Bug 223581

Summary: Source/WebKit/UIProcess/Cocoa/WebViewImpl.mm:2681:9: runtime error: load of value nnn, which is not a valid value for type 'BOOL' (aka 'signed char')
Product: WebKit
Reporter: Chris Dumez <cdumez>
Component: WebKit2
Assignee: Chris Dumez <cdumez>
Status: RESOLVED FIXED
Severity: Normal
CC: darin, ggaren, kkinnunen, simon.fraser, thorton, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
See Also: https://bugs.webkit.org/show_bug.cgi?id=176131
Attachments:
Patch (flags: none)
Patch (flags: none)

Description Chris Dumez 2021-03-22 09:18:26 PDT
Fix bug found by UBSAN in WebViewImpl::pluginFocusOrWindowFocusChanged().
Comment 1 Chris Dumez 2021-03-22 09:22:35 PDT
Created attachment 423897 [details]
Patch
Comment 2 Chris Dumez 2021-03-22 10:03:49 PDT
Created attachment 423902 [details]
Patch
Comment 3 EWS 2021-03-22 13:15:10 PDT
Committed r274786: <https://commits.webkit.org/r274786>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 423902 [details].
Comment 4 Radar WebKit Bug Importer 2021-03-22 13:16:17 PDT
<rdar://problem/75705715>
Comment 5 Darin Adler 2021-03-22 15:23:34 PDT
Comment on attachment 423902 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=423902&action=review

> Source/WebKit/ChangeLog:10
> +        The code was implicitly casting a uint64_t identifier into a BOOL variable. The intention was
> +        to check whether the identifier is 0 or not. To silence the UBSAN error, we now use the bool
> +        type instead of BOOL (since BOOL is defined as a signed char on some platforms).

On platforms where BOOL is signed char, the original code will work wrong any time the low 8 bits of the pointer are zero!

I feel like we are concentrating too much on "placating" UBSan and too little on fixing the bug UBSan found in our commentary.
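The following is an added, stand-alone C example written for this page; it is not code from WebKit or from the patch under review. It reproduces the narrowing that the ChangeLog and Darin's comment describe: with BOOL typedef'd as signed char (as on the platforms the ChangeLog refers to), storing a uint64_t identifier keeps only its low 8 bits, so an identifier such as 0x100 reads back as "no focus", and an identifier such as 0x7F reads back as 127, a byte that is neither 0 nor 1 and is exactly what UBSan's "not a valid value for type 'BOOL'" check reports. Converting to C's bool instead compares the value against zero (C11 6.3.1.2), which is why switching the variable's type to bool fixes both the sanitizer report and the underlying logic error. The function names, the identifier values and the "0 means no plugin has focus" convention are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption for the example: on the affected platforms Objective-C BOOL is a
 * typedef for signed char. Re-declaring it here lets the example build as
 * plain C outside of Cocoa. */
typedef signed char BOOL;

/* Hypothetical stand-in for the original, buggy check. Convention assumed for
 * the example: an identifier of 0 means no plugin has focus. The implicit
 * conversion from uint64_t to signed char discards everything above bit 7. */
BOOL pluginHasFocusBuggy(uint64_t pluginIdentifier) {
    BOOL hasFocus = pluginIdentifier; /* implicit narrowing to 8 bits */
    return hasFocus;
}

/* The corrected form: conversion to bool is defined as "compare with zero",
 * so every nonzero identifier yields true and the stored value is always
 * 0 or 1. */
bool pluginHasFocusFixed(uint64_t pluginIdentifier) {
    bool hasFocus = pluginIdentifier; /* C guarantees (pluginIdentifier != 0) */
    return hasFocus;
}

/* What -fsanitize=bool enforces on a load: the byte must be exactly 0 or 1. */
bool isValidBOOLValue(BOOL b) {
    return b == 0 || b == 1;
}

int main(void) {
    /* Constructed sample identifiers covering the interesting cases:
     * 0 (no focus), 0x7F (fits in a signed char but is not 0/1),
     * 0x100 and 0x10000 (nonzero, but with all low 8 bits clear). */
    const uint64_t samples[] = { 0, 0x7F, 0x100, 0x10000 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint64_t id = samples[i];
        BOOL buggy = pluginHasFocusBuggy(id);
        printf("id=%#llx  buggy=%d (valid BOOL: %s)  fixed=%d\n",
               (unsigned long long)id, (int)buggy,
               isValidBOOLValue(buggy) ? "yes" : "no",
               (int)pluginHasFocusFixed(id));
    }
    return 0;
}
```

Compile with `-fsanitize=bool` (clang or gcc) to see the sanitizer flag the 0x7F case at the point where the BOOL is loaded; the 0x100 and 0x10000 cases produce no sanitizer report at all, which is Darin's point: the truncation silently returns "no focus" for a live plugin, and a check that only makes the sanitizer quiet would not have caught it.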