[webkit-reviews] review denied: [Bug 182975] Fix std::make_unique / new[] using system malloc : [Attachment 334564] Patch

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Mar 2 10:33:32 PST 2018


JF Bastien <jfbastien at apple.com> has denied Yusuke Suzuki
<utatane.tea at gmail.com>'s request for review:
Bug 182975: Fix std::make_unique / new[] using system malloc
https://bugs.webkit.org/show_bug.cgi?id=182975

Attachment 334564: Patch

https://bugs.webkit.org/attachment.cgi?id=334564&action=review




--- Comment #20 from JF Bastien <jfbastien at apple.com> ---
Comment on attachment 334564
  --> https://bugs.webkit.org/attachment.cgi?id=334564
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=334564&action=review

> Source/JavaScriptCore/runtime/StructureIDTable.cpp:36
> +    , m_table(makeUniqueArray<StructureOrOffset>(s_initialSize))
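Review bot: makeUniqueArray<StructureOrOffset>(s_initialSize) hands back an array that carries no length of its own, so the table's capacity has to live in a separate member and be kept in sync on every reallocation; if the growth path below copies the old contents, the copy bound must come from that stored capacity rather than from s_initialSize, or the first resize copies the wrong number of elements.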

Seems like a vector would be better here since we realloc below.

> Source/WTF/wtf/UniqueArray.h:46
> +	   using U = typename std::remove_extent<T>::type;
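Review bot: if UniqueArray<T[]> is not meant to be supported, reject it at compile time instead of silently stripping the extent: a `static_assert(!std::is_array<T>::value, "UniqueArray takes the element type, not T[]");` next to this alias makes the contract explicit, and then remove_extent is not needed at all.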

Why remove_extent? We don't use UniqueArray<T[]> right? Should it be an error
to do so?

> Source/WTF/wtf/UniqueArray.h:96
> +    return UniqueArrayMaker<std::is_trivially_destructible<typename
std::remove_extent<T>::type>::value, T>::make(size);
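Review bot: this is the single choke point for every makeUniqueArray call site in the patch, several of which pass a product of dimensions (FormatConverter.h:49, GraphicsContext3DCG.cpp:481); make(size) should check size against SIZE_MAX / sizeof(T) (or accept a Checked<size_t>) before computing the byte count, so that an overflowed product fails here rather than producing an undersized buffer that the caller then overruns.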

Same here. You also remove_extent and it seems like it should just be an error
to get it. So you need std::is_same<T, remove_extent<T>>

> Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp:5933
> +    i = std::min(m_buffers.size() - 1, i);
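Review bot: when m_buffers.size() is 0 the subtraction wraps to SIZE_MAX, std::min returns i unchanged, and the subsequent access is out of bounds, so the clamp offers no protection in exactly the case it is meant to cover. Prefer an explicit early return (or an ASSERT) on an empty m_buffers, followed by `if (i >= m_buffers.size()) i = m_buffers.size() - 1;`, which cannot underflow.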

Can m_buffers.size() be 0?

> Source/WebCore/platform/graphics/FormatConverter.h:49
> +	   m_unpackedIntermediateSrcData = makeUniqueArray<uint8_t>(m_width *
MaxNumberOfComponents * MaxBytesPerComponent);
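Review bot: m_width * MaxNumberOfComponents * MaxBytesPerComponent is evaluated in the type of m_width before it becomes the element count; if that type is narrower than size_t the product wraps before makeUniqueArray ever sees it, and a wrapped count allocates a buffer the converter will then overrun. Compute it with WTF's Checked<size_t> (or test m_width against SIZE_MAX / (MaxNumberOfComponents * MaxBytesPerComponent)) and fail the conversion on overflow instead of allocating.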

Can this overflow?

> Source/WebCore/platform/graphics/cg/GraphicsContext3DCG.cpp:481
> +	   m_formalizedRGBA8Data = makeUniqueArray<uint8_t>(m_imageWidth *
m_imageHeight * 4);
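Review bot: same hazard as the FormatConverter allocation, with two factors that web content can influence: m_imageWidth * m_imageHeight * 4 is the byte size of the RGBA8 buffer, and if width and height are 32-bit then 32768 x 32768 x 4 already wraps to 0. Validate the product with Checked arithmetic and bail out before allocating; any loop that later fills m_formalizedRGBA8Data per pixel will write past a wrapped allocation.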

Can this overflow?

> Source/WebKit/Platform/IPC/unix/ConnectionUnix.cpp:149
> +	   memcpy(attachmentInfo.data(), messageData, sizeof(AttachmentInfo) *
attachmentCount);
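Review bot: two checks need to precede this memcpy and neither is visible in the hunk: that attachmentCount does not exceed the capacity of attachmentInfo (or that attachmentInfo was sized from attachmentCount with that multiplication itself overflow-checked), and that the received message really holds sizeof(AttachmentInfo) * attachmentCount bytes at messageData. If attachmentCount is read from the peer, it is untrusted input to the receiving process and both bounds must be enforced before copying; memcpy into AttachmentInfo objects also presumes the type is trivially copyable, which is worth a static_assert.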

Can this overflow?

> Tools/TestWebKitAPI/Tests/WTF/UniqueArray.cpp:33
> +static unsigned numberOfConstrucions { 0 };

typo "constructions"

> Tools/TestWebKitAPI/Tests/WTF/UniqueArray.cpp:44
> +    }

This isn't trivial?
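The two arithmetic hazards raised in the comments above (an index clamp of the form std::min(size() - 1, i) on a possibly empty container, and allocation sizes computed as width * height * bytesPerPixel) are shown below as an added example. This is not code from the patch or from WebKit; all names are hypothetical, and checkedMul is a stand-in for WTF's Checked arithmetic rather than the real class.

```cpp
// Added example (not WebKit code). Demonstrates the underflowing index clamp
// and the overflowing size product from the review, each beside a hardened form.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>
#include <vector>

// Hazard 1: std::min(v.size() - 1, i). With v empty, size() - 1 wraps to
// SIZE_MAX, std::min returns i unchanged, and the "clamped" index is still
// out of bounds.
size_t clampIndexUnchecked(const std::vector<int>& v, size_t i)
{
    return std::min(v.size() - 1, i);
}

// Hardened: refuse the operation on an empty container instead of wrapping.
// Returns false when there is nothing to index into.
bool clampIndexChecked(const std::vector<int>& v, size_t i, size_t& out)
{
    if (v.empty())
        return false;
    out = i >= v.size() ? v.size() - 1 : i;
    return true;
}

// Hazard 2: a size product that wraps yields a small buffer that later
// per-pixel writes overrun. Stand-in for WTF::Checked (hypothetical helper):
// multiply in size_t and report overflow instead of wrapping.
bool checkedMul(size_t a, size_t b, size_t& out)
{
    if (a != 0 && b > std::numeric_limits<size_t>::max() / a)
        return false;
    out = a * b;
    return true;
}

// Byte size of a width x height image at bytesPerPixel, or false on overflow.
bool imageBufferSize(size_t width, size_t height, size_t bytesPerPixel, size_t& out)
{
    size_t area = 0;
    if (!checkedMul(width, height, area))
        return false;
    return checkedMul(area, bytesPerPixel, out);
}

// The unchecked pattern with 32-bit dimension fields: the product is computed
// in 32 bits before any widening, so it wraps long before size_t is involved.
uint32_t wrappedProduct32(uint32_t width, uint32_t height)
{
    return width * height * 4u;
}

int main()
{
    std::vector<int> empty;
    std::printf("unchecked clamp on empty: %zu (still out of bounds)\n", clampIndexUnchecked(empty, 5));

    size_t bytes = 0;
    std::printf("32768x32768x4 in 32-bit arithmetic: %u\n", wrappedProduct32(32768, 32768));
    if (!imageBufferSize(std::numeric_limits<size_t>::max(), 2, 4, bytes))
        std::printf("checked product: overflow rejected\n");
    return 0;
}
```

The checked variants return a status instead of a value so that a caller cannot forget the failure case; in WebKit itself the same effect is obtained with Checked<size_t, RecordOverflow> and a hasOverflowed() test before the allocation.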

