Bug 293369
| Summary: | NSData created by dataWithUserTypedString causes a crash when MALLOC_HEAP_BREAKDOWN is turned on | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Vassili Bykov <v_bykov> |
| Component: | WebKit Misc. | Assignee: | Vassili Bykov <v_bykov> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
Vassili Bykov
The function was changed some 6 months ago to use a Vector<char> to allocate and populate the memory buffer, instead of a raw malloc and pointer operations. The buffer is then extracted from the vector and registered to be freed using FastMalloc::free(). This assumes that the buffer was initially allocated by FastMalloc. The assumption doesn't hold when MALLOC_HEAP_BREAKDOWN is on and vector buffers are allocated by VectorBufferMalloc. FastMalloc::free() in that case sees the pointer as misaligned and crashes. This happens on startup in both Safari and MiniBrowser.
A patch will follow.
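The allocator mismatch described in the report, modelled in stand-alone C++ as an added example (not code from the bug, the pull request or WebKit): two heaps tag their blocks, so a buffer released from the vector and handed to the wrong heap's free is reported instead of crashing. The Heap names, the tag header, CharVectorBuffer and the copy-first alternative are constructed stand-ins and do not claim to be the landed fix.

```cpp
#include <cstdint>
#include <cstdlib>
#include <cstring>

// Constructed stand-ins for the two allocators named in the report.
enum class Heap : uint32_t { Fast = 0xFA57, VectorBuffer = 0xBEEF };
// A 16-byte header tags each block with its heap (a model, not FastMalloc's layout).
struct Header { uint32_t heap; uint32_t pad[3]; };

static void* heapAlloc(Heap h, std::size_t n) {
    auto* hdr = static_cast<Header*>(std::malloc(sizeof(Header) + n));
    hdr->heap = static_cast<uint32_t>(h);
    return hdr + 1;
}

// Frees only blocks from heap h; a mismatch returns false (the real FastMalloc::free() crashed here).
static bool heapFree(Heap h, void* p) {
    auto* hdr = static_cast<Header*>(p) - 1;
    if (hdr->heap != static_cast<uint32_t>(h)) return false;
    std::free(hdr);
    return true;
}

// Models Vector<char> backed by VectorBufferMalloc (the MALLOC_HEAP_BREAKDOWN
// case) with a releaseBuffer-style handoff of the raw pointer.
struct CharVectorBuffer {
    char* data = nullptr; std::size_t size = 0;
    explicit CharVectorBuffer(const char* s) : size(std::strlen(s)) {
        data = static_cast<char*>(heapAlloc(Heap::VectorBuffer, size));
        std::memcpy(data, s, size);
    }
    char* release() { char* p = data; data = nullptr; return p; }
    ~CharVectorBuffer() { if (data) heapFree(Heap::VectorBuffer, data); }
};

// The reported pattern: the released vector buffer is handed to FastMalloc's free.
bool freeReleasedBufferWithFastMalloc(const char* text) {
    CharVectorBuffer v(text);
    char* raw = v.release();
    bool ok = heapFree(Heap::Fast, raw);        // allocator mismatch: false
    if (!ok) heapFree(Heap::VectorBuffer, raw); // tidy up via the matching heap
    return ok;
}

// One consistent pairing: copy into a FastMalloc-owned block before handing it off.
bool copyIntoFastMallocThenFree(const char* text) {
    CharVectorBuffer v(text);
    char* owned = static_cast<char*>(heapAlloc(Heap::Fast, v.size));
    std::memcpy(owned, v.data, v.size);
    return heapFree(Heap::Fast, owned);         // same heap both ways: true
}
```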
Radar WebKit Bug Importer
<rdar://problem/151776839>
Vassili Bykov
Pull request: https://github.com/WebKit/WebKit/pull/45706
EWS
Committed 295226@main (4fbe97d9d0c4): <https://commits.webkit.org/295226@main>
Reviewed commits have been landed. Closing PR #45706 and removing active labels.