Summary: | Nullptr crash in objc_msgSend under WebCore::genericFamily | ||||||||
---|---|---|---|---|---|---|---|---|---|
Product: | WebKit | Reporter: | Antti Koivisto <koivisto> | ||||||
Component: | Text | Assignee: | Nobody <webkit-unassigned> | ||||||
Status: | RESOLVED FIXED | ||||||||
Severity: | Normal | CC: | andersca, darin, ggaren, mmaxfield | ||||||
Priority: | P2 | Keywords: | InRadar | ||||||
Version: | WebKit Nightly Build | ||||||||
Hardware: | Unspecified | ||||||||
OS: | Unspecified | ||||||||
Attachments: |
|
Description
Antti Koivisto
2020-04-23 06:21:06 PDT
Created attachment 397335 [details]
patch
Comment on attachment 397335 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=397335&action=review > Source/WebCore/platform/graphics/cocoa/SystemFontDatabaseCoreText.cpp:253 > + auto value = adoptCF(CTFontDescriptorCopyAttribute(descriptor.get(), kCTFontFamilyNameAttribute)); Can use dynamic_cf_cast here. https://trac.webkit.org/browser/webkit/trunk/Source/WTF/wtf/cf/TypeCastsCF.h Comment on attachment 397335 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=397335&action=review >> Source/WebCore/platform/graphics/cocoa/SystemFontDatabaseCoreText.cpp:253 >> + auto value = adoptCF(CTFontDescriptorCopyAttribute(descriptor.get(), kCTFontFamilyNameAttribute)); > > Can use dynamic_cf_cast here. > > https://trac.webkit.org/browser/webkit/trunk/Source/WTF/wtf/cf/TypeCastsCF.h Or checked_cf_cast, since we know what the type is supposed to be (In reply to Darin Adler from comment #4) > Comment on attachment 397335 [details] > patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=397335&action=review > > >> Source/WebCore/platform/graphics/cocoa/SystemFontDatabaseCoreText.cpp:253 > >> + auto value = adoptCF(CTFontDescriptorCopyAttribute(descriptor.get(), kCTFontFamilyNameAttribute)); > > > > Can use dynamic_cf_cast here. > > > > https://trac.webkit.org/browser/webkit/trunk/Source/WTF/wtf/cf/TypeCastsCF.h > > Or checked_cf_cast, since we know what the type is supposed to be Wouldn't that just cause a different crash though? Comment on attachment 397335 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=397335&action=review >>>> Source/WebCore/platform/graphics/cocoa/SystemFontDatabaseCoreText.cpp:253 >>>> + auto value = adoptCF(CTFontDescriptorCopyAttribute(descriptor.get(), kCTFontFamilyNameAttribute)); >>> >>> Can use dynamic_cf_cast here. >>> >>> https://trac.webkit.org/browser/webkit/trunk/Source/WTF/wtf/cf/TypeCastsCF.h >> >> Or checked_cf_cast, since we know what the type is supposed to be > > Wouldn't that just cause a different crash though? I’m puzzled about which is correct; if it’s a programming error to have the wrong type, then checked_cf_cast seems with. If it’s not a programming mistake then dynamic_cf_cast is the right thing to use, but asserting is wrong. This patch does ASSERT_NOT_REACHED, so it’s like a third "half bad" case. Created attachment 397424 [details]
patch
(In reply to Darin Adler from comment #6) > Comment on attachment 397335 [details] > patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=397335&action=review > > >>>> Source/WebCore/platform/graphics/cocoa/SystemFontDatabaseCoreText.cpp:253 > >>>> + auto value = adoptCF(CTFontDescriptorCopyAttribute(descriptor.get(), kCTFontFamilyNameAttribute)); > >>> > >>> Can use dynamic_cf_cast here. > >>> > >>> https://trac.webkit.org/browser/webkit/trunk/Source/WTF/wtf/cf/TypeCastsCF.h > >> > >> Or checked_cf_cast, since we know what the type is supposed to be > > > > Wouldn't that just cause a different crash though? > > I’m puzzled about which is correct; if it’s a programming error to have the > wrong type, then checked_cf_cast seems with. If it’s not a programming > mistake then dynamic_cf_cast is the right thing to use, but asserting is > wrong. This patch does ASSERT_NOT_REACHED, so it’s like a third "half bad" > case. Good point, I missed the ASSERT_NOT_REACHED in the original patch. dynamic_cf_cast does have debug assert so it seems equivalent to my original patch: ASSERT_WITH_SECURITY_IMPLICATION(CFGetTypeID(object) == CFTypeTrait<T>::typeID()); if (CFGetTypeID(object) != CFTypeTrait<T>::typeID()) return nullptr; Comment on attachment 397424 [details]
patch
r=me
You could declare the lambda "[&]() -> String" to maintain the existing one-liner return. Not sure if we like being that fancy or not.
I had that when there were multiple returns but went back for simplicity. Committed r260646: <https://trac.webkit.org/changeset/260646> All reviewed patches have been landed. Closing bug and clearing flags on attachment 397424 [details]. (In reply to Antti Koivisto from comment #9) > dynamic_cf_cast does have debug assert so it seems equivalent to my > original patch: > > ASSERT_WITH_SECURITY_IMPLICATION(CFGetTypeID(object) == > CFTypeTrait<T>::typeID()); > if (CFGetTypeID(object) != CFTypeTrait<T>::typeID()) > return nullptr; Don’t get me started, though. dynamic_cf_cast is the wrong name for a function if it asserts, because dynamic_cast and dyanmic_objc_cast don’t! Agreed, I was just confused with the claim that I had invented some third way of doing things. |