[Webkit-unassigned] [Bug 177603] Use smart pointers for creating, adding and removing renderers

Thu Sep 28 10:11:25 PDT 2017

https://bugs.webkit.org/show_bug.cgi?id=177603

--- Comment #4 from zalan <zalan at apple.com> ---
Comment on attachment 322083
  --> https://bugs.webkit.org/attachment.cgi?id=322083
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=322083&action=review

> Source/WebCore/rendering/RenderBlock.cpp:815
> +    auto toBeDeleted = parent.removeChildInternal(child, child.hasLayer() ? NotifyChildren : DontNotifyChildren);

I am a bit worried about the potential UAF errors this introduces. (takeInternal might make it less error prone)

...
RenderObject* nextSibling = child.nextSibling();
...
// We need to scope here because of reasons.
{
    reasonForScoping();
    ...
    parent.removeChildInternal(child);
    ...
}
child.deleteLines();

> Source/WebCore/rendering/RenderGrid.cpp:71
> +    auto& child = baseAddChild<RenderBlock>(WTFMove(newChild), beforeChild);

I wish there was a better way to write this. I am sure we'll see problems like the moved newChild used later accidentally (I know this is a general problem, the only reason I am picking on this is because newChild is an argument). I've run into problems like this in the past.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20170928/f03a8f12/attachment-0001.html>