Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 80119b4639d5d97f8661d4917b4d0395c6a3a89a
      
https://github.com/WebKit/WebKit/commit/80119b4639d5d97f8661d4917b4d0395c6a3a89a
  Author: Chris Dumez <[email protected]>
  Date:   2026-03-27 (Fri, 27 Mar 2026)

  Changed paths:
    M Source/WTF/wtf/Vector.h
    M Tools/TestWebKitAPI/Tests/WTF/Vector.cpp

  Log Message:
  -----------
  Fix aliasing bugs in Vector::fill() and Vector::insertFill()
https://bugs.webkit.org/show_bug.cgi?id=310889

Reviewed by Darin Adler.

Both `fill()` and `insertFill()` take a `const T&` parameter that may reference
an element within the vector itself. If the vector mutates (via shrink,
clear, reallocation, or element shifting), that reference becomes dangling
or points to the wrong value.

For `fill()`, `clear()` destroys all elements before reallocation, and `shrink()`
destroys elements past the new size -- either case invalidates a reference
to a vector element. For `insertFill()`, `expandCapacity()` may reallocate the
buffer, and even without reallocation, `moveOverlapping()` shifts elements
right, so a reference to an element at or after the insertion position
reads the wrong value (or a destructed object for non-trivial types).

Fix both by copying the value into a local before any mutation, matching
how std::vector is required to handle this case for `insert(pos, count, value)`
and `assign(count, value)`.

Test: Tools/TestWebKitAPI/Tests/WTF/Vector.cpp

* Source/WTF/wtf/Vector.h:
(WTF::Malloc>::fill):
(WTF::Malloc>::insertFill):
* Tools/TestWebKitAPI/Tests/WTF/Vector.cpp:
(TestWebKitAPI::TEST(WTF_Vector, FillAliasingGrowth)):
(TestWebKitAPI::TEST(WTF_Vector, FillAliasingShrink)):
(TestWebKitAPI::TEST(WTF_Vector, FillAliasingNoReallocation)):
(TestWebKitAPI::TEST(WTF_Vector, FillAliasingSameSize)):
(TestWebKitAPI::TEST(WTF_Vector, InsertFillAliasingWithReallocation)):
(TestWebKitAPI::TEST(WTF_Vector, InsertFillAliasingElementAfterPosition)):
(TestWebKitAPI::TEST(WTF_Vector, InsertFillAliasingElementAtPosition)):
(TestWebKitAPI::TEST(WTF_Vector, InsertFillAliasingElementBeforePosition)):

Canonical link: https://commits.webkit.org/310131@main
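The hazard described in the commit message, reproduced in a toy container as an added example (this is not WebKit's `WTF::Vector` code and not the patch itself). `ToyVector`, the `kDead` scribble value and the quarantine of retired buffers are devices of this example: destroyed slots are overwritten with `kDead` and old allocations are kept alive so that a read through a stale reference yields an observable wrong value instead of undefined behaviour. The `*Buggy` methods mirror the pre-fix ordering (mutate, then read `value`); the `*Fixed` methods copy `value` into a local first, which is the shape of the fix.

```cpp
#include <algorithm>
#include <cstddef>
#include <initializer_list>
#include <memory>
#include <vector>

// Sentinel written into every slot this toy container "destroys" (example device).
constexpr int kDead = -1;

// Hypothetical minimal int container (not WTF::Vector) that reproduces the
// aliasing hazard. Retired buffers are parked in m_quarantine instead of being
// freed, so reads through dangling references are well-defined in this demo.
class ToyVector {
public:
    size_t size() const { return m_size; }
    int& operator[](size_t i) { return m_buf[i]; }
    void append(int v) { reserve(m_size + 1); m_buf[m_size++] = v; }

    void reserve(size_t n) {
        if (n <= m_cap) return;
        size_t newCap = std::max(n, m_cap * 2);
        std::unique_ptr<int[]> fresh(new int[newCap]);
        std::copy(m_buf.get(), m_buf.get() + m_size, fresh.get());
        std::fill(m_buf.get(), m_buf.get() + m_cap, kDead); // "destroy" the old slots
        m_quarantine.push_back(std::move(m_buf));           // keep them readable
        m_buf = std::move(fresh);
        m_cap = newCap;
    }

    void shrink(size_t n) {
        std::fill(m_buf.get() + n, m_buf.get() + m_size, kDead); // destroy the tail
        m_size = n;
    }

    // Pre-fix ordering: shrink/reallocate first, read `value` afterwards.
    void fillBuggy(size_t newSize, const int& value) {
        if (newSize < m_size) shrink(newSize); else reserve(newSize);
        std::fill_n(m_buf.get(), newSize, value); // `value` may now be a dead slot
        m_size = newSize;
    }

    // Post-fix ordering: copy `value` before any mutation of the buffer.
    void fillFixed(size_t newSize, const int& value) {
        int copy = value;
        if (newSize < m_size) shrink(newSize); else reserve(newSize);
        std::fill_n(m_buf.get(), newSize, copy);
        m_size = newSize;
    }

    // Pre-fix ordering: expand, shift right, then read `value`.
    void insertFillBuggy(size_t pos, size_t count, const int& value) {
        reserve(m_size + count);                                   // may reallocate
        std::copy_backward(m_buf.get() + pos, m_buf.get() + m_size,
                           m_buf.get() + m_size + count);          // shift right
        std::fill_n(m_buf.get() + pos, count, value); // `value` may be a shifted slot
        m_size += count;
    }

    void insertFillFixed(size_t pos, size_t count, const int& value) {
        int copy = value;
        reserve(m_size + count);
        std::copy_backward(m_buf.get() + pos, m_buf.get() + m_size,
                           m_buf.get() + m_size + count);
        std::fill_n(m_buf.get() + pos, count, copy);
        m_size += count;
    }

    std::vector<int> toStdVector() const { return {m_buf.get(), m_buf.get() + m_size}; }

private:
    std::unique_ptr<int[]> m_buf;
    size_t m_size = 0, m_cap = 0;
    std::vector<std::unique_ptr<int[]>> m_quarantine;
};

static ToyVector makeVector(std::initializer_list<int> xs) {
    ToyVector v;
    for (int x : xs) v.append(x);
    return v;
}

// Scenarios (constructed inputs). Each returns the contents after the call.
// fill() shrinking to 2 while `value` aliases element 3 (destroyed by shrink).
std::vector<int> fillShrinkAliased(bool fixed) {
    ToyVector v = makeVector({10, 20, 30, 40});
    if (fixed) v.fillFixed(2, v[3]); else v.fillBuggy(2, v[3]);
    return v.toStdVector();
}
// fill() growing past capacity (reallocation) while `value` aliases element 1.
std::vector<int> fillGrowAliased(bool fixed) {
    ToyVector v = makeVector({10, 20, 30});
    if (fixed) v.fillFixed(8, v[1]); else v.fillBuggy(8, v[1]);
    return v.toStdVector();
}
// insertFill() without reallocation; `value` aliases an element after `pos`.
std::vector<int> insertFillAfterPos(bool fixed) {
    ToyVector v = makeVector({10, 20, 30});
    if (fixed) v.insertFillFixed(0, 1, v[2]); else v.insertFillBuggy(0, 1, v[2]);
    return v.toStdVector();
}
// insertFill() with reallocation; `value` aliases the element at `pos`.
std::vector<int> insertFillRealloc(bool fixed) {
    ToyVector v = makeVector({10, 20, 30});
    if (fixed) v.insertFillFixed(1, 2, v[1]); else v.insertFillBuggy(1, 2, v[1]);
    return v.toStdVector();
}
```

In a real container the buggy paths read freed or destructed memory rather than `kDead`, so the same call pattern (`v.fill(n, v[i])`, `v.insertFill(pos, n, v[i])`) is a use-after-free or stale read; the one-line `int copy = value;` before any shrink, reallocation or shift is what removes the hazard.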