284408 2024-12-10 14:30:53 -0800 OOB crash under WebKit::dataProviderGetBytesAtPositionCallback during off-main-thread incremental PDF loading 2025-01-31 17:14:49 -0800 1 1 1 Unclassified WebKit PDF WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 a_protyasha jbedard a_protyasha webkit-bug-importer oldest_to_newest 2080636 0 a_protyasha 2024-12-10 14:30:53 -0800 rdar://131110151 2080639 1 a_protyasha 2024-12-10 14:34:03 -0800 Representative crash: ``` Thread 4 Crashed:: Dispatch queue: LinearizedPagePreload 0 _platform_memmove + 96 1 void WTF::memcpySpan<unsigned char, 18446744073709551615ul, unsigned char const, 18446744073709551615ul>(std::__1::span<unsigned char, 18446744073709551615ul>, std::__1::span<unsigned char const, 18446744073709551615ul>) + 16 2 WebKit::PDFIncrementalLoader::dataProviderGetBytesAtPosition(std::__1::span<unsigned char, 18446744073709551615ul>, long long) + 52 3 WebKit::dataProviderGetBytesAtPositionCallback(void*, void*, long long, unsigned long) + 308 4 provider_get_bytes_at_position + 84 5 CGDataProviderDirectGetBytesAtPositionInternal + 308 ``` My current leading hypothesis is that the source buffer for the memcpy is nulled out before using it but after fetching it from the plugin. We should guard this work behind the data lock used for the buffer, too. 2080643 2 a_protyasha 2024-12-10 15:04:01 -0800 Pull request: https://github.com/apple/WebKit/pull/2388 2080767 3 ews-feeder 2024-12-11 00:01:45 -0800 Committed 283286.578@safari-7620-branch (de6e83ab1f4d): <https://commits.webkit.org/283286.578@safari-7620-branch> Reviewed commits have been landed. Closing PR #2388 and removing active labels. 2082036 4 jbedard 2024-12-16 07:59:08 -0800 <rdar://problem/141548517> 2082039 5 jbedard 2024-12-16 08:04:00 -0800 Re-opening for pull request https://github.com/apple/WebKit/pull/2406 2082056 6 ews-feeder 2024-12-16 09:15:32 -0800 Committed 283286.595@safari-7620-branch (0053acf9bc55): <https://commits.webkit.org/283286.595@safari-7620-branch> Reviewed commits have been landed. Closing PR #2406 and removing active labels. 2090494 7 jenner 2025-01-29 12:21:31 -0800 <rdar://problem/143592990> 2091131 8 ews-feeder 2025-01-31 17:14:49 -0800 Committed 289647@main (1c283c67a9c0): <https://commits.webkit.org/289647@main> Reviewed commits have been landed. Closing PR #39706 and removing active labels.