Clear-Site-Data "cache" failed to evict BFCache/MemoryCache via SecurityOriginHash ODR violation

20790ef

The C++ ODR requires a template to have exactly one definition across all translation units. HashSet<Ref<SecurityOrigin>> has two candidate DefaultHash specializations: the content-based SecurityOriginHash (from SecurityOriginHash.h) and the generic pointer-based PtrHash (always available). When a TU instantiates the HashSet without including SecurityOriginHash.h, both definitions of the inline add()/contains() end up in the binary with different hashing semantics and the linker silently keeps one.

Source/WebCore/page/SecurityOrigin.h

+namespace WTF {
+// The content-based DefaultHash specialization for Ref<SecurityOrigin> is
+// declared here but intentionally defined only in SecurityOriginHash.h. Using
+// Ref<SecurityOrigin> as a hash-table key without including SecurityOriginHash.h
+// is therefore a hard compile error rather than a silent fall back to pointer hashing.
+template<typename> struct DefaultHash;
+template<> struct DefaultHash<Ref<WebCore::SecurityOrigin>>; // Defined in SecurityOriginHash.h
+} // namespace WTF

WebProcess.cpp built the origin set with pointer hashing; WebCore queried it with freshly-created SecurityOrigin objects using content hashing — the pointer addresses never matched, so contains() always returned false and neither cache was cleared. The violation became load-bearing in commit 307882@main, which converted these containers from RefPtr to Ref. The fix forward-declares DefaultHash<Ref<SecurityOrigin>> as an incomplete type in SecurityOrigin.h, turning any future silent miscompile into a hard compile error.

Significance

Clear-Site-Data: "cache" is used by servers at logout to purge cached resources — silently failing here left post-logout BFCache and memory-cache entries reachable for every response processed between commit 307882@main and this fix.

Audit directions

Aaaaa Aaaaaaa Aaa Aaaaa Aaaaaaaaaaaaaaa Aaaaaaaaaa Aaaaaaaaaaa Aaaaaaaaaa Aaaaa Aaaaaaa Aaaaaaaaaa Aaaaaaaaaaaa Aaaaa Aaaa Aaa Aaaaa Aa Aaaaaaa Aaa Aaa Aaaaaaa Aa Aaaaaaaaaa a Aaaa Aaa Aaaaaaaaaaaaaa Aaaaaa Aaaaaaaaaaa Aaaaa Aaa Aaaaaa Aaaa Aaa Aaaa a Aaaaaaaaaaaaa Aaaaaaaaaaaaa Aaaaaaa Aa a Aaaaaaaa Aaaaaa Aa Aaaaaaaaaaaa Aaaaaa Aaaa Aaaa Aaaaaa Aa Aaa Aaaaaaaaaaaaa Aaaaa Aaaaa Aaaaa Aaaaa Aaa Aa Aaaaaaaa Aaaaaaa Aa Aaaaaaaa Aaaaaaaa Aaaaaaa Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa Aaa Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa Aaa Aaaaaaaaaaaaa Aaaaaaa Aa Aaaaa Aaaa Aaaa Aaa Aaaa Aa Aaaaaa Aaaaaaaaaaaa Aaa Aaaaaa Aaa Aa a Aa Aaaa Aaaaa Aaaaa Aaaa Aa Aaaaaaaaaa

🔒

The scope of the silent failure and the class of similar ODR violations elsewhere in the codebase are both worth investigating.

Subscribe to read more