RESOLVED FIXED 224840
Crash due to VectorBuffer pre-allocation failure
https://bugs.webkit.org/show_bug.cgi?id=224840
Summary Crash due to VectorBuffer pre-allocation failure
Ian Gilbert
Reported 2021-04-20 16:17:48 PDT
Crash due to VectorBuffer pre-allocation failure
Attachments
Patch (3.83 KB, patch)
2021-04-20 16:21 PDT, Ian Gilbert
no flags
Patch (3.84 KB, patch)
2021-04-20 16:47 PDT, Ian Gilbert
no flags
Ian Gilbert
Comment 1 2021-04-20 16:21:43 PDT
Ian Gilbert
Comment 2 2021-04-20 16:47:18 PDT
Ian Gilbert
Comment 3 2021-04-20 16:49:08 PDT
Sam Weinig
Comment 4 2021-04-20 17:42:25 PDT
Comment on attachment 426614 [details] Patch I don't quite know how to review the test, but the change looks good. I think there might be a similar issue in: ArgumentCoder<WebCore::CDMInstanceSession::KeyStatusVector>::decode(...) which does a `keyStatuses.reserveInitialCapacity(dataSize);` from a decoded size.
Sam Weinig
Comment 5 2021-04-20 17:46:17 PDT
Looks like the generic HashMap and HashSet decoders also do a reservation in ArgumentCoders.h
Ryosuke Niwa
Comment 6 2021-04-20 18:02:23 PDT
Comment on attachment 426614 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=426614&action=review > Source/WebKit/Shared/Cocoa/WebCoreArgumentCodersCocoa.mm:363 > - Vector<RefPtr<ApplePayError>> errors(size); > + Vector<RefPtr<ApplePayError>> errors; Huh, I guess this fix is correct but we should get rid of this whole encode/decode pair and just add ones for ApplePayError instead since we already have encoder/decoder for Vector<T>.
EWS
Comment 7 2021-04-20 18:20:28 PDT
Committed r276341 (236819@main): <https://commits.webkit.org/236819@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 426614 [details].
Darin Adler
Comment 8 2021-04-20 18:20:59 PDT
Comment on attachment 426614 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=426614&action=review >> Source/WebKit/Shared/Cocoa/WebCoreArgumentCodersCocoa.mm:363 >> + Vector<RefPtr<ApplePayError>> errors; > > Huh, I guess this fix is correct but we should get rid of this whole encode/decode pair and just add ones for ApplePayError instead > since we already have encoder/decoder for Vector<T>. Yes, we should do that.
Darin Adler
Comment 9 2021-04-20 18:21:59 PDT
(In reply to Sam Weinig from comment #5) > Looks like the generic HashMap and HashSet decoders also do a reservation in > ArgumentCoders.h Really!? That is not good. Let’s fix that. I hope there’s a way to do it without costing too much memory or performance.
Darin Adler
Comment 10 2021-04-20 18:22:25 PDT
(In reply to Sam Weinig from comment #4) > I think there might be a similar issue in: > > ArgumentCoder<WebCore::CDMInstanceSession::KeyStatusVector>::decode(...) > > which does a `keyStatuses.reserveInitialCapacity(dataSize);` from a decoded > size. Yes, that must be removed.
Sam Weinig
Comment 11 2021-04-21 14:12:05 PDT
(In reply to Darin Adler from comment #9) > (In reply to Sam Weinig from comment #5) > > Looks like the generic HashMap and HashSet decoders also do a reservation in > > ArgumentCoders.h > > Really!? That is not good. Let’s fix that. I hope there’s a way to do it > without costing too much memory or performance. I don't think the reservation is too likely to be that much of a win. For avoid doing multiple allocations in the general case, we could pick a maximum value for reservations (maybe, 16 or something), and do the reservation if the size is at or below that. For memory use we could add some sort of "shrinkToFix" for HashMap/HashSet, but we would probably be better off using the new RobinHoodHashMaps if we want to improve memory use.
Sam Weinig
Comment 12 2021-04-21 14:13:37 PDT
(In reply to Ryosuke Niwa from comment #6) > Comment on attachment 426614 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=426614&action=review > > > Source/WebKit/Shared/Cocoa/WebCoreArgumentCodersCocoa.mm:363 > > - Vector<RefPtr<ApplePayError>> errors(size); > > + Vector<RefPtr<ApplePayError>> errors; > > Huh, I guess this fix is correct but we should get rid of this whole > encode/decode pair and just add ones for ApplePayError instead > since we already have encoder/decoder for Vector<T>. Does the generic one work for T == RefPtr<Foo>?
Darin Adler
Comment 13 2021-04-21 15:31:12 PDT
(In reply to Sam Weinig from comment #12) > Does the generic one work for T == RefPtr<Foo>? Almost certainly yes. I meant to try it but had other code in my tree.
Darin Adler
Comment 14 2021-04-23 10:40:24 PDT
Did some follow-on work in bug 224984 and would like to continue to discuss there.
Note You need to log in before you can comment on or make changes to this bug.