37973 2010-04-21 23:25:57 -0700 REGRESSION(58040): TextIterator may use freed memory 2010-04-22 21:51:57 -0700 1 1 1 Unclassified WebKit HTML Editing 528+ (Nightly build) All All RESOLVED FIXED P2 Normal --- 1 hamaji webkit-unassigned yuzo oldest_to_newest 215718 0 hamaji 2010-04-21 23:25:57 -0700 http://trac.webkit.org/changeset/58040 modified TextIterator::emitText and it uses RenderText::textWithoutTranscoding which may return String with refcnt==1 . TextIterator::emitText doesn't increment the refcnt of the returned String so the String created by textWithoutTranscoding() will be freed when emitString() finishes. This means we will touch the freed buffer. The test I added in r58040 happened to work for most platforms except chromium-win-debug (maybe because the iterator uses the freed buffer soon after the buffer is freed). My apologies for this bug. 215719 1 54028 hamaji 2010-04-21 23:28:32 -0700 Created attachment 54028 Patch v1 215721 2 hamaji 2010-04-21 23:29:33 -0700 *** Bug 37907 has been marked as a duplicate of this bug. *** 216038 3 54028 darin 2010-04-22 12:56:05 -0700 Comment on attachment 54028 Patch v1 WebCore/editing/TextIterator.h:130 + // Prevent m_textCharacters from being freed. + String m_text; I think this comment is not as clear as it could be, but I don't have any specific suggestions for improving it. 216273 4 hamaji 2010-04-22 21:51:57 -0700 Committed r58149: <http://trac.webkit.org/changeset/58149> 54028 2010-04-21 23:28:32 -0700 2010-04-22 12:56:05 -0700 Patch v1 bug-37973-20100421232830.patch text/plain 3742 hamaji ZGlmZiAtLWdpdCBhL0xheW91dFRlc3RzL0NoYW5nZUxvZyBiL0xheW91dFRlc3RzL0NoYW5nZUxv ZwppbmRleCAxY2VmNDMxLi45ODdhZGIxIDEwMDY0NAotLS0gYS9MYXlvdXRUZXN0cy9DaGFuZ2VM b2cKKysrIGIvTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCkBAIC0xLDMgKzEsMTIgQEAKKzIwMTAtMDQt MjEgIFNoaW5pY2hpcm8gSGFtYWppICA8aGFtYWppQGNocm9taXVtLm9yZz4KKworICAgICAgICBS ZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBSRUdSRVNTSU9OOiBUZXh0SXRl cmF0b3IgbWF5IHVzZSBmcmVlZCBtZW1vcnkKKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5v cmcvc2hvd19idWcuY2dpP2lkPTM3OTczCisKKyAgICAgICAgKiBwbGF0Zm9ybS9jaHJvbWl1bS90 ZXN0X2V4cGVjdGF0aW9ucy50eHQ6CisKIDIwMTAtMDQtMjEgIE1PUklUQSBIYWppbWUgIDxtb3Jy aXRhQGdvb2dsZS5jb20+CiAKICAgICAgICAgUmV2aWV3ZWQgYnkgU2hpbmljaGlybyBIYW1hamku CmRpZmYgLS1naXQgYS9MYXlvdXRUZXN0cy9wbGF0Zm9ybS9jaHJvbWl1bS90ZXN0X2V4cGVjdGF0 aW9ucy50eHQgYi9MYXlvdXRUZXN0cy9wbGF0Zm9ybS9jaHJvbWl1bS90ZXN0X2V4cGVjdGF0aW9u cy50eHQKaW5kZXggYWM2NWUyZi4uMGQyNGI3MSAxMDA2NDQKLS0tIGEvTGF5b3V0VGVzdHMvcGxh dGZvcm0vY2hyb21pdW0vdGVzdF9leHBlY3RhdGlvbnMudHh0CisrKyBiL0xheW91dFRlc3RzL3Bs YXRmb3JtL2Nocm9taXVtL3Rlc3RfZXhwZWN0YXRpb25zLnR4dApAQCAtMjc1MCw5ICsyNzUwLDYg QEAgQlVHSkFNRVNSIDogc3ZnL2ZpbHRlcnMvZmlsdGVyLXNvdXJjZS1wb3NpdGlvbi5zdmcgPSBJ TUFHRQogQlVHSkFNRVNSIFdJTiBMSU5VWCA6IHN2Zy9XM0MtU1ZHLTEuMS9hbmltYXRlLWVsZW0t NDEtdC5zdmcgPSBJTUFHRStURVhUCiBCVUdKQU1FU1IgQlVHMzAwNDggQlVHMjk3MzcgOiBzdmcv ZmlsdGVycy9zaGFkb3ctb24tcmVjdC13aXRoLWZpbHRlci5zdmcgPSBJTUFHRQogCi0vLyBCcm9r ZSBhdCByNTc5NDAKLUJVR1dLMzc5MDcgV0lOIDogZWRpdGluZy9wYXN0ZWJvYXJkL2NvcHktYmFj a3NsYXNoLXdpdGgtZXVjLmh0bWwgPSBGQUlMCi0KIC8vIE5ldyBsYXlvdXRUZXN0Q29udHJvbGxl ciBmdW5jdGlvbiBhZGRlZCBhdCByNTc5ODYKIEJVR0pBTUVTUiA6IGZhc3QvbGlzdHMvb2wtbmVz dGVkLWl0ZW1zLWR5bmFtaWMtaW5zZXJ0Lmh0bWwgPSBURVhUCiBCVUdKQU1FU1IgOiBmYXN0L2xp c3RzL29sLW5lc3RlZC1pdGVtcy1keW5hbWljLXJlbW92ZS5odG1sID0gVEVYVApkaWZmIC0tZ2l0 IGEvV2ViQ29yZS9DaGFuZ2VMb2cgYi9XZWJDb3JlL0NoYW5nZUxvZwppbmRleCA2NDRkZTdiLi41 N2EyNWI5IDEwMDY0NAotLS0gYS9XZWJDb3JlL0NoYW5nZUxvZworKysgYi9XZWJDb3JlL0NoYW5n ZUxvZwpAQCAtMSwzICsxLDE2IEBACisyMDEwLTA0LTIxICBTaGluaWNoaXJvIEhhbWFqaSAgPGhh bWFqaUBjaHJvbWl1bS5vcmc+CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISku CisKKyAgICAgICAgUkVHUkVTU0lPTjogVGV4dEl0ZXJhdG9yIG1heSB1c2UgZnJlZWQgbWVtb3J5 CisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0zNzk3Mwor CisgICAgICAgIEFkZGVkIFRleHRJdGVyYXRvcjo6bV90ZXh0IHRvIGhvbGQgdGhlIHJldHVybmVk IFN0cmluZy4KKworICAgICAgICAqIGVkaXRpbmcvVGV4dEl0ZXJhdG9yLmNwcDoKKyAgICAgICAg KFdlYkNvcmU6OlRleHRJdGVyYXRvcjo6ZW1pdFRleHQpOgorICAgICAgICAqIGVkaXRpbmcvVGV4 dEl0ZXJhdG9yLmg6CisKIDIwMTAtMDQtMjEgIFJheSBSaXNjaHBhdGVyICA8UmF5bW9uZC5SaXNj aHBhdGVyQE5va2lhLmNvbT4KIAogICAgICAgICBJbiBIVE1MSW5wdXRFbGVtZW50LmNwcCB0aGVy ZSBhcmUgbnVtZXJvdXMgc3R5bGUKZGlmZiAtLWdpdCBhL1dlYkNvcmUvZWRpdGluZy9UZXh0SXRl cmF0b3IuY3BwIGIvV2ViQ29yZS9lZGl0aW5nL1RleHRJdGVyYXRvci5jcHAKaW5kZXggZTM4MTQ1 MS4uYjQ0N2UwMiAxMDA2NDQKLS0tIGEvV2ViQ29yZS9lZGl0aW5nL1RleHRJdGVyYXRvci5jcHAK KysrIGIvV2ViQ29yZS9lZGl0aW5nL1RleHRJdGVyYXRvci5jcHAKQEAgLTg5MSwxNiArODkxLDE2 IEBAIHZvaWQgVGV4dEl0ZXJhdG9yOjplbWl0Q2hhcmFjdGVyKFVDaGFyIGMsIE5vZGUqIHRleHRO b2RlLCBOb2RlKiBvZmZzZXRCYXNlTm9kZSwKIHZvaWQgVGV4dEl0ZXJhdG9yOjplbWl0VGV4dChO b2RlKiB0ZXh0Tm9kZSwgaW50IHRleHRTdGFydE9mZnNldCwgaW50IHRleHRFbmRPZmZzZXQpCiB7 CiAgICAgUmVuZGVyVGV4dCogcmVuZGVyZXIgPSB0b1JlbmRlclRleHQobV9ub2RlLT5yZW5kZXJl cigpKTsKLSAgICBTdHJpbmcgc3RyID0gbV9lbWl0c1RleHRXaXRob3V0VHJhbnNjb2RpbmcgPyBy ZW5kZXJlci0+dGV4dFdpdGhvdXRUcmFuc2NvZGluZygpIDogcmVuZGVyZXItPnRleHQoKTsKLSAg ICBBU1NFUlQoc3RyLmNoYXJhY3RlcnMoKSk7CisgICAgbV90ZXh0ID0gbV9lbWl0c1RleHRXaXRo b3V0VHJhbnNjb2RpbmcgPyByZW5kZXJlci0+dGV4dFdpdGhvdXRUcmFuc2NvZGluZygpIDogcmVu ZGVyZXItPnRleHQoKTsKKyAgICBBU1NFUlQobV90ZXh0LmNoYXJhY3RlcnMoKSk7CiAKICAgICBt X3Bvc2l0aW9uTm9kZSA9IHRleHROb2RlOwogICAgIG1fcG9zaXRpb25PZmZzZXRCYXNlTm9kZSA9 IDA7CiAgICAgbV9wb3NpdGlvblN0YXJ0T2Zmc2V0ID0gdGV4dFN0YXJ0T2Zmc2V0OwogICAgIG1f cG9zaXRpb25FbmRPZmZzZXQgPSB0ZXh0RW5kT2Zmc2V0OwotICAgIG1fdGV4dENoYXJhY3RlcnMg PSBzdHIuY2hhcmFjdGVycygpICsgdGV4dFN0YXJ0T2Zmc2V0OworICAgIG1fdGV4dENoYXJhY3Rl cnMgPSBtX3RleHQuY2hhcmFjdGVycygpICsgdGV4dFN0YXJ0T2Zmc2V0OwogICAgIG1fdGV4dExl bmd0aCA9IHRleHRFbmRPZmZzZXQgLSB0ZXh0U3RhcnRPZmZzZXQ7Ci0gICAgbV9sYXN0Q2hhcmFj dGVyID0gc3RyW3RleHRFbmRPZmZzZXQgLSAxXTsKKyAgICBtX2xhc3RDaGFyYWN0ZXIgPSBtX3Rl eHRbdGV4dEVuZE9mZnNldCAtIDFdOwogCiAgICAgbV9sYXN0VGV4dE5vZGVFbmRlZFdpdGhDb2xs YXBzZWRTcGFjZSA9IGZhbHNlOwogICAgIG1faGFzRW1pdHRlZCA9IHRydWU7CmRpZmYgLS1naXQg YS9XZWJDb3JlL2VkaXRpbmcvVGV4dEl0ZXJhdG9yLmggYi9XZWJDb3JlL2VkaXRpbmcvVGV4dEl0 ZXJhdG9yLmgKaW5kZXggYTNiZTgzZC4uOGI0NzFmMSAxMDA2NDQKLS0tIGEvV2ViQ29yZS9lZGl0 aW5nL1RleHRJdGVyYXRvci5oCisrKyBiL1dlYkNvcmUvZWRpdGluZy9UZXh0SXRlcmF0b3IuaApA QCAtMTI3LDcgKzEyNyw5IEBAIHByaXZhdGU6CiAgICAgbXV0YWJsZSBpbnQgbV9wb3NpdGlvbkVu ZE9mZnNldDsKICAgICBjb25zdCBVQ2hhciogbV90ZXh0Q2hhcmFjdGVyczsKICAgICBpbnQgbV90 ZXh0TGVuZ3RoOwotICAgIAorICAgIC8vIFByZXZlbnQgbV90ZXh0Q2hhcmFjdGVycyBmcm9tIGJl aW5nIGZyZWVkLgorICAgIFN0cmluZyBtX3RleHQ7CisKICAgICAvLyBVc2VkIHdoZW4gdGhlcmUg aXMgc3RpbGwgc29tZSBwZW5kaW5nIHRleHQgZnJvbSB0aGUgY3VycmVudCBub2RlOyB3aGVuIHRo ZXNlCiAgICAgLy8gYXJlIGZhbHNlIGFuZCAwLCB3ZSBnbyBiYWNrIHRvIG5vcm1hbCBpdGVyYXRp bmcuCiAgICAgYm9vbCBtX25lZWRzQW5vdGhlck5ld2xpbmU7Cg==