jsc_fuz/wktr: crash with new XRReferenceSpaceEvent('', {referenceSpace})
https://bugs.webkit.org/show_bug.cgi?id=235456
Patch by Gabriel Nava Marino <gnavamarino@apple.com> on 2022-01-27
Reviewed by Chris Dumez.
Source/WebCore:
FastMalloc.h specifies that each derived class needs to be annotated as well with WTF_MAKE_ISO_ALLOCATED
if the base class is annotated with WTF_MAKE_ISO_ALLOCATED.
After doing this, the crash in WebCore::Event::operator new(unsigned long) is no longer reproducible.
However, this caused ASSERT(m_transform) to be hit in debug builds with the attached test case.
The XRReferenceSpaceEvent spec specifies the transform attribute as nullable
(https://immersive-web.github.io/webxr/#dictdef-xrreferencespaceeventinit), so this patch updates the
XRReferenceSpaceEvent IDL and implementation to match the spec, and removes the ASSERT accordingly.
Test: webxr/xr-reference-space-event-crash.html
* Modules/webxr/XRReferenceSpaceEvent.cpp:
(WebCore::XRReferenceSpaceEvent::XRReferenceSpaceEvent):
(WebCore::XRReferenceSpaceEvent::transform const):
* Modules/webxr/XRReferenceSpaceEvent.h:
* Modules/webxr/XRReferenceSpaceEvent.idl:
LayoutTests:
* webxr/xr-reference-space-event-crash.html: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@288672 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 44e1da4..97c894a 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,12 @@
+2022-01-27 Gabriel Nava Marino <gnavamarino@apple.com>
+
+ jsc_fuz/wktr: crash with new XRReferenceSpaceEvent('', {referenceSpace})
+ https://bugs.webkit.org/show_bug.cgi?id=235456
+
+ Reviewed by Chris Dumez.
+
+ * webxr/xr-reference-space-event-crash.html: Added.
+
2022-01-27 Kimmo Kinnunen <kkinnunen@apple.com>
Update WebGL conformance test suite to 2022-01-12
diff --git a/LayoutTests/webxr/xr-reference-space-event-crash-expected.txt b/LayoutTests/webxr/xr-reference-space-event-crash-expected.txt
new file mode 100644
index 0000000..c34331e
--- /dev/null
+++ b/LayoutTests/webxr/xr-reference-space-event-crash-expected.txt
@@ -0,0 +1,11 @@
+Makes sure that constructing a XRReferenceSpaceEvent without a transform member doesn't crash
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS event.referenceSpace is referenceSpace
+PASS event.transform is null
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/webxr/xr-reference-space-event-crash.html b/LayoutTests/webxr/xr-reference-space-event-crash.html
new file mode 100644
index 0000000..6bd9fa3
--- /dev/null
+++ b/LayoutTests/webxr/xr-reference-space-event-crash.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src="../resources/js-test.js"></script>
+</head>
+<body>
+<script>
+ description("Makes sure that constructing a XRReferenceSpaceEvent without a transform member doesn't crash");
+ jsTestIsAsync = true;
+
+ navigator.xr.requestSession('inline')
+ .then(s => s.requestReferenceSpace('viewer'))
+ .then(_referenceSpace => {
+ referenceSpace = _referenceSpace;
+ event = new XRReferenceSpaceEvent('', { referenceSpace });
+ shouldBe("event.referenceSpace", "referenceSpace");
+ shouldBeNull("event.transform");
+ finishJSTest();
+ });
+</script>
+</body>
+</html>
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index 43fd952..276dba4 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,28 @@
+2022-01-27 Gabriel Nava Marino <gnavamarino@apple.com>
+
+ jsc_fuz/wktr: crash with new XRReferenceSpaceEvent('', {referenceSpace})
+ https://bugs.webkit.org/show_bug.cgi?id=235456
+
+ Reviewed by Chris Dumez.
+
+ FastMalloc.h specifies that each derived class needs to be annotated as well with WTF_MAKE_ISO_ALLOCATED
+ if the base class is annotated with WTF_MAKE_ISO_ALLOCATED.
+
+ After doing this, the crash in WebCore::Event::operator new(unsigned long) is no longer reproducible.
+ However, this caused ASSERT(m_transform) to be hit in debug builds with the attached test case.
+
+ The XRReferenceSpaceEvent spec specifies the transform attribute as nullable
+ (https://immersive-web.github.io/webxr/#dictdef-xrreferencespaceeventinit), so this patch updates the
+ XRReferenceSpaceEvent IDL and implementation to match the spec, and removes the ASSERT accordingly.
+
+ Test: webxr/xr-reference-space-event-crash.html
+
+ * Modules/webxr/XRReferenceSpaceEvent.cpp:
+ (WebCore::XRReferenceSpaceEvent::XRReferenceSpaceEvent):
+ (WebCore::XRReferenceSpaceEvent::transform const):
+ * Modules/webxr/XRReferenceSpaceEvent.h:
+ * Modules/webxr/XRReferenceSpaceEvent.idl:
+
2022-01-27 Antoine Quint <graouts@webkit.org>
<model> should only be draggable on iOS
diff --git a/Source/WebCore/Modules/webxr/XRReferenceSpaceEvent.cpp b/Source/WebCore/Modules/webxr/XRReferenceSpaceEvent.cpp
index f7899b3..97df200 100644
--- a/Source/WebCore/Modules/webxr/XRReferenceSpaceEvent.cpp
+++ b/Source/WebCore/Modules/webxr/XRReferenceSpaceEvent.cpp
@@ -33,6 +33,8 @@
namespace WebCore {
+WTF_MAKE_ISO_ALLOCATED_IMPL(XRReferenceSpaceEvent);
+
Ref<XRReferenceSpaceEvent> XRReferenceSpaceEvent::create(const AtomString& type, const Init& initializer, IsTrusted isTrusted)
{
return adoptRef(*new XRReferenceSpaceEvent(type, initializer, isTrusted));
@@ -44,7 +46,6 @@
, m_transform(initializer.transform)
{
ASSERT(m_referenceSpace);
- ASSERT(m_transform);
}
XRReferenceSpaceEvent::~XRReferenceSpaceEvent() = default;
@@ -54,9 +55,9 @@
return *m_referenceSpace;
}
-const WebXRRigidTransform& XRReferenceSpaceEvent::transform() const
+WebXRRigidTransform* XRReferenceSpaceEvent::transform() const
{
- return *m_transform;
+ return m_transform.get();
}
} // namespace WebCore
diff --git a/Source/WebCore/Modules/webxr/XRReferenceSpaceEvent.h b/Source/WebCore/Modules/webxr/XRReferenceSpaceEvent.h
index ac520a7..7e151a1e 100644
--- a/Source/WebCore/Modules/webxr/XRReferenceSpaceEvent.h
+++ b/Source/WebCore/Modules/webxr/XRReferenceSpaceEvent.h
@@ -37,6 +37,7 @@
class WebXRRigidTransform;
class XRReferenceSpaceEvent : public Event {
+ WTF_MAKE_ISO_ALLOCATED(XRReferenceSpaceEvent);
public:
struct Init : EventInit {
RefPtr<WebXRReferenceSpace> referenceSpace;
@@ -47,7 +48,7 @@
virtual ~XRReferenceSpaceEvent();
const WebXRReferenceSpace& referenceSpace() const;
- const WebXRRigidTransform& transform() const;
+ WebXRRigidTransform* transform() const;
private:
XRReferenceSpaceEvent(const AtomString&, const Init&, IsTrusted);
diff --git a/Source/WebCore/Modules/webxr/XRReferenceSpaceEvent.idl b/Source/WebCore/Modules/webxr/XRReferenceSpaceEvent.idl
index cdc549d..350d66d 100644
--- a/Source/WebCore/Modules/webxr/XRReferenceSpaceEvent.idl
+++ b/Source/WebCore/Modules/webxr/XRReferenceSpaceEvent.idl
@@ -29,7 +29,7 @@
Conditional=WEBXR,
] dictionary XRReferenceSpaceEventInit : EventInit {
required WebXRReferenceSpace referenceSpace;
- WebXRRigidTransform transform;
+ WebXRRigidTransform? transform;
};
// https://immersive-web.github.io/webxr/#xrreferencespaceevent
@@ -41,5 +41,5 @@
] interface XRReferenceSpaceEvent : Event {
constructor(DOMString type, XRReferenceSpaceEventInit eventInitDict);
[SameObject] readonly attribute WebXRReferenceSpace referenceSpace;
- [SameObject] readonly attribute WebXRRigidTransform transform;
+ [SameObject] readonly attribute WebXRRigidTransform? transform;
};
