[Webkit-unassigned] [Bug 249058] New: Fix use-after-move in WebCore::LineBuilder::tryPlacingFloatBox()
bugzilla-daemon at webkit.org
Fri Dec 9 18:04:42 PST 2022
https://bugs.webkit.org/show_bug.cgi?id=249058
Bug ID: 249058
Summary: Fix use-after-move in WebCore::LineBuilder::tryPlacingFloatBox()
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: Layout and Rendering
Assignee: webkit-unassigned at lists.webkit.org
Reporter: ddkilzer at webkit.org
CC: bfulgham at webkit.org, simon.fraser at apple.com, zalan at apple.com
Fix use-after-move in WebCore::LineBuilder::tryPlacingFloatBox() in Source/WebCore/layout/formattingContexts/inline/InlineLineBuilder.cpp.
The `floatBoxItem` variable is involved in the use-after-move below.
```cpp
bool LineBuilder::tryPlacingFloatBox(const InlineItem& floatItem, LineBoxConstraintApplies lineBoxConstraintApplies)
{
[...]
auto floatBoxItem = floatingContext.toFloatItem(floatBox);
auto isLogicalLeftPositionedInFloatingState = floatBoxItem.isLeftPositioned();
floatingState()->append(WTFMove(floatBoxItem)); // Move.
[...]
// FIXME: In quirks mode some content may sneak above this float.
if (shouldAdjustLineLogicalLeft()) {
auto floatLogicalRight = InlineLayoutUnit { floatBoxItem.rectWithMargin().right() }; // Use-after-move.
[...]
}
[...]
}
```
Not sure what the default move constructor for `WebCore::FloatingState::FloatItem` will do to the moved-from object, but this should be avoided if possible.
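The hazard the report describes, as an added example that is not WebKit's code: a stand-in `FloatItem` whose only non-trivial member is a `std::unique_ptr`, so the compiler-generated move constructor leaves the moved-from object's pointer null (the standard guarantees this for `std::unique_ptr`). `placeFloatBuggy` mirrors the move-then-read ordering from the report; `placeFloatFixed` reads the values it needs before the move. All type and function names below (`Rect`, `FloatItem`, `FloatingState`, `makeItem`, the two `placeFloat*` functions) are assumptions for illustration, not WebCore's definitions.

```cpp
#include <memory>
#include <optional>
#include <utility>
#include <vector>

// Hypothetical stand-ins for the WebCore types named in the report (assumption:
// not WebKit's definitions, they only reproduce the ownership shape).
struct Rect {
    float left = 0, top = 0, width = 0, height = 0;
    float right() const { return left + width; }
};

struct FloatItem {
    bool leftPositioned = true;
    // Owning pointer: the defaulted move constructor moves it, and a moved-from
    // std::unique_ptr is guaranteed to be null.
    std::unique_ptr<Rect> rectWithMargin;

    bool isLeftPositioned() const { return leftPositioned; }
};

struct FloatingState {
    std::vector<FloatItem> items;
    void append(FloatItem&& item) { items.push_back(std::move(item)); }
};

// Mirrors the ordering in the bug: move into the state first, read afterwards.
// Returns the float's logical right edge, or nullopt when the read lands on the
// moved-from object. The null check exists only so this example runs; the real
// code dereferenced unconditionally, which is undefined behaviour.
std::optional<float> placeFloatBuggy(FloatingState& state, FloatItem item, bool adjustLineLeft)
{
    bool isLeft = item.isLeftPositioned();
    state.append(std::move(item));              // move
    if (adjustLineLeft && isLeft) {
        if (!item.rectWithMargin)               // use-after-move: pointer is null here
            return std::nullopt;
        return item.rectWithMargin->right();
    }
    return 0.0f;
}

// Fix: read everything needed from the item before handing it over, so nothing
// touches `item` after the move.
std::optional<float> placeFloatFixed(FloatingState& state, FloatItem item, bool adjustLineLeft)
{
    bool isLeft = item.isLeftPositioned();
    float floatLogicalRight = item.rectWithMargin->right();
    state.append(std::move(item));              // last use of `item`
    if (adjustLineLeft && isLeft)
        return floatLogicalRight;
    return 0.0f;
}

// Constructed sample input: a left-positioned float at x=left with the given width.
FloatItem makeItem(float left, float width)
{
    FloatItem item;
    item.rectWithMargin = std::make_unique<Rect>();
    item.rectWithMargin->left = left;
    item.rectWithMargin->width = width;
    return item;
}

int main()
{
    FloatingState state;
    auto buggy = placeFloatBuggy(state, makeItem(5, 20), true);  // nullopt: read after move
    auto fixed = placeFloatFixed(state, makeItem(5, 20), true);  // 25: read before move
    return (buggy.has_value() || !fixed || *fixed != 25.0f) ? 1 : 0;
}
```

With only trivially copyable members the moved-from object keeps its old values and the bug stays silent, which is why the report cannot say what the default move does to `FloatItem` without inspecting its members; the ordering is wrong either way. clang-tidy's `bugprone-use-after-move` check flags this pattern regardless of the member types.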