Remove mutation foot-gun from CSSPrimitiveValue

Misuse of this method could easily cause memory leaks and UAFs. It wasn't actually doing anything in the one place it was called, so I removed it. I also fixed another FIXME about how unsigned/signed constructors are confusing. At least now we'll ASSERT if you got the wrong one. Review URL: https://codereview.chromium.org/209353004 git-svn-id: svn://svn.chromium.org/blink/trunk@170029 bbb929c8-8fbe-4397-9dbb-9b2b20218538

Remove mutation foot-gun from CSSPrimitiveValue
Misuse of this method could easily cause memory leaks and UAFs. It wasn't actually doing anything in the one place it was called, so I removed it. I also fixed another FIXME about how unsigned/signed constructors are confusing. At least now we'll ASSERT if you got the wrong one. Review URL: https://codereview.chromium.org/209353004 git-svn-id: svn://svn.chromium.org/blink/trunk@170029 bbb929c8-8fbe-4397-9dbb-9b2b20218538
bf7694ac · eseidel@chromium.org · 3dab5c1b · bf7694ac · bf7694ac · bf7694ac
Commit bf7694ac authored Mar 26, 2014 by eseidel@chromium.org
3 changed files
--- a/third_party/WebKit/Source/core/css/CSSParserValues.cpp
+++ b/third_party/WebKit/Source/core/css/CSSParserValues.cpp
@@ -87,14 +87,10 @@ PassRefPtrWillBeRawPtr<CSSValue> CSSParserValue::createCSSValue()
    if (id)
        return CSSPrimitiveValue::createIdentifier(id);
-    if (unit == CSSParserValue::Operator) {
+    if (unit == CSSParserValue::Operator)
-        RefPtrWillBeRawPtr<CSSPrimitiveValue> primitiveValue = CSSPrimitiveValue::createParserOperator(iValue);
+        return CSSPrimitiveValue::createParserOperator(iValue);
-        primitiveValue->setPrimitiveType(CSSPrimitiveValue::CSS_PARSER_OPERATOR);
+    if (unit == CSSParserValue::Function)
-        return primitiveValue;
-    }
-    if (unit == CSSParserValue::Function) {
        return CSSFunctionValue::create(function);
-    }
    if (unit == CSSParserValue::ValueList)
        return CSSValueList::createFromParserValueList(valueList);
    if (unit >= CSSParserValue::Q_EMS)
@@ -148,9 +144,9 @@ PassRefPtrWillBeRawPtr<CSSValue> CSSParserValue::createCSSValue()
    case CSSPrimitiveValue::CSS_DPCM:
    case CSSPrimitiveValue::CSS_PAIR:
    case CSSPrimitiveValue::CSS_UNICODE_RANGE:
-    case CSSPrimitiveValue::CSS_PARSER_OPERATOR:
    case CSSPrimitiveValue::CSS_PARSER_INTEGER:
    case CSSPrimitiveValue::CSS_PARSER_IDENTIFIER:
+    case CSSPrimitiveValue::CSS_PARSER_OPERATOR:
    case CSSPrimitiveValue::CSS_COUNTER_NAME:
    case CSSPrimitiveValue::CSS_SHAPE:
    case CSSPrimitiveValue::CSS_QUAD:

--- a/third_party/WebKit/Source/core/css/CSSPrimitiveValue.cpp
+++ b/third_party/WebKit/Source/core/css/CSSPrimitiveValue.cpp
@@ -268,9 +268,10 @@ CSSPrimitiveValue::CSSPrimitiveValue(CSSPropertyID propertyID)
    m_value.propertyID = propertyID;
 }
-CSSPrimitiveValue::CSSPrimitiveValue(int parserOperator)
+CSSPrimitiveValue::CSSPrimitiveValue(int parserOperator, UnitTypes type)
    : CSSValue(PrimitiveClass)
 {
+    ASSERT(type == CSS_PARSER_OPERATOR);
    m_primitiveUnitType = CSS_PARSER_OPERATOR;
    m_value.parserOperator = parserOperator;
 }
@@ -297,9 +298,10 @@ CSSPrimitiveValue::CSSPrimitiveValue(const LengthSize& lengthSize)
    init(lengthSize);
 }
-CSSPrimitiveValue::CSSPrimitiveValue(RGBA32 color)
+CSSPrimitiveValue::CSSPrimitiveValue(RGBA32 color, UnitTypes type)
    : CSSValue(PrimitiveClass)
 {
+    ASSERT(type == CSS_RGBCOLOR);
    m_primitiveUnitType = CSS_RGBCOLOR;
    m_value.rgbcolor = color;
 }

--- a/third_party/WebKit/Source/core/css/CSSPrimitiveValue.h
+++ b/third_party/WebKit/Source/core/css/CSSPrimitiveValue.h
@@ -65,6 +65,10 @@ template<> inline float roundForImpreciseConversion(double value)
    return static_cast<float>(value);
 }
+// CSSPrimitiveValues are immutable. This class has manual ref-counting
+// of unioned types and does not have the code necessary
+// to handle any kind of mutations. All DOM-exposed "setters" just throw
+// exceptions.
 class CSSPrimitiveValue : public CSSValue {
 public:
    enum UnitTypes {
@@ -209,11 +213,11 @@ public:
    }
    static PassRefPtrWillBeRawPtr<CSSPrimitiveValue> createParserOperator(int parserOperator)
    {
-        return adoptRefWillBeRefCountedGarbageCollected(new CSSPrimitiveValue(parserOperator));
+        return adoptRefWillBeRefCountedGarbageCollected(new CSSPrimitiveValue(parserOperator, CSS_PARSER_OPERATOR));
    }
    static PassRefPtrWillBeRawPtr<CSSPrimitiveValue> createColor(unsigned rgbValue)
    {
-        return adoptRefWillBeRefCountedGarbageCollected(new CSSPrimitiveValue(rgbValue));
+        return adoptRefWillBeRefCountedGarbageCollected(new CSSPrimitiveValue(rgbValue, CSS_RGBCOLOR));
    }
    static PassRefPtrWillBeRawPtr<CSSPrimitiveValue> create(double value, UnitTypes type)
    {
@@ -284,9 +288,6 @@ public:
    // Converts to a Length, mapping various unit types appropriately.
    template<int> Length convertToLength(const CSSToLengthConversionData&);
-    // use with care!!!
-    void setPrimitiveType(unsigned short type) { m_primitiveUnitType = type; }
    double getDoubleValue(unsigned short unitType, ExceptionState&) const;
    double getDoubleValue(unsigned short unitType) const;
    double getDoubleValue() const;
@@ -349,9 +350,9 @@ public:
 private:
    CSSPrimitiveValue(CSSValueID);
    CSSPrimitiveValue(CSSPropertyID);
-    // FIXME: int vs. unsigned overloading is too subtle to distinguish the color and operator cases.
+    // int vs. unsigned is too subtle to distinguish types, so require a UnitType.
-    CSSPrimitiveValue(int parserOperator);
+    CSSPrimitiveValue(int parserOperator, UnitTypes);
-    CSSPrimitiveValue(unsigned color); // RGB value
+    CSSPrimitiveValue(unsigned color, UnitTypes); // RGB value
    CSSPrimitiveValue(const Length& length)
        : CSSValue(PrimitiveClass)
    {