Bug 247288 - RESOLVED FIXED
Change m_node in RenderObject to being a WeakPtr
https://bugs.webkit.org/show_bug.cgi?id=247288
Chirag M Shah
Reported 2022-10-31 14:09:17 PDT
m_node should be a WeakPtr instead of a plain C++ reference so that we don't hit use-after-free and instead crash.
Simon Fraser (smfr)
Comment 1 2022-10-31 14:41:55 PDT
WeakPtr is not free; there are additional memory and performance costs because of the back-referencing required. We should do some memory and perf testing before landing this.
Ryosuke Niwa
Comment 2 2022-10-31 15:33:08 PDT
We should also explore if CheckedRef is a better alternative. It prevents UAF of freed memory and it's slightly cheaper than WeakPtr in terms of instantiation (no extra malloc) and dereference (no chained indirect loads). Node currently doesn't support CheckedPtr/CheckedRef though, so we'd need to figure that one out, but if WeakPtr ended up causing a perf regression or the semantics of a reference make more sense, then we should consider using CheckedRef.
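Added illustration, not part of the thread and not WebKit's WTF::WeakPtr or WTF::CheckedRef code: a simplified model of the two schemes Comment 1 and Comment 2 compare, written so the costs they mention (the back-referencing control block, the extra malloc, the chained loads on dereference) and the failure behaviour (WeakPtr goes null, CheckedRef aborts on destruction with references outstanding) are visible in a few dozen lines. The names WeakImpl, CanMakeWeakPtr, CanMakeCheckedPtr, CheckedRef, WeakNode and CheckedNode are assumed for the example and stand in for the Node that RenderObject::m_node points at.

```cpp
#include <cstdio>
#include <cstdlib>

// Counts control-block allocations: the "extra malloc" of Comment 2.
static unsigned g_weakImplAllocations = 0;

// WeakPtr-style: a heap-allocated block shared by the target and every
// WeakPtr to it. The block outlives whichever side dies first; the target
// nulls `target` on destruction so all outstanding WeakPtrs observe null.
struct WeakImpl {
    void* target;
    unsigned refCount = 1; // the target itself holds one reference
    explicit WeakImpl(void* t) : target(t) { ++g_weakImplAllocations; }
};

template <typename T> class WeakPtr {
public:
    WeakPtr() = default;
    explicit WeakPtr(WeakImpl* impl) : m_impl(impl) { if (m_impl) ++m_impl->refCount; }
    WeakPtr(const WeakPtr& o) : WeakPtr(o.m_impl) {}
    WeakPtr& operator=(const WeakPtr& o) {
        if (this != &o) { release(); m_impl = o.m_impl; if (m_impl) ++m_impl->refCount; }
        return *this;
    }
    ~WeakPtr() { release(); }
    // Two dependent loads (m_impl, then m_impl->target) before T is reached:
    // the "chained indirect loads" of Comment 2.
    T* get() const { return m_impl ? static_cast<T*>(m_impl->target) : nullptr; }
private:
    void release() { if (m_impl && --m_impl->refCount == 0) delete m_impl; m_impl = nullptr; }
    WeakImpl* m_impl = nullptr;
};

// CRTP base for targets; the block is created lazily on first use.
template <typename T> class CanMakeWeakPtr {
public:
    CanMakeWeakPtr() = default;
    CanMakeWeakPtr(const CanMakeWeakPtr&) = delete;
    CanMakeWeakPtr& operator=(const CanMakeWeakPtr&) = delete;
    ~CanMakeWeakPtr() {
        if (!m_impl) return;
        m_impl->target = nullptr;                  // invalidate every WeakPtr
        if (--m_impl->refCount == 0) delete m_impl;
    }
    WeakPtr<T> makeWeakPtr() {
        if (!m_impl) m_impl = new WeakImpl(static_cast<T*>(this));
        return WeakPtr<T>(m_impl);
    }
private:
    WeakImpl* m_impl = nullptr;
};

// CheckedRef-style: the count of live references is intrusive, so there is
// no second allocation and dereference is a single load. Destroying the
// object while references are outstanding aborts right there instead of
// leaving a dangling pointer for a later use-after-free.
class CanMakeCheckedPtr {
public:
    ~CanMakeCheckedPtr() { if (m_checkedRefCount) std::abort(); }
    void incrementCheckedRefCount() { ++m_checkedRefCount; }
    void decrementCheckedRefCount() { --m_checkedRefCount; }
    unsigned checkedRefCount() const { return m_checkedRefCount; }
private:
    unsigned m_checkedRefCount = 0;
};

template <typename T> class CheckedRef {
public:
    explicit CheckedRef(T& t) : m_ptr(&t) { m_ptr->incrementCheckedRefCount(); }
    CheckedRef(const CheckedRef& o) : CheckedRef(*o.m_ptr) {}
    CheckedRef& operator=(const CheckedRef&) = delete;
    ~CheckedRef() { m_ptr->decrementCheckedRefCount(); }
    T& get() const { return *m_ptr; } // one load, never null
private:
    T* m_ptr;
};

struct WeakNode : CanMakeWeakPtr<WeakNode> { int id = 1; };   // assumed stand-in for Node
struct CheckedNode : CanMakeCheckedPtr { int id = 2; };       // assumed stand-in for Node

// A WeakPtr sees its target die: get() turns null rather than dangling.
bool weakPtrGoesNullWhenTargetDies() {
    auto* node = new WeakNode;
    WeakPtr<WeakNode> w = node->makeWeakPtr();
    bool liveBefore = w.get() == node;
    delete node;
    return liveBefore && w.get() == nullptr;
}

// The first WeakPtr to a target costs one allocation; copies and further
// WeakPtrs to the same target cost none.
unsigned weakImplAllocationsForOneTarget() {
    unsigned before = g_weakImplAllocations;
    WeakNode node;
    WeakPtr<WeakNode> a = node.makeWeakPtr();
    WeakPtr<WeakNode> b = a;
    WeakPtr<WeakNode> c = node.makeWeakPtr();
    (void)b; (void)c;
    return g_weakImplAllocations - before;
}

// CheckedRef keeps the intrusive count exact; once it is back to zero the
// node may be destroyed. (Destroying it with a CheckedRef alive would abort.)
bool checkedRefTracksOutstandingReferences() {
    CheckedNode node;
    unsigned withTwoRefs = 0;
    {
        CheckedRef<CheckedNode> a(node);
        CheckedRef<CheckedNode> b = a;
        withTwoRefs = node.checkedRefCount();
        if (&b.get() != &node) return false;
    }
    return withTwoRefs == 2 && node.checkedRefCount() == 0;
}

int main() {
    std::printf("WeakPtr nulls after target dies: %d\n", weakPtrGoesNullWhenTargetDies());
    std::printf("control-block allocations for one target: %u\n", weakImplAllocationsForOneTarget());
    std::printf("CheckedRef count tracked: %d\n", checkedRefTracksOutstandingReferences());
    return 0;
}
```

The model deliberately keeps the two schemes side by side: with the WeakPtr-style block, a deleted Node is detectable but every dereference pays for the block, whereas the CheckedRef-style count adds only an integer to the Node and makes premature destruction itself the crash point, which is the trade-off the two comments above are weighing.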
EWS
Comment 3 2022-11-03 11:36:52 PDT
Committed 256282@main (63c86a3d1b18): <https://commits.webkit.org/256282@main> Reviewed commits have been landed. Closing PR #5977 and removing active labels.
Radar WebKit Bug Importer
Comment 4 2022-11-03 11:37:21 PDT
David Kilzer (:ddkilzer)
Comment 5 2022-11-04 13:04:29 PDT
Corrected radar: <rdar://101505011>