Title: [233521] trunk/Source/WebCore
- Revision: 233521
- Author: [email protected]
- Date: 2018-07-05 09:05:26 -0700 (Thu, 05 Jul 2018)
Log Message
ASSERT(m_dictionaryStack.size() == 1) assertion hit in ~KeyedDecoderCF() when decoding fails
https://bugs.webkit.org/show_bug.cgi?id=187152
Reviewed by Brent Fulgham.
Whenever a call to KeyedDecoderCF::beginArrayElement() succeeds (returns true), it
appends an item to m_dictionaryStack which is expected to get popped later on via
a matching call to KeyedDecoderCF::endArrayElement(). The ASSERT(m_dictionaryStack.size() == 1)
assertion in the destructor protects against a begin / end mismatch.
However, there was a bug in KeyedDecoder::decodeObjects(), which would cause us to return early
after a call to beginArrayElement() when the lambda function call returns false, causing us
not to call the matching endArrayElement() in this case. This patch addresses the issue by
calling endArrayElement() before returning early.
This bug was uncovered by r233309 which slightly changed the ITP encoding / decoding format.
Because empty HashCountedSets are now expected to be encoded as an empty array, decoding of old
data fails and we hit the buggy code path.
* platform/KeyedCoding.h:
(WebCore::KeyedDecoder::decodeObjects):
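As an added, constructed illustration of the begin/end mismatch the message describes (this is not WebCore's code): a toy decoder whose stack stands in for m_dictionaryStack is run once with the pre-fix loop shape and once with the fixed one, and the depth left behind is compared. ToyDecoder, ElementFn and depthAfterFailure are invented names.

```cpp
#include <cstddef>
#include <functional>
#include <string>
#include <vector>
// Toy decoder (constructed for this example, not WebCore's KeyedDecoderCF): each
// successful beginArrayElement() pushes onto a stack, like m_dictionaryStack.
struct ToyDecoder {
    std::vector<std::string> stack { "root" }; // depth 1 == balanced, as the ASSERT checks
    std::size_t arraySize;                     // constructed: number of array elements
    explicit ToyDecoder(std::size_t n) : arraySize(n) {}
    bool beginArrayElement(std::size_t i) {
        if (i >= arraySize) return false;      // no such element: nothing is pushed
        stack.push_back("element");
        return true;
    }
    void endArrayElement() { stack.pop_back(); }
};
using ElementFn = std::function<bool(ToyDecoder&, int&)>;

// Loop shape before the fix: a rejected element breaks out after
// beginArrayElement() without the matching endArrayElement().
bool decodeObjectsBuggy(ToyDecoder& d, const ElementFn& fn) {
    bool result = true;
    for (std::size_t i = 0; d.beginArrayElement(i); ++i) {
        int element = 0;
        if (!fn(d, element)) { result = false; break; }
        d.endArrayElement();
    }
    return result;
}

// Loop shape after the fix: endArrayElement() runs before the early break.
bool decodeObjectsFixed(ToyDecoder& d, const ElementFn& fn) {
    bool result = true;
    for (std::size_t i = 0; d.beginArrayElement(i); ++i) {
        int element = 0;
        if (!fn(d, element)) { result = false; d.endArrayElement(); break; }
        d.endArrayElement();
    }
    return result;
}
// Decodes a 3-element array whose lambda rejects the second element and returns
// the stack depth left behind: 1 means begin/end were balanced, 2 is the leak.
std::size_t depthAfterFailure(bool useFix) {
    ToyDecoder d(3);
    std::size_t seen = 0;
    ElementFn fn = [&](ToyDecoder&, int& e) { e = 1; return ++seen < 2; };
    if (useFix) decodeObjectsFixed(d, fn); else decodeObjectsBuggy(d, fn);
    return d.stack.size();
}
```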
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (233520 => 233521)
--- trunk/Source/WebCore/ChangeLog 2018-07-05 15:46:25 UTC (rev 233520)
+++ trunk/Source/WebCore/ChangeLog 2018-07-05 16:05:26 UTC (rev 233521)
@@ -1,3 +1,27 @@
+2018-07-05 Chris Dumez <[email protected]>
+
+ ASSERT(m_dictionaryStack.size() == 1) assertion hit in ~KeyedDecoderCF() when decoding fails
+ https://bugs.webkit.org/show_bug.cgi?id=187152
+
+ Reviewed by Brent Fulgham.
+
+ Whenever a call to KeyedDecoderCF::beginArrayElement() succeeds (returns true), it
+ appends an item to m_dictionaryStack which is expected to get popped later on via
+ a matching call to KeyedDecoderCF::endArrayElement(). The ASSERT(m_dictionaryStack.size() == 1)
+ assertion in the destructor protects against a begin / end mismatch.
+
+ However, there was a bug in KeyedDecoder::decodeObjects(), which would cause us to return early
+ after a call to beginArrayElement() when the lambda function call returns false, causing us
+ not to call the matching endArrayElement() in this case. This patch addresses the issue by
+ calling endArrayElement() before returning early.
+
+ This bug was uncovered by r233309 which slightly changed the ITP encoding / decoding format.
+ Because empty HashCountedSets are now expected to be encoded as empty array, decoding of old
+ data fails and we hit the buggy code path.
+
+ * platform/KeyedCoding.h:
+ (WebCore::KeyedDecoder::decodeObjects):
+
2018-07-05 Antti Koivisto <[email protected]>
Move CSSParserContext to a file of its own
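Review bot: The ChangeLog entry does not say how the fix is verified; WebKit ChangeLog entries normally name the covering test or state why none is added. Since the entry itself says the path is reached when decoding pre-r233309 ITP data, a test that decodes such rejected input and checks that the decoder is destroyed without tripping the ASSERT would document the scenario.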
Modified: trunk/Source/WebCore/platform/KeyedCoding.h (233520 => 233521)
--- trunk/Source/WebCore/platform/KeyedCoding.h 2018-07-05 15:46:25 UTC (rev 233520)
+++ trunk/Source/WebCore/platform/KeyedCoding.h 2018-07-05 16:05:26 UTC (rev 233521)
@@ -115,6 +115,7 @@
typename ContainerType::ValueType element;
if (!function(*this, element)) {
result = false;
+ endArrayElement();
break;
}
objects.append(WTFMove(element));
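Review bot: The added endArrayElement() restores the begin/end balance on the failing-lambda path, but the pairing is still maintained by hand with two call sites, so any further early exit added to this loop body would reintroduce the same ~KeyedDecoderCF() assertion. Consider scoping the element with an RAII guard whose destructor calls endArrayElement(), or giving the loop body a single exit, rather than duplicating the call. Also, after `result = false; break;` the `objects` container still holds the elements appended before the failure; if callers are expected to discard the output when the result is false, a comment to that effect would help.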
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes