From 2aa01f5ccbf1464b43527c1ffa6b42bafed9ebeb Mon Sep 17 00:00:00 2001
From: Tom Sepez
Date: Fri, 6 Apr 2018 17:40:45 +0000
Subject: Avoid uninitialized internal fields in V8 global objects.

V8 won't do this for us when it creates a global object under the covers off of a template with a non-zero internal field count, instead just leaving it uninitialized. We were careful to set the iternal fields on the object we explicitly create, but there are these implicitly created ones as part of making a new context that need to be handled as well.

BUG: pdfium:1005
Change-Id: Ic40bafc206ec5119cbceb58f0bb725693e7ddf80
Reviewed-on: https://pdfium-review.googlesource.com/29910
Reviewed-by: dsinclair
Commit-Queue: Tom Sepez
---
 fxjs/cfxjs_engine.cpp       | 13 +++++++++++++
 fxjs/cfxjse_context.cpp     | 10 ++++++++++
 fxjs/cfxjse_runtimedata.cpp |  9 ++++++++-
 3 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/fxjs/cfxjs_engine.cpp b/fxjs/cfxjs_engine.cpp
index 54aa28cf4b..5def57e992 100644
--- a/fxjs/cfxjs_engine.cpp
+++ b/fxjs/cfxjs_engine.cpp
@@ -437,6 +437,19 @@ void CFXJS_Engine::InitializeEngine() {
   v8::Local v8Context = v8::Context::New(
       GetIsolate(), nullptr, GetGlobalObjectTemplate(GetIsolate()));
+
+  // May not have the internal fields when called from tests.
+  v8::Local pThisProxy = v8Context->Global();
+  if (pThisProxy->InternalFieldCount() == 2) {
+    pThisProxy->SetAlignedPointerInInternalField(0, nullptr);
+    pThisProxy->SetAlignedPointerInInternalField(1, nullptr);
+  }
+  v8::Local pThis = pThisProxy->GetPrototype().As();
+  if (pThis->InternalFieldCount() == 2) {
+    pThis->SetAlignedPointerInInternalField(0, nullptr);
+    pThis->SetAlignedPointerInInternalField(1, nullptr);
+  }
+
   v8::Context::Scope context_scope(v8Context);
   SetIntoContext(v8Context);
diff --git a/fxjs/cfxjse_context.cpp b/fxjs/cfxjse_context.cpp
index d12758de2a..03bcc4d6ab 100644
--- a/fxjs/cfxjse_context.cpp
+++ b/fxjs/cfxjse_context.cpp
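Review bot: The new guards `if (pThisProxy->InternalFieldCount() == 2)` and `if (pThis->InternalFieldCount() == 2)` tie the fix to a hard-coded field count: if the global object template ever declares a different count, both branches are silently skipped and the aligned-pointer fields stay uninitialized again — exactly the state this commit is removing — with nothing to flag it. Clearing whatever fields the object actually has removes that coupling, e.g. `for (int i = 0; i < pThisProxy->InternalFieldCount(); ++i) pThisProxy->SetAlignedPointerInInternalField(i, nullptr);` and the same loop for `pThis`; the literal `2` is repeated in the cfxjse_context.cpp hunk, so one small helper could serve both files. The comment `// May not have the internal fields when called from tests.` explains the zero case but not the `== 2` case; if the count comes from a template constant elsewhere in the file, naming it here would be clearer than the bare literal. InitializeEngine begins before this hunk.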
@@ -187,6 +187,16 @@ std::unique_ptr CFXJSE_Context::Create(
   v8::Local hNewContext = v8::Context::New(pIsolate, nullptr, hObjectTemplate);
+  v8::Local pThisProxy = hNewContext->Global();
+  ASSERT(pThisProxy->InternalFieldCount() == 2);
+  pThisProxy->SetAlignedPointerInInternalField(0, nullptr);
+  pThisProxy->SetAlignedPointerInInternalField(1, nullptr);
+
+  v8::Local pThis = pThisProxy->GetPrototype().As();
+  ASSERT(pThis->InternalFieldCount() == 2);
+  pThis->SetAlignedPointerInInternalField(0, nullptr);
+  pThis->SetAlignedPointerInInternalField(1, nullptr);
+
   v8::Local hRootContext = v8::Local::New(
       pIsolate, CFXJSE_RuntimeData::Get(pIsolate)->m_hRootContext);
   hNewContext->SetSecurityToken(hRootContext->GetSecurityToken());
diff --git a/fxjs/cfxjse_runtimedata.cpp b/fxjs/cfxjse_runtimedata.cpp
index 0153e81a6c..540bcb084e 100644
--- a/fxjs/cfxjse_runtimedata.cpp
+++ b/fxjs/cfxjse_runtimedata.cpp
@@ -24,6 +24,7 @@ std::unique_ptr CFXJSE_RuntimeData::Create(
   v8::Local hFuncTemplate = v8::FunctionTemplate::New(pIsolate);
+
   v8::Local hGlobalTemplate = hFuncTemplate->InstanceTemplate();
   hGlobalTemplate->Set(
@@ -33,8 +34,14 @@ std::unique_ptr CFXJSE_RuntimeData::Create(
   v8::Local hContext = v8::Context::New(pIsolate, 0, hGlobalTemplate);
-  hContext->SetSecurityToken(v8::External::New(pIsolate, pIsolate));
+  ASSERT(hContext->Global()->InternalFieldCount() == 0);
+  ASSERT(hContext->Global()
+             ->GetPrototype()
+             .As()
+             ->InternalFieldCount() == 0);
+
+  hContext->SetSecurityToken(v8::External::New(pIsolate, pIsolate));
   pRuntimeData->m_hRootContextGlobalTemplate.Reset(pIsolate, hFuncTemplate);
   pRuntimeData->m_hRootContext.Reset(pIsolate, hContext);
   return pRuntimeData;
-- 
cgit v1.2.3
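Review bot: `ASSERT(pThisProxy->InternalFieldCount() == 2);` followed by the unconditional `SetAlignedPointerInInternalField(0, nullptr)` / `(1, nullptr)` calls only checks the precondition in builds where ASSERT is compiled in; in a build where it compiles out, a template with fewer fields reaches the out-of-range set with no local check (whether V8 traps that itself is not visible here). The same operation in the cfxjs_engine.cpp hunk is guarded with `if (... == 2)` instead, so the two call sites disagree on what a mismatch means. Bounding the clears by the object's own count, `for (int i = 0; i < pThisProxy->InternalFieldCount(); ++i) pThisProxy->SetAlignedPointerInInternalField(i, nullptr);` (likewise for `pThis`), keeps the ASSERT as a pure sanity check and makes both sites behave the same way. CFXJSE_Context::Create begins before this hunk and continues after it.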
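Review bot: The two new `ASSERT(... ->InternalFieldCount() == 0)` checks state an expectation without saying where it comes from; a reader has to infer that `hGlobalTemplate` is `hFuncTemplate->InstanceTemplate()` with no `SetInternalFieldCount` call in the lines shown, so the root context's global objects carry nothing to initialize. A comment above the first ASSERT, `// The root global template declares no internal fields, so unlike the per-context globals there is nothing to clear here.`, would make the contrast with the other two files in this change explicit. Since these asserts are the only record of that assumption and are not active in every build, the comment is what a maintainer adding internal fields to this template would actually see. CFXJSE_RuntimeData::Create begins before this hunk.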