WebKit Bugzilla
New
Browse
Log In
×
Sign in with GitHub
or
Remember my login
Create Account
·
Forgot Password
Forgotten password account recovery
RESOLVED FIXED
224840
Crash due to VectorBuffer pre-allocation failure
https://bugs.webkit.org/show_bug.cgi?id=224840
Summary
Crash due to VectorBuffer pre-allocation failure
Ian Gilbert
Reported
2021-04-20 16:17:48 PDT
Crash due to VectorBuffer pre-allocation failure
Attachments
Patch
(3.83 KB, patch)
2021-04-20 16:21 PDT
,
Ian Gilbert
no flags
Details
Formatted Diff
Diff
Patch
(3.84 KB, patch)
2021-04-20 16:47 PDT
,
Ian Gilbert
no flags
Details
Formatted Diff
Diff
Show Obsolete
(1)
View All
Add attachment
proposed patch, testcase, etc.
Ian Gilbert
Comment 1
2021-04-20 16:21:43 PDT
Created
attachment 426610
[details]
Patch
Ian Gilbert
Comment 2
2021-04-20 16:47:18 PDT
Created
attachment 426614
[details]
Patch
Ian Gilbert
Comment 3
2021-04-20 16:49:08 PDT
<
rdar://problem/76698411
>
Sam Weinig
Comment 4
2021-04-20 17:42:25 PDT
Comment on
attachment 426614
[details]
Patch I don't quite know how to review the test, but the change looks good. I think there might be a similar issue in: ArgumentCoder<WebCore::CDMInstanceSession::KeyStatusVector>::decode(...) which does a `keyStatuses.reserveInitialCapacity(dataSize);` from a decoded size.
Sam Weinig
Comment 5
2021-04-20 17:46:17 PDT
Looks like the generic HashMap and HashSet decoders also do a reservation in ArgumentCoders.h
Ryosuke Niwa
Comment 6
2021-04-20 18:02:23 PDT
Comment on
attachment 426614
[details]
Patch View in context:
https://bugs.webkit.org/attachment.cgi?id=426614&action=review
> Source/WebKit/Shared/Cocoa/WebCoreArgumentCodersCocoa.mm:363 > - Vector<RefPtr<ApplePayError>> errors(size); > + Vector<RefPtr<ApplePayError>> errors;
Huh, I guess this fix is correct but we should get rid of this whole encode/decode pair and just add ones for ApplePayError instead since we already have encoder/decoder for Vector<T>.
EWS
Comment 7
2021-04-20 18:20:28 PDT
Committed
r276341
(
236819@main
): <
https://commits.webkit.org/236819@main
> All reviewed patches have been landed. Closing bug and clearing flags on
attachment 426614
[details]
.
Darin Adler
Comment 8
2021-04-20 18:20:59 PDT
Comment on
attachment 426614
[details]
Patch View in context:
https://bugs.webkit.org/attachment.cgi?id=426614&action=review
>> Source/WebKit/Shared/Cocoa/WebCoreArgumentCodersCocoa.mm:363 >> + Vector<RefPtr<ApplePayError>> errors; > > Huh, I guess this fix is correct but we should get rid of this whole encode/decode pair and just add ones for ApplePayError instead > since we already have encoder/decoder for Vector<T>.
Yes, we should do that.
Darin Adler
Comment 9
2021-04-20 18:21:59 PDT
(In reply to Sam Weinig from
comment #5
)
> Looks like the generic HashMap and HashSet decoders also do a reservation in > ArgumentCoders.h
Really!? That is not good. Let’s fix that. I hope there’s a way to do it without costing too much memory or performance.
Darin Adler
Comment 10
2021-04-20 18:22:25 PDT
(In reply to Sam Weinig from
comment #4
)
> I think there might be a similar issue in: > > ArgumentCoder<WebCore::CDMInstanceSession::KeyStatusVector>::decode(...) > > which does a `keyStatuses.reserveInitialCapacity(dataSize);` from a decoded > size.
Yes, that must be removed.
Sam Weinig
Comment 11
2021-04-21 14:12:05 PDT
(In reply to Darin Adler from
comment #9
)
> (In reply to Sam Weinig from
comment #5
) > > Looks like the generic HashMap and HashSet decoders also do a reservation in > > ArgumentCoders.h > > Really!? That is not good. Let’s fix that. I hope there’s a way to do it > without costing too much memory or performance.
I don't think the reservation is too likely to be that much of a win. For avoid doing multiple allocations in the general case, we could pick a maximum value for reservations (maybe, 16 or something), and do the reservation if the size is at or below that. For memory use we could add some sort of "shrinkToFix" for HashMap/HashSet, but we would probably be better off using the new RobinHoodHashMaps if we want to improve memory use.
Sam Weinig
Comment 12
2021-04-21 14:13:37 PDT
(In reply to Ryosuke Niwa from
comment #6
)
> Comment on
attachment 426614
[details]
> Patch > > View in context: >
https://bugs.webkit.org/attachment.cgi?id=426614&action=review
> > > Source/WebKit/Shared/Cocoa/WebCoreArgumentCodersCocoa.mm:363 > > - Vector<RefPtr<ApplePayError>> errors(size); > > + Vector<RefPtr<ApplePayError>> errors; > > Huh, I guess this fix is correct but we should get rid of this whole > encode/decode pair and just add ones for ApplePayError instead > since we already have encoder/decoder for Vector<T>.
Does the generic one work for T == RefPtr<Foo>?
Darin Adler
Comment 13
2021-04-21 15:31:12 PDT
(In reply to Sam Weinig from
comment #12
)
> Does the generic one work for T == RefPtr<Foo>?
Almost certainly yes. I meant to try it but had other code in my tree.
Darin Adler
Comment 14
2021-04-23 10:40:24 PDT
Did some follow-on work in
bug 224984
and would like to continue to discuss there.
Note
You need to
log in
before you can comment on or make changes to this bug.
Top of Page
Format For Printing
XML
Clone This Bug