[webkit-changes] [WebKit/WebKit] cacc9a: Undefined behavior in HashSet<CSSSelector::PseudoC...

Chris Dumez noreply at github.com
Fri Jun 30 18:48:37 PDT 2023


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: cacc9a183c3e854c7478221014706a45dfcdbfe3
      https://github.com/WebKit/WebKit/commit/cacc9a183c3e854c7478221014706a45dfcdbfe3
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-06-30 (Fri, 30 Jun 2023)

  Changed paths:
    M Source/WebCore/css/CSSSelector.cpp
    M Source/WebCore/css/CSSSelector.h
    M Source/WebCore/css/SelectorChecker.cpp
    M Source/WebCore/css/SelectorChecker.h
    M Source/WebCore/css/SelectorCheckerTestFunctions.h
    M Source/WebCore/css/SelectorFilter.cpp
    M Source/WebCore/css/SelectorPseudoClassAndCompatibilityElementMap.in
    M Source/WebCore/css/makeSelectorPseudoClassAndCompatibilityElementMap.py
    M Source/WebCore/css/parser/CSSParserSelector.cpp
    M Source/WebCore/css/parser/CSSSelectorParser.cpp
    M Source/WebCore/cssjit/SelectorCompiler.cpp
    M Source/WebCore/dom/Document.cpp
    M Source/WebCore/dom/Element.cpp
    M Source/WebCore/dom/FullscreenManager.cpp
    M Source/WebCore/editing/FrameSelection.cpp
    M Source/WebCore/html/HTMLDialogElement.cpp
    M Source/WebCore/html/HTMLElement.cpp
    M Source/WebCore/html/HTMLFieldSetElement.cpp
    M Source/WebCore/html/HTMLFormControlElement.cpp
    M Source/WebCore/html/HTMLFormElement.cpp
    M Source/WebCore/html/HTMLInputElement.cpp
    M Source/WebCore/html/HTMLMediaElement.cpp
    M Source/WebCore/html/HTMLOptGroupElement.cpp
    M Source/WebCore/html/HTMLOptionElement.cpp
    M Source/WebCore/html/HTMLProgressElement.cpp
    M Source/WebCore/html/HTMLTextFormControlElement.cpp
    M Source/WebCore/html/InputType.cpp
    M Source/WebCore/html/ValidatedFormListedElement.cpp
    M Source/WebCore/inspector/agents/InspectorCSSAgent.cpp
    M Source/WebCore/page/EventHandler.cpp
    M Source/WebCore/page/InteractionRegion.cpp
    M Source/WebCore/style/ChildChangeInvalidation.cpp
    M Source/WebCore/style/HasSelectorFilter.cpp
    M Source/WebCore/style/RuleFeature.cpp
    M Source/WebCore/style/RuleSet.cpp
    M Source/WebCore/style/StyleResolver.cpp

  Log Message:
  -----------
  Undefined behavior in HashSet<CSSSelector::PseudoClassType>
https://bugs.webkit.org/show_bug.cgi?id=258755

Reviewed by Ryosuke Niwa.

Undefined behavior in HashSet<CSSSelector::PseudoClassType>:
```
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/local/include/wtf/RefPtr.h:75:82 in
/usr/local/include/wtf/HashTable.h:301:114: runtime error: load of value 4294967295, which is not a valid value for type 'const WebCore::CSSSelector::PseudoClassType'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/local/include/wtf/HashTable.h:301:114 in
/usr/local/include/wtf/HashFunctions.h:104:46: runtime error: load of value 4294967295, which is not a valid value for type 'WebCore::CSSSelector::PseudoClassType'
```

The issue is that CSSSelector is not a scoped enumeration but we use
`StrongEnumHashTraits<CSSSelector::PseudoClassType>` for HashSets (in
RuleFeature.h for example). This means we end up using
`std::underlying_type<CSSSelector::PseudoClassType>::max()` and
`std::underlying_type<CSSSelector::PseudoClassType>::max() -1` as special
HashMap values. Casting values outside the enum value range to an enumeration
that is not scoped is undefined behavior.

To address the issue, I am converting CSSSelector::PseudoClassType to a scoped
enumeration.

* Source/WebCore/css/CSSSelector.cpp:
(WebCore::simpleSelectorSpecificity):
(WebCore::appendPseudoClassFunctionTail):
(WebCore::CSSSelector::selectorText const):
(WebCore::CSSSelector::resolveNestingParentSelectors):
(WebCore::CSSSelector::replaceNestingParentByPseudoClassScope):
* Source/WebCore/css/CSSSelector.h:
(WebCore::pseudoClassIsRelativeToSiblings):
(WebCore::isTreeStructuralPseudoClass):
(WebCore::isLogicalCombinationPseudoClass):
(WebCore::CSSSelector::setPseudoClassType):
* Source/WebCore/css/SelectorChecker.cpp:
(WebCore::localContextForParent):
(WebCore::canMatchHoverOrActiveInQuirksMode):
(WebCore::SelectorChecker::checkOne const):
(WebCore::SelectorChecker::checkScrollbarPseudoClass const):
(WebCore::SelectorChecker::determineLinkMatchType):
* Source/WebCore/css/SelectorChecker.h:
(WebCore::SelectorChecker::isCommonPseudoClassSelector):
* Source/WebCore/css/SelectorCheckerTestFunctions.h:
(WebCore::matchesLegacyDirectFocusPseudoClass):
(WebCore::matchesFocusPseudoClass):
(WebCore::matchesFocusVisiblePseudoClass):
(WebCore::matchesFocusWithinPseudoClass):
* Source/WebCore/css/SelectorFilter.cpp:
(WebCore::SelectorFilter::collectSimpleSelectorHash):
* Source/WebCore/css/SelectorPseudoClassAndCompatibilityElementMap.in:
* Source/WebCore/css/makeSelectorPseudoClassAndCompatibilityElementMap.py:
(enumerablePseudoType):
* Source/WebCore/css/parser/CSSParserSelector.cpp:
(WebCore::CSSParserSelector::parsePseudoClassSelector):
(WebCore::CSSParserSelector::isHostPseudoSelector const):
* Source/WebCore/css/parser/CSSSelectorParser.cpp:
(WebCore::CSSSelectorParser::consumeRelativeScopeSelector):
(WebCore::isScrollbarPseudoClass):
(WebCore::isUserActionPseudoClass):
(WebCore::isPseudoClassValidAfterPseudoElement):
(WebCore::isOnlyPseudoClassFunction):
(WebCore::CSSSelectorParser::consumePseudo):
(WebCore::CSSSelectorParser::resolveNestingParent):
* Source/WebCore/cssjit/SelectorCompiler.cpp:
(WebCore::SelectorCompiler::addNthChildType):
(WebCore::SelectorCompiler::addPseudoClassType):
(WebCore::SelectorCompiler::pseudoClassOnlyMatchesLinksInQuirksMode):
(WebCore::SelectorCompiler::SelectorCodeGenerator::generateElementMatching):
(WebCore::SelectorCompiler::SelectorCodeGenerator::generateElementLinkMatching):
(WebCore::SelectorCompiler::JSC_DEFINE_JIT_OPERATION):
* Source/WebCore/dom/Document.cpp:
(WebCore::Document::setCSSTarget):
(WebCore::Document::updateHoverActiveState):
(WebCore::Document::setPictureInPictureElement):
* Source/WebCore/dom/Element.cpp:
(WebCore::Element::setActive):
(WebCore::Element::setFocus):
(WebCore::Element::setHasFocusWithin):
(WebCore::Element::setHovered):
(WebCore::Element::setBeingDragged):
(WebCore::Element::updateEffectiveLangStateAndPropagateToDescendants):
(WebCore::Node::setCustomElementState):
(WebCore::Element::setFullscreenFlag):
* Source/WebCore/dom/FullscreenManager.cpp:
(WebCore::FullscreenManager::setAnimatingFullscreen):
(WebCore::FullscreenManager::setFullscreenControlsHidden):
* Source/WebCore/editing/FrameSelection.cpp:
(WebCore::invalidateFocusedElementAndShadowIncludingAncestors):
* Source/WebCore/html/HTMLDialogElement.cpp:
(WebCore::HTMLDialogElement::setIsModal):
* Source/WebCore/html/HTMLElement.cpp:
(WebCore::HTMLElement::updateEffectiveDirectionality):
(WebCore::HTMLElement::showPopover):
(WebCore::HTMLElement::hidePopoverInternal):
(WebCore::HTMLElement::popoverAttributeChanged):
* Source/WebCore/html/HTMLFieldSetElement.cpp:
(WebCore::HTMLFieldSetElement::addInvalidDescendant):
(WebCore::HTMLFieldSetElement::removeInvalidDescendant):
* Source/WebCore/html/HTMLFormControlElement.cpp:
(WebCore::HTMLFormControlElement::attributeChanged):
* Source/WebCore/html/HTMLFormElement.cpp:
(WebCore::HTMLFormElement::addInvalidFormControl):
(WebCore::HTMLFormElement::removeInvalidFormControlIfNeeded):
* Source/WebCore/html/HTMLInputElement.cpp:
(WebCore::HTMLInputElement::updateType):
(WebCore::HTMLInputElement::setChecked):
(WebCore::HTMLInputElement::setIndeterminate):
(WebCore::HTMLInputElement::setAutoFilled):
(WebCore::HTMLInputElement::setAutoFilledAndViewable):
(WebCore::HTMLInputElement::setAutoFilledAndObscured):
* Source/WebCore/html/HTMLMediaElement.cpp:
(WebCore::HTMLMediaElement::setSeeking):
(WebCore::HTMLMediaElement::setPaused):
(WebCore::HTMLMediaElement::setMuted):
(WebCore::HTMLMediaElement::setVolumeLocked):
(WebCore::HTMLMediaElement::updateBufferingState):
(WebCore::HTMLMediaElement::updateStalledState):
* Source/WebCore/html/HTMLOptGroupElement.cpp:
(WebCore::HTMLOptGroupElement::attributeChanged):
* Source/WebCore/html/HTMLOptionElement.cpp:
(WebCore::HTMLOptionElement::attributeChanged):
(WebCore::HTMLOptionElement::setSelectedState):
* Source/WebCore/html/HTMLProgressElement.cpp:
(WebCore::HTMLProgressElement::updateDeterminateState):
* Source/WebCore/html/HTMLTextFormControlElement.cpp:
(WebCore::HTMLTextFormControlElement::updatePlaceholderVisibility):
* Source/WebCore/html/InputType.cpp:
(WebCore::InputType::setValue):
* Source/WebCore/html/ValidatedFormListedElement.cpp:
(WebCore::ValidatedFormListedElement::setDisabledInternal):
(WebCore::ValidatedFormListedElement::updateValidity):
(WebCore::ValidatedFormListedElement::parseReadOnlyAttribute):
(WebCore::ValidatedFormListedElement::setInteractedWithSinceLastFormSubmitEvent):
* Source/WebCore/inspector/agents/InspectorCSSAgent.cpp:
(WebCore::InspectorCSSAgent::forcePseudoState):
* Source/WebCore/page/EventHandler.cpp:
(WebCore::EventHandler::internalKeyEvent):
* Source/WebCore/page/InteractionRegion.cpp:
(WebCore::elementMatchesHoverRules):
* Source/WebCore/style/ChildChangeInvalidation.cpp:
(WebCore::Style::ChildChangeInvalidation::invalidateForChangedElement):
* Source/WebCore/style/HasSelectorFilter.cpp:
(WebCore::Style::HasSelectorFilter::makeKey):
* Source/WebCore/style/RuleFeature.cpp:
(WebCore::Style::computeSubSelectorMatchElement):
(WebCore::Style::RuleFeatureSet::recursivelyCollectFeaturesFromSelector):
(WebCore::Style::makePseudoClassInvalidationKey):
(WebCore::Style::RuleFeatureSet::collectFeatures):
* Source/WebCore/style/RuleSet.cpp:
(WebCore::Style::isHostSelectorMatchingInShadowTree):
(WebCore::Style::RuleSet::addRule):
* Source/WebCore/style/StyleResolver.cpp:
(WebCore::Style::Resolver::styleForElement):

Canonical link: https://commits.webkit.org/265679@main
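Added example (not part of the commit or of WebKit's code) showing why the sentinel scheme the message describes is only well-defined for a scoped enumeration: the `UnscopedPseudoClass`/`ScopedPseudoClass` enums, `SentinelValues`, `unfixedEnumMaxValue`, `sentinelRepresentable` and `CheckedStrongEnumHashTraits` are constructed stand-ins, not WTF's `StrongEnumHashTraits` or the real `PseudoClassType` enumerators.

```cpp
#include <cstdint>
#include <limits>
#include <type_traits>

// Constructed stand-ins for CSSSelector::PseudoClassType (real enumerators not reproduced).
enum UnscopedPseudoClass { Hover, Focus, Active, Checked };       // no fixed underlying type
enum class ScopedPseudoClass { Hover, Focus, Active, Checked };  // fixed underlying type (int)

// Portable stand-in for C++23 std::is_scoped_enum: scoped enums do not convert implicitly.
template <typename E>
inline constexpr bool isScopedEnum =
    std::is_enum_v<E> && !std::is_convertible_v<E, std::underlying_type_t<E>>;

// Sentinels in the style the commit message describes: the empty and deleted bucket
// markers are max() and max()-1 of the enum's underlying type.
template <typename E>
struct SentinelValues {
    using U = std::underlying_type_t<E>;
    static constexpr U empty = std::numeric_limits<U>::max();
    static constexpr U deleted = std::numeric_limits<U>::max() - 1;
};

// An unscoped enum without a fixed underlying type can only hold [0, 2^k - 1], where k is
// the number of bits needed for its largest (non-negative) enumerator. Casting anything
// larger to the enum type is the undefined behavior UBSan reported.
constexpr std::uint64_t unfixedEnumMaxValue(std::uint64_t largestEnumerator)
{
    std::uint64_t bound = 1;
    while (bound - 1 < largestEnumerator)
        bound <<= 1;
    return bound - 1;
}

// Can enum type E hold the "empty" sentinel without UB?
template <typename E>
constexpr bool sentinelRepresentable(std::uint64_t largestEnumerator)
{
    if (isScopedEnum<E>)
        return true; // scoped enums always have a fixed underlying type: every U value is valid
    // (An unscoped enum declared with an explicit ": unsigned" would also be fine, but no
    // standard trait can detect a fixed underlying type, so treat unscoped as bit-field ranged.)
    return static_cast<std::uint64_t>(SentinelValues<E>::empty) <= unfixedEnumMaxValue(largestEnumerator);
}

// Hash traits that reject unscoped enums at compile time instead of producing UB at run time.
template <typename E>
struct CheckedStrongEnumHashTraits {
    static_assert(isScopedEnum<E>, "sentinel-based hash traits need a scoped enum (fixed underlying type)");
    static constexpr E emptyValue() { return static_cast<E>(SentinelValues<E>::empty); }
    static constexpr E deletedValue() { return static_cast<E>(SentinelValues<E>::deleted); }
};
```

With four enumerators the unscoped type can only hold 0..3, so the max()-based sentinel (4294967295 in the UBSan report) is out of range; the scoped version accepts every value of its underlying type, which is what the conversion in this commit buys.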