Workaround dubious casting between CXFA_Object and void* in FXJSE
This is just a crock to get things working until we fix the
underlying issue.
When there's single-inheritance, it may often work in practice
to C-style (reinterpret) cast a Derived* ptr to void* and then
back to a Base* ptr. One place where this blows up is if
Derived has virtual functions but Base does not, in which case
the world will be offset by the size of a vtable ptr.
Because of the use of void* types in FXJSE, the above was happening
when setting a CXFA_ThisProxy (Derived, virtual) to be a global
object (void*). This would then be cast back to a CFXA_Object
(Base, non-virtual) and chaos is ensured.
Not sure how far back this goes.
Along the way, pick up some tidying which was necessary for
simplicity while tracking this down.
BUG=613607
Review-Url: https://codereview.chromium.org/2015143005
diff --git a/BUILD.gn b/BUILD.gn
index 1550209..580bc57 100644
--- a/BUILD.gn
+++ b/BUILD.gn
@@ -1578,7 +1578,6 @@
"xfa/fxjse/runtime.cpp",
"xfa/fxjse/runtime.h",
"xfa/fxjse/scope_inline.h",
- "xfa/fxjse/util_inline.h",
"xfa/fxjse/value.cpp",
"xfa/fxjse/value.h",
]
diff --git a/xfa.gyp b/xfa.gyp
index 14a8130..82b88c9 100644
--- a/xfa.gyp
+++ b/xfa.gyp
@@ -722,7 +722,6 @@
"xfa/fxjse/runtime.cpp",
"xfa/fxjse/runtime.h",
"xfa/fxjse/scope_inline.h",
- "xfa/fxjse/util_inline.h",
"xfa/fxjse/value.cpp",
"xfa/fxjse/value.h"
],
diff --git a/xfa/fxfa/fm2js/xfa_fm2jscontext.cpp b/xfa/fxfa/fm2js/xfa_fm2jscontext.cpp
index 40d8bcf..2c8a362 100644
--- a/xfa/fxfa/fm2js/xfa_fm2jscontext.cpp
+++ b/xfa/fxfa/fm2js/xfa_fm2jscontext.cpp
@@ -3347,7 +3347,8 @@
XFA_FM2JS_Translate(
CFX_WideString::FromUTF8(utf8ScriptString.AsStringC()).AsStringC(),
wsJavaScriptBuf, wsError);
- CFXJSE_Context* pContext = FXJSE_Context_Create(pIsolate);
+ CFXJSE_Context* pContext =
+ FXJSE_Context_Create(pIsolate, nullptr, nullptr);
CFXJSE_Value* returnValue = FXJSE_Value_Create(pIsolate);
javaScript = wsJavaScriptBuf.AsStringC();
FXJSE_ExecuteScript(
diff --git a/xfa/fxfa/parser/xfa_object.h b/xfa/fxfa/parser/xfa_object.h
index 28d4712..8fc074c 100644
--- a/xfa/fxfa/parser/xfa_object.h
+++ b/xfa/fxfa/parser/xfa_object.h
@@ -41,9 +41,12 @@
XFA_NODEFLAG_UnusedNode = 0x08000,
XFA_NODEFLAG_LayoutGeneratedNode = 0x10000,
};
+
class CXFA_Object {
public:
CXFA_Object(CXFA_Document* pDocument, uint32_t uFlags);
+ virtual ~CXFA_Object() {}
+
CXFA_Document* GetDocument() const { return m_pDocument; }
uint32_t GetFlag() const { return m_uFlags; }
XFA_OBJECTTYPE GetObjectType() const {
@@ -590,7 +593,7 @@
protected:
CXFA_Node(CXFA_Document* pDoc, uint16_t ePacket, XFA_ELEMENT eElement);
- ~CXFA_Node();
+ ~CXFA_Node() override;
friend class CXFA_Document;
CXFA_Node* Deprecated_GetPrevSibling();
FX_BOOL SetValue(XFA_ATTRIBUTE eAttr,
@@ -669,7 +672,7 @@
m_pThisNode = pThisNode;
m_pScriptNode = pScriptNode;
}
- virtual ~CXFA_ThisProxy() {}
+ ~CXFA_ThisProxy() override {}
CXFA_Node* GetThisNode() { return m_pThisNode; }
CXFA_Node* GetScriptNode() { return m_pScriptNode; }
diff --git a/xfa/fxjse/class.cpp b/xfa/fxjse/class.cpp
index dcc3703..d49bafb 100644
--- a/xfa/fxjse/class.cpp
+++ b/xfa/fxjse/class.cpp
@@ -9,7 +9,6 @@
#include "xfa/fxjse/cfxjse_arguments.h"
#include "xfa/fxjse/context.h"
#include "xfa/fxjse/scope_inline.h"
-#include "xfa/fxjse/util_inline.h"
#include "xfa/fxjse/value.h"
static void FXJSE_V8ConstructorCallback_Wrapper(
diff --git a/xfa/fxjse/context.cpp b/xfa/fxjse/context.cpp
index 333b2ab..49d0b44 100644
--- a/xfa/fxjse/context.cpp
+++ b/xfa/fxjse/context.cpp
@@ -8,9 +8,48 @@
#include "xfa/fxjse/class.h"
#include "xfa/fxjse/scope_inline.h"
-#include "xfa/fxjse/util_inline.h"
#include "xfa/fxjse/value.h"
+v8::Local<v8::Object> FXJSE_GetGlobalObjectFromContext(
+ const v8::Local<v8::Context>& hContext) {
+ return hContext->Global()->GetPrototype().As<v8::Object>();
+}
+
+void FXJSE_UpdateObjectBinding(v8::Local<v8::Object>& hObject,
+ void* lpNewBinding) {
+ ASSERT(!hObject.IsEmpty());
+ ASSERT(hObject->InternalFieldCount() > 0);
+ hObject->SetAlignedPointerInInternalField(0, lpNewBinding);
+}
+
+void* FXJSE_RetrieveObjectBinding(const v8::Local<v8::Object>& hJSObject,
+ CFXJSE_Class* lpClass) {
+ ASSERT(!hJSObject.IsEmpty());
+ if (!hJSObject->IsObject()) {
+ return NULL;
+ }
+ v8::Local<v8::Object> hObject = hJSObject;
+ if (hObject->InternalFieldCount() == 0) {
+ v8::Local<v8::Value> hProtoObject = hObject->GetPrototype();
+ if (hProtoObject.IsEmpty() || !hProtoObject->IsObject()) {
+ return NULL;
+ }
+ hObject = hProtoObject.As<v8::Object>();
+ if (hObject->InternalFieldCount() == 0) {
+ return NULL;
+ }
+ }
+ if (lpClass) {
+ v8::Local<v8::FunctionTemplate> hClass =
+ v8::Local<v8::FunctionTemplate>::New(
+ lpClass->GetContext()->GetRuntime(), lpClass->GetTemplate());
+ if (!hClass->HasInstance(hObject)) {
+ return NULL;
+ }
+ }
+ return hObject->GetAlignedPointerFromInternalField(0);
+}
+
CFXJSE_Context* FXJSE_Context_Create(
v8::Isolate* pIsolate,
const FXJSE_CLASS_DESCRIPTOR* lpGlobalClass,
diff --git a/xfa/fxjse/context.h b/xfa/fxjse/context.h
index 96b93fa..79e5e0a 100644
--- a/xfa/fxjse/context.h
+++ b/xfa/fxjse/context.h
@@ -50,4 +50,13 @@
v8::Local<v8::Object> FXJSE_CreateReturnValue(v8::Isolate* pIsolate,
v8::TryCatch& trycatch);
+v8::Local<v8::Object> FXJSE_GetGlobalObjectFromContext(
+ const v8::Local<v8::Context>& hContext);
+
+void FXJSE_UpdateObjectBinding(v8::Local<v8::Object>& hObject,
+ void* lpNewBinding = nullptr);
+
+void* FXJSE_RetrieveObjectBinding(const v8::Local<v8::Object>& hJSObject,
+ CFXJSE_Class* lpClass = nullptr);
+
#endif // XFA_FXJSE_CONTEXT_H_
diff --git a/xfa/fxjse/include/fxjse.h b/xfa/fxjse/include/fxjse.h
index d2d0bd9..e278935 100644
--- a/xfa/fxjse/include/fxjse.h
+++ b/xfa/fxjse/include/fxjse.h
@@ -72,8 +72,8 @@
CFXJSE_Context* FXJSE_Context_Create(
v8::Isolate* pIsolate,
- const FXJSE_CLASS_DESCRIPTOR* lpGlobalClass = nullptr,
- void* lpGlobalObject = nullptr);
+ const FXJSE_CLASS_DESCRIPTOR* lpGlobalClass,
+ void* lpGlobalObject);
void FXJSE_Context_Release(CFXJSE_Context* pContext);
CFXJSE_Value* FXJSE_Context_GetGlobalObject(CFXJSE_Context* pContext);
diff --git a/xfa/fxjse/util_inline.h b/xfa/fxjse/util_inline.h
deleted file mode 100644
index e61dc6a..0000000
--- a/xfa/fxjse/util_inline.h
+++ /dev/null
@@ -1,51 +0,0 @@
-// Copyright 2014 PDFium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com
-
-#ifndef XFA_FXJSE_UTIL_INLINE_H_
-#define XFA_FXJSE_UTIL_INLINE_H_
-
-#include "xfa/fxjse/context.h"
-
-static V8_INLINE v8::Local<v8::Object> FXJSE_GetGlobalObjectFromContext(
- const v8::Local<v8::Context>& hContext) {
- return hContext->Global()->GetPrototype().As<v8::Object>();
-}
-static V8_INLINE void FXJSE_UpdateObjectBinding(v8::Local<v8::Object>& hObject,
- void* lpNewBinding) {
- ASSERT(!hObject.IsEmpty());
- ASSERT(hObject->InternalFieldCount() > 0);
- hObject->SetAlignedPointerInInternalField(0, lpNewBinding);
-}
-static V8_INLINE void* FXJSE_RetrieveObjectBinding(
- const v8::Local<v8::Object>& hJSObject,
- CFXJSE_Class* lpClass = NULL) {
- ASSERT(!hJSObject.IsEmpty());
- if (!hJSObject->IsObject()) {
- return NULL;
- }
- v8::Local<v8::Object> hObject = hJSObject;
- if (hObject->InternalFieldCount() == 0) {
- v8::Local<v8::Value> hProtoObject = hObject->GetPrototype();
- if (hProtoObject.IsEmpty() || !hProtoObject->IsObject()) {
- return NULL;
- }
- hObject = hProtoObject.As<v8::Object>();
- if (hObject->InternalFieldCount() == 0) {
- return NULL;
- }
- }
- if (lpClass) {
- v8::Local<v8::FunctionTemplate> hClass =
- v8::Local<v8::FunctionTemplate>::New(
- lpClass->GetContext()->GetRuntime(), lpClass->GetTemplate());
- if (!hClass->HasInstance(hObject)) {
- return NULL;
- }
- }
- return hObject->GetAlignedPointerFromInternalField(0);
-}
-
-#endif // XFA_FXJSE_UTIL_INLINE_H_
diff --git a/xfa/fxjse/value.cpp b/xfa/fxjse/value.cpp
index e7a3463..ecd88b0 100644
--- a/xfa/fxjse/value.cpp
+++ b/xfa/fxjse/value.cpp
@@ -9,7 +9,7 @@
#include <math.h>
#include "xfa/fxjse/class.h"
-#include "xfa/fxjse/util_inline.h"
+#include "xfa/fxjse/context.h"
FX_BOOL FXJSE_Value_IsUndefined(CFXJSE_Value* pValue) {
return pValue && pValue->IsUndefined();
