[webkit-changes] [WebKit/WebKit] 63ba63: Cherry-pick 261547 at main (d55e642abe03). https://bu...

Chris Dumez noreply at github.com
Thu Mar 16 01:39:43 PDT 2023


  Branch: refs/heads/webkitglib/2.40
  Home:   https://github.com/WebKit/WebKit
  Commit: 63ba63ebc94974182c56386c69f8f7d9f4dd0b34
      https://github.com/WebKit/WebKit/commit/63ba63ebc94974182c56386c69f8f7d9f4dd0b34
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-03-16 (Thu, 16 Mar 2023)

  Changed paths:
    M Source/WebKit/UIProcess/WebPageProxy.cpp

  Log Message:
  -----------
  Cherry-pick 261547 at main (d55e642abe03). https://bugs.webkit.org/show_bug.cgi?id=253767

    Crash under ProvisionalPageProxy::initializeWebPage()
    https://bugs.webkit.org/show_bug.cgi?id=253767
    rdar://106597341

    Reviewed by David Kilzer.

    receivedNavigationPolicyDecision() calls continueNavigationInNewProcess(), which
    creates a new ProvisionalPageProxy. The ProvisionalPageProxy constructor calls
    ProvisionalPageProxy::initializeWebPage(), which accesses m_page.pageClient()
    and crashes with a null dereference.

    receivedNavigationPolicyDecision() early returns if Page::isClosed() is true,
    which should indicate that the pageClient couldn't have been null initially.
    This means the pageClient must have been nulled out in between the isClosed()
    check and the ProvisionalPageProxy::initializeWebPage() call. To protect
    against this, I am adding a PageClientProtector to this code path, right after
    the isClosed() check.

    * Source/WebKit/UIProcess/WebPageProxy.cpp:
    (WebKit::WebPageProxy::receivedNavigationPolicyDecision):

    Canonical link: https://commits.webkit.org/261547@main


  Commit: 352a0cdf56fb0b719eaf4e6682214b8d52155ca8
      https://github.com/WebKit/WebKit/commit/352a0cdf56fb0b719eaf4e6682214b8d52155ca8
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-03-16 (Thu, 16 Mar 2023)

  Changed paths:
    M Source/WebCore/css/CSSPrimitiveValue.cpp

  Log Message:
  -----------
  Cherry-pick 261527 at main (fa8dddf7984e). https://bugs.webkit.org/show_bug.cgi?id=253720

    Fix undefined behavior in valueFromPool(Span<LazyNeverDestroyed<CSSPrimitiveValue>>, double)
    https://bugs.webkit.org/show_bug.cgi?id=253720
    rdar://106522324

    Reviewed by Darin Adler.

    Fix undefined behavior in valueFromPool(). This appeared to be the cause of
    the crashes we started seeing on production builds yesterday. Alexey P. found
    the issue with a UBSan build.

    * Source/WebCore/css/CSSPrimitiveValue.cpp:
    (WebCore::valueFromPool):
    Fix undefined behavior by casting the double to a signed integer instead of
    an unsigned one. Casting a negative double to an unsigned integer is UB.

    * Source/WebCore/dom/StyledElement.cpp:
    (WebCore::StyledElement::setInlineStyleProperty):
    Revert temporary workaround I had landed in 261490 at main.

    Canonical link: https://commits.webkit.org/261527@main
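
The conversion the second commit describes, as an added C++ sketch that is not WebKit's code: `kPool`, `valueFromPoolUnsafe` and `valueFromPoolSafe` are hypothetical names standing in for a small pool of pre-built values, with the defective unsigned cast shown beside a lookup that range-checks before narrowing.

```cpp
#include <cmath>
#include <cstddef>
#include <optional>
#include <string>
#include <vector>

// Constructed stand-in for a pool of pre-built values indexed by a small
// non-negative integer (hypothetical; not WebKit's CSSPrimitiveValue pool).
static const std::vector<std::string> kPool = {"0px", "1px", "2px", "3px", "4px"};

// BEFORE (the defect the commit describes): converting the double straight to
// an unsigned type. For a negative value such as -1.0 this conversion is
// undefined behaviour in C++, so the bounds check that follows cannot be
// relied upon. Kept here only for comparison; never call it with value < 0.
std::optional<std::string> valueFromPoolUnsafe(double value)
{
    auto index = static_cast<size_t>(value); // UB when value < 0 or too large
    if (index >= kPool.size())
        return std::nullopt;
    return kPool[index];
}

// AFTER: reject anything that cannot be a valid pool index *before* narrowing,
// then convert to a signed int, whose range the value is already known to fit.
std::optional<std::string> valueFromPoolSafe(double value)
{
    if (!std::isfinite(value))                          // NaN, +/-inf
        return std::nullopt;
    if (value < 0.0 || value >= static_cast<double>(kPool.size()))
        return std::nullopt;                            // negative or past the end
    if (value != std::floor(value))                     // 2.5 must not become 2
        return std::nullopt;
    int index = static_cast<int>(value);                // in range by construction
    return kPool[static_cast<size_t>(index)];
}
```

A UBSan build (`-fsanitize=float-cast-overflow`) flags the unsafe conversion at runtime, which is how the commit says the original issue was found.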


Compare: https://github.com/WebKit/WebKit/compare/4bdaccd3d57e...352a0cdf56fb