[webkit-reviews] review granted: [Bug 87417] (Unrepro) Crashes saving session state in WebBackForwardList : [Attachment 143897] Patch v4 - Hopefully last iteration - remove some unnecessary if (m_page) checks.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu May 24 14:53:52 PDT 2012 

Darin Adler <darin at apple.com> has granted Brady Eidson <beidson at apple.com>'s
request for review:
Bug 87417: (Unrepro) Crashes saving session state in WebBackForwardList
https://bugs.webkit.org/show_bug.cgi?id=87417

Attachment 143897: Patch v4 - Hopefully last iteration - remove some
unnecessary if (m_page) checks.
https://bugs.webkit.org/attachment.cgi?id=143897&action=review

------- Additional Comments from Darin Adler <darin at apple.com>
View in context: https://bugs.webkit.org/attachment.cgi?id=143897&action=review


I’m OK with this as is, but it might be worth putting together a patch that is
even more conservative and doesn’t change things that don’t need to change. We
were going to follow up with a patch that makes a bigger impact.

> Source/WebKit2/UIProcess/WebBackForwardList.cpp:102
> +    m_entries.insert(m_current, newItem);

Where’s the guarantee that m_current is <= m_entries.size()? Wasn’t that one of
the things we were worried about? I thought we were going to put a check for
that close to here to make us safer against logic mistakes.

> Source/WebKit2/UIProcess/WebBackForwardList.cpp:-150
> -    // Do range checks without doing math on index to avoid overflow.

I like that comment. Why remove it?

> Source/WebKit2/UIProcess/cf/WebBackForwardListCF.cpp:129
> +    uint32_t currentIndex = currentCFIndex == -1 ? NoCurrentItemIndex :
currentCFIndex;

This can chop off currentCFIndex, which might be a large number that won’t fit
in a uint32_t. Maybe better to do this after checking currentCFIndex against
the size?

> Source/WebKit2/UIProcess/cf/WebBackForwardListCF.cpp:187
> -    // Perform a sanity check: in case we're out of range, we reset.
> -    if (m_current != NoCurrentItemIndex && m_current >= newEntries.size())
> -	   m_current = NoCurrentItemIndex;
> +
> +    ASSERT(m_current == NoCurrentItemIndex || m_current < m_entries.size());


I agree with this change, but perhaps it can be left to later. Not sure it
helps prevent the bug.

More information about the webkit-reviews mailing list