Bug 271648

Summary: [GTK] "use-after-free" warning in `WebCore/page/Navigation.cpp` with GCC 12
Product: WebKit Reporter: Vitaly Dyackhov <vitaly>
Component: WebKitGTKAssignee: Patrick Griffis <pgriffis>
Status: RESOLVED FIXED    
Severity: Normal CC: bugs-noreply
Priority: P2    
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=239353

Vitaly Dyackhov
Reported 2024-03-25 08:21:59 PDT
Similar to https://bugs.webkit.org/show_bug.cgi?id=239353, there is a "use-after-free" warning in `WebCore/page/Navigation.cpp`: ``` In file included from /home/vitaly/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/text/CString.h:33, from /home/vitaly/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/text/StringView.h:34, from /home/vitaly/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/text/StringConcatenate.h:32, from /home/vitaly/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/text/AtomString.h:355, from /home/vitaly/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/text/StringHash.h:26, from /home/vitaly/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/JSONValues.h:36, from /home/vitaly/WebKit/Source/WebCore/platform/graphics/IntSize.h:30, from /home/vitaly/WebKit/Source/WebCore/platform/graphics/IntPoint.h:28, from /home/vitaly/WebKit/Source/WebCore/platform/animation/AnimationUtilities.h:29, from /home/vitaly/WebKit/Source/WebCore/platform/Length.h:25, from /home/vitaly/WebKit/Source/WebCore/platform/LengthFunctions.h:27, from /home/vitaly/WebKit/Source/WebCore/rendering/RenderElement.h:26, from /home/vitaly/WebKit/Source/WebCore/rendering/RenderLayerModelObject.h:26, from /home/vitaly/WebKit/Source/WebCore/page/LocalFrameViewLayoutContext.h:29, from /home/vitaly/WebKit/Source/WebCore/page/LocalFrameViewLayoutContext.cpp:27, from /home/vitaly/WebKit/WebKitBuild/GTK/Release/WebCore/DerivedSources/unified-sources/UnifiedSource-767013ce-6.cpp:1: In member function ‘bool WTF::RefCountedBase::derefAllowingPartiallyDestroyedBase() const’, inlined from ‘bool WTF::RefCountedBase::derefBase() const’ at /home/vitaly/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/RefCounted.h:155:51, inlined from ‘void WTF::RefCounted<T, Deleter>::deref() const [with T = WebCore::AbortController; Deleter = std::default_delete<WebCore::AbortController>]’ at /home/vitaly/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/RefCounted.h:219:22, inlined from ‘static void WTF::DefaultRefDerefTraits< <template-parameter-1-1> >::derefIfNotNull(T*) [with T = WebCore::AbortController]’ at /home/vitaly/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/Ref.h:62:23, inlined from ‘WTF::RefPtr<T, <template-parameter-1-2>, <template-parameter-1-3> >::~RefPtr() [with T = WebCore::AbortController; _PtrTraits = WTF::RawPtrTraits<WebCore::AbortController>; _RefDerefTraits = WTF::DefaultRefDerefTraits<WebCore::AbortController>]’ at /home/vitaly/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/RefPtr.h:60:61, inlined from ‘bool WebCore::Navigation::_ZN7WebCore10Navigation26innerDispatchNavigateEventENS_24NavigationNavigationTypeEON3WTF3RefINS_21NavigationDestinationENS2_12RawPtrTraitsIS4_EENS2_21DefaultRefDerefTraitsIS4_EEEERKNS2_6StringE.part.0(WebCore::NavigationNavigationType, WTF::Ref<WebCore::NavigationDestination>&&, const WTF::String&)’ at /home/vitaly/WebKit/Source/WebCore/page/Navigation.cpp:436:88: /home/vitaly/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/RefCounted.h:138:33: error: pointer ‘__old_val’ used after ‘static void WebCore::AbortController::operator delete(void*)’ [-Werror=use-after-free] 138 | unsigned tempRefCount = m_refCount - 1; | ^~~~~~~~~~ In file included from /usr/include/c++/12/memory:75, from /home/vitaly/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/StdLibExtras.h:30, from /home/vitaly/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/FastMalloc.h:26, from /home/vitaly/WebKit/Source/WebCore/config.h:47, from /home/vitaly/WebKit/Source/WebCore/page/LocalFrameViewLayoutContext.cpp:26: In member function ‘void std::default_delete<_Tp>::operator()(_Tp*) const [with _Tp = WebCore::AbortController]’, inlined from ‘void WTF::RefCounted<T, Deleter>::deref() const [with T = WebCore::AbortController; Deleter = std::default_delete<WebCore::AbortController>]’ at /home/vitaly/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/RefCounted.h:220:22, inlined from ‘static void WTF::DefaultRefDerefTraits< <template-parameter-1-1> >::derefIfNotNull(T*) [with T = WebCore::AbortController]’ at /home/vitaly/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/Ref.h:62:23, inlined from ‘WTF::RefPtr<T, <template-parameter-1-2>, <template-parameter-1-3> >::~RefPtr() [with T = WebCore::AbortController; _PtrTraits = WTF::RawPtrTraits<WebCore::AbortController>; _RefDerefTraits = WTF::DefaultRefDerefTraits<WebCore::AbortController>]’ at /home/vitaly/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/RefPtr.h:60:61, inlined from ‘static WTF::Ref<WebCore::NavigateEvent> WebCore::NavigateEvent::create(const WTF::AtomString&, const Init&, WTF::RefPtr<WebCore::AbortController>)’ at /home/vitaly/WebKit/Source/WebCore/page/NavigateEvent.cpp:55:67, inlined from ‘bool WebCore::Navigation::_ZN7WebCore10Navigation26innerDispatchNavigateEventENS_24NavigationNavigationTypeEON3WTF3RefINS_21NavigationDestinationENS2_12RawPtrTraitsIS4_EENS2_21DefaultRefDerefTraitsIS4_EEEERKNS2_6StringE.part.0(WebCore::NavigationNavigationType, WTF::Ref<WebCore::NavigationDestination>&&, const WTF::String&)’ at /home/vitaly/WebKit/Source/WebCore/page/Navigation.cpp:436:88: /usr/include/c++/12/bits/unique_ptr.h:95:9: note: call to ‘static void WebCore::AbortController::operator delete(void*)’ here 95 | delete __ptr; | ``` I think it's a GCC bug and it's safe to ignore this warning.
Attachments
Add attachment proposed patch, testcase, etc.
Vitaly Dyackhov
Comment 1 2024-03-25 08:25:09 PDT
Pull request: https://github.com/WebKit/WebKit/pull/26412
Patrick Griffis
Comment 2 2024-03-25 08:40:39 PDT
Pull request: https://github.com/WebKit/WebKit/pull/26417
EWS
Comment 3 2024-03-25 17:48:33 PDT
Committed 276662@main (508e1805310e): <https://commits.webkit.org/276662@main> Reviewed commits have been landed. Closing PR #26417 and removing active labels.
Note You need to log in before you can comment on or make changes to this bug.