Bug 190239

Summary: Ref<FetchResponse> use-after-move in DOMCache::put()
Product: WebKit Reporter: Zan Dobersek <zan>
Component: New BugsAssignee: Zan Dobersek <zan>
Status: RESOLVED FIXED    
Severity: Normal CC: fred.wang, mcatanzaro, webkit-bug-importer, youennf
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch none

Zan Dobersek
Reported 2018-10-03 01:22:38 PDT
Ref<FetchResponse> use-after-move in DOMCache::put()
Attachments
Patch (2.20 KB, patch)
2018-10-03 01:29 PDT, Zan Dobersek 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Zan Dobersek
Comment 1 2018-10-03 01:29:04 PDT
Created attachment 351492 [details] Patch
Michael Catanzaro
Comment 2 2018-10-03 02:16:14 PDT
Comment on attachment 351492 [details] Patch What a footgun :(
youenn fablet
Comment 3 2018-10-03 02:43:47 PDT
Comment on attachment 351492 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=351492&action=review > Source/WebCore/Modules/cache/DOMCache.cpp:354 > + responseRef.consumeBodyReceivedByChunk([promise = WTFMove(promise), request = WTFMove(request), response = WTFMove(response), data = SharedBuffer::create(), pendingActivity = makePendingActivity(*this), this](auto&& result) mutable { Is it really a bug on compilers? Shouldn't they all do: 1. Call -> operator on the Ref<FetchResponse> 2. Call consumeBodyReceivedByChunk or move the Ref<FetchResponse> in the lambda 3. Move the Ref<FetchResponse> in the lambda or call consumeBodyReceivedByChunk
Zan Dobersek
Comment 4 2018-10-03 03:08:18 PDT
(In reply to youenn fablet from comment #3) > Comment on attachment 351492 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=351492&action=review > > > Source/WebCore/Modules/cache/DOMCache.cpp:354 > > + responseRef.consumeBodyReceivedByChunk([promise = WTFMove(promise), request = WTFMove(request), response = WTFMove(response), data = SharedBuffer::create(), pendingActivity = makePendingActivity(*this), this](auto&& result) mutable { > > Is it really a bug on compilers? > Shouldn't they all do: > 1. Call -> operator on the Ref<FetchResponse> > 2. Call consumeBodyReceivedByChunk or move the Ref<FetchResponse> in the > lambda > 3. Move the Ref<FetchResponse> in the lambda or call > consumeBodyReceivedByChunk It's a bug in our code, but compilers are free to choose the desired order of evaluating the call expression as well as each argument: https://en.cppreference.com/w/cpp/language/operator_other#Built-in_function_call_operator This is apparently changing in C++17, guaranteeing the function-name expression being evaluated before the arguments.
Zan Dobersek
Comment 5 2018-10-03 03:09:31 PDT
Comment on attachment 351492 [details] Patch Clearing flags on attachment: 351492 Committed r236789: <https://trac.webkit.org/changeset/236789>
Zan Dobersek
Comment 6 2018-10-03 03:09:35 PDT
All reviewed patches have been landed. Closing bug.
Radar WebKit Bug Importer
Comment 7 2018-10-03 03:11:00 PDT
<rdar://problem/44969033>
youenn fablet
Comment 8 2018-10-03 03:55:07 PDT
> This is apparently changing in C++17, guaranteeing the function-name > expression being evaluated before the arguments. C++17 seems tempting then!
Note You need to log in before you can comment on or make changes to this bug.