Revert "Fix potential use-after-free of V8TrackArrayBuffer (fixes issue #3074)"

This reverts commit 64a1612b70.
Marshall Greenblatt 2021-03-22 19:44:42 -04:00
parent 288366c96d
commit 96404f1fd9
1 changed files with 6 additions and 22 deletions


@ -322,8 +322,7 @@ class V8TrackArrayBuffer : public CefTrackNode {
CefRefPtr<CefV8ArrayBufferReleaseCallback> release_callback)
: isolate_(isolate),
buffer_(buffer),
release_callback_(release_callback),
weak_ptr_factory_(this) {
release_callback_(release_callback) {
DCHECK(isolate_);
isolate_->AdjustAmountOfExternalAllocatedMemory(
static_cast<int>(sizeof(V8TrackArrayBuffer)));
@ -366,16 +365,10 @@ class V8TrackArrayBuffer : public CefTrackNode {
return nullptr;
}
base::WeakPtr<V8TrackArrayBuffer> GetWeakPtr() const {
return weak_ptr_factory_.GetWeakPtr();
}
private:
v8::Isolate* isolate_;
void* buffer_;
CefRefPtr<CefV8ArrayBufferReleaseCallback> release_callback_;
base::WeakPtrFactory<V8TrackArrayBuffer> weak_ptr_factory_;
};
// Object wrapped in a v8::External and passed as the Data argument to
@ -1423,24 +1416,15 @@ CefRefPtr<CefV8Value> CefV8Value::CreateArrayBuffer(
V8TrackArrayBuffer* tracker =
new V8TrackArrayBuffer(isolate, buffer, release_callback);
struct WeakPtrWrapper {
WeakPtrWrapper(V8TrackArrayBuffer* tracker) {
weak_ptr_ = tracker->GetWeakPtr();
}
base::WeakPtr<V8TrackArrayBuffer> weak_ptr_;
};
auto deleter = [](void* data, size_t length, void* deleter_data) {
auto* wrapper = reinterpret_cast<WeakPtrWrapper*>(deleter_data);
if (wrapper) {
if (wrapper->weak_ptr_)
wrapper->weak_ptr_->ReleaseBuffer();
delete wrapper;
auto* tracker = reinterpret_cast<V8TrackArrayBuffer*>(deleter_data);
if (tracker) {
tracker->ReleaseBuffer();
}
};
std::unique_ptr<v8::BackingStore> backing = v8::ArrayBuffer::NewBackingStore(
buffer, length, deleter, new WeakPtrWrapper(tracker));
std::unique_ptr<v8::BackingStore> backing =
v8::ArrayBuffer::NewBackingStore(buffer, length, deleter, tracker);
v8::Local<v8::ArrayBuffer> ab =
v8::ArrayBuffer::New(isolate, std::move(backing));
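Review bot: In CreateArrayBuffer the restored deleter casts `deleter_data` straight back to a raw `V8TrackArrayBuffer*` and calls `tracker->ReleaseBuffer()` behind only a null check, so it is safe only if the tracker is guaranteed to outlive the v8::BackingStore. Nothing in the visible lines enforces that, and this is the pattern the reverted commit described as a potential use-after-free (issue #3074). The commit message gives no reason for the revert, so it is unclear whether the lifetime concern is handled elsewhere or simply reopened. If the raw pointer stays, state the invariant at the lambda, e.g. `// |tracker| must remain alive until V8 runs this deleter; it is dereferenced without a liveness check.`, and record in the description why the WeakPtr guard was dropped. The function body starts and ends outside the hunk, so the tracker's ownership is not visible here.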