[Webkit-unassigned] [Bug 89753] New: V8 bindings inheritance mechanism relies on the inheritance structure of the wrapped C++ classes

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Jun 22 03:55:14 PDT 2012 

https://bugs.webkit.org/show_bug.cgi?id=89753

           Summary: V8 bindings inheritance mechanism relies on the
                    inheritance structure of the wrapped C++ classes
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: yurys at chromium.org
                CC: abarth at webkit.org, dglazkov at chromium.org,
                    pfeldman at chromium.org, antonm at chromium.org,
                    loislo at chromium.org


In V8 bindings toNative conversion of a v8 handle to the wrapped native object is implemented as a reinterpret_cast<> to the exact type of the wrapped object, e.g.:

class V8Element {
...
    static Element* toNative(v8::Handle<v8::Object> object)
    {
        return reinterpret_cast<Element*>(object->GetPointerFromInternalField(v8DOMWrapperObjectIndex));
    }

this is true for all wrapper classes in the prototype chain that cast the pointer stored in v8DOMWrapperObjectIndex internal field to the type they require. Given that wrapSlow method will always store Node* pointer, toNative method assumes that the pointer to the wrapped object cast to Node* will point to the same address as the original one. This assumption may easily be broken if we have some classes with virtual methods in the ancestors list before the Node(see attached patch for example). This can be fixed by changing the toNative method to something like this:
    static Element* toNative(v8::Handle<v8::Object> object)
    {
        return static_cast<Element*>(static_cast<Node*>(object->GetPointerFromInternalField(v8DOMWrapperObjectIndex)));
    }


There is a worse problem in case of external arrays(and probably something else) where we first store pointer to Int32Array into the field and later may reinterpret_cast it to ArrayBufferView*

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list