WebKit Bugzilla
RESOLVED FIXED
238048
Fix crash in Bleacher Report due to bad JSObjectRef passed to API
https://bugs.webkit.org/show_bug.cgi?id=238048
Keith Miller
Reported
2022-03-17 14:35:43 PDT
Fix crash in Bleacher Report due to bad JSObjectRef passed to API
Attachments
Patch (5.08 KB, patch), 2022-03-17 14:43 PDT, Keith Miller, no flags
Patch (5.00 KB, patch), 2022-03-17 14:47 PDT, Keith Miller, no flags
Patch for landing (5.00 KB, patch), 2022-03-17 15:09 PDT, Keith Miller, no flags
Keith Miller
Comment 1
2022-03-17 14:43:12 PDT
Created attachment 455029
Patch
Keith Miller
Comment 2
2022-03-17 14:43:16 PDT
<rdar://problem/88766464>
Keith Miller
Comment 3
2022-03-17 14:47:05 PDT
Created attachment 455030
Patch
Yusuke Suzuki
Comment 4
2022-03-17 14:53:25 PDT
Comment on attachment 455030
Patch
r=me
Yusuke Suzuki
Comment 5
2022-03-17 14:53:58 PDT
Can you file a bug removing this and putting FIXME comment on this?
Mark Lam
Comment 6
2022-03-17 14:55:11 PDT
Comment on attachment 455030
Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=455030&action=review
> Source/JavaScriptCore/ChangeLog:11 > + short curcuiting to the non-typed array return value, 0. While technically valid
/curcuiting/circuiting/
Saam Barati
Comment 7
2022-03-17 14:56:04 PDT
Comment on attachment 455030
Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=455030&action=review
> Source/JavaScriptCore/ChangeLog:3 > + Fix crash in Bleecher Report due to bad JSObjectRef passed to API
in various places, "Bleecher" => "Bleacher"
Saam Barati
Comment 8
2022-03-17 14:57:07 PDT
Comment on attachment 455030
Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=455030&action=review
> Source/JavaScriptCore/API/JSTypedArray.cpp:375 > +inline static bool isBleecherReport() > +{ > + auto bundleID = CFBundleGetIdentifier(CFBundleGetMainBundle()); > + return bundleID > + && CFEqual(bundleID, CFSTR("com.bleacherreport.TeamStream")) > + && !linkedOnOrAfter(SDKVersion::FirstWithoutBleecherReportQuirk); > +}
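Review bot: In isBleecherReport(), the return value of CFBundleGetMainBundle() goes straight into CFBundleGetIdentifier() with no null check; only the resulting bundleID is tested. CFBundleGetMainBundle() can return NULL when no main bundle can be created, so consider fetching the bundle into a local and returning false if it is null before asking for its identifier. Evaluating !linkedOnOrAfter(SDKVersion::FirstWithoutBleecherReportQuirk) first would also skip the CoreFoundation calls entirely for apps linked against the newer SDK.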
Can we cache this result using std::once?
Keith Miller
Comment 9
2022-03-17 15:06:38 PDT
Comment on attachment 455030
Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=455030&action=review
>> Source/JavaScriptCore/API/JSTypedArray.cpp:375 >> +} > > Can we cache this result using std::once?
I'm fairly sure that the fact that `shouldntCrash` is static should handle that?
Keith Miller
Comment 10
2022-03-17 15:09:36 PDT
Created attachment 455033
Patch for landing
EWS
Comment 11
2022-03-17 16:35:25 PDT
Committed r291448 (248571@main): <https://commits.webkit.org/248571@main>
All reviewed patches have been landed. Closing bug and clearing flags on attachment 455033.
Alexey Proskuryakov
Comment 12
2022-03-18 17:17:58 PDT
Comment on attachment 455033
Patch for landing
View in context: https://bugs.webkit.org/attachment.cgi?id=455033&action=review
> Source/JavaScriptCore/API/JSTypedArray.cpp:369 > +inline static bool isBleecherReport()
Typo: Bleacher, not Bleecher.
> Source/WTF/wtf/cocoa/RuntimeApplicationChecksCocoa.h:89 > + FirstWithoutBleecherReportQuirk = DYLD_IOS_VERSION_16_0,
Ditto.