[webkit-changes] [WebKit/WebKit] 30946a: Use-after-free in `ResourceUsageOverlay::initializ...

Daniel Liu noreply at github.com
Wed Dec 18 19:03:26 PST 2024


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 30946aa4c66c2de8b5768cfe680ca23b01207efd
      https://github.com/WebKit/WebKit/commit/30946aa4c66c2de8b5768cfe680ca23b01207efd
  Author: Charlie Wolfe <charliew at apple.com>
  Date:   2024-12-18 (Wed, 18 Dec 2024)

  Changed paths:
    M Source/WebCore/page/Page.cpp
    M Source/WebCore/page/Page.h
    M Source/WebCore/page/ResourceUsageOverlay.cpp
    M Source/WebCore/page/ResourceUsageOverlay.h

  Log Message:
  -----------
  Use-after-free in `ResourceUsageOverlay::initialize()`
https://bugs.webkit.org/show_bug.cgi?id=282350
rdar://138880313

Reviewed by David Kilzer and Chris Dumez.

The ResourceUsageOverlay constructor uses callOnMainThread to call ResourceUsageOverlay::initialize(),
so the page owning ResourceUsageOverlay may be destroyed when the lambda executes. ResourceUsageOverlay
should hold a WeakPtr to m_page.

ResourceUsageOverlay also needs to be made ref counted to avoid a UAF on `this` in the lambda.

* Source/WebCore/page/Page.cpp:
(WebCore::Page::setResourceUsageOverlayVisible):
* Source/WebCore/page/Page.h:
* Source/WebCore/page/ResourceUsageOverlay.cpp:
(WebCore::ResourceUsageOverlay::create):
(WebCore::ResourceUsageOverlay::ResourceUsageOverlay):
(WebCore::ResourceUsageOverlay::~ResourceUsageOverlay):
(WebCore::ResourceUsageOverlay::initialize):
(WebCore::ResourceUsageOverlay::mouseEvent):
* Source/WebCore/page/ResourceUsageOverlay.h:

Originally-landed-as: 283286.393 at safari-7620-branch (7af554d1d875). rdar://141317969
Canonical link: https://commits.webkit.org/288061@main
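The commit above describes a lifetime bug that is common to any "post work to run later" API: the constructor queues a task that captures `this` and a raw page pointer, and nothing guarantees either object still exists when the task runs. The following is an added example, not WebKit code, that reproduces the pattern with standard-library stand-ins: `std::shared_ptr` in place of WebKit's ref counting, `std::weak_ptr` in place of `WTF::WeakPtr`, and a hand-rolled queue in place of `callOnMainThread`. The class names `Page` and `Overlay` and the counters on them are hypothetical and exist only so the scenarios can be observed.

```cpp
// Added example (not WebKit code): a deferred initialize() callback that must
// survive its owner being destroyed. The pre-fix pattern captured `this` and a
// raw page pointer, so if the queued task ran after the page (or the overlay)
// was freed, it dereferenced dead memory. The fixed pattern below keeps the
// overlay alive for the task via a strong reference and checks a weak
// reference to the page before touching it.
#include <cassert>
#include <functional>
#include <memory>
#include <utility>
#include <vector>

// Stand-in for callOnMainThread: work is queued now and run by drainMainThreadQueue().
static std::vector<std::function<void()>>& mainThreadQueue() {
    static std::vector<std::function<void()>> queue;
    return queue;
}
static void callOnMainThreadLater(std::function<void()> task) {
    mainThreadQueue().push_back(std::move(task));
}
static void drainMainThreadQueue() {
    auto queue = std::move(mainThreadQueue());
    mainThreadQueue().clear();
    for (auto& task : queue)
        task();
}

// Hypothetical Page with a counter so a caller can observe whether initialize() ran.
struct Page {
    int overlayInitializations = 0;
};

// Hypothetical overlay: ref-counted (shared_ptr) and holding only a weak reference to its page.
class Overlay {
public:
    static std::shared_ptr<Overlay> create(std::weak_ptr<Page> page) {
        auto overlay = std::shared_ptr<Overlay>(new Overlay(std::move(page)));
        // Capture a strong reference so `this` outlives the queued task; the page
        // is reached only through the weak pointer stored in the overlay.
        callOnMainThreadLater([strongThis = overlay] { strongThis->initialize(); });
        return overlay;
    }
    bool initialized() const { return m_initialized; }
    bool initializeSkipped() const { return m_skipped; }

private:
    explicit Overlay(std::weak_ptr<Page> page) : m_page(std::move(page)) {}

    void initialize() {
        auto page = m_page.lock(); // null if the page has already been destroyed
        if (!page) {
            m_skipped = true;      // bail out instead of dereferencing freed memory
            return;
        }
        page->overlayInitializations++;
        m_initialized = true;
    }

    std::weak_ptr<Page> m_page;
    bool m_initialized = false;
    bool m_skipped = false;
};

// Scenario 1: the page lives until the queued task runs, so initialize() proceeds.
int pageOutlivesTask() {
    auto page = std::make_shared<Page>();
    auto overlay = Overlay::create(page);
    drainMainThreadQueue();
    return page->overlayInitializations; // 1
}

// Scenario 2: the page is destroyed before the task runs. The task still holds the
// overlay alive, and the weak page pointer reports the page as gone.
bool pageDestroyedBeforeTask() {
    std::shared_ptr<Overlay> overlay;
    {
        auto page = std::make_shared<Page>();
        overlay = Overlay::create(page);
    } // page destroyed here; the queued task still owns a strong ref to the overlay
    drainMainThreadQueue();
    return overlay->initializeSkipped() && !overlay->initialized();
}
```

The second scenario is the one the commit message describes: the owner is torn down between construction and the deferred call. With the weak reference the task observes the destruction and returns; with a raw pointer the same sequence would be a use-after-free that no check could detect after the fact.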


  Commit: 2d5e29d47324834c4c9dda041ecb5908e1dfef78
      https://github.com/WebKit/WebKit/commit/2d5e29d47324834c4c9dda041ecb5908e1dfef78
  Author: Daniel Liu <danlliu at umich.edu>
  Date:   2024-12-18 (Wed, 18 Dec 2024)

  Changed paths:
    A JSTests/stress/string-add-conversion-unused.js
    M Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp

  Log Message:
  -----------
  DFG ToString should only care about Other uses when it can be Other
https://bugs.webkit.org/show_bug.cgi?id=282661
rdar://138325184

Reviewed by Yusuke Suzuki.

DFG's ToString should only backpropagate a UseAsOther when the use
has the potential to be Other. Otherwise, we end up with a mismatch
in expected value formats.

* Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp:
(JSC::DFG::BackwardsPropagationPhase::propagate):

Originally-landed-as: 299278ffc3f1. rdar://141317664
Canonical link: https://commits.webkit.org/288062@main


  Commit: 03a094cce550fad6ac8d86e6df06dd04f7640668
      https://github.com/WebKit/WebKit/commit/03a094cce550fad6ac8d86e6df06dd04f7640668
  Author: Keith Miller <keith_miller at apple.com>
  Date:   2024-12-18 (Wed, 18 Dec 2024)

  Changed paths:
    M Source/WTF/wtf/LockAlgorithm.h

  Log Message:
  -----------
  LockAlgorithm::unlockFast is too fast
https://bugs.webkit.org/show_bug.cgi?id=282865
rdar://139548123

Reviewed by Yusuke Suzuki.

Right now it has relaxed ordering but that's not correct since it means writes to the critical section
could happen after the lock is unlocked. This could lead to arbitrary crashes or other general badness.

* Source/WTF/wtf/LockAlgorithm.h:
(WTF::LockAlgorithm::unlockFast):

Originally-landed-as: 4d456933d70e. rdar://141317597
Canonical link: https://commits.webkit.org/288063@main
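The point of the commit above is that an unlock with relaxed memory ordering lets stores made inside the critical section be reordered after the lock word is cleared, so the next holder can observe a half-updated critical section. The following is an added example, not WebKit's `LockAlgorithm`: a minimal test-and-set spinlock whose `unlockFast()` uses release ordering, with the relaxed store the commit removes shown in a comment. The `SharedState` struct and the worker loop are constructed for illustration and do not reproduce WebKit's lock-word layout or parking logic.

```cpp
// Added example (not WebKit code): why unlock must be a release store.
// lock() uses acquire ordering so reads inside the critical section cannot be
// hoisted above taking the lock; unlockFast() uses release ordering so writes
// inside the critical section cannot sink below handing the lock back.
#include <atomic>
#include <thread>
#include <vector>

class SpinLock {
public:
    void lock() {
        // Acquire: pairs with the release in unlockFast() of the previous holder.
        while (m_locked.exchange(true, std::memory_order_acquire)) {
            // spin
        }
    }
    void unlockFast() {
        // Release: every store made while holding the lock is visible before the
        // lock word reads as free. The defect being fixed was the equivalent of
        //     m_locked.store(false, std::memory_order_relaxed);
        // which makes no such promise.
        m_locked.store(false, std::memory_order_release);
    }

private:
    std::atomic<bool> m_locked{false};
};

// State that is only ever touched under the lock. Two plain (non-atomic) fields
// let a holder check that the previous holder's writes arrived together.
struct SharedState {
    SpinLock lock;
    long counter = 0;
    long shadow = 0; // invariant under the lock: shadow == counter
};

struct Result {
    long counter;    // total increments observed at the end
    bool consistent; // true if no holder ever saw counter != shadow
};

// `threads` workers each increment counter and shadow `perThread` times.
Result runWorkers(int threads, int perThread) {
    SharedState state;
    std::atomic<bool> consistent{true};
    std::vector<std::thread> workers;
    for (int t = 0; t < threads; ++t) {
        workers.emplace_back([&] {
            for (int i = 0; i < perThread; ++i) {
                state.lock.lock();
                // Check the invariant left by the previous holder, then update both fields.
                if (state.counter != state.shadow)
                    consistent = false;
                state.counter++;
                state.shadow = state.counter;
                state.lock.unlockFast();
            }
        });
    }
    for (auto& w : workers)
        w.join();
    return { state.counter, consistent.load() };
}
```

With the release store every worker sees `counter == shadow` and the final count is `threads * perThread`. The relaxed variant in the comment compiles and usually passes the same check on x86, whose hardware ordering is strong, which is exactly why this class of bug tends to surface only as the "arbitrary crashes" the commit message mentions on weaker-ordered targets.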


  Commit: 82abacffb221fb67c7e144a88090fe7fc9208f3a
      https://github.com/WebKit/WebKit/commit/82abacffb221fb67c7e144a88090fe7fc9208f3a
  Author: Daniel Liu <danlliu at umich.edu>
  Date:   2024-12-18 (Wed, 18 Dec 2024)

  Changed paths:
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

  Log Message:
  -----------
  Don't allocate DFG register after a slow path
https://bugs.webkit.org/show_bug.cgi?id=283063
rdar://139747120

Reviewed by Yusuke Suzuki.

Allocating a DFG register after a slow path means that if the slow path
is taken, we end up with an incorrect global state.

* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):

Originally-landed-as: ded4d02c0a93. rdar://141317386
Canonical link: https://commits.webkit.org/288064@main


Compare: https://github.com/WebKit/WebKit/compare/cf8519d4c467...82abacffb221
