Unified Diff: Source/bindings/v8/SerializedScriptValue.cpp

Issue 56973002: Fix memory leak on serializing neutered ArrayBuffer. (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Restore/improve comment Created 7 years, 1 month ago
Index: Source/bindings/v8/SerializedScriptValue.cpp
diff --git a/Source/bindings/v8/SerializedScriptValue.cpp b/Source/bindings/v8/SerializedScriptValue.cpp
index 984d5e7388c81401ba571f73baad30d1c1c07b9e..baf8bd6fa4a92bebb9fcb7e8c04b297699e1c309 100644
--- a/Source/bindings/v8/SerializedScriptValue.cpp
+++ b/Source/bindings/v8/SerializedScriptValue.cpp
@@ -739,7 +739,15 @@ public:
}
// Functions used by serialization states.
- StateBase* doSerialize(v8::Handle<v8::Value> value, StateBase* next);
+ StateBase* doSerialize(v8::Handle<v8::Value>, StateBase* next);
+
+ // The serializer workhorse, no stack depth check.
+ StateBase* doSerializeImpl(v8::Handle<v8::Value>, StateBase* next);
+
+ StateBase* doSerializeArrayBuffer(v8::Handle<v8::Value> arrayBuffer, StateBase* next)
+ {
+ return doSerializeImpl(arrayBuffer, next);
+ }
StateBase* checkException(StateBase* state)
{
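Review bot: doSerializeArrayBuffer, the inline wrapper added at the end of this hunk, exists only to route around the execution-depth guard that doSerialize enforces, yet nothing at its definition says so; the single hint is the `no stack depth check` comment on doSerializeImpl. A later caller could hand it a value that can recurse, which is precisely what the guard protects against, so the precondition belongs on the wrapper: `// Serializes the ArrayBuffer backing an ArrayBufferView. Deliberately skips the depth check in doSerialize(): the argument is a known wrapper that cannot recurse, so never call this with an arbitrary value.` The new doSerialize declaration also drops the `value` parameter name while keeping `next`, which differs from the definition in the later hunk; keeping `value` would be consistent. The enclosing class starts and ends outside this hunk.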
@@ -1139,16 +1147,18 @@ private:
v8::Handle<v8::Value> underlyingBuffer = toV8(arrayBufferView->buffer(), v8::Handle<v8::Object>(), m_writer.getIsolate());
if (underlyingBuffer.IsEmpty())
return handleError(DataCloneError, next);
- StateBase* stateOut = doSerialize(underlyingBuffer, 0);
+ StateBase* stateOut = doSerializeArrayBuffer(underlyingBuffer, next);
if (stateOut)
- return handleError(DataCloneError, next);
+ return stateOut;
m_writer.writeArrayBufferView(*arrayBufferView);
// This should be safe: we serialize something that we know to be a wrapper (see
- // the toV8 call above), so the call to doSerialize above should neither cause
- // the stack to overflow nor should it have the potential to reach this
- // ArrayBufferView again. We do need to grey the underlying buffer before we grey
- // its view, however; ArrayBuffers may be shared, so they need to be given reference IDs,
- // and an ArrayBufferView cannot be constructed without a corresponding ArrayBuffer
+ // the toV8 call above), so the call to doSerializeArrayBuffer should neither
+ // cause the system stack to overflow nor should it have potential to reach
+ // this ArrayBufferView again.
+ //
+ // We do need to grey the underlying buffer before we grey its view, however;
+ // ArrayBuffers may be shared, so they need to be given reference IDs, and an
+ // ArrayBufferView cannot be constructed without a corresponding ArrayBuffer
// (or without an additional tag that would allow us to do two-stage construction
// like we do for Objects and Arrays).
greyObject(object);
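Review bot: `return stateOut;` now propagates whatever doSerializeImpl hands back, whereas the old code turned any non-null result into a fresh DataCloneError (which, per the issue title, is where the state already created for the buffer leaked); the new line is only correct if doSerializeImpl returns non-null for an ArrayBuffer solely through handleError, which this hunk cannot show. I would state that assumption beside the check so the next reader does not reintroduce the conversion: `// Non-null means doSerializeArrayBuffer already reported an error (e.g. a neutered buffer); propagate its state instead of building a second one.` The rewritten comment below is clearer than the old one, but it still only argues that the depth guard is unnecessary, not that the returned state is an error state, so the two comments complement each other. The enclosing function starts and ends outside this hunk.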
@@ -1233,12 +1243,8 @@ private:
v8::Isolate* m_isolate;
};
-Serializer::StateBase* Serializer::doSerialize(v8::Handle<v8::Value> value, StateBase* next)
+Serializer::StateBase* Serializer::doSerializeImpl(v8::Handle<v8::Value> value, StateBase* next)
{
- if (m_execDepth + (next ? next->execDepth() : 0) > 1) {
- m_writer.writeNull();
- return 0;
- }
m_writer.writeReferenceCount(m_nextObjectReference);
uint32_t objectReference;
uint32_t arrayBufferIndex;
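Review bot: The definition of doSerializeImpl lost the depth guard but carries no comment at the definition site (the only remark is on the in-class declaration), and the new doSerialize wrapper in the following hunk is likewise undocumented. Above the `Serializer::doSerializeImpl` line I would add `// Serialization workhorse. Has no execution-depth check by design; go through doSerialize() unless the value is known not to recurse (see doSerializeArrayBuffer).`, and above the new doSerialize definition `// Entry point for serialization states: writes null instead of descending when the combined execDepth exceeds 1, otherwise defers to doSerializeImpl().` doSerializeImpl's body continues past the end of this hunk.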
@@ -1316,6 +1322,15 @@ Serializer::StateBase* Serializer::doSerialize(v8::Handle<v8::Value> value, Stat
return 0;
}
+Serializer::StateBase* Serializer::doSerialize(v8::Handle<v8::Value> value, StateBase* next)
+{
+ if (m_execDepth + (next ? next->execDepth() : 0) > 1) {
+ m_writer.writeNull();
+ return 0;
+ }
+ return doSerializeImpl(value, next);
+}
+
// Interface used by Reader to create objects of composite types.
class CompositeCreator {
public:
