RESOLVED LATER 202164
Address static analyzer warnings in ObjCCallbackFunction.mm 
https://bugs.webkit.org/show_bug.cgi?id=202164
Summary Address static analyzer warnings in ObjCCallbackFunction.mm
Keith Rollin
Reported 2019-09-24 13:15:50 PDT
Xcode's static analyzer reports the following: ./API/ObjCCallbackFunction.mm:550:18: warning: Potential leak of an object stored into 'target' target = [m_instanceClass alloc]; ^ ./API/ObjCCallbackFunction.mm:701:27: warning: Potential leak of an object of type 'id' [invocation setTarget:[target copy]]; ^ In the first case, it does seem like target is being leaked. Address this by adding a [target release]. In the second case, management of "target" is a little non-standard. "target" is being copied, with the result being assigned into "invocation" in a non-retained manner. Just looking at this snippet of code, it seems like "target"'s copy is being leaked. However, management of the clone is taken over elsewhere. The line after the "[target copy]" passes "invocation" into a stack of other functions, which take over ownership of the "target" clone. This is explained in some comments above the code cited above, but they weren't quite clear to me. Address this by using "#ifndef __clang_analyzer__" to hide the "[target copy]" from the static analyzer, and adding some more comments to further explain what's going on.
Attachments
Patch (3.70 KB, patch)
2019-09-24 13:18 PDT, Keith Rollin 		ews-watchlist: commit-queue-
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2019-09-24 13:16:06 PDT
<rdar://problem/55674457>
Keith Rollin
Comment 2 2019-09-24 13:18:01 PDT
Created attachment 379478 [details] Patch
Geoffrey Garen
Comment 3 2019-09-24 13:36:41 PDT
Comment on attachment 379478 [details] Patch Can we use smart pointers here? Specifically, RetainPtr.
Tim Horton
Comment 4 2019-09-24 13:43:02 PDT
Comment on attachment 379478 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=379478&action=review > Source/JavaScriptCore/API/ObjCCallbackFunction.mm:556 > + [target release]; This seems wrong (too early), because anything that uses m_invocation.target after this point is a UAF? Nothing else keeps target alive.
EWS Watchlist
Comment 5 2019-09-24 17:18:19 PDT
Comment on attachment 379478 [details] Patch Attachment 379478 [details] did not pass jsc-ews (mac): Output: https://webkit-queues.webkit.org/results/13065005 New failing tests: apiTests
Alexey Proskuryakov
Comment 6 2025-01-29 13:18:20 PST
Closing this 5+ years later, as it's an abandoned patch.
Note You need to log in before you can comment on or make changes to this bug.