Fix aliasing bugs in Vector::fill() and Vector::insertFill()#61491
Merged
webkit-commit-queue merged 1 commit intoMar 28, 2026
Conversation
Collaborator
|
EWS run on current version of this PR (hash 18d0f43) Details |
darinadler
approved these changes
Mar 27, 2026
https://bugs.webkit.org/show_bug.cgi?id=310889 Reviewed by Darin Adler. Both `fill()` and `insertFill()` take a `const T&` parameter that may reference an element within the vector itself. If the vector mutates (via shrink, clear, reallocation, or element shifting), that reference becomes dangling or points to the wrong value. For `fill()`, `clear()` destroys all elements before reallocation, and `shrink()` destroys elements past the new size -- either case invalidates a reference to a vector element. For `insertFill()`, `expandCapacity()` may reallocate the buffer, and even without reallocation, `moveOverlapping()` shifts elements right, so a reference to an element at or after the insertion position reads the wrong value (or a destructed object for non-trivial types). Fix both by copying the value into a local before any mutation, matching how std::vector is required to handle this case for `insert(pos, count, value)` and `assign(count, value)`. Test: Tools/TestWebKitAPI/Tests/WTF/Vector.cpp * Source/WTF/wtf/Vector.h: (WTF::Malloc>::fill): (WTF::Malloc>::insertFill): * Tools/TestWebKitAPI/Tests/WTF/Vector.cpp: (TestWebKitAPI::TEST(WTF_Vector, FillAliasingGrowth)): (TestWebKitAPI::TEST(WTF_Vector, FillAliasingShrink)): (TestWebKitAPI::TEST(WTF_Vector, FillAliasingNoReallocation)): (TestWebKitAPI::TEST(WTF_Vector, FillAliasingSameSize)): (TestWebKitAPI::TEST(WTF_Vector, InsertFillAliasingWithReallocation)): (TestWebKitAPI::TEST(WTF_Vector, InsertFillAliasingElementAfterPosition)): (TestWebKitAPI::TEST(WTF_Vector, InsertFillAliasingElementAtPosition)): (TestWebKitAPI::TEST(WTF_Vector, InsertFillAliasingElementBeforePosition)): Canonical link: https://commits.webkit.org/310131@main
webkit-commit-queue
force-pushed
the
310889_Vector_fill_aliasing
branch
from
18d0f43 to
80119b4
Compare
Collaborator
|
Committed 310131@main (80119b4): https://commits.webkit.org/310131@main Reviewed commits have been landed. Closing PR #61491 and removing active labels. |
webkit-commit-queue
removed
the
merge-queue
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
80119b4
18d0f43