Bug 290185
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | [GTK][WPE] False positive `use-after-free` error on GCC 12 in `CSSValue::operator delete()` | | |
| Product: | WebKit | Reporter: | Vitaly Dyackhov <vitaly> |
| Component: | New Bugs | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
Vitaly Dyackhov
```
In member function ‘void WebCore::CSSValue::deref() const’,
inlined from ‘static void WTF::DefaultRefDerefTraits< <template-parameter-1-1> >::derefIfNotNull(T*) [with T = WebCore::CSSValueList]’ at /home/vitaly/Projects/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/Ref.h:62:23,
inlined from ‘WTF::RefPtr<T, <template-parameter-1-2>, <template-parameter-1-3> >::~RefPtr() [with T = WebCore::CSSValueList; _PtrTraits = WTF::RawPtrTraits<WebCore::CSSValueList>; _RefDerefTraits = WTF::DefaultRefDerefTraits<WebCore::CSSValueList>]’ at /home/vitaly/Projects/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/RefPtr.h:60:61,
inlined from ‘static void WebCore::Style::BuilderCustom::applyValueFill(WebCore::Style::BuilderState&, WebCore::CSSValue&)’ at /home/vitaly/Projects/WebKit/Source/WebCore/style/StyleBuilderCustom.h:1244:5:
/home/vitaly/Projects/WebKit/Source/WebCore/css/CSSValue.h:312:29: error: pointer ‘value’ used after ‘static void WebCore::CSSValue::operator delete(WebCore::CSSValue*, std::destroying_delete_t)’ [-Werror=use-after-free]
312 | unsigned tempRefCount = m_refCount - refCountIncrement;
| ^~~~~~~~~~
In member function ‘void WebCore::CSSValue::deref() const’,
inlined from ‘static void WTF::DefaultRefDerefTraits< <template-parameter-1-1> >::derefIfNotNull(T*) [with T = const WebCore::CSSValue]’ at /home/vitaly/Projects/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/Ref.h:62:23,
inlined from ‘WTF::RefPtr<T, <template-parameter-1-2>, <template-parameter-1-3> >::~RefPtr() [with T = const WebCore::CSSValue; _PtrTraits = WTF::RawPtrTraits<const WebCore::CSSValue>; _RefDerefTraits = WTF::DefaultRefDerefTraits<const WebCore::CSSValue>]’ at /home/vitaly/Projects/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/RefPtr.h:60:61,
inlined from ‘WTF::RefPtr<T, PtrTraits, RefDerefTraits>& WTF::RefPtr<T, <template-parameter-1-2>, <template-parameter-1-3> >::operator=(WTF::RefPtr<T, <template-parameter-1-2>, <template-parameter-1-3> >&&) [with T = const WebCore::CSSValue; _PtrTraits = WTF::RawPtrTraits<const WebCore::CSSValue>; _RefDerefTraits = WTF::DefaultRefDerefTraits<const WebCore::CSSValue>]’ at /home/vitaly/Projects/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/RefPtr.h:165:1,
inlined from ‘static void WebCore::Style::BuilderCustom::applyValueFill(WebCore::Style::BuilderState&, WebCore::CSSValue&)’ at /home/vitaly/Projects/WebKit/Source/WebCore/style/StyleBuilderCustom.h:1243:43:
/home/vitaly/Projects/WebKit/Source/WebCore/css/CSSValue.h:316:16: note: call to ‘static void WebCore::CSSValue::operator delete(WebCore::CSSValue*, std::destroying_delete_t)’ here
316 | delete this;
```
Vitaly Dyackhov
Pull request: https://github.com/WebKit/WebKit/pull/42813
EWS
Committed 292887@main (8255a10580c5): <https://commits.webkit.org/292887@main>
Reviewed commits have been landed. Closing PR #42813 and removing active labels.
Radar WebKit Bug Importer
<rdar://problem/148153125>