[webkit-changes] [WebKit/WebKit] 9c6472: REGRESSION(255600 at main): [ iOS ] ASSERTION FAILED:...

Aditya Keerthi noreply at github.com
Fri Oct 21 10:11:15 PDT 2022


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 9c64727f1f366960f1d56d31a68a190b8c03d85a
      https://github.com/WebKit/WebKit/commit/9c64727f1f366960f1d56d31a68a190b8c03d85a
  Author: Aditya Keerthi <akeerthi at apple.com>
  Date:   2022-10-21 (Fri, 21 Oct 2022)

  Changed paths:
    M Source/WebKit/Shared/WebFoundTextRange.cpp
    M Source/WebKit/Shared/WebFoundTextRange.h

  Log Message:
  -----------
  REGRESSION(255600 at main): [ iOS ] ASSERTION FAILED: threadLikeAssertion.isCurrent() hit by TestWebKitAPI.WebKit.RequestRectForFoundTextRange every time
https://bugs.webkit.org/show_bug.cgi?id=246656
rdar://101266728

Reviewed by Darin Adler.

The deleted value of a `WebFoundTextRange` is currently constructed using copy
assignment. This is incorrect as the deleted value is intended to be written
into an uninitialized storage buffer. The use of copy assignment results in
the destruction of an uninitialized StringImpl, followed by an OOB write in
`StringImpl::deref()`.

Note that 255600 at main is not the root cause of the issue. However, after
255600 at main, the OOB write results in the address of the `completionHandler`
passed into `WebFoundTextRangeController::requestRectForFoundTextRange` being
modified. Consequently, `completionHandler.m_callThread.m_uid` is set to a
garbage value, and the assertion is hit as there is now a mismatch between the
calling thread and stored initialization thread.

To fix, use operator new to construct the deleted value. Additionally, use
`HashTableDeletedValue` when constructing the deleted AtomString for correctness.

* Source/WebKit/Shared/WebFoundTextRange.cpp:
(WebKit::WebFoundTextRange::operator== const):
(WebKit::WebFoundTextRange::decode):
* Source/WebKit/Shared/WebFoundTextRange.h:
(WTF::HashTraits<WebKit::WebFoundTextRange>::emptyValue):
(WTF::HashTraits<WebKit::WebFoundTextRange>::constructDeletedValue):
(WTF::HashTraits<WebKit::WebFoundTextRange>::isDeletedValue):
(WTF::HashTraits<WebKit::WebFoundTextRange>::deletedValue): Deleted.

Canonical link: https://commits.webkit.org/255832@main
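To illustrate the mechanism described in the commit message, the following is an added example, not WebKit code: it uses stand-in types for StringImpl, AtomString and WebFoundTextRange (all names and fields hypothetical), constructs a hash-table deleted value in raw bucket memory once by copy assignment and once by placement new, and counts how many times the stale pointer left in the bucket gets deref'd.

```cpp
#include <cstdint>
#include <cstring>
#include <new>
#include <utility>
// Stand-in for WTF::StringImpl: records how often deref() ran on it.
struct FakeStringImpl { int refCount = 1; int derefCalls = 0; };
// Stand-in for WTF::AtomString: a ref-counting handle whose "deleted" state
// is a sentinel pointer (all bits set) that is never ref'd or deref'd.
struct FakeString {
    struct HashTableDeletedValueTag {};
    FakeStringImpl* m_impl = nullptr;
    FakeString() = default;
    FakeString(HashTableDeletedValueTag) : m_impl(deletedImpl()) {}
    FakeString(const FakeString& o) : m_impl(o.m_impl) { ref(m_impl); }
    FakeString& operator=(const FakeString& o) {
        FakeStringImpl* old = m_impl; // only meaningful if *this was constructed
        m_impl = o.m_impl; ref(m_impl); deref(old); return *this;
    }
    ~FakeString() { deref(m_impl); }
    bool isHashTableDeletedValue() const { return m_impl == deletedImpl(); }
    static FakeStringImpl* deletedImpl() { return reinterpret_cast<FakeStringImpl*>(~std::uintptr_t(0)); }
    static void ref(FakeStringImpl* p) { if (p && p != deletedImpl()) ++p->refCount; }
    static void deref(FakeStringImpl* p) { if (p && p != deletedImpl()) { --p->refCount; ++p->derefCalls; } }
};
// Stand-in for WebKit::WebFoundTextRange (field names are hypothetical).
struct FoundTextRange {
    FakeString frameIdentifier; unsigned location = 0; unsigned length = 0;
    bool isHashTableDeletedValue() const { return frameIdentifier.isHashTableDeletedValue(); }
};
// Pattern the commit removes: copy assignment into a never-constructed slot,
// so operator= derefs whatever bytes the slot happened to contain.
void constructDeletedValueByAssignment(FoundTextRange& slot) {
    FoundTextRange deleted;
    deleted.frameIdentifier = FakeString(FakeString::HashTableDeletedValueTag{});
    slot = deleted;
}
// Fixed pattern: begin the object's lifetime in place with placement new.
void constructDeletedValueInPlace(FoundTextRange& slot) {
    new (&slot) FoundTextRange{FakeString(FakeString::HashTableDeletedValueTag{}), 0, 0};
}
// Simulates a raw bucket whose leftover bytes hold a stale pointer (the address
// of `stale`). Returns {deref() calls on `stale`, slot reports deleted}:
// 0 derefs is correct; 1 means garbage was "released" as if it were a live string.
std::pair<int, bool> derefsOnStaleImpl(bool useFixedPattern) {
    FakeStringImpl stale; FakeStringImpl* leftover = &stale;
    alignas(FoundTextRange) unsigned char bucket[sizeof(FoundTextRange)];
    std::memcpy(bucket, &leftover, sizeof leftover);
    FoundTextRange& slot = *reinterpret_cast<FoundTextRange*>(bucket);
    if (useFixedPattern) constructDeletedValueInPlace(slot);
    else constructDeletedValueByAssignment(slot);
    return {stale.derefCalls, slot.isHashTableDeletedValue()};
}
```

Both variants leave the slot reporting "deleted", which is why the defect only shows up indirectly; in WebKit the stray deref lands in `StringImpl::deref()` on a garbage pointer, the OOB write the commit message describes.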
