Bug 190449

Summary:	makeWeakPtr() on a derived class provides a bad pointer if CanMakeWeakPtr<> is not its first base class
Product:	WebKit	Reporter:	Simon Fraser (smfr) <simon.fraser>
Component:	Web Template Framework	Assignee:	Nobody <webkit-unassigned>
Status:	NEW
Severity:	Normal	CC:	cdumez, ggaren, jiewen_tan, koivisto, lforschler, sam, simon.fraser
Priority:	P2
Version:	WebKit Nightly Build
Hardware:	Unspecified
OS:	Unspecified

Simon Fraser (smfr)

Reported 2018-10-10 15:22:22 PDT

I changed RenderLayer to: class RenderLayer final : public RenderLayerNode, public ScrollableArea { ... } where RenderLayerNode is a base class with virtual members and ScrollableArea is: class ScrollableArea : public CanMakeWeakPtr<ScrollableArea> { ... } This triggered crashes in code that referenced weak ptrs to RenderLayers. It seems that weak_reference_downcast() assumes that the pointers are reinterpret-castable, but that's not always true.

Attachments
Add attachment proposed patch, testcase, etc.

Geoffrey Garen

Comment 1 2018-10-10 20:17:25 PDT

Related: https://bugs.webkit.org/show_bug.cgi?id=188799 https://bugs.webkit.org/show_bug.cgi?id=179405

Simon Fraser (smfr)

Comment 2 2018-10-10 20:44:50 PDT

This could probably be marked a dup of one of those. I'd like this to work soonish...

Geoffrey Garen

Comment 3 2018-10-10 20:59:17 PDT

A short-term workaround is to list ScrollableArea first in the inheritance hierarchy: class RenderLayer final : public ScrollableArea, public RenderLayerNode {

Simon Fraser (smfr)

Comment 4 2018-10-11 09:39:53 PDT

Sadly that breaks some other casting I wanted to do (but may have to do differently).

Antti Koivisto

Comment 5 2018-10-11 11:13:28 PDT

I'll try to fix WeakPtr at some point.

Note You need to log in before you can comment on or make changes to this bug.