[webkit-changes] [WebKit/WebKit] fa8ddd: Fix undefined behavior in valueFromPool(Span<LazyN...

Chris Dumez noreply at github.com
Fri Mar 10 13:21:42 PST 2023


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: fa8dddf7984e4d3f5035805df6dfb6e075287267
      https://github.com/WebKit/WebKit/commit/fa8dddf7984e4d3f5035805df6dfb6e075287267
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-03-10 (Fri, 10 Mar 2023)

  Changed paths:
    M Source/WebCore/css/CSSPrimitiveValue.cpp
    M Source/WebCore/dom/StyledElement.cpp

  Log Message:
  -----------
  Fix undefined behavior in valueFromPool(Span<LazyNeverDestroyed<CSSPrimitiveValue>>, double)
https://bugs.webkit.org/show_bug.cgi?id=253720
rdar://106522324

Reviewed by Darin Adler.

Fix undefined behavior in valueFromPool(). This appeared to be the cause of
the crashes we started seeing on production builds yesterday. Alexey P. found
the issue with a UBSan build.

* Source/WebCore/css/CSSPrimitiveValue.cpp:
(WebCore::valueFromPool):
Fix undefined behavior by casting the double to a signed integer before
casting it to an unsigned one. Casting a negative double to an unsigned
integer is UB.

* Source/WebCore/dom/StyledElement.cpp:
(WebCore::StyledElement::setInlineStyleProperty):
Revert temporary workaround I had landed in 261490 at main.

Canonical link: https://commits.webkit.org/261527@main
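As an added illustration, not code from WebKit or from this commit: the direct double-to-unsigned cast the message calls undefined, beside a conversion that goes through a signed integer first. The pool, its size and the function names are hypothetical, and the example also adds the range check that the signed truncation itself needs, since converting a double whose truncated value does not fit in int is undefined as well.

```cpp
#include <climits>
#include <cmath>
#include <cstddef>
#include <optional>

// Hypothetical stand-in for a value pool indexed by small non-negative integers.
constexpr std::size_t kPoolSize = 256;

// The pattern the commit message describes: a double converted straight to an
// unsigned type. This is undefined behavior whenever the value is negative (or
// too large), so it must only ever see inputs already known to be in range.
unsigned directUnsignedIndex(double value)
{
    return static_cast<unsigned>(value);
}

// Well-defined replacement: reject negatives and NaN, bound the value so the
// double -> int truncation is defined, convert to int, then widen to size_t.
std::optional<std::size_t> poolIndexFor(double value)
{
    // NaN compares false with everything, so it needs an explicit test.
    if (std::isnan(value) || value < 0.0)
        return std::nullopt;
    // INT_MAX + 1.0 is exactly representable; anything at or above it would not
    // survive the conversion to int.
    if (value >= static_cast<double>(INT_MAX) + 1.0)
        return std::nullopt;
    int integerValue = static_cast<int>(value); // defined: truncation toward zero
    // Only integral values (2.0, not 2.5) name a pool slot.
    if (static_cast<double>(integerValue) != value)
        return std::nullopt;
    // integerValue is non-negative here, so widening to size_t is exact.
    std::size_t index = static_cast<std::size_t>(integerValue);
    if (index >= kPoolSize)
        return std::nullopt;
    return index;
}
```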
