Bug 290185: RESOLVED FIXED
[GTK][WPE] False positive `use-after-free` error on GCC 12 in `CSSValue::operator delete()`
https://bugs.webkit.org/show_bug.cgi?id=290185
Vitaly Dyackhov
Reported 2025-03-21 09:10:04 PDT
```
In member function ‘void WebCore::CSSValue::deref() const’,
    inlined from ‘static void WTF::DefaultRefDerefTraits< <template-parameter-1-1> >::derefIfNotNull(T*) [with T = WebCore::CSSValueList]’ at /home/vitaly/Projects/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/Ref.h:62:23,
    inlined from ‘WTF::RefPtr<T, <template-parameter-1-2>, <template-parameter-1-3> >::~RefPtr() [with T = WebCore::CSSValueList; _PtrTraits = WTF::RawPtrTraits<WebCore::CSSValueList>; _RefDerefTraits = WTF::DefaultRefDerefTraits<WebCore::CSSValueList>]’ at /home/vitaly/Projects/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/RefPtr.h:60:61,
    inlined from ‘static void WebCore::Style::BuilderCustom::applyValueFill(WebCore::Style::BuilderState&, WebCore::CSSValue&)’ at /home/vitaly/Projects/WebKit/Source/WebCore/style/StyleBuilderCustom.h:1244:5:
/home/vitaly/Projects/WebKit/Source/WebCore/css/CSSValue.h:312:29: error: pointer ‘value’ used after ‘static void WebCore::CSSValue::operator delete(WebCore::CSSValue*, std::destroying_delete_t)’ [-Werror=use-after-free]
  312 |     unsigned tempRefCount = m_refCount - refCountIncrement;
      |                             ^~~~~~~~~~
In member function ‘void WebCore::CSSValue::deref() const’,
    inlined from ‘static void WTF::DefaultRefDerefTraits< <template-parameter-1-1> >::derefIfNotNull(T*) [with T = const WebCore::CSSValue]’ at /home/vitaly/Projects/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/Ref.h:62:23,
    inlined from ‘WTF::RefPtr<T, <template-parameter-1-2>, <template-parameter-1-3> >::~RefPtr() [with T = const WebCore::CSSValue; _PtrTraits = WTF::RawPtrTraits<const WebCore::CSSValue>; _RefDerefTraits = WTF::DefaultRefDerefTraits<const WebCore::CSSValue>]’ at /home/vitaly/Projects/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/RefPtr.h:60:61,
    inlined from ‘WTF::RefPtr<T, PtrTraits, RefDerefTraits>& WTF::RefPtr<T, <template-parameter-1-2>, <template-parameter-1-3> >::operator=(WTF::RefPtr<T, <template-parameter-1-2>, <template-parameter-1-3> >&&) [with T = const WebCore::CSSValue; _PtrTraits = WTF::RawPtrTraits<const WebCore::CSSValue>; _RefDerefTraits = WTF::DefaultRefDerefTraits<const WebCore::CSSValue>]’ at /home/vitaly/Projects/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/RefPtr.h:165:1,
    inlined from ‘static void WebCore::Style::BuilderCustom::applyValueFill(WebCore::Style::BuilderState&, WebCore::CSSValue&)’ at /home/vitaly/Projects/WebKit/Source/WebCore/style/StyleBuilderCustom.h:1243:43:
/home/vitaly/Projects/WebKit/Source/WebCore/css/CSSValue.h:316:16: note: call to ‘static void WebCore::CSSValue::operator delete(WebCore::CSSValue*, std::destroying_delete_t)’ here
  316 |         delete this;
```
Vitaly Dyackhov
Comment 1 2025-03-21 09:13:41 PDT
EWS
Comment 2 2025-03-29 00:18:28 PDT
Committed 292887@main (8255a10580c5): <https://commits.webkit.org/292887@main> Reviewed commits have been landed. Closing PR #42813 and removing active labels.
Radar WebKit Bug Importer
Comment 3 2025-03-29 00:19:18 PDT