WebKit Bugzilla
Attachment 343836 Details for Bug 187152: ASSERT(m_dictionaryStack.size() == 1) assertion hit in ~KeyedDecoderCF() when decoding fails
Patch: bug-187152-20180628125703.patch (text/plain), 2.95 KB, created by Chris Dumez on 2018-06-28 12:56:39 PDT
Description: Patch
Filename: bug-187152-20180628125703.patch
MIME Type: text/plain
Creator: Chris Dumez
Created: 2018-06-28 12:56:39 PDT
Size: 2.95 KB
Flags: patch, obsolete
>Subversion Revision: 233311 >diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog >index 469e7ea40c4f551e2ac82695b8448077495476b8..0881177b273513958c60a76789515dd0238e4824 100644 >--- a/Source/WebCore/ChangeLog >+++ b/Source/WebCore/ChangeLog >@@ -1,3 +1,29 @@ >+2018-06-28 Chris Dumez <cdumez@apple.com> >+ >+ ASSERT(m_dictionaryStack.size() == 1) assertion hit in ~KeyedDecoderCF() when decoding fails >+ https://bugs.webkit.org/show_bug.cgi?id=187152 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ Whenever a call to KeyedDecoderCF::beginArrayElement() succeeds (returns true), it >+ appends an item to m_dictionaryStack which is expected to get popped later on via >+ a matching call to KeyedDecoderCF::endArrayElement(). The ASSERT(m_dictionaryStack.size() == 1) >+ assertion in the destructor protects against a begin / end mismatch. >+ >+ However, there was a bug in KeyedDecoder::decodeObjects(), which would cause us to return early >+ after a call to beginArrayElement() when the lambda function call returns false, causing us >+ not to call the matching endArrayElement() in this case. This patch addresses the issue by >+ calling endArrayElement() before returning early. >+ >+ This bug was uncovered by r233309 which slightly changed the ITP encoding / decoding format. >+ Because empty HashCountedSets are now expected to be encoded as empty array, decoding of old >+ data fails and we hit the buggy code path. >+ >+ * platform/KeyedCoding.h: >+ (WebCore::KeyedDecoder::decodeObjects): >+ * platform/cf/KeyedDecoderCF.cpp: >+ (WebCore::KeyedDecoderCF::~KeyedDecoderCF): >+ > 2018-06-28 Aditya Keerthi <akeerthi@apple.com> > > REGRESSION (r232040): Cursor jumping in Safari text fields >diff --git a/Source/WebCore/platform/KeyedCoding.h b/Source/WebCore/platform/KeyedCoding.h >index 918401aa4dd3622e08f4e193077139f27c00251d..5e9e959325f8857ca2a4caf02d63cc98ad9f0552 100644 >--- a/Source/WebCore/platform/KeyedCoding.h >+++ b/Source/WebCore/platform/KeyedCoding.h 
>@@ -115,6 +115,7 @@ public: > typename ContainerType::ValueType element; > if (!function(*this, element)) { > result = false; >+ endArrayElement(); > break; > } > objects.append(WTFMove(element)); >diff --git a/Source/WebCore/platform/cf/KeyedDecoderCF.cpp b/Source/WebCore/platform/cf/KeyedDecoderCF.cpp >index 0569031e514f790a18a99294017e32ee08c40491..cd689601e86108dd7b656b53574aa28fda63787b 100644 >--- a/Source/WebCore/platform/cf/KeyedDecoderCF.cpp >+++ b/Source/WebCore/platform/cf/KeyedDecoderCF.cpp >@@ -50,6 +50,7 @@ KeyedDecoderCF::KeyedDecoderCF(const uint8_t* data, size_t size) > > KeyedDecoderCF::~KeyedDecoderCF() > { >+ WTFLogAlways("m_dictionaryStack size is %lu", m_dictionaryStack.size()); > ASSERT(m_dictionaryStack.size() == 1); > ASSERT(m_dictionaryStack.last() == m_rootDictionary); > ASSERT(m_arrayStack.isEmpty());
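Review bot: In the ChangeLog hunk, the entry lists WebCore::KeyedDecoderCF::~KeyedDecoderCF as a changed function, but the only change to that destructor in this patch is a WTFLogAlways() debugging line; once that line is dropped, the destructor entry should be dropped with it. The entry also describes the failure path as returning early, while the KeyedCoding.h hunk shows a `break` out of the loop, and it says nothing about test coverage for the path it describes (the lambda returning false after a successful beginArrayElement()); either add a regression test that decodes data which fails mid-array, or add the usual "No new tests" line with the reason.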
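Review bot: In the KeyedCoding.h hunk, the added endArrayElement() only covers the failure branch, so the begin/end pairing now depends on two call sites (this one and the success path below the visible context) staying in sync. Consider making the end call unconditional right after the lambda so the pairing is visible in one place, e.g. `bool succeeded = function(*this, element); endArrayElement(); if (!succeeded) { result = false; break; }`, which keeps the visible behaviour and removes the duplicated call; the same reasoning applies to any other early exit between beginArrayElement() and endArrayElement() in decodeObjects().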
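Review bot: In the KeyedDecoderCF.cpp hunk, the `WTFLogAlways("m_dictionaryStack size is %lu", m_dictionaryStack.size());` line added to ~KeyedDecoderCF() is debugging output and should not land: WTFLogAlways prints in release builds as well, so every decoder destruction would log, and it adds nothing the ASSERT on the following line does not already express. If a diagnostic is wanted, put it under a logging channel instead. If it does stay, note that size() returns size_t, for which `%zu` is the portable format specifier rather than `%lu`.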
Attachments on bug 187152: 343836 | 343889 | 344329