Harden ScriptWrappable against ref count bugs

BUG=358854 R=haraken@chromium.org,dcarney@chromium.org Review URL: https://codereview.chromium.org/220473013 git-svn-id: svn://svn.chromium.org/blink/trunk@170658 bbb929c8-8fbe-4397-9dbb-9b2b20218538

Harden ScriptWrappable against ref count bugs
BUG=358854 R=haraken@chromium.org,dcarney@chromium.org Review URL: https://codereview.chromium.org/220473013 git-svn-id: svn://svn.chromium.org/blink/trunk@170658 bbb929c8-8fbe-4397-9dbb-9b2b20218538
d8d1f6de · jochen@chromium.org · ce068664 · d8d1f6de
Commit d8d1f6de authored Apr 02, 2014 by jochen@chromium.org
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 0 deletions

third_party/WebKit/Source/bindings/v8/ScriptWrappable.h third_party/WebKit/Source/bindings/v8/ScriptWrappable.h +3 -0

No files found.
--- a/third_party/WebKit/Source/bindings/v8/ScriptWrappable.h
+++ b/third_party/WebKit/Source/bindings/v8/ScriptWrappable.h
@@ -146,6 +146,9 @@ public:
 protected:
    ~ScriptWrappable()
    {
+        // We must not get deleted as long as we contain a wrapper. If this happens, we screwed up ref
+        // counting somewhere. Crash here instead of crashing during a later gc cycle.
+        RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(!containsWrapper());
        ASSERT(m_wrapperOrTypeInfo);  // Assert initialization via init() even if not subsequently wrapped.
        m_wrapperOrTypeInfo = 0;      // Break UAF attempts to wrap.
    }