestJSJSTestEventTargetcpp">releases/WebKitGTK/webkit-2.8/Source/WebCore/bindings/scripts/test/JS/JSTestEventTarget.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit28SourceWebCorebindingsscriptstestJSJSTestInterfacecpp">releases/WebKitGTK/webkit-2.8/Source/WebCore/bindings/scripts/test/JS/JSTestInterface.cpp</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="releasesWebKitGTKwebkit28SourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.8/Source/JavaScriptCore/ChangeLog (181945 => 181946)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.8/Source/JavaScriptCore/ChangeLog 2015-03-25 10:36:19 UTC (rev 181945)
+++ releases/WebKitGTK/webkit-2.8/Source/JavaScriptCore/ChangeLog 2015-03-25 11:06:41 UTC (rev 181946)
</span><span class="lines">@@ -1,3 +1,44 @@
</span><ins>+2015-03-20 Yusuke Suzuki <utatane.tea@gmail.com>
+
+ REGRESSION (r179429): Potential Use after free in JavaScriptCore`WTF::StringImpl::ref + 83
+ https://bugs.webkit.org/show_bug.cgi?id=142410
+
+ Reviewed by Geoffrey Garen.
+
+ Before this patch, added function JSValue::toPropertyKey returns PropertyName.
+ Since PropertyName doesn't have AtomicStringImpl ownership,
+ if Identifier is implicitly converted to PropertyName and Identifier is destructed,
+ PropertyName may refer freed AtomicStringImpl*.
+
+ This patch changes the result type of JSValue::toPropertyName from PropertyName to Identifier,
+ to keep AtomicStringImpl* ownership after the toPropertyName call is done.
+ And receive the result value as Identifier type to keep ownership in the caller side.
+
+ To catch the result of toPropertyKey as is, we catch the result of toPropertyName as auto.
+
+ However, now we don't need to have both Identifier and PropertyName.
+ So we'll merge PropertyName to Identifier in the subsequent patch.
+
+ * dfg/DFGOperations.cpp:
+ (JSC::DFG::operationPutByValInternal):
+ * jit/JITOperations.cpp:
+ (JSC::getByVal):
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::getByVal):
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ * runtime/CommonSlowPaths.cpp:
+ (JSC::SLOW_PATH_DECL):
+ * runtime/CommonSlowPaths.h:
+ (JSC::CommonSlowPaths::opIn):
+ * runtime/JSCJSValue.h:
+ * runtime/JSCJSValueInlines.h:
+ (JSC::JSValue::toPropertyKey):
+ * runtime/ObjectConstructor.cpp:
+ (JSC::objectConstructorGetOwnPropertyDescriptor):
+ (JSC::objectConstructorDefineProperty):
+ * runtime/ObjectPrototype.cpp:
+ (JSC::objectProtoFuncPropertyIsEnumerable):
+
</ins><span class="cx"> 2015-03-19 Andreas Kling <akling@apple.com>
</span><span class="cx">
</span><span class="cx"> JSCallee unnecessarily overrides a bunch of things in the method table.
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit28SourceJavaScriptCoredfgDFGOperationscpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.8/Source/JavaScriptCore/dfg/DFGOperations.cpp (181945 => 181946)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.8/Source/JavaScriptCore/dfg/DFGOperations.cpp 2015-03-25 10:36:19 UTC (rev 181945)
+++ releases/WebKitGTK/webkit-2.8/Source/JavaScriptCore/dfg/DFGOperations.cpp 2015-03-25 11:06:41 UTC (rev 181946)
</span><span class="lines">@@ -111,7 +111,7 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> // Don't put to an object if toString throws an exception.
</span><del>- PropertyName propertyName = property.toPropertyKey(exec);
</del><ins>+ auto propertyName = property.toPropertyKey(exec);
</ins><span class="cx"> if (!vm->exception()) {
</span><span class="cx"> PutPropertySlot slot(baseValue, strict);
</span><span class="cx"> if (direct) {
</span><span class="lines">@@ -296,7 +296,7 @@
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
</span><del>- PropertyName propertyName = property.toPropertyKey(exec);
</del><ins>+ auto propertyName = property.toPropertyKey(exec);
</ins><span class="cx"> return JSValue::encode(baseValue.get(exec, propertyName));
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -324,7 +324,7 @@
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
</span><del>- PropertyName propertyName = property.toPropertyKey(exec);
</del><ins>+ auto propertyName = property.toPropertyKey(exec);
</ins><span class="cx"> return JSValue::encode(JSValue(base).get(exec, propertyName));
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit28SourceJavaScriptCorejitJITOperationscpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.8/Source/JavaScriptCore/jit/JITOperations.cpp (181945 => 181946)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.8/Source/JavaScriptCore/jit/JITOperations.cpp 2015-03-25 10:36:19 UTC (rev 181945)
+++ releases/WebKitGTK/webkit-2.8/Source/JavaScriptCore/jit/JITOperations.cpp 2015-03-25 11:06:41 UTC (rev 181946)
</span><span class="lines">@@ -467,7 +467,7 @@
</span><span class="cx"> } else
</span><span class="cx"> baseValue.putByIndex(callFrame, i, value, callFrame->codeBlock()->isStrictMode());
</span><span class="cx"> } else {
</span><del>- PropertyName property = subscript.toPropertyKey(callFrame);
</del><ins>+ auto property = subscript.toPropertyKey(callFrame);
</ins><span class="cx"> if (!callFrame->vm().exception()) { // Don't put to an object if toString threw an exception.
</span><span class="cx"> PutPropertySlot slot(baseValue, callFrame->codeBlock()->isStrictMode());
</span><span class="cx"> baseValue.put(callFrame, property, value, slot);
</span><span class="lines">@@ -481,7 +481,7 @@
</span><span class="cx"> uint32_t i = subscript.asUInt32();
</span><span class="cx"> baseObject->putDirectIndex(callFrame, i, value);
</span><span class="cx"> } else {
</span><del>- PropertyName property = subscript.toPropertyKey(callFrame);
</del><ins>+ auto property = subscript.toPropertyKey(callFrame);
</ins><span class="cx"> if (!callFrame->vm().exception()) { // Don't put to an object if toString threw an exception.
</span><span class="cx"> PutPropertySlot slot(baseObject, callFrame->codeBlock()->isStrictMode());
</span><span class="cx"> baseObject->putDirect(callFrame->vm(), property, value, slot);
</span><span class="lines">@@ -1429,7 +1429,7 @@
</span><span class="cx"> return baseValue.get(exec, i);
</span><span class="cx"> }
</span><span class="cx">
</span><del>- PropertyName property = subscript.toPropertyKey(exec);
</del><ins>+ auto property = subscript.toPropertyKey(exec);
</ins><span class="cx"> return baseValue.get(exec, property);
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -1565,7 +1565,7 @@
</span><span class="cx"> ctiPatchCallByReturnAddress(exec->codeBlock(), ReturnAddressPtr(OUR_RETURN_ADDRESS), FunctionPtr(operationGetByValDefault));
</span><span class="cx"> }
</span><span class="cx"> } else {
</span><del>- PropertyName property = subscript.toPropertyKey(exec);
</del><ins>+ auto property = subscript.toPropertyKey(exec);
</ins><span class="cx"> result = baseValue.get(exec, property);
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit28SourceJavaScriptCorellintLLIntSlowPathscpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.8/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp (181945 => 181946)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.8/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp 2015-03-25 10:36:19 UTC (rev 181945)
+++ releases/WebKitGTK/webkit-2.8/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp 2015-03-25 11:06:41 UTC (rev 181946)
</span><span class="lines">@@ -745,7 +745,7 @@
</span><span class="cx"> return baseValue.get(exec, i);
</span><span class="cx"> }
</span><span class="cx">
</span><del>- PropertyName property = subscript.toPropertyKey(exec);
</del><ins>+ auto property = subscript.toPropertyKey(exec);
</ins><span class="cx"> return baseValue.get(exec, property);
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -795,7 +795,7 @@
</span><span class="cx"> LLINT_END();
</span><span class="cx"> }
</span><span class="cx">
</span><del>- PropertyName property = subscript.toPropertyKey(exec);
</del><ins>+ auto property = subscript.toPropertyKey(exec);
</ins><span class="cx"> LLINT_CHECK_EXCEPTION();
</span><span class="cx"> PutPropertySlot slot(baseValue, exec->codeBlock()->isStrictMode());
</span><span class="cx"> baseValue.put(exec, property, value, slot);
</span><span class="lines">@@ -815,7 +815,7 @@
</span><span class="cx"> uint32_t i = subscript.asUInt32();
</span><span class="cx"> baseObject->putDirectIndex(exec, i, value);
</span><span class="cx"> } else {
</span><del>- PropertyName property = subscript.toPropertyKey(exec);
</del><ins>+ auto property = subscript.toPropertyKey(exec);
</ins><span class="cx"> if (!exec->vm().exception()) { // Don't put to an object if toString threw an exception.
</span><span class="cx"> PutPropertySlot slot(baseObject, exec->codeBlock()->isStrictMode());
</span><span class="cx"> baseObject->putDirect(exec->vm(), property, value, slot);
</span><span class="lines">@@ -839,7 +839,7 @@
</span><span class="cx"> couldDelete = baseObject->methodTable()->deletePropertyByIndex(baseObject, exec, i);
</span><span class="cx"> else {
</span><span class="cx"> LLINT_CHECK_EXCEPTION();
</span><del>- PropertyName property = subscript.toPropertyKey(exec);
</del><ins>+ auto property = subscript.toPropertyKey(exec);
</ins><span class="cx"> LLINT_CHECK_EXCEPTION();
</span><span class="cx"> couldDelete = baseObject->methodTable()->deleteProperty(baseObject, exec, property);
</span><span class="cx"> }
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit28SourceJavaScriptCoreruntimeCommonSlowPathscpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.8/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp (181945 => 181946)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.8/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp 2015-03-25 10:36:19 UTC (rev 181945)
+++ releases/WebKitGTK/webkit-2.8/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp 2015-03-25 11:06:41 UTC (rev 181946)
</span><span class="lines">@@ -488,7 +488,7 @@
</span><span class="cx"> couldDelete = baseObject->methodTable()->deletePropertyByIndex(baseObject, exec, i);
</span><span class="cx"> else {
</span><span class="cx"> CHECK_EXCEPTION();
</span><del>- PropertyName property = subscript.toPropertyKey(exec);
</del><ins>+ auto property = subscript.toPropertyKey(exec);
</ins><span class="cx"> CHECK_EXCEPTION();
</span><span class="cx"> couldDelete = baseObject->methodTable()->deleteProperty(baseObject, exec, property);
</span><span class="cx"> }
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit28SourceJavaScriptCoreruntimeCommonSlowPathsh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.8/Source/JavaScriptCore/runtime/CommonSlowPaths.h (181945 => 181946)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.8/Source/JavaScriptCore/runtime/CommonSlowPaths.h 2015-03-25 10:36:19 UTC (rev 181945)
+++ releases/WebKitGTK/webkit-2.8/Source/JavaScriptCore/runtime/CommonSlowPaths.h 2015-03-25 11:06:41 UTC (rev 181946)
</span><span class="lines">@@ -82,7 +82,7 @@
</span><span class="cx"> if (propName.getUInt32(i))
</span><span class="cx"> return baseObj->hasProperty(exec, i);
</span><span class="cx">
</span><del>- PropertyName property = propName.toPropertyKey(exec);
</del><ins>+ auto property = propName.toPropertyKey(exec);
</ins><span class="cx"> if (exec->vm().exception())
</span><span class="cx"> return false;
</span><span class="cx"> return baseObj->hasProperty(exec, property);
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit28SourceJavaScriptCoreruntimeJSCJSValueh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.8/Source/JavaScriptCore/runtime/JSCJSValue.h (181945 => 181946)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.8/Source/JavaScriptCore/runtime/JSCJSValue.h 2015-03-25 10:36:19 UTC (rev 181945)
+++ releases/WebKitGTK/webkit-2.8/Source/JavaScriptCore/runtime/JSCJSValue.h 2015-03-25 11:06:41 UTC (rev 181946)
</span><span class="lines">@@ -46,6 +46,7 @@
</span><span class="cx"> class JSGlobalObject;
</span><span class="cx"> class JSObject;
</span><span class="cx"> class JSString;
</span><ins>+class Identifier;
</ins><span class="cx"> class PropertyName;
</span><span class="cx"> class PropertySlot;
</span><span class="cx"> class PutPropertySlot;
</span><span class="lines">@@ -243,7 +244,7 @@
</span><span class="cx"> // been set in the ExecState already.
</span><span class="cx"> double toNumber(ExecState*) const;
</span><span class="cx"> JSString* toString(ExecState*) const;
</span><del>- PropertyName toPropertyKey(ExecState*) const;
</del><ins>+ Identifier toPropertyKey(ExecState*) const;
</ins><span class="cx"> WTF::String toWTFString(ExecState*) const;
</span><span class="cx"> WTF::String toWTFStringInline(ExecState*) const;
</span><span class="cx"> JSObject* toObject(ExecState*) const;
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit28SourceJavaScriptCoreruntimeJSCJSValueInlinesh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.8/Source/JavaScriptCore/runtime/JSCJSValueInlines.h (181945 => 181946)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.8/Source/JavaScriptCore/runtime/JSCJSValueInlines.h 2015-03-25 10:36:19 UTC (rev 181945)
+++ releases/WebKitGTK/webkit-2.8/Source/JavaScriptCore/runtime/JSCJSValueInlines.h 2015-03-25 11:06:41 UTC (rev 181946)
</span><span class="lines">@@ -610,14 +610,14 @@
</span><span class="cx"> return false;
</span><span class="cx"> }
</span><span class="cx">
</span><del>-ALWAYS_INLINE PropertyName JSValue::toPropertyKey(ExecState* exec) const
</del><ins>+ALWAYS_INLINE Identifier JSValue::toPropertyKey(ExecState* exec) const
</ins><span class="cx"> {
</span><span class="cx"> if (isString())
</span><span class="cx"> return asString(*this)->toIdentifier(exec);
</span><span class="cx">
</span><span class="cx"> JSValue primitive = toPrimitive(exec, PreferString);
</span><span class="cx"> if (primitive.isSymbol())
</span><del>- return asSymbol(primitive)->privateName();
</del><ins>+ return Identifier::from(asSymbol(primitive)->privateName());
</ins><span class="cx"> return primitive.toString(exec)->toIdentifier(exec);
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit28SourceJavaScriptCoreruntimeObjectConstructorcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.8/Source/JavaScriptCore/runtime/ObjectConstructor.cpp (181945 => 181946)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.8/Source/JavaScriptCore/runtime/ObjectConstructor.cpp 2015-03-25 10:36:19 UTC (rev 181945)
+++ releases/WebKitGTK/webkit-2.8/Source/JavaScriptCore/runtime/ObjectConstructor.cpp 2015-03-25 11:06:41 UTC (rev 181946)
</span><span class="lines">@@ -173,7 +173,7 @@
</span><span class="cx"> {
</span><span class="cx"> if (!exec->argument(0).isObject())
</span><span class="cx"> return throwVMError(exec, createTypeError(exec, ASCIILiteral("Requested property descriptor of a value that is not an object.")));
</span><del>- PropertyName propertyName = exec->argument(1).toPropertyKey(exec);
</del><ins>+ auto propertyName = exec->argument(1).toPropertyKey(exec);
</ins><span class="cx"> if (exec->hadException())
</span><span class="cx"> return JSValue::encode(jsNull());
</span><span class="cx"> JSObject* object = asObject(exec->argument(0));
</span><span class="lines">@@ -316,7 +316,7 @@
</span><span class="cx"> if (!exec->argument(0).isObject())
</span><span class="cx"> return throwVMError(exec, createTypeError(exec, ASCIILiteral("Properties can only be defined on Objects.")));
</span><span class="cx"> JSObject* O = asObject(exec->argument(0));
</span><del>- PropertyName propertyName = exec->argument(1).toPropertyKey(exec);
</del><ins>+ auto propertyName = exec->argument(1).toPropertyKey(exec);
</ins><span class="cx"> if (exec->hadException())
</span><span class="cx"> return JSValue::encode(jsNull());
</span><span class="cx"> PropertyDescriptor descriptor;
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit28SourceJavaScriptCoreruntimeObjectPrototypecpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.8/Source/JavaScriptCore/runtime/ObjectPrototype.cpp (181945 => 181946)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.8/Source/JavaScriptCore/runtime/ObjectPrototype.cpp 2015-03-25 10:36:19 UTC (rev 181945)
+++ releases/WebKitGTK/webkit-2.8/Source/JavaScriptCore/runtime/ObjectPrototype.cpp 2015-03-25 11:06:41 UTC (rev 181946)
</span><span class="lines">@@ -182,7 +182,7 @@
</span><span class="cx"> EncodedJSValue JSC_HOST_CALL objectProtoFuncPropertyIsEnumerable(ExecState* exec)
</span><span class="cx"> {
</span><span class="cx"> JSObject* thisObject = exec->thisValue().toThis(exec, StrictMode).toObject(exec);
</span><del>- PropertyName propertyName = exec->argument(0).toPropertyKey(exec);
</del><ins>+ auto propertyName = exec->argument(0).toPropertyKey(exec);
</ins><span class="cx">
</span><span class="cx"> PropertyDescriptor descriptor;
</span><span class="cx"> bool enumerable = thisObject->getOwnPropertyDescriptor(exec, propertyName, descriptor) && descriptor.enumerable();
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit28SourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog (181945 => 181946)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog 2015-03-25 10:36:19 UTC (rev 181945)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog 2015-03-25 11:06:41 UTC (rev 181946)
</span><span class="lines">@@ -1,3 +1,27 @@
</span><ins>+2015-03-20 Yusuke Suzuki <utatane.tea@gmail.com>
+
+ REGRESSION (r179429): Potential Use after free in JavaScriptCore`WTF::StringImpl::ref + 83
+ https://bugs.webkit.org/show_bug.cgi?id=142410
+
+ Reviewed by Geoffrey Garen.
+
+ The same issues are found in the existing code; PropertyName does not have ownership.
+ This patch rewrite the point that should have ownership to Identifier.
+
+ * bindings/js/JSDOMWindowCustom.cpp:
+ (WebCore::JSDOMWindow::getOwnPropertySlotByIndex):
+ (WebCore::JSDOMWindow::putByIndex):
+ * bindings/js/ReadableStreamJSSource.cpp:
+ (WebCore::getInternalSlotFromObject):
+ * bindings/scripts/CodeGeneratorJS.pm:
+ (GenerateImplementation):
+ * bindings/scripts/test/JS/JSTestCustomNamedGetter.cpp:
+ (WebCore::JSTestCustomNamedGetter::getOwnPropertySlotByIndex):
+ * bindings/scripts/test/JS/JSTestEventTarget.cpp:
+ (WebCore::JSTestEventTarget::getOwnPropertySlotByIndex):
+ * bindings/scripts/test/JS/JSTestInterface.cpp:
+ (WebCore::JSTestInterface::putByIndex):
+
</ins><span class="cx"> 2015-03-19 Enrica Casucci <enrica@apple.com>
</span><span class="cx">
</span><span class="cx"> REGRESSION (r109593): Clicking after last inline element could cause a crash.
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit28SourceWebCorebindingsjsJSDOMWindowCustomcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp (181945 => 181946)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.8/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp 2015-03-25 10:36:19 UTC (rev 181945)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp 2015-03-25 11:06:41 UTC (rev 181946)
</span><span class="lines">@@ -263,7 +263,7 @@
</span><span class="cx"> if (allowsAccess && JSGlobalObject::getOwnPropertySlotByIndex(thisObject, exec, index, slot))
</span><span class="cx"> return true;
</span><span class="cx">
</span><del>- PropertyName propertyName = Identifier::from(exec, index);
</del><ins>+ Identifier propertyName = Identifier::from(exec, index);
</ins><span class="cx">
</span><span class="cx"> // Check for child frames by name before built-in properties to
</span><span class="cx"> // match Mozilla. This does not match IE, but some sites end up
</span><span class="lines">@@ -308,7 +308,7 @@
</span><span class="cx"> // Allow shortcuts like 'Image1' instead of document.images.Image1
</span><span class="cx"> Document* document = thisObject->impl().frame()->document();
</span><span class="cx"> if (is<HTMLDocument>(*document)) {
</span><del>- AtomicStringImpl* atomicPropertyName = propertyName.publicName();
</del><ins>+ AtomicStringImpl* atomicPropertyName = propertyName.impl();
</ins><span class="cx"> if (atomicPropertyName && downcast<HTMLDocument>(*document).hasWindowNamedItem(*atomicPropertyName)) {
</span><span class="cx"> slot.setCustom(thisObject, ReadOnly | DontDelete | DontEnum, namedItemGetter);
</span><span class="cx"> return true;
</span><span class="lines">@@ -344,7 +344,7 @@
</span><span class="cx"> if (!thisObject->impl().frame())
</span><span class="cx"> return;
</span><span class="cx">
</span><del>- PropertyName propertyName = Identifier::from(exec, index);
</del><ins>+ Identifier propertyName = Identifier::from(exec, index);
</ins><span class="cx">
</span><span class="cx"> // Optimization: access JavaScript global variables directly before involving the DOM.
</span><span class="cx"> if (thisObject->JSGlobalObject::hasOwnPropertyForWrite(exec, propertyName)) {
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit28SourceWebCorebindingsscriptsCodeGeneratorJSpm"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm (181945 => 181946)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.8/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm 2015-03-25 10:36:19 UTC (rev 181945)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm 2015-03-25 11:06:41 UTC (rev 181946)
</span><span class="lines">@@ -2107,7 +2107,7 @@
</span><span class="cx"> if ($generatedPropertyName) {
</span><span class="cx"> return;
</span><span class="cx"> }
</span><del>- push(@implContent, " PropertyName propertyName = Identifier::from(exec, index);\n");
</del><ins>+ push(@implContent, " Identifier propertyName = Identifier::from(exec, index);\n");
</ins><span class="cx"> $generatedPropertyName = 1;
</span><span class="cx"> };
</span><span class="cx">
</span><span class="lines">@@ -2483,7 +2483,7 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> if ($interface->extendedAttributes->{"CustomNamedSetter"}) {
</span><del>- push(@implContent, " PropertyName propertyName = Identifier::from(exec, index);\n");
</del><ins>+ push(@implContent, " Identifier propertyName = Identifier::from(exec, index);\n");
</ins><span class="cx"> push(@implContent, " PutPropertySlot slot(thisObject, shouldThrow);\n");
</span><span class="cx"> push(@implContent, " if (thisObject->putDelegate(exec, propertyName, value, slot))\n");
</span><span class="cx"> push(@implContent, " return;\n");
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit28SourceWebCorebindingsscriptstestJSJSTestCustomNamedGettercpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/bindings/scripts/test/JS/JSTestCustomNamedGetter.cpp (181945 => 181946)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.8/Source/WebCore/bindings/scripts/test/JS/JSTestCustomNamedGetter.cpp 2015-03-25 10:36:19 UTC (rev 181945)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/bindings/scripts/test/JS/JSTestCustomNamedGetter.cpp 2015-03-25 11:06:41 UTC (rev 181946)
</span><span class="lines">@@ -174,7 +174,7 @@
</span><span class="cx"> {
</span><span class="cx"> JSTestCustomNamedGetter* thisObject = jsCast<JSTestCustomNamedGetter*>(object);
</span><span class="cx"> ASSERT_GC_OBJECT_INHERITS(thisObject, info());
</span><del>- PropertyName propertyName = Identifier::from(exec, index);
</del><ins>+ Identifier propertyName = Identifier::from(exec, index);
</ins><span class="cx"> if (canGetItemsForName(exec, &thisObject->impl(), propertyName)) {
</span><span class="cx"> slot.setCustom(thisObject, ReadOnly | DontDelete | DontEnum, thisObject->nameGetter);
</span><span class="cx"> return true;
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit28SourceWebCorebindingsscriptstestJSJSTestEventTargetcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/bindings/scripts/test/JS/JSTestEventTarget.cpp (181945 => 181946)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.8/Source/WebCore/bindings/scripts/test/JS/JSTestEventTarget.cpp 2015-03-25 10:36:19 UTC (rev 181945)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/bindings/scripts/test/JS/JSTestEventTarget.cpp 2015-03-25 11:06:41 UTC (rev 181946)
</span><span class="lines">@@ -202,7 +202,7 @@
</span><span class="cx"> slot.setValue(thisObject, attributes, toJS(exec, thisObject->globalObject(), thisObject->impl().item(index)));
</span><span class="cx"> return true;
</span><span class="cx"> }
</span><del>- PropertyName propertyName = Identifier::from(exec, index);
</del><ins>+ Identifier propertyName = Identifier::from(exec, index);
</ins><span class="cx"> if (canGetItemsForName(exec, &thisObject->impl(), propertyName)) {
</span><span class="cx"> slot.setCustom(thisObject, ReadOnly | DontDelete | DontEnum, thisObject->nameGetter);
</span><span class="cx"> return true;
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit28SourceWebCorebindingsscriptstestJSJSTestInterfacecpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/bindings/scripts/test/JS/JSTestInterface.cpp (181945 => 181946)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.8/Source/WebCore/bindings/scripts/test/JS/JSTestInterface.cpp 2015-03-25 10:36:19 UTC (rev 181945)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/bindings/scripts/test/JS/JSTestInterface.cpp 2015-03-25 11:06:41 UTC (rev 181946)
</span><span class="lines">@@ -654,7 +654,7 @@
</span><span class="cx"> {
</span><span class="cx"> JSTestInterface* thisObject = jsCast<JSTestInterface*>(cell);
</span><span class="cx"> ASSERT_GC_OBJECT_INHERITS(thisObject, info());
</span><del>- PropertyName propertyName = Identifier::from(exec, index);
</del><ins>+ Identifier propertyName = Identifier::from(exec, index);
</ins><span class="cx"> PutPropertySlot slot(thisObject, shouldThrow);
</span><span class="cx"> if (thisObject->putDelegate(exec, propertyName, value, slot))
</span><span class="cx"> return;
</span></span></pre>
</div>
</div>
</body>
</html>