Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 3b3138e0af6cec61d82db202ee80ec544d8e1189
https://github.com/WebKit/WebKit/commit/3b3138e0af6cec61d82db202ee80ec544d8e1189
Author: Chris Dumez <[email protected]>
Date: 2026-03-26 (Thu, 26 Mar 2026)
Changed paths:
M Source/WTF/wtf/BitVector.cpp
M Tools/TestWebKitAPI/CMakeLists.txt
M Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj
A Tools/TestWebKitAPI/Tests/WTF/BitVector.cpp
Log Message:
-----------
BitVector::mergeSlow reads out of bounds when `this` is larger than `other`
https://bugs.webkit.org/show_bug.cgi?id=310800
Reviewed by Ryosuke Niwa.
`mergeSlow` iterates using `a.size()` (`this->numWords()`) as the loop bound
but indexes into `b` (`other`'s word span), which may have fewer words.
This happens when `this` is already larger than `other` because
`ensureSize(other.size())` is a no-op in that case, leaving `a.size() >
b.size()`. The out-of-bounds read would hit an assertion in hardened
std::span.
Fix this by iterating up to `b.size()` instead. `std::min(a.size(),
b.size())` is not needed here because `ensureSize(other.size())` guarantees
`a.size() >= b.size()`, so `b.size()` is already the minimum.
Added an API test that merges a small out-of-line BitVector into a
larger one to exercise this code path.
Tests: Tools/TestWebKitAPI/Tests/WTF/BitVector.cpp
* Source/WTF/wtf/BitVector.cpp:
(WTF::BitVector::mergeSlow):
* Tools/TestWebKitAPI/CMakeLists.txt:
* Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
* Tools/TestWebKitAPI/Tests/WTF/BitVector.cpp: Added.
(TestWebKitAPI::TEST(WTF_BitVector, MergeLargerIntoSmaller)):
Canonical link: https://commits.webkit.org/310027@main
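The loop-bound mistake described in the commit message, modelled in a small stand-alone bit vector. This is an added illustration, not WebKit's `BitVector` code: `SimpleBitVector`, `mergeBuggy` and `mergeFixed` are hypothetical names, the word array is a `std::vector<uint64_t>` rather than WTF's out-of-line storage, and the buggy variant uses `std::vector::at()` so that the out-of-bounds read surfaces as an exception instead of undefined behaviour (WebKit's hardened `std::span` would assert instead).

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// Simplified model of an out-of-line bit vector: bits live in 64-bit words.
struct SimpleBitVector {
    std::vector<uint64_t> words;

    static size_t wordsFor(size_t bits) { return (bits + 63) / 64; }

    explicit SimpleBitVector(size_t bits = 0) : words(wordsFor(bits), 0) {}

    size_t numWords() const { return words.size(); }
    size_t size() const { return words.size() * 64; }

    void set(size_t bit) { words.at(bit / 64) |= (uint64_t(1) << (bit % 64)); }

    bool get(size_t bit) const {
        size_t w = bit / 64;
        return w < words.size() && ((words[w] >> (bit % 64)) & 1);
    }

    // Grow to hold at least `bits`; a no-op when already large enough.
    // That no-op is what leaves `this` with more words than `other`.
    void ensureSize(size_t bits) {
        if (wordsFor(bits) > words.size())
            words.resize(wordsFor(bits), 0);
    }
};

// Buggy shape: the loop bound comes from `self`, but the index is applied
// to `other`. When `self` already has more words, the read runs past the
// end of `other.words`; at() converts that into std::out_of_range here.
void mergeBuggy(SimpleBitVector& self, const SimpleBitVector& other) {
    self.ensureSize(other.size());
    for (size_t i = 0; i < self.numWords(); ++i)
        self.words.at(i) |= other.words.at(i);
}

// Fixed shape: bound the loop by the operand being read. After ensureSize,
// self.numWords() >= other.numWords(), so other.numWords() is the minimum
// and every index is valid for both vectors.
void mergeFixed(SimpleBitVector& self, const SimpleBitVector& other) {
    self.ensureSize(other.size());
    for (size_t i = 0; i < other.numWords(); ++i)
        self.words[i] |= other.words[i];
}

// Constructed scenario: a 256-bit (4-word) vector absorbs a 64-bit (1-word) one.
bool buggyMergeThrowsForLargerThis() {
    SimpleBitVector large(256);
    SimpleBitVector small(64);
    small.set(5);
    try {
        mergeBuggy(large, small);
    } catch (const std::out_of_range&) {
        return true;  // the out-of-bounds word read was caught
    }
    return false;
}

// Same scenario through the fixed merge: bits from both operands survive.
SimpleBitVector mergeSmallIntoLarge() {
    SimpleBitVector large(256);
    large.set(200);
    SimpleBitVector small(64);
    small.set(5);
    mergeFixed(large, small);
    return large;
}

int main() {
    SimpleBitVector merged = mergeSmallIntoLarge();
    return (buggyMergeThrowsForLargerThis() && merged.get(5) && merged.get(200)) ? 0 : 1;
}
```

The fixed loop is the same reasoning as the commit: `ensureSize` only ever grows `self`, so after it `other.numWords()` is already the smaller of the two word counts and no `std::min` is needed. A regression test that merges a small vector into a larger one, as the commit adds, is the check that catches the buggy shape.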