Bug 293369 (RESOLVED FIXED)
NSData created by dataWithUserTypedString causes a crash when MALLOC_HEAP_BREAKDOWN is turned on
https://bugs.webkit.org/show_bug.cgi?id=293369
Vassili Bykov
Reported 2025-05-21 09:00:11 PDT
The function was changed some 6 months ago to use a Vector<char> to allocate and populate the memory buffer, instead of a raw malloc and pointer operations. The buffer is then extracted from the vector and registered to be freed using FastMalloc::free(). This assumes that the buffer was initially allocated by FastMalloc. The assumption doesn't hold when MALLOC_HEAP_BREAKDOWN is on and vector buffers are allocated by VectorBufferMalloc. FastMalloc::free() in that case sees the pointer as misaligned and crashes. This happens on startup in both Safari and MiniBrowser. A patch will follow.
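As an added illustration, not the reporter's code, WebKit's code, or the patch that landed: a C++ model of the mismatch the report describes, in which a buffer detached from a Vector-like container is handed to a deallocator chosen by assumption rather than to the zone that allocated it, beside the pattern that carries the owning zone along with the buffer. Zone, CharVector, DetachedBuffer and both free routines are hypothetical stand-ins for FastMalloc, VectorBufferMalloc and WTF::Vector.

```cpp
#include <cstdlib>
#include <cstring>
#include <set>
#include <string>

// Hypothetical model of one malloc zone. Real FastMalloc::free() crashes on a
// pointer from another zone; this stand-in counts the foreign free instead.
struct Zone {
    std::set<void*> live;   // blocks this zone handed out and still owns
    int foreignFrees = 0;   // frees of blocks some other zone allocated
    void* allocate(std::size_t n) { void* p = std::malloc(n); live.insert(p); return p; }
    void deallocate(void* p) {
        if (live.erase(p) == 0) { ++foreignFrees; return; }  // would crash in FastMalloc; block leaks here
        std::free(p);
    }
};

Zone fastMalloc;          // stand-in for FastMalloc
Zone vectorBufferMalloc;  // stand-in for VectorBufferMalloc (MALLOC_HEAP_BREAKDOWN on)

// A buffer detached from its container, carrying the zone that must free it.
struct DetachedBuffer {
    char* data; std::size_t size; Zone* owner;
    void release() { owner->deallocate(data); data = nullptr; }
};

// Minimal Vector<char>-like container; which zone backs it is a build-time
// choice, as it is for WTF::Vector under MALLOC_HEAP_BREAKDOWN.
template <Zone& zone>
struct CharVector {
    char* buf; std::size_t len;
    explicit CharVector(const std::string& s)
        : buf(static_cast<char*>(zone.allocate(s.size()))), len(s.size()) { std::memcpy(buf, s.data(), len); }
    DetachedBuffer releaseBuffer() { DetachedBuffer d{buf, len, &zone}; buf = nullptr; len = 0; return d; }
    ~CharVector() { if (buf) zone.deallocate(buf); }
};

// The pattern from the report: detach the bytes, then assume FastMalloc owns them.
// Returns how many foreign frees FastMalloc saw (0 means the assumption held).
template <Zone& zone>
int freeAssumingFastMalloc(const std::string& s) {
    int before = fastMalloc.foreignFrees;
    DetachedBuffer d = CharVector<zone>(s).releaseBuffer();
    fastMalloc.deallocate(d.data);   // wrong whenever zone is not fastMalloc
    return fastMalloc.foreignFrees - before;
}

// Hardened pattern: free through the zone recorded when the buffer was detached.
template <Zone& zone>
int freeThroughOwner(const std::string& s) {
    int before = fastMalloc.foreignFrees + vectorBufferMalloc.foreignFrees;
    CharVector<zone>(s).releaseBuffer().release();
    return fastMalloc.foreignFrees + vectorBufferMalloc.foreignFrees - before;
}
```

Keeping the owning zone next to the detached buffer, instead of hard-coding FastMalloc::free(), is the property to check whenever a container's storage is handed to a deallocator the container did not choose.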
Attachments
Radar WebKit Bug Importer
Comment 1 2025-05-21 09:00:24 PDT
Vassili Bykov
Comment 2 2025-05-21 09:09:40 PDT
EWS
Comment 3 2025-05-21 13:29:43 PDT
Committed 295226@main (4fbe97d9d0c4): <https://commits.webkit.org/295226@main> Reviewed commits have been landed. Closing PR #45706 and removing active labels.