[webkit-changes] [WebKit/WebKit] 82eeb0: Crash in NetworkManager::onGatheredNetworks() unde...
Chris Dumez
noreply at github.com
Wed Sep 11 04:09:48 PDT 2024
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 82eeb087cdbf9fcc12ed1d0134c325689c24f11d
https://github.com/WebKit/WebKit/commit/82eeb087cdbf9fcc12ed1d0134c325689c24f11d
Author: Chris Dumez <cdumez at apple.com>
Date: 2024-09-11 (Wed, 11 Sep 2024)
Changed paths:
M Source/WebKit/NetworkProcess/webrtc/NetworkRTCMonitor.cpp
Log Message:
-----------
Crash in NetworkManager::onGatheredNetworks() under std::sort
https://bugs.webkit.org/show_bug.cgi?id=279487
rdar://133707018
Reviewed by Youenn Fablet and Darin Adler.
The `compare` function passed to std::sort() needs to satisfy the strict weak ordering
rule:
- https://en.wikipedia.org/wiki/Weak_ordering#Strict_weak_orderings
```
Input:                  Test:   Result
a is equivalent to b:   a < b   false
a is equivalent to b    b < a   false
a is less than b        a < b   true
a is less than b        b < a   false
b is less than a        a < b   false
b is less than a        b < a   true
```
If the function doesn't satisfy this rule, the behavior is undefined and it can lead
to crashes.
The function we are passing to std::sort() is `sortNetworks()`. The first issue is that
it returns an `int` instead of a `bool`, which means that std::sort() will implicitly
convert the return value to a bool internally.
Then the implementation would rely on codePointCompare() internally which would return:
-1 if a < b, 0 if a == b, and 1 if a > b.
For both `a < b` and `b < a`, the result value (-1 and 1) would get implicitly converted
to `true` and thus the sortNetworks() did NOT obey the strict weak ordering rule.
* Source/WebKit/NetworkProcess/webrtc/NetworkRTCMonitor.cpp:
(WebKit::sortNetworks):
Canonical link: https://commits.webkit.org/283477@main
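The failure described in the log message, as an added example that is not part of the commit or of WebKit's code: a three-way `int` result used directly as a sort predicate, next to the `< 0` form, with a checker that tests the strict weak ordering axioms over a sample set. `threeWay`, `brokenLess`, `fixedLess`, `isStrictWeakOrdering` and the interface names are hypothetical; `std::string::compare` stands in for `codePointCompare()`.

```cpp
// Added example; all names are hypothetical stand-ins, not WebKit's code.
#include <algorithm>
#include <string>
#include <vector>

// Three-way compare in the style the log describes: negative, 0, or positive.
// (Assumption: std::string::compare stands in for codePointCompare.)
static int threeWay(const std::string& a, const std::string& b) { return a.compare(b); }

// "Before": the int is converted to bool, so both a<b and b<a come out true.
static bool brokenLess(const std::string& a, const std::string& b) { return threeWay(a, b); }

// "After": true only when a orders strictly before b.
static bool fixedLess(const std::string& a, const std::string& b) { return threeWay(a, b) < 0; }

// Exhaustively checks the strict weak ordering axioms over a sample set.
template <typename Comp>
bool isStrictWeakOrdering(const std::vector<std::string>& v, Comp comp)
{
    auto equiv = [&](const std::string& a, const std::string& b) { return !comp(a, b) && !comp(b, a); };
    for (const auto& a : v) {
        if (comp(a, a)) return false; // irreflexivity
        for (const auto& b : v) {
            if (comp(a, b) && comp(b, a)) return false; // asymmetry
            for (const auto& c : v) {
                if (comp(a, b) && comp(b, c) && !comp(a, c)) return false; // transitivity
                if (equiv(a, b) && equiv(b, c) && !equiv(a, c)) return false; // equivalence is transitive
            }
        }
    }
    return true;
}

// Constructed sample input: interface names, including a duplicate.
static const std::vector<std::string> kNames = { "lo0", "en0", "utun3", "en0", "awdl0" };

// Sorts with the fixed predicate only; std::sort with brokenLess is undefined behavior.
std::vector<std::string> sortedNames()
{
    auto v = kNames;
    std::sort(v.begin(), v.end(), fixedLess);
    return v;
}

int main()
{
    bool ok = !isStrictWeakOrdering(kNames, brokenLess) && isStrictWeakOrdering(kNames, fixedLess);
    return ok ? 0 : 1;
}
```

A checker like this can run in a debug build or unit test against any comparator before it is handed to std::sort().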