Bug 305728

Summary: Safari crashes in WebPreferences::platformGetUInt32UserValueForKey due to checked_objc_cast type assertion failure
Product: WebKit Reporter: David Kilzer (:ddkilzer) <ddkilzer>
Component: WebKit Misc.Assignee: David Kilzer (:ddkilzer) <ddkilzer>
Status: RESOLVED FIXED    
Severity: Normal CC: webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on: 299627    
Bug Blocks:    

David Kilzer (:ddkilzer)
Reported 2026-01-18 10:37:49 PST
Safari crashes during startup when WebKit preferences contain a type mismatch in NSUserDefaults. The crash occurs in WebKit::WebPreferences::platformGetUInt32UserValueForKey() when checked_objc_cast<NSNumber>() receives a non-NSNumber object (such as NSString) from NSUserDefaults for a UInt32 preference. Root Cause: The code uses checked_objc_cast<NSNumber>() which crashes with RELEASE_ASSERT_WITH_SECURITY_IMPLICATION on type mismatch, rather than gracefully handling corrupted or incompatible preference data. Crash Details: - Exception: EXC_BREAKPOINT (SIGKILL) - intentional crash from assertion failure - Location: Source/WebKit/UIProcess/Cocoa/WebPreferencesCocoa.mm in platformGetUInt32UserValueForKey - Trigger: User has WebKit preference stored as wrong type in NSUserDefaults Stack Trace: WTFCrashWithInfo() checked_objc_cast<NSNumber>() WebPreferences::platformGetUInt32UserValueForKey() WebPreferences::platformInitializeStore() [Safari startup] Proposed Fix: Replace checked_objc_cast<NSNumber>() with dynamic_objc_cast<NSNumber>() in WebPreferencesCocoa.mm. This matches the error handling used by platformGetBoolUserValueForKey() and platformGetDoubleUserValueForKey() which use safe respondsToSelector: checks. Test Coverage: Added test WKPreferences.UInt32TypeMismatchDoesNotCrash in TestWebKitAPI that: 1. Swizzles NSUserDefaults to return NSString instead of NSNumber 2. Triggers WebPreferences initialization via WKWebView creation 3. Verifies no crash occurs (test fails before fix, passes after) Impact: Affects Safari users who have corrupted WebKit preferences in NSUserDefaults, causing immediate crash on startup. The fix ensures graceful degradation by ignoring malformed preference values. rdar://168370261
Attachments
Add attachment proposed patch, testcase, etc.
David Kilzer (:ddkilzer)
Comment 1 2026-01-18 10:44:07 PST
Pull request: https://github.com/WebKit/WebKit/pull/56791
EWS
Comment 2 2026-01-19 21:36:04 PST
Committed 305850@main (9bb29113a20a): <https://commits.webkit.org/305850@main> Reviewed commits have been landed. Closing PR #56791 and removing active labels.
Note You need to log in before you can comment on or make changes to this bug.