authorBen Murdoch <benm@google.com>2010-10-22 13:02:20 +0100
committerBen Murdoch <benm@google.com>2010-10-26 15:21:41 +0100
commita94275402997c11dd2e778633dacf4b7e630a35d (patch)
treee66f56c67e3b01f22c9c23cd932271ee9ac558ed /WebCore/bindings/js/SerializedScriptValue.cpp
parent09e26c78506587b3f5d930d7bc72a23287ffbec0 (diff)
Merge WebKit at r70209: Initial merge by Git
Change-Id: Id23a68efa36e9d1126bcce0b137872db00892c8e
Diffstat (limited to 'WebCore/bindings/js/SerializedScriptValue.cpp')
-rw-r--r--WebCore/bindings/js/SerializedScriptValue.cpp61
1 files changed, 46 insertions, 15 deletions
diff --git a/WebCore/bindings/js/SerializedScriptValue.cpp b/WebCore/bindings/js/SerializedScriptValue.cpp
index 8ccaf9c..c9ad0e6 100644
--- a/WebCore/bindings/js/SerializedScriptValue.cpp
+++ b/WebCore/bindings/js/SerializedScriptValue.cpp
@@ -781,6 +781,25 @@ private:
JSValue m_jsString;
};
+ struct CachedStringRef {
+ CachedStringRef()
+ : m_base(0)
+ , m_index(0)
+ {
+ }
+ CachedStringRef(Vector<CachedString>* base, size_t index)
+ : m_base(base)
+ , m_index(index)
+ {
+ }
+
+ CachedString* operator->() { ASSERT(m_base); return &m_base->at(m_index); }
+
+ private:
+ Vector<CachedString>* m_base;
+ size_t m_index;
+ };
+
CloneDeserializer(ExecState* exec, JSGlobalObject* globalObject, const Vector<uint8_t>& buffer)
: CloneBase(exec)
, m_globalObject(globalObject)
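Review bot: CachedStringRef has no comment saying why callers now hold a (vector, index) pair instead of a `CachedString*`. The later hunks show m_constantPool being appended to inside readStringData, and readFile calls it three times in a row, so a raw pointer to an earlier entry can be left dangling when the Vector's storage grows. A comment above the struct such as `// Refers to a constant-pool entry by index; appending to the Vector may reallocate and invalidate element pointers.` would stop a later cleanup from reverting to pointers. Separately, `ASSERT(m_base)` in `operator->` compiles out in release builds, so a default-constructed ref is safe only because every visible caller checks readStringData's return value before dereferencing.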
@@ -819,7 +838,12 @@ private:
if (sizeof(T) == 1)
value = *ptr++;
else {
- value = *reinterpret_cast_ptr<const T*>(ptr);
+#if CPU(ARMV5_OR_LOWER)
+ // To protect misaligned memory access.
+ memcpy(&value, ptr, sizeof(T));
+#else
+ value = *reinterpret_cast<const T*>(ptr);
+#endif
ptr += sizeof(T);
}
return true;
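Review bot: The `#else` branch still dereferences `reinterpret_cast<const T*>(ptr)` on a byte pointer into the serialized buffer, which is a potentially misaligned load on every CPU, not only ARMv5; other targets merely tolerate it. Calling `memcpy(&value, ptr, sizeof(T));` unconditionally would remove the `#if`, and compilers typically lower a fixed-size memcpy to a plain load. The `UChar` cast kept in the `#else` branch of the next hunk makes the same alignment assumption. The enclosing function starts outside this hunk, so the bounds check on `ptr` is not visible here.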
@@ -907,7 +931,14 @@ private:
return false;
#if ASSUME_LITTLE_ENDIAN
- str = UString(reinterpret_cast_ptr<const UChar*>(ptr), length);
+#if CPU(ARMV5_OR_LOWER)
+ // To protect misaligned memory access.
+ Vector<UChar> alignedBuffer(length);
+ memcpy(alignedBuffer.data(), ptr, length * sizeof(UChar));
+ str = UString::adopt(alignedBuffer);
+#else
+ str = UString(reinterpret_cast<const UChar*>(ptr), length);
+#endif
ptr += length * sizeof(UChar);
#else
Vector<UChar> buffer;
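Review bot: In the ARMv5 branch both the `Vector<UChar> alignedBuffer(length)` allocation and the `memcpy` of `length * sizeof(UChar)` bytes are sized by a `length` that comes from the serialized buffer. The only guard is the check whose `return false;` is the first line of this hunk, and its condition lies outside the hunk. Please confirm that it compares against the bytes remaining without letting the multiplication wrap, for example by dividing the remaining byte count by `sizeof(UChar)` and comparing that with `length`. A short comment on the memcpy stating that it relies on that check would make the dependency explicit.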
@@ -922,13 +953,13 @@ private:
return true;
}
- bool readStringData(CachedString*& cachedString)
+ bool readStringData(CachedStringRef& cachedString)
{
bool scratch;
return readStringData(cachedString, scratch);
}
- bool readStringData(CachedString*& cachedString, bool& wasTerminator)
+ bool readStringData(CachedStringRef& cachedString, bool& wasTerminator)
{
if (m_failed)
return false;
@@ -949,7 +980,7 @@ private:
fail();
return false;
}
- cachedString = &m_constantPool[index];
+ cachedString = CachedStringRef(&m_constantPool, index);
return true;
}
UString str;
@@ -958,7 +989,7 @@ private:
return false;
}
m_constantPool.append(str);
- cachedString = &m_constantPool.last();
+ cachedString = CachedStringRef(&m_constantPool, m_constantPool.size() - 1);
return true;
}
@@ -984,13 +1015,13 @@ private:
bool readFile(RefPtr<File>& file)
{
- CachedString* path = 0;
+ CachedStringRef path;
if (!readStringData(path))
return 0;
- CachedString* url = 0;
+ CachedStringRef url;
if (!readStringData(url))
return 0;
- CachedString* type = 0;
+ CachedStringRef type;
if (!readStringData(type))
return 0;
if (m_isDOMGlobalObject)
@@ -1080,10 +1111,10 @@ private:
return toJS(m_exec, static_cast<JSDOMGlobalObject*>(m_globalObject), result.get());
}
case BlobTag: {
- CachedString* url = 0;
+ CachedStringRef url;
if (!readStringData(url))
return JSValue();
- CachedString* type = 0;
+ CachedStringRef type;
if (!readStringData(type))
return JSValue();
unsigned long long size = 0;
@@ -1094,7 +1125,7 @@ private:
return toJS(m_exec, static_cast<JSDOMGlobalObject*>(m_globalObject), Blob::create(KURL(KURL(), url->ustring().impl()), String(type->ustring().impl()), size));
}
case StringTag: {
- CachedString* cachedString = 0;
+ CachedStringRef cachedString;
if (!readStringData(cachedString))
return JSValue();
return cachedString->jsString(m_exec);
@@ -1102,10 +1133,10 @@ private:
case EmptyStringTag:
return jsEmptyString(&m_exec->globalData());
case RegExpTag: {
- CachedString* pattern = 0;
+ CachedStringRef pattern;
if (!readStringData(pattern))
return JSValue();
- CachedString* flags = 0;
+ CachedStringRef flags;
if (!readStringData(flags))
return JSValue();
RefPtr<RegExp> regExp = RegExp::create(&m_exec->globalData(), pattern->ustring(), flags->ustring());
@@ -1211,7 +1242,7 @@ JSValue CloneDeserializer::deserialize()
tickCount = ticksUntilNextCheck();
}
- CachedString* cachedString = 0;
+ CachedStringRef cachedString;
bool wasTerminator = false;
if (!readStringData(cachedString, wasTerminator)) {
if (!wasTerminator)