Bug 249064 - Web Inspector: Fix use-after-move in Inspector::InspectorDebuggerAgent::didCreateNativeExecutable()
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Web Inspector
Version: WebKit Nightly Build
Hardware: All All
: P2 Normal
Assignee: David Kilzer (:ddkilzer)
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2022-12-09 19:50 PST by David Kilzer (:ddkilzer)
Modified: 2022-12-12 14:18 PST

See Also:


Attachments

Description David Kilzer (:ddkilzer) 2022-12-09 19:50:13 PST
Fix use-after-move in Inspector::InspectorDebuggerAgent::didCreateNativeExecutable() in Source/JavaScriptCore/inspector/agents/InspectorDebuggerAgent.cpp.

There are two places where `oldJITCodeRef` is used after being moved in a RELEASE_ASSERT() statement.

```cpp
        [...]
        switch (kind) {
        case JSC::CodeForCall:
            ASSERT(!replacedThunk->callThunk);
            replacedThunk->callThunk = WTFMove(oldJITCodeRef);

            ASSERT(!replacedThunk->callArityThunk);
            replacedThunk->callArityThunk = WTFMove(oldArityJITCodeRef);

            RELEASE_ASSERT(oldJITCodeRef.code() == createJITCodeRef(vm.jitStubs->ctiNativeCall(vm)).code());  // Use-after-move of `oldJITCodeRef`.
            break;

        case JSC::CodeForConstruct:
            ASSERT(!replacedThunk->constructThunk);
            replacedThunk->constructThunk = WTFMove(oldJITCodeRef);

            ASSERT(!replacedThunk->constructArityThunk);
            replacedThunk->constructArityThunk = WTFMove(oldArityJITCodeRef);

            RELEASE_ASSERT(oldJITCodeRef.code() == createJITCodeRef(vm.jitStubs->ctiNativeConstruct(vm)).code());  // Use-after-move of `oldJITCodeRef`.
            break;
        }
        [...]
```
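The defect described in the report is a move followed by a read of the moved-from object inside the invariant check. The following is an added illustration by the editor, not code from WebKit or from the pull request: `CodeRef`, `ReplacedThunks`, `installCallThunkBuggy`, `installCallThunkFixed` and `kNativeCallStub` are hypothetical stand-ins for the real handle type, the replaced-thunk record, the agent method and the `ctiNativeCall` stub address. It assumes a move-only handle whose moved-from state is empty (`code()` returns `nullptr`); whatever the real type's moved-from state is, the comparison in the report no longer tests the value that was installed.

```cpp
#include <cassert>
#include <cstdio>
#include <utility>

// Stand-in for a move-only JIT code handle of the kind WTFMove() transfers in
// the bug report. Assumption for this illustration: a moved-from handle is
// empty, so code() returns nullptr. This is not WebKit's own type.
class CodeRef {
public:
    CodeRef() = default;
    explicit CodeRef(const void* code) : m_code(code) { }
    CodeRef(CodeRef&& other) noexcept : m_code(other.m_code) { other.m_code = nullptr; }
    CodeRef& operator=(CodeRef&& other) noexcept
    {
        if (this != &other) {
            m_code = other.m_code;
            other.m_code = nullptr;
        }
        return *this;
    }
    CodeRef(const CodeRef&) = delete;
    CodeRef& operator=(const CodeRef&) = delete;

    const void* code() const { return m_code; }
    explicit operator bool() const { return m_code != nullptr; }

private:
    const void* m_code = nullptr;
};

// Hypothetical record of the thunks replaced for one native executable
// (only the call thunk is modeled here).
struct ReplacedThunks {
    CodeRef callThunk;
};

// Same ordering as the report: move into the record, then read the moved-from
// handle in the invariant check. Returns what the RELEASE_ASSERT would test.
// With the stand-in type the moved-from handle is empty, so the check fails.
bool installCallThunkBuggy(ReplacedThunks& replaced, CodeRef&& oldJITCodeRef, const void* nativeCallStub)
{
    assert(!replaced.callThunk);
    replaced.callThunk = std::move(oldJITCodeRef);
    return oldJITCodeRef.code() == nativeCallStub; // use-after-move
}

// One way to keep the check meaningful: read code() before the move and verify
// the destination after it. This is the editor's illustration of the pattern,
// not the change that landed in WebKit.
bool installCallThunkFixed(ReplacedThunks& replaced, CodeRef&& oldJITCodeRef, const void* nativeCallStub)
{
    const void* oldCode = oldJITCodeRef.code();
    assert(!replaced.callThunk);
    replaced.callThunk = std::move(oldJITCodeRef);
    return oldCode == nativeCallStub && replaced.callThunk.code() == nativeCallStub;
}

// Constructed stand-in for the address ctiNativeCall() would return.
static const unsigned char kNativeCallStub[16] = { 0xc3 };

// Drives the buggy ordering: the invariant check compares an empty handle.
bool buggyCheckHolds()
{
    ReplacedThunks replaced;
    return installCallThunkBuggy(replaced, CodeRef(kNativeCallStub), kNativeCallStub);
}

// Drives the corrected ordering: the check sees the installed code pointer.
bool fixedCheckHolds()
{
    ReplacedThunks replaced;
    return installCallThunkFixed(replaced, CodeRef(kNativeCallStub), kNativeCallStub);
}

int main()
{
    std::printf("buggy check holds: %s\n", buggyCheckHolds() ? "yes" : "no");
    std::printf("fixed check holds: %s\n", fixedCheckHolds() ? "yes" : "no");
    return 0;
}
```

The point to check in review is the ordering relative to `WTFMove()`: any read of the source after the move must be replaced by a value captured before it or by a read of the destination. Static checkers such as clang-tidy's `bugprone-use-after-move` flag this pattern when the move goes through `std::move`; `WTFMove` is a separate function, so such tools only catch it if configured to recognise it.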
Comment 1 Radar WebKit Bug Importer 2022-12-09 19:50:30 PST
<rdar://problem/103204166>
Comment 2 David Kilzer (:ddkilzer) 2022-12-09 19:55:34 PST
Pull request: https://github.com/WebKit/WebKit/pull/7430
Comment 3 EWS 2022-12-12 14:18:15 PST
Committed 257755@main (9dbd0014372a): <https://commits.webkit.org/257755@main>

Reviewed commits have been landed. Closing PR #7430 and removing active labels.