From 2334e9e583799a8cb2dfefb3c7e15c5a7da8ead0 Mon Sep 17 00:00:00 2001
From: tsepez
Date: Thu, 9 Jun 2016 09:32:44 -0700
Subject: Fix crash in CXFA_Node::TryUserData() (speculative)

Fix is speculative because I can't repro locally, but I know the current code is wrong. I fixed this intially in https://codereview.chromium.org/2015143005/ I then broke it again in https://codereview.chromium.org/2019333006/ There is another spot where we are still casting through void*, and the CXFA_Node*'s alignment is getting messed up when it fails to adjust for it's vtable. Using CFXJSE_HostObject consistently avoids the issue. Adding a virtual dtor to CFXJSE_HostObject might skirt the issue, but I want to be able to wrap simple objects without that penalty if desired.

BUG=616339

Review-Url: https://codereview.chromium.org/2055473004
---
 xfa/fxjse/cfxjse_arguments.h | 3 ++-
 xfa/fxjse/class.cpp          | 3 ++-
 xfa/fxjse/include/fxjse.h    | 6 +++++-
 3 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/xfa/fxjse/cfxjse_arguments.h b/xfa/fxjse/cfxjse_arguments.h
index fd83f8e7f4..7091f8dea6 100644
--- a/xfa/fxjse/cfxjse_arguments.h
+++ b/xfa/fxjse/cfxjse_arguments.h
@@ -26,7 +26,8 @@ class CFXJSE_Arguments {
   int32_t GetInt32(int32_t index) const;
   FX_FLOAT GetFloat(int32_t index) const;
   CFX_ByteString GetUTF8String(int32_t index) const;
-  void* GetObject(int32_t index, CFXJSE_Class* pClass = nullptr) const;
+  CFXJSE_HostObject* GetObject(int32_t index,
+                               CFXJSE_Class* pClass = nullptr) const;
   CFXJSE_Value* GetReturnValue();
 
  private:
diff --git a/xfa/fxjse/class.cpp b/xfa/fxjse/class.cpp
index bd589453f2..e9d67d8cda 100644
--- a/xfa/fxjse/class.cpp
+++ b/xfa/fxjse/class.cpp
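Review bot: The new declaration of `GetObject` leaves unsaid what a null return means and what `pClass` does, and since the return type is now a class pointer rather than `void*`, every caller that used to `static_cast` the result to a concrete `CXFA_*` type must be doing a proper derived-from-`CFXJSE_HostObject` downcast — none of those call sites are in this patch, so that is worth confirming separately. A short contract above the declaration would help the next reader: `// Returns the host object bound to argument |index|, or nullptr if that argument is not a wrapped object (presumably also when |pClass| is given and the wrapper is of a different class — confirm against the .cpp). The pointer is owned by the JS wrapper, not the caller.` The `pClass` behaviour is inferred from the parameter, not visible here, so keep the hedge until verified against the definition.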
@@ -147,7 +147,8 @@ CFX_ByteString CFXJSE_Arguments::GetUTF8String(int32_t index) const {
   return CFX_ByteString(*szStringVal);
 }
 
-void* CFXJSE_Arguments::GetObject(int32_t index, CFXJSE_Class* pClass) const {
+CFXJSE_HostObject* CFXJSE_Arguments::GetObject(int32_t index,
+                                               CFXJSE_Class* pClass) const {
   v8::Local hValue = (*m_pInfo)[index];
   ASSERT(!hValue.IsEmpty());
   if (!hValue->IsObject())
diff --git a/xfa/fxjse/include/fxjse.h b/xfa/fxjse/include/fxjse.h
index d7c85f54e8..8f30faac30 100644
--- a/xfa/fxjse/include/fxjse.h
+++ b/xfa/fxjse/include/fxjse.h
@@ -14,7 +14,11 @@ class CFXJSE_Arguments;
 class CFXJSE_Value;
 
-class CFXJSE_HostObject {};  // C++ object which can be wrapped by CFXJSE_value.
+// C++ object which can be wrapped by CFXJSE_value.
+class CFXJSE_HostObject {
+ public:
+  virtual ~CFXJSE_HostObject() {}
+};
 
 typedef void (*FXJSE_FuncCallback)(CFXJSE_Value* pThis,
                                    const CFX_ByteStringC& szFuncName,
-- 
cgit v1.2.3
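Review bot: The line that actually matters for this fix — where the pointer is pulled back out of the V8 object's internal field — is below the hunk, so this change only proves the signature moved, not that the retrieval now yields the same static type (`CFXJSE_HostObject*`) that was stored; if that site still goes through `void*` and casts to a derived type, the this-pointer adjustment is still skipped and the crash from the description remains. `GetObject`'s body continues outside the hunk, and whatever it calls to read the internal field is not visible, so I can only ask that it be checked. Please also pin the invariant with a comment at that retrieval line, e.g. `// Internal field holds a CFXJSE_HostObject*; never round-trip it through void* to a derived type.` Note the `ASSERT(!hValue.IsEmpty())` is debug-only; an out-of-range `index` should be handled by the `IsObject()` check if V8's `operator[]` returns Undefined for it, but that is not something this hunk shows.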
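Review bot: The fxjse.h hunk adds `virtual ~CFXJSE_HostObject() {}` while the commit description says a virtual destructor "might skirt the issue, but I want to be able to wrap simple objects without that penalty" — the code and the rationale disagree, and the description should say which of the two is the intended fix. Making the base polymorphic means a derived object's `CFXJSE_HostObject` subobject can now sit at a non-zero offset, so any remaining `void*`-to-derived cast elsewhere becomes a silent type confusion on attacker-controlled XFA input, which is exactly the class of bug being fixed; that contract deserves to be stated on the class, e.g. `// Base for objects stored in JS wrapper internal fields. Always store and recover the CFXJSE_HostObject* itself; casting a void* of a derived object skips the base-subobject adjustment.` As a style point, `virtual ~CFXJSE_HostObject() = default;` is the idiomatic spelling. The hunk's trailing context appears truncated in this rendering (the header counts seven old lines), so the closing `typedef` line is not fully visible here.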