Bug 271648 - [GTK] "use-after-free" warning in `WebCore/page/Navigation.cpp` with GCC 12
Summary: [GTK] "use-after-free" warning in `WebCore/page/Navigation.cpp` with GCC 12
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKitGTK
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Patrick Griffis
Reported: 2024-03-25 08:21 PDT by Vitaly Dyackhov
Modified: 2024-03-25 17:48 PDT

Description Vitaly Dyackhov 2024-03-25 08:21:59 PDT
Similar to https://bugs.webkit.org/show_bug.cgi?id=239353, there is a "use-after-free" warning in `WebCore/page/Navigation.cpp`:
```
In file included from /home/vitaly/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/text/CString.h:33,
                 from /home/vitaly/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/text/StringView.h:34,
                 from /home/vitaly/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/text/StringConcatenate.h:32,
                 from /home/vitaly/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/text/AtomString.h:355,
                 from /home/vitaly/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/text/StringHash.h:26,
                 from /home/vitaly/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/JSONValues.h:36,
                 from /home/vitaly/WebKit/Source/WebCore/platform/graphics/IntSize.h:30,
                 from /home/vitaly/WebKit/Source/WebCore/platform/graphics/IntPoint.h:28,
                 from /home/vitaly/WebKit/Source/WebCore/platform/animation/AnimationUtilities.h:29,
                 from /home/vitaly/WebKit/Source/WebCore/platform/Length.h:25,
                 from /home/vitaly/WebKit/Source/WebCore/platform/LengthFunctions.h:27,
                 from /home/vitaly/WebKit/Source/WebCore/rendering/RenderElement.h:26,
                 from /home/vitaly/WebKit/Source/WebCore/rendering/RenderLayerModelObject.h:26,
                 from /home/vitaly/WebKit/Source/WebCore/page/LocalFrameViewLayoutContext.h:29,
                 from /home/vitaly/WebKit/Source/WebCore/page/LocalFrameViewLayoutContext.cpp:27,
                 from /home/vitaly/WebKit/WebKitBuild/GTK/Release/WebCore/DerivedSources/unified-sources/UnifiedSource-767013ce-6.cpp:1:
In member function ‘bool WTF::RefCountedBase::derefAllowingPartiallyDestroyedBase() const’,
    inlined from ‘bool WTF::RefCountedBase::derefBase() const’ at /home/vitaly/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/RefCounted.h:155:51,
    inlined from ‘void WTF::RefCounted<T, Deleter>::deref() const [with T = WebCore::AbortController; Deleter = std::default_delete<WebCore::AbortController>]’ at /home/vitaly/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/RefCounted.h:219:22,
    inlined from ‘static void WTF::DefaultRefDerefTraits< <template-parameter-1-1> >::derefIfNotNull(T*) [with T = WebCore::AbortController]’ at /home/vitaly/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/Ref.h:62:23,
    inlined from ‘WTF::RefPtr<T, <template-parameter-1-2>, <template-parameter-1-3> >::~RefPtr() [with T = WebCore::AbortController; _PtrTraits = WTF::RawPtrTraits<WebCore::AbortController>; _RefDerefTraits = WTF::DefaultRefDerefTraits<WebCore::AbortController>]’ at /home/vitaly/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/RefPtr.h:60:61,
    inlined from ‘bool WebCore::Navigation::_ZN7WebCore10Navigation26innerDispatchNavigateEventENS_24NavigationNavigationTypeEON3WTF3RefINS_21NavigationDestinationENS2_12RawPtrTraitsIS4_EENS2_21DefaultRefDerefTraitsIS4_EEEERKNS2_6StringE.part.0(WebCore::NavigationNavigationType, WTF::Ref<WebCore::NavigationDestination>&&, const WTF::String&)’ at /home/vitaly/WebKit/Source/WebCore/page/Navigation.cpp:436:88:
/home/vitaly/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/RefCounted.h:138:33: error: pointer ‘__old_val’ used after ‘static void WebCore::AbortController::operator delete(void*)’ [-Werror=use-after-free]
  138 |         unsigned tempRefCount = m_refCount - 1;
      |                                 ^~~~~~~~~~
In file included from /usr/include/c++/12/memory:75,
                 from /home/vitaly/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/StdLibExtras.h:30,
                 from /home/vitaly/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/FastMalloc.h:26,
                 from /home/vitaly/WebKit/Source/WebCore/config.h:47,
                 from /home/vitaly/WebKit/Source/WebCore/page/LocalFrameViewLayoutContext.cpp:26:
In member function ‘void std::default_delete<_Tp>::operator()(_Tp*) const [with _Tp = WebCore::AbortController]’,
    inlined from ‘void WTF::RefCounted<T, Deleter>::deref() const [with T = WebCore::AbortController; Deleter = std::default_delete<WebCore::AbortController>]’ at /home/vitaly/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/RefCounted.h:220:22,
    inlined from ‘static void WTF::DefaultRefDerefTraits< <template-parameter-1-1> >::derefIfNotNull(T*) [with T = WebCore::AbortController]’ at /home/vitaly/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/Ref.h:62:23,
    inlined from ‘WTF::RefPtr<T, <template-parameter-1-2>, <template-parameter-1-3> >::~RefPtr() [with T = WebCore::AbortController; _PtrTraits = WTF::RawPtrTraits<WebCore::AbortController>; _RefDerefTraits = WTF::DefaultRefDerefTraits<WebCore::AbortController>]’ at /home/vitaly/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/RefPtr.h:60:61,
    inlined from ‘static WTF::Ref<WebCore::NavigateEvent> WebCore::NavigateEvent::create(const WTF::AtomString&, const Init&, WTF::RefPtr<WebCore::AbortController>)’ at /home/vitaly/WebKit/Source/WebCore/page/NavigateEvent.cpp:55:67,
    inlined from ‘bool WebCore::Navigation::_ZN7WebCore10Navigation26innerDispatchNavigateEventENS_24NavigationNavigationTypeEON3WTF3RefINS_21NavigationDestinationENS2_12RawPtrTraitsIS4_EENS2_21DefaultRefDerefTraitsIS4_EEEERKNS2_6StringE.part.0(WebCore::NavigationNavigationType, WTF::Ref<WebCore::NavigationDestination>&&, const WTF::String&)’ at /home/vitaly/WebKit/Source/WebCore/page/Navigation.cpp:436:88:
/usr/include/c++/12/bits/unique_ptr.h:95:9: note: call to ‘static void WebCore::AbortController::operator delete(void*)’ here
   95 |         delete __ptr;
      | 
```

I think it's a GCC bug and it's safe to ignore this warning.
Comment 1 Vitaly Dyackhov 2024-03-25 08:25:09 PDT
Pull request: https://github.com/WebKit/WebKit/pull/26412
Comment 2 Patrick Griffis 2024-03-25 08:40:39 PDT
Pull request: https://github.com/WebKit/WebKit/pull/26417
Comment 3 EWS 2024-03-25 17:48:33 PDT
Committed 276662@main (508e1805310e): <https://commits.webkit.org/276662@main>

Reviewed commits have been landed. Closing PR #26417 and removing active labels.