[Chromium] Protect message ports from being deleted in V8MessageEvent::portsAccessorG...

https://bugs.webkit.org/show_bug.cgi?id=68584

Patch by Sergey Glazunov <serg.glazunov@gmail.com> on 2011-09-21
Reviewed by Adam Barth.

Source/WebCore:

Test: fast/dom/message-port-deleted-by-accessor.html

* bindings/v8/custom/V8MessageEventCustom.cpp:
(WebCore::V8MessageEvent::portsAccessorGetter):

LayoutTests:

* fast/dom/message-port-deleted-by-accessor-expected.txt: Added.
* fast/dom/message-port-deleted-by-accessor.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@95689 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index c89e1bc..d610a29 100644 (file)
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2011-09-21  Sergey Glazunov  <serg.glazunov@gmail.com>
+
+        [Chromium] Protect message ports from being deleted in V8MessageEvent::portsAccessorGetter
+        https://bugs.webkit.org/show_bug.cgi?id=68584
+
+        Reviewed by Adam Barth.
+
+        * fast/dom/message-port-deleted-by-accessor-expected.txt: Added.
+        * fast/dom/message-port-deleted-by-accessor.html: Added.
+
 2011-09-21  David Levin  <levin@chromium.org>
 
         [chromium] Rebaselines for passing tests and expectation updates/narrowing.

diff --git a/LayoutTests/fast/dom/message-port-deleted-by-accessor-expected.txt b/LayoutTests/fast/dom/message-port-deleted-by-accessor-expected.txt
new file mode 100644 (file)
index 0000000..730ebf6
--- /dev/null
+++ b/LayoutTests/fast/dom/message-port-deleted-by-accessor-expected.txt
@@ -0,0 +1 @@
+This test passes if it doesn't crash.

diff --git a/LayoutTests/fast/dom/message-port-deleted-by-accessor.html b/LayoutTests/fast/dom/message-port-deleted-by-accessor.html
new file mode 100644 (file)
index 0000000..9a6f495
--- /dev/null
+++ b/LayoutTests/fast/dom/message-port-deleted-by-accessor.html
@@ -0,0 +1,25 @@
+<html>
+<head>
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+
+window.onload = function()
+{
+    channel = new MessageChannel;
+    event = document.createEvent("MessageEvent");
+
+    event.initMessageEvent(0, 0, 0, 0, 0, 0, 0, [channel.port1, channel.port2]);
+
+    Array.prototype.__defineSetter__(0, function() {
+        event.initMessageEvent(0, 0, 0, 0, 0, 0, 0, [ ]);
+    });
+
+    event.ports;
+}
+</script>
+</head>
+<body>
+This test passes if it doesn't crash.
+</body>
+</html>

diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index c48917f..f3ba2b9 100644 (file)
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,15 @@
+2011-09-21  Sergey Glazunov  <serg.glazunov@gmail.com>
+
+        [Chromium] Protect message ports from being deleted in V8MessageEvent::portsAccessorGetter
+        https://bugs.webkit.org/show_bug.cgi?id=68584
+
+        Reviewed by Adam Barth.
+
+        Test: fast/dom/message-port-deleted-by-accessor.html
+
+        * bindings/v8/custom/V8MessageEventCustom.cpp:
+        (WebCore::V8MessageEvent::portsAccessorGetter):
+
 2011-09-21  Anders Carlsson  <andersca@apple.com>
 
         Add back protection against the NSView going away while handling mouseDown

diff --git a/Source/WebCore/bindings/v8/custom/V8MessageEventCustom.cpp b/Source/WebCore/bindings/v8/custom/V8MessageEventCustom.cpp
index b99672d..6047cdd 100644 (file)
--- a/Source/WebCore/bindings/v8/custom/V8MessageEventCustom.cpp
+++ b/Source/WebCore/bindings/v8/custom/V8MessageEventCustom.cpp
@@ -88,10 +88,12 @@ v8::Handle<v8::Value> V8MessageEvent::portsAccessorGetter(v8::Local<v8::String>
     MessagePortArray* ports = event->ports();
     if (!ports)
         return v8::Array::New(0);
+    
+    MessagePortArray portsCopy(*ports);
 
-    v8::Local<v8::Array> portArray = v8::Array::New(ports->size());
-    for (size_t i = 0; i < ports->size(); ++i)
-        portArray->Set(v8::Integer::New(i), toV8((*ports)[i].get()));
+    v8::Local<v8::Array> portArray = v8::Array::New(portsCopy.size());
+    for (size_t i = 0; i < portsCopy.size(); ++i)
+        portArray->Set(v8::Integer::New(i), toV8(portsCopy[i].get()));
 
     return portArray;
 }