WebKit Bugzilla
RESOLVED FIXED
296427
Crash in WebCore::FragmentedSharedBuffer::takeData
https://bugs.webkit.org/show_bug.cgi?id=296427
Summary
Crash in WebCore::FragmentedSharedBuffer::takeData
Jean-Yves Avenard [:jya]
Reported
2025-07-24 05:39:12 PDT
```
22 bool WTF::VectorBufferBase<unsigned char, WTF::FastMalloc>::allocateBuffer<(WTF::FailureAction)0>(unsigned long) (WebCore)
22 bool WTF::Vector<unsigned char, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::reserveInitialCapacity<(WTF::FailureAction)0>(unsigned long) (WebCore)
22 WTF::Vector<unsigned char, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::reserveInitialCapacity(unsigned long) (WebCore)
22 WebCore::combineSegmentsData(WTF::Vector<WebCore::FragmentedSharedBuffer::DataSegmentVectorEntry, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, unsigned long) (WebCore)
==> 22 WebCore::FragmentedSharedBuffer::takeData() (WebCore) <==
22 WebCore::FragmentedSharedBuffer::extractData() (WebCore)
22 WebCore::FetchBodyConsumer::takeAsBlob(WebCore::ScriptExecutionContext*, WTF::String const&) (WebCore)
22 auto WebCore::FetchBodyConsumer::resolve(WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise>>&&, WTF::String const&, WebCore::FetchBodyOwner*, WebCore::ReadableStream*)::$_1::operator()<WebCore::ScriptExecutionContext>(WebCore::ScriptExecutionContext&) const (WebCore)
22 WTF::Detail::CallableWrapper<WebCore::FetchBodyConsumer::resolve(WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise>>&&, WTF::String const&, WebCore::FetchBodyOwner*, WebCore::ReadableStream*)::$_1, WTF::Ref<WebCore::Blob, WTF::RawPtrTraits<WebCore::Blob>, WTF::DefaultRefDerefTraits<WebCore::Blob>>, WebCore::ScriptExecutionContext&>::call(WebCore::ScriptExecutionContext&) (WebCore)
22 WTF::Function<WTF::Ref<WebCore::Blob, WTF::RawPtrTraits<WebCore::Blob>, WTF::DefaultRefDerefTraits<WebCore::Blob>> (WebCore::ScriptExecutionContext&)>::operator()(WebCore::ScriptExecutionContext&) const (WebCore)
22 void WebCore::DeferredPromise::resolveCallbackValueWithNewlyCreated<WebCore::IDLInterface<WebCore::Blob>>(WTF::Function<WebCore::IDLInterface<WebCore::Blob>::InnerParameterType (WebCore::ScriptExecutionContext&)> const&) (WebCore)
22 WebCore::FetchBodyConsumer::resolve(WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise>>&&, WTF::String const&, WebCore::FetchBodyOwner*, WebCore::ReadableStream*) (WebCore)
22 WebCore::FetchBodyConsumer::loadingSucceeded(WTF::String const&) (WebCore)
22 WebCore::FetchBody::loadingSucceeded(WTF::String const&) (WebCore)
22 WebCore::FetchResponse::didSucceed(WebCore::NetworkLoadMetrics const&) (WebCore)
22 WebCore::FetchResponse::Loader::didSucceed(WebCore::NetworkLoadMetrics const&) (WebCore)
22 WebCore::DocumentThreadableLoader::didFinishLoading(std::__1::optional<WTF::ObjectIdentifierGeneric<WebCore::ResourceLoaderIdentifierType, WTF::ObjectIdentifierThreadSafeAccessTraits<unsigned long long>, unsigned long long>>, WebCore::NetworkLoadMetrics const&) (WebCore)
22 WebCore::CachedResource::checkNotify(WebCore::NetworkLoadMetrics const&, WebCore::LoadWillContinueInAnotherProcess) (WebCore)
22 WebCore::CachedResource::finishLoading(WebCore::FragmentedSharedBuffer const*, WebCore::NetworkLoadMetrics const&) (WebCore)
22 WebCore::CachedRawResource::finishLoading(WebCore::FragmentedSharedBuffer const*, WebCore::NetworkLoadMetrics const&) (WebCore)
22 WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (WebCore)
22 WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics&&) (WebKit)
22 auto void IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&), std::__1::tuple<WebCore::NetworkLoadMetrics>>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&), std::__1::tuple<WebCore::NetworkLoadMetrics>&&)::'lambda'(auto&&...)::operator()<WebCore::NetworkLoadMetrics>(auto&&...) const (WebKit)
22 decltype(std::declval<WebKit::WebResourceLoader>()(std::declval<WebCore::NetworkLoadMetrics>())) std::__1::__invoke[abi:sn200100]<void IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&), std::__1::tuple<WebCore::NetworkLoadMetrics>>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&), std::__1::tuple<WebCore::NetworkLoadMetrics>&&)::'lambda'(auto&&...), WebCore::NetworkLoadMetrics>(WebKit::WebResourceLoader&&, WebCore::NetworkLoadMetrics&&) (WebKit)
22 decltype(auto) std::__1::__apply_tuple_impl[abi:sn200100]<void IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&), std::__1::tuple<WebCore::NetworkLoadMetrics>>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&), std::__1::tuple<WebCore::NetworkLoadMetrics>&&)::'lambda'(auto&&...), std::__1::tuple<WebCore::NetworkLoadMetrics>, 0ul>(WebKit::WebResourceLoader&&, WebKit::WebResourceLoader&&, std::__1::__tuple_indices<0ul>) (WebKit)
22 decltype(auto) std::__1::apply[abi:sn200100]<void IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&), std::__1::tuple<WebCore::NetworkLoadMetrics>>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&), std::__1::tuple<WebCore::NetworkLoadMetrics>&&)::'lambda'(auto&&...), std::__1::tuple<WebCore::NetworkLoadMetrics>>(WebKit::WebResourceLoader&&, WebKit::WebResourceLoader&&) (WebKit)
22 void IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&), std::__1::tuple<WebCore::NetworkLoadMetrics>>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&), std::__1::tuple<WebCore::NetworkLoadMetrics>&&) (WebKit)
22 void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, IPC::Connection, WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&)>(IPC::Connection&, IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&)) (WebKit)
22 WebKit::WebResourceLoader::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (WebKit)
22 WebKit::NetworkProcessConnection::dispatchMessage(IPC::Connection&, IPC::Decoder&) (WebKit)
22 WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (WebKit)
22 IPC::Connection::dispatchMessage(IPC::Decoder&) (WebKit)
22 IPC::Connection::dispatchMessage(WTF::UniqueRef<IPC::Decoder>) (WebKit)
22 IPC::Connection::dispatchOneIncomingMessage() (WebKit)
22 IPC::Connection::enqueueIncomingMessage(WTF::UniqueRef<IPC::Decoder>)::$_2::operator()() const (WebKit)
22 WTF::Detail::CallableWrapper<IPC::Connection::enqueueIncomingMessage(WTF::UniqueRef<IPC::Decoder>)::$_2, void>::call() (WebKit)
22 WTF::Function<void ()>::operator()() const (JavaScriptCore)
22 WTF::RunLoop::performWork() (JavaScriptCore)
22 WTF::RunLoop::performWork(void*) (JavaScriptCore)
22 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (CoreFoundation)
22 __CFRunLoopDoSource0 (CoreFoundation)
22 __CFRunLoopDoSources0 (CoreFoundation)
22 __CFRunLoopRun (CoreFoundation)
22 _CFRunLoopRunSpecificWithOptions (CoreFoundation)
22 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] (Foundation)
22 -[NSRunLoop(NSRunLoop) run] (Foundation)
22 _xpc_objc_main (libxpc.dylib)
22 _xpc_main (libxpc.dylib)
22 xpc_main (libxpc.dylib)
22 WebKit::XPCServiceMain(int, char const**) (WebKit)
22 start (dyld)
```
Jean-Yves Avenard [:jya]
Comment 1
2025-07-24 05:41:01 PDT
rdar://155578324
Jean-Yves Avenard [:jya]
Comment 2
2025-07-24 05:51:31 PDT
Pull request:
https://github.com/WebKit/WebKit/pull/48473
EWS
Comment 3
2025-07-25 22:33:34 PDT
Committed 297885@main (59ff57feba67): <https://commits.webkit.org/297885@main>
Reviewed commits have been landed. Closing PR #48473 and removing active labels.