RESOLVED FIXED 279994
[GTK][WPE] REGRESSION(283749@main) Build broken because of pointer use after free 
https://bugs.webkit.org/show_bug.cgi?id=279994
Summary [GTK][WPE] REGRESSION(283749@main) Build broken because of pointer use after ...
Miguel Gomez
Reported 2024-09-19 10:39:20 PDT
I don't know why the bots are building properly and they are not showing this error, but this is what I'm getting when trying to build ToT: In file included from /host/home/magomez/webkit/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/NeverDestroyed.h:32, from /host/home/magomez/webkit/WebKit/Source/WebCore/platform/animation/TimingFunction.h:27, from /host/home/magomez/webkit/WebKit/Source/WebCore/animation/KeyframeInterpolation.h:30, from /host/home/magomez/webkit/WebKit/Source/WebCore/animation/BlendingKeyframes.h:28, from /host/home/magomez/webkit/WebKit/Source/WebCore/animation/BlendingKeyframes.cpp:23, from /host/home/magomez/webkit/WebKit/WebKitBuild/GTK/Release/WebCore/DerivedSources/unified-sources/UnifiedSource-a6b8b600-2.cpp:1: In member function ‘bool WTF::RefCountedBase::derefAllowingPartiallyDestroyedBase() const’, inlined from ‘bool WTF::RefCountedBase::derefBase() const’ at /host/home/magomez/webkit/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/RefCounted.h:155:51, inlined from ‘void WTF::RefCounted<T>::deref() const [with T = WebCore::CSSStyleValue]’ at /host/home/magomez/webkit/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/RefCounted.h:211:22, inlined from ‘static void WTF::DefaultRefDerefTraits< <template-parameter-1-1> >::derefIfNotNull(T*) [with T = WebCore::CSSNumericValue]’ at /host/home/magomez/webkit/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/Ref.h:62:23, inlined from ‘WTF::RefPtr<T, <template-parameter-1-2>, <template-parameter-1-3> >::~RefPtr() [with T = WebCore::CSSNumericValue; _PtrTraits = WTF::RawPtrTraits<WebCore::CSSNumericValue>; _RefDerefTraits = WTF::DefaultRefDerefTraits<WebCore::CSSNumericValue>]’ at /host/home/magomez/webkit/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/RefPtr.h:60:61, inlined from ‘WebCore::CSSNumberishTime::CSSNumberishTime(WebCore::CSSNumberish)’ at /host/home/magomez/webkit/WebKit/Source/WebCore/animation/CSSNumberishTime.cpp:79:1, inlined from ‘WebCore::CSSNumberishTime::CSSNumberishTime(WebCore::CSSNumberish)’ at /host/home/magomez/webkit/WebKit/Source/WebCore/animation/CSSNumberishTime.cpp:49:1: /host/home/magomez/webkit/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/RefCounted.h:141:33: error: pointer used after ‘static void WebCore::CSSStyleValue::operator delete(void*)’ [-Werror=use-after-free] 141 | unsigned tempRefCount = m_refCount - 1; | ^~~~~~~~~~ In file included from /host/home/magomez/webkit/WebKit/Source/WebCore/css/typedom/CSSNumericValue.h:30, from /host/home/magomez/webkit/WebKit/Source/WebCore/animation/CSSNumberishTime.h:28, from /host/home/magomez/webkit/WebKit/Source/WebCore/animation/WebAnimationTypes.h:28, from /host/home/magomez/webkit/WebKit/Source/WebCore/animation/KeyframeInterpolation.h:31: In destructor ‘virtual WebCore::CSSStyleValue::~CSSStyleValue()’, inlined from ‘void WTF::RefCounted<T>::deref() const [with T = WebCore::CSSStyleValue]’ at /host/home/magomez/webkit/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/RefCounted.h:212:13, inlined from ‘static void WTF::DefaultRefDerefTraits< <template-parameter-1-1> >::derefIfNotNull(T*) [with T = WebCore::CSSUnitValue]’ at /host/home/magomez/webkit/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/Ref.h:62:23, inlined from ‘WTF::RefPtr<T, <template-parameter-1-2>, <template-parameter-1-3> >::~RefPtr() [with T = WebCore::CSSUnitValue; _PtrTraits = WTF::RawPtrTraits<WebCore::CSSUnitValue>; _RefDerefTraits = WTF::DefaultRefDerefTraits<WebCore::CSSUnitValue>]’ at /host/home/magomez/webkit/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/RefPtr.h:60:61, inlined from ‘WebCore::CSSNumberishTime::CSSNumberishTime(WebCore::CSSNumberish)’ at /host/home/magomez/webkit/WebKit/Source/WebCore/animation/CSSNumberishTime.cpp:78:5, inlined from ‘WebCore::CSSNumberishTime::CSSNumberishTime(WebCore::CSSNumberish)’ at /host/home/magomez/webkit/WebKit/Source/WebCore/animation/CSSNumberishTime.cpp:49:1: /host/home/magomez/webkit/WebKit/Source/WebCore/css/typedom/CSSStyleValue.h:114:13: note: call to ‘static void WebCore::CSSStyleValue::operator delete(void*)’ here 114 | virtual ~CSSStyleValue() = default; | ^ In member function ‘bool WTF::RefCountedBase::derefAllowingPartiallyDestroyedBase() const’, inlined from ‘bool WTF::RefCountedBase::derefBase() const’ at /host/home/magomez/webkit/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/RefCounted.h:155:51, inlined from ‘void WTF::RefCounted<T>::deref() const [with T = WebCore::CSSStyleValue]’ at /host/home/magomez/webkit/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/RefCounted.h:211:22, inlined from ‘static void WTF::DefaultRefDerefTraits< <template-parameter-1-1> >::derefIfNotNull(T*) [with T = WebCore::CSSNumericValue]’ at /host/home/magomez/webkit/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/Ref.h:62:23, inlined from ‘WTF::RefPtr<T, <template-parameter-1-2>, <template-parameter-1-3> >::~RefPtr() [with T = WebCore::CSSNumericValue; _PtrTraits = WTF::RawPtrTraits<WebCore::CSSNumericValue>; _RefDerefTraits = WTF::DefaultRefDerefTraits<WebCore::CSSNumericValue>]’ at /host/home/magomez/webkit/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/RefPtr.h:60:61, inlined from ‘WebCore::CSSNumberishTime::CSSNumberishTime(WebCore::CSSNumberish)’ at /host/home/magomez/webkit/WebKit/Source/WebCore/animation/CSSNumberishTime.cpp:79:1, inlined from ‘WebCore::CSSNumberishTime::CSSNumberishTime(WebCore::CSSNumberish)’ at /host/home/magomez/webkit/WebKit/Source/WebCore/animation/CSSNumberishTime.cpp:49:1: /host/home/magomez/webkit/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/RefCounted.h:141:33: error: pointer used after ‘static void WebCore::CSSStyleValue::operator delete(void*)’ [-Werror=use-after-free] 141 | unsigned tempRefCount = m_refCount - 1; | ^~~~~~~~~~ In destructor ‘virtual WebCore::CSSStyleValue::~CSSStyleValue()’, inlined from ‘void WTF::RefCounted<T>::deref() const [with T = WebCore::CSSStyleValue]’ at /host/home/magomez/webkit/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/RefCounted.h:212:13, inlined from ‘static void WTF::DefaultRefDerefTraits< <template-parameter-1-1> >::derefIfNotNull(T*) [with T = WebCore::CSSUnitValue]’ at /host/home/magomez/webkit/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/Ref.h:62:23, inlined from ‘WTF::RefPtr<T, <template-parameter-1-2>, <template-parameter-1-3> >::~RefPtr() [with T = WebCore::CSSUnitValue; _PtrTraits = WTF::RawPtrTraits<WebCore::CSSUnitValue>; _RefDerefTraits = WTF::DefaultRefDerefTraits<WebCore::CSSUnitValue>]’ at /host/home/magomez/webkit/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/RefPtr.h:60:61, inlined from ‘WebCore::CSSNumberishTime::CSSNumberishTime(WebCore::CSSNumberish)’ at /host/home/magomez/webkit/WebKit/Source/WebCore/animation/CSSNumberishTime.cpp:78:5, inlined from ‘WebCore::CSSNumberishTime::CSSNumberishTime(WebCore::CSSNumberish)’ at /host/home/magomez/webkit/WebKit/Source/WebCore/animation/CSSNumberishTime.cpp:49:1: /host/home/magomez/webkit/WebKit/Source/WebCore/css/typedom/CSSStyleValue.h:114:13: note: call to ‘static void WebCore::CSSStyleValue::operator delete(void*)’ here 114 | virtual ~CSSStyleValue() = default; | ^ cc1plus: all warnings being treated as errors
Attachments
Add attachment proposed patch, testcase, etc.
Michael Catanzaro
Comment 1 2024-09-19 10:46:59 PDT
You're surely using a different version of GCC than the bots? Unfortunately this does not look like a false positive.
Michael Catanzaro
Comment 2 2024-09-19 10:48:33 PDT
This was introduced in 273805@main. Looks like 283749@main was just enough for GCC to uncover it.
Miguel Gomez
Comment 3 2024-09-19 10:53:38 PDT
(In reply to Michael Catanzaro from comment #1) > You're surely using a different version of GCC than the bots? I'm using gcc 12.3.0, but I'm not sure what version are the bots running.
Miguel Gomez
Comment 4 2024-09-23 03:40:50 PDT
The bots are running gcc13, and that's probably the reason why they are not getting the build problem that I'm getting. But we need to support gcc12 for a while still, so we need to fix this.
Michael Catanzaro
Comment 5 2024-09-23 06:07:24 PDT
Well we need to fix it regardless of what compiler we are using if the diagnosis is correct and this is indeed a use after free. If we can prove the diagnosis is incorrect, then we can just suppress the warning easily enough. But if we're wrong that just gives attackers a roadmap for how to find a use after free bug. (Though in fairness, they've surely already found this bug report, since it's public and uses sensitive keywords.)
Carlos Alberto Lopez Perez
Comment 6 2024-09-30 06:34:54 PDT
The issue is that post-commit bots are not stopping the build on warnings. Only the EWS bots (pre-commit) are stopping the build on warnings, but those use the flatpak build which much more modern GCC I wonder why gcc-12 catches this but newer gcc doesn't?
Michael Catanzaro
Comment 7 2024-09-30 09:10:28 PDT
The use after free warning in GCC 12 is just bad. Presumably GCC 13 toned down the false positives. (That said, this really doesn't look like a false positive? I'm not sure.) Anyway, good news: I think this should be fixed by 284164@main.
Michael Catanzaro
Comment 8 2024-09-30 09:21:06 PDT
So the commit message of 283685@main indicates that RefPtrAllowingPartiallyDestroyed is only used when a human has decided it's OK. I don't know whether GCC knows better than the human or not. Of course compilers are generally smarter than humans, but this particular warning really is half-baked. That said, this code also looks very risky. Since the problem is surely fixed on the main branch, what I would do is suppress the warning only on the stable branch. (We could alternatively try backporting 283685@main and 284164@main, though I'm not sure whether that's a good idea.)
Miguel Gomez
Comment 9 2024-10-01 00:09:38 PDT
I've just pulled and this is still happening for me.
Miguel Gomez
Comment 10 2024-10-17 06:08:40 PDT
283749@main was reverted in main, so this is not happening anymore.
Note You need to log in before you can comment on or make changes to this bug.