[webkit-changes] [WebKit/WebKit] 9c6472: REGRESSION(255600@main): [ iOS ] ASSERTION FAILED:...

Fri, 21 Oct 2022 10:11:55 -0700 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 9c64727f1f366960f1d56d31a68a190b8c03d85a
      
https://github.com/WebKit/WebKit/commit/9c64727f1f366960f1d56d31a68a190b8c03d85a
  Author: Aditya Keerthi <[email protected]>
  Date:   2022-10-21 (Fri, 21 Oct 2022)

  Changed paths:
    M Source/WebKit/Shared/WebFoundTextRange.cpp
    M Source/WebKit/Shared/WebFoundTextRange.h

  Log Message:
  -----------
  REGRESSION(255600@main): [ iOS ] ASSERTION FAILED: 
threadLikeAssertion.isCurrent() hit by 
TestWebKitAPI.WebKit.RequestRectForFoundTextRange every time
https://bugs.webkit.org/show_bug.cgi?id=246656
rdar://101266728

Reviewed by Darin Adler.

The deleted value of a `WebFoundTextRange` is currently constructed using copy
assignment. This is incorrect as the deleted value is intended to be written
into an uninitialized storage buffer. The use of copy assignment results in
the destruction of an uninitialized StringImpl, followed by an OOB write in
`StringImpl::deref()`.

Note that 255600@main is not the root cause of the issue. However, after
255600@main, the OOB write results in the address of the `completionHandler`
passed into `WebFoundTextRangeController::requestRectForFoundTextRange` being
modified. Consequently, `completionHandler.m_callThread.m_uid` is set to a
garbage value, and the assertion is hit as there is now a mismatch between the
calling thread and stored initialization thread.

To fix, use operator new to construct the deleted value. Additionally, use
`HashTableDeletedValue` when contructed the deleted AtomString for correctness.

* Source/WebKit/Shared/WebFoundTextRange.cpp:
(WebKit::WebFoundTextRange::operator== const):
(WebKit::WebFoundTextRange::decode):
* Source/WebKit/Shared/WebFoundTextRange.h:
(WTF::HashTraits<WebKit::WebFoundTextRange>::emptyValue):
(WTF::HashTraits<WebKit::WebFoundTextRange>::constructDeletedValue):
(WTF::HashTraits<WebKit::WebFoundTextRange>::isDeletedValue):
(WTF::HashTraits<WebKit::WebFoundTextRange>::deletedValue): Deleted.

Canonical link: https://commits.webkit.org/255832@main


_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to