Closed Bug 2024165 Opened 2 months ago Closed 1 month ago

[wpt-sync] Sync PR 58549 - Fix a use-after-free with lazy style attributes.

Categories

(Core :: CSS Parsing and Computation, task, P4)

Product:
Core
Component:
CSS Parsing and Computation
Type:
task

Tracking

()

Status:
RESOLVED FIXED
Milestone:
151 Branch
Tracking Flags:
Tracking Status
firefox151 --- fixed

People

(Reporter: wpt-sync, Unassigned)

References

(
URL
)

Details

(Whiteboard: [wptsync downstream])

Sync web-platform-tests PR 58549 into mozilla-central (this bug is closed when the sync is complete).

PR: https://github.com/web-platform-tests/wpt/pull/58549
Details from upstream follow.

Steinar H. Gunderson <sesse@chromium.org> wrote:

Fix a use-after-free with lazy style attributes.

Running selector checking on an element could add new attributes to it,
invalidating the Attribute pointers we are iterating over. We knew this
and had code in place for it, but that code was defeated when we added
RuleSet bundles; we'd refresh the Attribute span after we'd processed
the entire bundle instead of after each RuleSet, and since the
Aho-Corasick code wanted to read a value from one of the attributes,
we could have use-after-free.

We also appeared to hold a reference to the name, but it is actually
harmless; since ToAsciiLower() returns a value, so does the entire
ternary expression and it's just a normal value that's kept alive
by C++'s reference extension.

Style perftest is neutral.

Fixed: 492735384
Change-Id: Ib9b56eedbc8bd89978973717be8543b37584b730
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7673597
Reviewed-by: Rune Lillesveen \<futhark@chromium.org>
Commit-Queue: Steinar H Gunderson \<sesse@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1600463}

Component: web-platform-tests → CSS Parsing and Computation
Product: Testing → Core

CI Results

Ran 11 Firefox configurations based on mozilla-central, and Firefox, Chrome, and Safari on GitHub CI

Total 3 tests

Status Summary

Firefox

PASS: 1[GitHub] 3[Gecko-android-em-14-x86_64-debug-geckoview, Gecko-android-em-14-x86_64-lite-opt-geckoview, Gecko-android-em-14-x86_64-opt-geckoview, Gecko-linux2204-64-wayland-debug, Gecko-linux2204-64-wayland-opt, Gecko-linux2404-64-debug, Gecko-linux2404-64-opt, Gecko-windows11-32-24h2-debug, Gecko-windows11-32-24h2-opt, Gecko-windows11-64-24h2-debug, Gecko-windows11-64-24h2-opt]

Chrome

PASS: 1

Safari

PASS: 1

Links

Gecko CI (Treeherder)
GitHub PR Head
GitHub PR Base

Pushed by wptsync@mozilla.com: https://github.com/mozilla-firefox/firefox/commit/2a3e6a160164 https://hg.mozilla.org/integration/autoland/rev/0ff8869cb049 [wpt PR 58549] - Fix a use-after-free with lazy style attributes., a=testonly

https://hg.mozilla.org/mozilla-central/rev/0ff8869cb049

Status: NEW → RESOLVED
Closed: 1 month ago
status-firefox151: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 151 Branch
You need to log in before you can comment on or make changes to this bug.