From 199ac39b26520a7b8240ce5db81ce26004595b6e Mon Sep 17 00:00:00 2001
From: "commit-queue@webkit.org"
 <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Thu, 22 Sep 2011 17:36:03 +0000
Subject: [PATCH] Ref protect shaders in
 V8WebGLRenderingContext::getAttachedShadersCallback
 https://bugs.webkit.org/show_bug.cgi?id=68630

Patch by Sergey Glazunov <serg.glazunov@gmail.com> on 2011-09-22
Reviewed by Adam Barth.

Source/WebCore:

Test: fast/canvas/webgl/shader-deleted-by-accessor.html

* bindings/js/JSWebGLRenderingContextCustom.cpp:
(WebCore::JSWebGLRenderingContext::getAttachedShaders):
* bindings/v8/custom/V8WebGLRenderingContextCustom.cpp:
(WebCore::V8WebGLRenderingContext::getAttachedShadersCallback):
* html/canvas/WebGLRenderingContext.cpp:
(WebCore::WebGLRenderingContext::getAttachedShaders):
* html/canvas/WebGLRenderingContext.h:

LayoutTests:

* fast/canvas/webgl/shader-deleted-by-accessor-expected.txt: Added.
* fast/canvas/webgl/shader-deleted-by-accessor.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@95728 268f45cc-cd09-0410-ab3c-d52691b4dbfc
---
 LayoutTests/ChangeLog                              | 10 +++++
 .../webgl/shader-deleted-by-accessor-expected.txt  |  8 ++++
 .../canvas/webgl/shader-deleted-by-accessor.html   | 51 ++++++++++++++++++++++
 Source/WebCore/ChangeLog                           | 17 ++++++++
 .../bindings/js/JSWebGLRenderingContextCustom.cpp  |  4 +-
 .../v8/custom/V8WebGLRenderingContextCustom.cpp    |  4 +-
 .../WebCore/html/canvas/WebGLRenderingContext.cpp  |  2 +-
 Source/WebCore/html/canvas/WebGLRenderingContext.h |  2 +-
 8 files changed, 92 insertions(+), 6 deletions(-)
 create mode 100644 LayoutTests/fast/canvas/webgl/shader-deleted-by-accessor-expected.txt
 create mode 100644 LayoutTests/fast/canvas/webgl/shader-deleted-by-accessor.html

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 8ec6273..4ffff59 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2011-09-22  Sergey Glazunov  <serg.glazunov@gmail.com>
+
+        Ref protect shaders in V8WebGLRenderingContext::getAttachedShadersCallback
+        https://bugs.webkit.org/show_bug.cgi?id=68630
+
+        Reviewed by Adam Barth.
+
+        * fast/canvas/webgl/shader-deleted-by-accessor-expected.txt: Added.
+        * fast/canvas/webgl/shader-deleted-by-accessor.html: Added.
+
 2011-09-22  Robert Hogan  <robert@webkit.org>
 
         Unreviewed, platform-specific results for r95721. 
diff --git a/LayoutTests/fast/canvas/webgl/shader-deleted-by-accessor-expected.txt b/LayoutTests/fast/canvas/webgl/shader-deleted-by-accessor-expected.txt
new file mode 100644
index 0000000..af0c0c2
--- /dev/null
+++ b/LayoutTests/fast/canvas/webgl/shader-deleted-by-accessor-expected.txt
@@ -0,0 +1,8 @@
+Verifies that WebGLRenderingContext::getAttachedShaders doesn't crash when an accessor property is defined on Array.prototype.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/fast/canvas/webgl/shader-deleted-by-accessor.html b/LayoutTests/fast/canvas/webgl/shader-deleted-by-accessor.html
new file mode 100644
index 0000000..6bfc2c9
--- /dev/null
+++ b/LayoutTests/fast/canvas/webgl/shader-deleted-by-accessor.html
@@ -0,0 +1,51 @@
+<html>
+<head>
+<link rel="stylesheet" href="../../js/resources/js-test-style.css"/>
+<script src="../../js/resources/js-test-pre.js"></script>
+<script src="resources/webgl-test.js"></script>
+<script src="resources/webgl-test-utils.js"></script>
+</head>
+<body>
+<div id="description"></div>
+<div id="console"></div>
+
+<script>
+function gc()
+{
+    if (window.GCController)
+        return GCController.collect();
+
+    for (var i = 0; i < 10000; ++i)
+        var s = new String("AAAA");
+}
+
+description("Verifies that WebGLRenderingContext::getAttachedShaders doesn't crash when an accessor property is defined on Array.prototype.");
+
+context = create3DContext();
+program = context.createProgram();
+
+shader1 = context.createShader(context.VERTEX_SHADER);
+context.attachShader(program, shader1);
+
+for (var i = 0; i < 10; ++i) {
+    shader2 = context.createShader(context.FRAGMENT_SHADER);
+    context.attachShader(program, shader2);
+
+    Array.prototype.__defineSetter__(0, function() {
+        context.detachShader(program, shader2);
+        context.deleteShader(shader2);
+        shader2 = null;
+        gc();
+    });
+
+    shaders = context.getAttachedShaders(program);
+    context.getShaderParameter(shaders[1], 0);
+}
+
+successfullyParsed = true;
+</script>
+
+<script src="../../js/resources/js-test-post.js"></script>
+</body>
+</html>
+
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index 6b3d1d0..2f25da2 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,20 @@
+2011-09-22  Sergey Glazunov  <serg.glazunov@gmail.com>
+
+        Ref protect shaders in V8WebGLRenderingContext::getAttachedShadersCallback
+        https://bugs.webkit.org/show_bug.cgi?id=68630
+
+        Reviewed by Adam Barth.
+
+        Test: fast/canvas/webgl/shader-deleted-by-accessor.html
+
+        * bindings/js/JSWebGLRenderingContextCustom.cpp:
+        (WebCore::JSWebGLRenderingContext::getAttachedShaders):
+        * bindings/v8/custom/V8WebGLRenderingContextCustom.cpp:
+        (WebCore::V8WebGLRenderingContext::getAttachedShadersCallback):
+        * html/canvas/WebGLRenderingContext.cpp:
+        (WebCore::WebGLRenderingContext::getAttachedShaders):
+        * html/canvas/WebGLRenderingContext.h:
+
 2011-09-05  Robert Hogan  <robert@webkit.org>
 
         CSS 2.1 failure: abspos-non-replaced-width-margin-000, abspos-replaced-width-margin-000
diff --git a/Source/WebCore/bindings/js/JSWebGLRenderingContextCustom.cpp b/Source/WebCore/bindings/js/JSWebGLRenderingContextCustom.cpp
index 59b6392..cd55284 100644
--- a/Source/WebCore/bindings/js/JSWebGLRenderingContextCustom.cpp
+++ b/Source/WebCore/bindings/js/JSWebGLRenderingContextCustom.cpp
@@ -212,7 +212,7 @@ JSValue JSWebGLRenderingContext::getAttachedShaders(ExecState* exec)
     WebGLProgram* program = toWebGLProgram(exec->argument(0));
     if (exec->hadException())
         return jsNull();
-    Vector<WebGLShader*> shaders;
+    Vector<RefPtr<WebGLShader> > shaders;
     bool succeed = context->getAttachedShaders(program, shaders, ec);
     if (ec) {
         setDOMException(exec, ec);
@@ -222,7 +222,7 @@ JSValue JSWebGLRenderingContext::getAttachedShaders(ExecState* exec)
         return jsNull();
     MarkedArgumentBuffer list;
     for (size_t ii = 0; ii < shaders.size(); ++ii)
-        list.append(toJS(exec, globalObject(), shaders[ii]));
+        list.append(toJS(exec, globalObject(), shaders[ii].get()));
     return constructArray(exec, globalObject(), list);
 }
 
diff --git a/Source/WebCore/bindings/v8/custom/V8WebGLRenderingContextCustom.cpp b/Source/WebCore/bindings/v8/custom/V8WebGLRenderingContextCustom.cpp
index 386e310..d9e1fd9 100644
--- a/Source/WebCore/bindings/v8/custom/V8WebGLRenderingContextCustom.cpp
+++ b/Source/WebCore/bindings/v8/custom/V8WebGLRenderingContextCustom.cpp
@@ -260,7 +260,7 @@ v8::Handle<v8::Value> V8WebGLRenderingContext::getAttachedShadersCallback(const
         return notHandledByInterceptor();
     }
     WebGLProgram* program = V8WebGLProgram::HasInstance(args[0]) ? V8WebGLProgram::toNative(v8::Handle<v8::Object>::Cast(args[0])) : 0;
-    Vector<WebGLShader*> shaders;
+    Vector<RefPtr<WebGLShader> > shaders;
     bool succeed = context->getAttachedShaders(program, shaders, ec);
     if (ec) {
         V8Proxy::setDOMException(ec);
@@ -270,7 +270,7 @@ v8::Handle<v8::Value> V8WebGLRenderingContext::getAttachedShadersCallback(const
         return v8::Null();
     v8::Local<v8::Array> array = v8::Array::New(shaders.size());
     for (size_t ii = 0; ii < shaders.size(); ++ii)
-        array->Set(v8::Integer::New(ii), toV8(shaders[ii]));
+        array->Set(v8::Integer::New(ii), toV8(shaders[ii].get()));
     return array;
 }
 
diff --git a/Source/WebCore/html/canvas/WebGLRenderingContext.cpp b/Source/WebCore/html/canvas/WebGLRenderingContext.cpp
index 2a3b1fc..9b9fe97 100644
--- a/Source/WebCore/html/canvas/WebGLRenderingContext.cpp
+++ b/Source/WebCore/html/canvas/WebGLRenderingContext.cpp
@@ -1900,7 +1900,7 @@ PassRefPtr<WebGLActiveInfo> WebGLRenderingContext::getActiveUniform(WebGLProgram
     return WebGLActiveInfo::create(info.name, info.type, info.size);
 }
 
-bool WebGLRenderingContext::getAttachedShaders(WebGLProgram* program, Vector<WebGLShader*>& shaderObjects, ExceptionCode& ec)
+bool WebGLRenderingContext::getAttachedShaders(WebGLProgram* program, Vector<RefPtr<WebGLShader> >& shaderObjects, ExceptionCode& ec)
 {
     UNUSED_PARAM(ec);
     shaderObjects.clear();
diff --git a/Source/WebCore/html/canvas/WebGLRenderingContext.h b/Source/WebCore/html/canvas/WebGLRenderingContext.h
index 17a4699..9c4774e 100644
--- a/Source/WebCore/html/canvas/WebGLRenderingContext.h
+++ b/Source/WebCore/html/canvas/WebGLRenderingContext.h
@@ -143,7 +143,7 @@ public:
 
     PassRefPtr<WebGLActiveInfo> getActiveAttrib(WebGLProgram*, GC3Duint index, ExceptionCode&);
     PassRefPtr<WebGLActiveInfo> getActiveUniform(WebGLProgram*, GC3Duint index, ExceptionCode&);
-    bool getAttachedShaders(WebGLProgram*, Vector<WebGLShader*>&, ExceptionCode&);
+    bool getAttachedShaders(WebGLProgram*, Vector<RefPtr<WebGLShader> >&, ExceptionCode&);
     GC3Dint getAttribLocation(WebGLProgram*, const String& name);
     WebGLGetInfo getBufferParameter(GC3Denum target, GC3Denum pname, ExceptionCode&);
     PassRefPtr<WebGLContextAttributes> getContextAttributes();
-- 
2.7.4