[Webkit-unassigned] [Bug 82090] ArrayBufferView and its ArrayBuffer are appended to object pool in wrong order
bugzilla-daemon at webkit.org
Mon Mar 26 12:44:29 PDT 2012
https://bugs.webkit.org/show_bug.cgi?id=82090
--- Comment #12 from Dmitry Lomov <dslomov at google.com> 2012-03-26 12:44:29 PST ---
(From update of attachment 133858)
View in context: https://bugs.webkit.org/attachment.cgi?id=133858&action=review
Thanks for fishing out the root cause! It is a bug indeed!
However, I do not think that your fix is correct.
> Source/WebCore/bindings/js/SerializedScriptValue.cpp:1499
> + m_gcBuffer.removeLast();
I do not understand this. There is no guarantee that m_gcBuffer.last() is in fact a slot for ArrayBuffer. Here is an object whose serialization will fail:
{ new DataView(arrayBuffer), intermediateDataObject, new DataView(arrayBuffer) }
By the time the second DataView is deserialized, m_gcBuffer.last() will be a slot for intermediateDataObject.
The real fix would be to synchronize index allocation for serialization and deserialization; the easiest way to do this is at serialization time: first allocate an id for the ArrayBuffer and only then allocate an id for the ArrayBufferView.
I can prep a fix for that if you want (will be later today).
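To make the ordering problem concrete, here is an added toy model of the object pool (constructed for this thread, not WebKit's SerializedScriptValue code). It serializes the counterexample above with the buggy order (view numbered before its buffer) and with the proposed order (buffer first), and shows that only the second one survives a round trip; the `makeBuffer`/`makeView`/`makeData` helpers and the `roundTrips` check are assumptions of the model.

```javascript
// Toy object pool model (constructed, not WebKit code): each side numbers objects
// as it meets them and writes a repeated object as {ref: index}.
function makeBuffer(bytes) { return { kind: "buffer", bytes }; }
function makeView(buffer, offset) { return { kind: "view", buffer, offset }; }
function makeData(value) { return { kind: "data", value }; }

// Serializer. bufferFirst=false numbers the view before its buffer (the bug);
// bufferFirst=true numbers the buffer first, as the comment proposes.
function serialize(items, bufferFirst) {
  const pool = new Map(); // object -> index, in serialization order
  const dump = (obj) => {
    if (pool.has(obj)) return { ref: pool.get(obj) };
    if (obj.kind !== "view") { pool.set(obj, pool.size); return { ...obj }; }
    if (bufferFirst) {
      const buffer = dump(obj.buffer);
      pool.set(obj, pool.size);
      return { kind: "view", offset: obj.offset, buffer };
    }
    pool.set(obj, pool.size);
    return { kind: "view", offset: obj.offset, buffer: dump(obj.buffer) };
  };
  return items.map(dump);
}

// Deserializer (models m_gcBuffer): always appends the buffer, then the view.
function deserialize(tokens) {
  const pool = [];
  const read = (tok) => {
    if ("ref" in tok) return pool[tok.ref];
    if (tok.kind !== "view") { const obj = { ...tok }; pool.push(obj); return obj; }
    const buffer = read(tok.buffer);
    const view = makeView(buffer, tok.offset);
    pool.push(view);
    return view;
  };
  return tokens.map(read);
}

// True when every cloned view points at a "buffer" and shared buffers stay shared.
function roundTrips(items, bufferFirst) {
  const clone = deserialize(serialize(items, bufferFirst));
  return items.every((orig, i) => {
    if (orig.kind !== "view") return clone[i].kind === orig.kind;
    if (clone[i].buffer.kind !== "buffer") return false;
    const j = items.findIndex((o) => o.kind === "view" && o.buffer === orig.buffer);
    return clone[j].buffer === clone[i].buffer;
  });
}

// The counterexample from the comment: two DataViews over one buffer, object between.
const arrayBuffer = makeBuffer([1, 2, 3, 4]);
const sample = [makeView(arrayBuffer, 0), makeData("intermediate"), makeView(arrayBuffer, 2)];
```

With the buggy order the second view's `{ref: 1}` resolves to the first view instead of the buffer; with buffer-first numbering both sides agree on index 0.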