Bug 247288

Summary:	Change m_node in RenderObject to being a WeakPtr
Product:	WebKit	Reporter:	Chirag M Shah <chirag_m_shah>
Component:	Layout and Rendering	Assignee:	Chirag M Shah <chirag_m_shah>
Status:	RESOLVED FIXED
Severity:	Normal	CC:	bfulgham, koivisto, rniwa, simon.fraser, webkit-bug-importer, zalan
Priority:	P2	Keywords:	InRadar
Version:	Other
Hardware:	Unspecified
OS:	Unspecified

Chirag M Shah

Reported 2022-10-31 14:09:17 PDT

m_node should be a WeakPtr instead of a plain C++ reference so that we don't hit use-after-free and instead crash.

Attachments
Add attachment proposed patch, testcase, etc.

Simon Fraser (smfr)

Comment 1 2022-10-31 14:41:55 PDT

WeakPtr is not free; there are additional memory and performance costs because of the back-referencing required. We should do some memory and perf testing before landing this.

Ryosuke Niwa

Comment 2 2022-10-31 15:33:08 PDT

We should also explore if CheckedRef is a better alternative. It prevents UAF of free'd memory and it's slightly cheaper than WeakPtr in terms of instantiation (no extra malloc) and dereference (no chained indirect loads). Node currently doesn't support CheckedPtr/CheckedRef though so we'd need to figure that one out but if WeakPtr ended up causing a perf regression or semantics of reference makes more sense, then we should consider using CheckedRef.

EWS

Comment 3 2022-11-03 11:36:52 PDT

Committed 256282@main (63c86a3d1b18): <https://commits.webkit.org/256282@main> Reviewed commits have been landed. Closing PR #5977 and removing active labels.

Radar WebKit Bug Importer

Comment 4 2022-11-03 11:37:21 PDT

<rdar://problem/101922970>

David Kilzer (:ddkilzer)

Comment 5 2022-11-04 13:04:29 PDT

Corrected radar: <rdar://101505011>

Note You need to log in before you can comment on or make changes to this bug.