[webkit-changes] [WebKit/WebKit] bf1930: Avoid -Wuse-after-free warnings in DOMMatrix with ...

Žan Doberšek noreply at github.com
Tue Dec 27 23:06:47 PST 2022
  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: bf1930f39d6cdd6b85f350454d0a1a99232ea848
      https://github.com/WebKit/WebKit/commit/bf1930f39d6cdd6b85f350454d0a1a99232ea848
  Author: Žan Doberšek <zdobersek at igalia.com>
  Date:   2022-12-27 (Tue, 27 Dec 2022)

  Changed paths:
    M Source/WebCore/css/DOMMatrix.cpp

  Log Message:
  -----------
  Avoid -Wuse-after-free warnings in DOMMatrix with GCC 12
https://bugs.webkit.org/show_bug.cgi?id=249910

Reviewed by Michael Catanzaro.

GCC 12 sees issues with DOMMatrix::scaleSelf() and DOMMatrix::scale3dSelf()
calling the translateSelf() method that returns a Ref<DOMMatrix> that holds
a reference to the same DOMMatrix object.

That Ref<DOMMatrix> gets destroyed when going out of scope, providing the
never-taken codepath that destroys the DOMMatrix object if its reference
count would fall to zero. This doesn't happen because of the expectation that
both methods initially start operation on the DOMMatrix object with a
greater-than-zero reference count. Only after that do the two methods
construct their own Ref<DOMMatrix> return value, which in theory would
work on freed memory if that never-taken codepath were indeed taken.

To avoid this, don't call translateSelf() but instead invoke directly
the proper TransformationMatrix operations.

* Source/WebCore/css/DOMMatrix.cpp:
(WebCore::DOMMatrix::scaleSelf):
(WebCore::DOMMatrix::scale3dSelf):

Canonical link: https://commits.webkit.org/258346@main
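The lifetime hazard the commit describes, as an added example that is not WebKit's code: a minimal intrusive-refcount `Ref<T>` standing in for WTF::Ref, and a hypothetical `Matrix` class whose `translateSelf()` mutates in place and returns a `Ref` to itself, like DOMMatrix. `scaleSelfViaTranslate()` is the pre-fix shape (a temporary `Ref` to `*this` dropped at the end of each statement), `scaleSelf()` is the post-fix shape (raw operations, no temporary `Ref` to self). The names `Matrix`, `translateRaw`, `scaleRaw` and the `s_destroyed` counter are this example's own, not WebKit's.

```cpp
#include <cassert>
#include <utility>

// Minimal intrusive-refcount smart pointer, written here to stand in for
// WTF::Ref (example code, not WebKit's Ref implementation).
template <typename T>
class Ref {
public:
    explicit Ref(T& object) : m_ptr(&object) { m_ptr->ref(); }
    Ref(Ref&& other) noexcept : m_ptr(std::exchange(other.m_ptr, nullptr)) { }
    Ref(const Ref&) = delete;
    Ref& operator=(const Ref&) = delete;
    ~Ref() { if (m_ptr) m_ptr->deref(); }
    T& get() const { return *m_ptr; }
private:
    T* m_ptr;
};

// Hypothetical 2D affine matrix [a b c d e f], x' = a*x + c*y + e, y' = b*x + d*y + f,
// using the same "mutate in place, return Ref to self" style as DOMMatrix.
class Matrix {
public:
    static int s_destroyed; // number of Matrix objects freed so far (test hook)

    ~Matrix() { ++s_destroyed; }
    void ref() { ++m_refCount; }
    void deref() { if (!--m_refCount) delete this; } // the "never-taken" path
    unsigned refCount() const { return m_refCount; }

    // Raw operations, stand-ins for the TransformationMatrix calls the fix invokes directly.
    void translateRaw(double tx, double ty) { e += a * tx + c * ty; f += b * tx + d * ty; }
    void scaleRaw(double sx, double sy) { a *= sx; b *= sx; c *= sy; d *= sy; }

    Ref<Matrix> translateSelf(double tx, double ty) { translateRaw(tx, ty); return Ref<Matrix>(*this); }

    // BEFORE: each translateSelf() call yields a temporary Ref<Matrix> to *this that is
    // destroyed at the end of the statement. Had the caller held no reference, that
    // destructor would delete *this, and the final Ref<Matrix>(*this) would touch freed
    // memory; that is the path GCC 12's -Wuse-after-free analysis flags.
    Ref<Matrix> scaleSelfViaTranslate(double sx, double sy, double ox, double oy) {
        translateSelf(ox, oy);
        scaleRaw(sx, sy);
        translateSelf(-ox, -oy);
        return Ref<Matrix>(*this);
    }

    // AFTER: drive the raw operations directly, so no temporary Ref to self ever exists.
    Ref<Matrix> scaleSelf(double sx, double sy, double ox, double oy) {
        translateRaw(ox, oy);
        scaleRaw(sx, sy);
        translateRaw(-ox, -oy);
        return Ref<Matrix>(*this);
    }

    double a = 1, b = 0, c = 0, d = 1, e = 0, f = 0;
private:
    unsigned m_refCount = 0;
};
int Matrix::s_destroyed = 0;

// x-coordinate of point (px, py) after applying m.
double transformX(const Matrix& m, double px, double py) { return m.a * px + m.c * py + m.e; }

// Scale by 2 about (1,1) while a caller's Ref keeps the object alive, the precondition
// both DOMMatrix methods rely on. Both variants give the same result; (1,1) stays fixed.
double scaledFixedPointX(bool useFixedVersion) {
    Ref<Matrix> holder(*new Matrix);        // refCount == 1 for the whole call
    Matrix& m = holder.get();
    Ref<Matrix> result = useFixedVersion ? m.scaleSelf(2, 2, 1, 1) : m.scaleSelfViaTranslate(2, 2, 1, 1);
    assert(&result.get() == &m && m.refCount() == 2);
    return transformX(m, 1, 1);             // 1.0; result and holder release on return
}

// Without a caller-held reference, the temporary Ref from translateSelf() is the only
// reference, so its destructor frees the object at the ';'. Nothing touches the object
// afterwards here; inside scaleSelfViaTranslate() the very next line would.
bool temporaryRefFreesUnownedObject() {
    int before = Matrix::s_destroyed;
    Matrix* unowned = new Matrix;
    unowned->translateSelf(1, 0);           // temporary Ref: 0 -> 1 -> 0, delete this
    return Matrix::s_destroyed == before + 1;
}
```

The point is not that the old code was reachable as a use-after-free under WebKit's calling convention, but that the compiler cannot see the caller's reference count, so removing the temporary `Ref` makes the invariant local to the function instead of relying on a precondition the analysis cannot check.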