Bug 190239 - Ref<FetchResponse> use-after-move in DOMCache::put()
Summary: Ref<FetchResponse> use-after-move in DOMCache::put()
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Zan Dobersek
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2018-10-03 01:22 PDT by Zan Dobersek
Modified: 2018-10-03 03:55 PDT (History)
4 users (show)

See Also:

Attachments
Patch (2.20 KB, patch)
2018-10-03 01:29 PDT, Zan Dobersek 		no flags Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Zan Dobersek 2018-10-03 01:22:38 PDT 
Ref<FetchResponse> use-after-move in DOMCache::put()
Comment 1 Zan Dobersek 2018-10-03 01:29:04 PDT 
Created attachment 351492 [details]
Patch
Comment 2 Michael Catanzaro 2018-10-03 02:16:14 PDT 
Comment on attachment 351492 [details]
Patch

What a footgun :(
Comment 3 youenn fablet 2018-10-03 02:43:47 PDT 
Comment on attachment 351492 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=351492&action=review

> Source/WebCore/Modules/cache/DOMCache.cpp:354
> +        responseRef.consumeBodyReceivedByChunk([promise = WTFMove(promise), request = WTFMove(request), response = WTFMove(response), data = SharedBuffer::create(), pendingActivity = makePendingActivity(*this), this](auto&& result) mutable {

Is it really a bug on compilers?
Shouldn't they all do:
1. Call -> operator on the Ref<FetchResponse>
2. Call consumeBodyReceivedByChunk or move the Ref<FetchResponse> in the lambda
3. Move the Ref<FetchResponse> in the lambda or call consumeBodyReceivedByChunk
Comment 4 Zan Dobersek 2018-10-03 03:08:18 PDT 
(In reply to youenn fablet from comment #3)
> Comment on attachment 351492 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=351492&action=review
> 
> > Source/WebCore/Modules/cache/DOMCache.cpp:354
> > +        responseRef.consumeBodyReceivedByChunk([promise = WTFMove(promise), request = WTFMove(request), response = WTFMove(response), data = SharedBuffer::create(), pendingActivity = makePendingActivity(*this), this](auto&& result) mutable {
> 
> Is it really a bug on compilers?
> Shouldn't they all do:
> 1. Call -> operator on the Ref<FetchResponse>
> 2. Call consumeBodyReceivedByChunk or move the Ref<FetchResponse> in the
> lambda
> 3. Move the Ref<FetchResponse> in the lambda or call
> consumeBodyReceivedByChunk

It's a bug in our code, but compilers are free to choose the desired order of evaluating the call expression as well as each argument:
https://en.cppreference.com/w/cpp/language/operator_other#Built-in_function_call_operator

This is apparently changing in C++17, guaranteeing the function-name expression being evaluated before the arguments.
Comment 5 Zan Dobersek 2018-10-03 03:09:31 PDT 
Comment on attachment 351492 [details]
Patch

Clearing flags on attachment: 351492

Committed r236789: <https://trac.webkit.org/changeset/236789>
Comment 6 Zan Dobersek 2018-10-03 03:09:35 PDT 
All reviewed patches have been landed.  Closing bug.
Comment 7 Radar WebKit Bug Importer 2018-10-03 03:11:00 PDT 
<rdar://problem/44969033>
Comment 8 youenn fablet 2018-10-03 03:55:07 PDT 
> This is apparently changing in C++17, guaranteeing the function-name
> expression being evaluated before the arguments.

C++17 seems tempting then!