[webkit-changes] [WebKit/WebKit] 63ba63: Cherry-pick 261547 at main (d55e642abe03). https://bu...
Chris Dumez
noreply at github.com
Thu Mar 16 01:39:43 PDT 2023
Branch: refs/heads/webkitglib/2.40
Home: https://github.com/WebKit/WebKit
Commit: 63ba63ebc94974182c56386c69f8f7d9f4dd0b34
https://github.com/WebKit/WebKit/commit/63ba63ebc94974182c56386c69f8f7d9f4dd0b34
Author: Chris Dumez <cdumez at apple.com>
Date: 2023-03-16 (Thu, 16 Mar 2023)
Changed paths:
M Source/WebKit/UIProcess/WebPageProxy.cpp
Log Message:
-----------
Cherry-pick 261547 at main (d55e642abe03). https://bugs.webkit.org/show_bug.cgi?id=253767
Crash under ProvisionalPageProxy::initializeWebPage()
https://bugs.webkit.org/show_bug.cgi?id=253767
rdar://106597341
Reviewed by David Kilzer.
receivedNavigationPolicyDecision() calls continueNavigationInNewProcess(), which
creates a new ProvisionalPageProxy. The ProvisionalPageProxy constructor calls
ProvisionalPageProxy::initializeWebPage(), which accesses m_page.pageClient()
and crashes with a null dereference.
receivedNavigationPolicyDecision() early returns if Page::isClosed() is true,
which should indicate that the pageClient couldn't have been null initially.
This means the pageClient must have been nulled out in between the isClosed()
check and the ProvisionalPageProxy::initializeWebPage() call. To protect
against this, I am adding a PageClientProtector to this code path, right after
the isClosed() check.
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::receivedNavigationPolicyDecision):
Canonical link: https://commits.webkit.org/261547@main
Commit: 352a0cdf56fb0b719eaf4e6682214b8d52155ca8
https://github.com/WebKit/WebKit/commit/352a0cdf56fb0b719eaf4e6682214b8d52155ca8
Author: Chris Dumez <cdumez at apple.com>
Date: 2023-03-16 (Thu, 16 Mar 2023)
Changed paths:
M Source/WebCore/css/CSSPrimitiveValue.cpp
Log Message:
-----------
Cherry-pick 261527 at main (fa8dddf7984e). https://bugs.webkit.org/show_bug.cgi?id=253720
Fix undefined behavior in valueFromPool(Span<LazyNeverDestroyed<CSSPrimitiveValue>>, double)
https://bugs.webkit.org/show_bug.cgi?id=253720
rdar://106522324
Reviewed by Darin Adler.
Fix undefined behavior in valueFromPool(). This appeared to be the cause of
the crashes we started seeing on production builds yesterday. Alexey P. found
the issue with a UBSan build.
* Source/WebCore/css/CSSPrimitiveValue.cpp:
(WebCore::valueFromPool):
Fix undefined behavior by casting the double to a signed integer instead of
casting it to an unsigned one. Casting a negative double to an unsigned
integer is UB.
* Source/WebCore/dom/StyledElement.cpp:
(WebCore::StyledElement::setInlineStyleProperty):
Revert temporary workaround I had landed in 261490 at main.
Canonical link: https://commits.webkit.org/261527@main
Compare: https://github.com/WebKit/WebKit/compare/4bdaccd3d57e...352a0cdf56fb
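An added example (not code from the WebKit commit) illustrating the point of the second fix: a double must be range-checked before it is converted, because converting a negative or out-of-range double to an integer type is undefined behavior, so the old unsigned cast could not be trusted as a cache check. The pool contents, `PoolLookup` and `poolIndexFor` are assumptions standing in for WebCore's pool of LazyNeverDestroyed<CSSPrimitiveValue>.

```cpp
#include <cstddef>
#include <limits>
#include <string>
#include <vector>

// Constructed stand-in for the pool of pre-allocated values.
static const std::vector<std::string> kPool = {"0px", "1px", "2px", "3px"};

struct PoolLookup {
    bool found;        // true when `index` names a valid pool slot
    std::size_t index; // only meaningful when found is true
};

// Maps `value` to a pool slot when it is an integer in [0, poolSize).
// The original defect was `static_cast<unsigned>(value)` on a negative
// double, which is undefined behavior ([conv.fpint]). A signed cast is
// only defined when the truncated value fits the target type, so every
// check happens in the double domain before any cast takes place.
PoolLookup poolIndexFor(double value, std::size_t poolSize)
{
    PoolLookup miss = {false, 0};
    if (!(value >= 0.0))          // rejects negatives and NaN (NaN compares false)
        return miss;
    // INT_MAX is exactly representable as a double, so this comparison is exact
    // and also rejects +infinity; anything below it truncates into int range.
    if (value >= static_cast<double>(std::numeric_limits<int>::max()))
        return miss;
    int truncated = static_cast<int>(value);          // well defined now
    if (static_cast<double>(truncated) != value)      // non-integral, e.g. 1.5
        return miss;
    std::size_t index = static_cast<std::size_t>(truncated);
    if (index >= poolSize)                             // beyond the pool
        return miss;
    PoolLookup hit = {true, index};
    return hit;
}

// Returns the pooled string, or "" when the caller must allocate a fresh value.
std::string valueFromSamplePool(double value)
{
    PoolLookup lookup = poolIndexFor(value, kPool.size());
    return lookup.found ? kPool[lookup.index] : std::string();
}
```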