[Webkit-unassigned] [Bug 249058] Fix use-after-move in WebCore:: LineBuilder::tryPlacingFloatBox()
bugzilla-daemon at webkit.org
Fri Dec 9 19:22:11 PST 2022
https://bugs.webkit.org/show_bug.cgi?id=249058
--- Comment #1 from zalan <zalan at apple.com> ---
(In reply to David Kilzer (:ddkilzer) from comment #0)
> Fix use-after-move in WebCore::LineBuilder::tryPlacingFloatBox() in
> Source/WebCore/layout/formattingContexts/inline/InlineLineBuilder.cpp.
>
> The `floatBoxItem` variable is involved in the use-after-move below.
>
> ```
> bool LineBuilder::tryPlacingFloatBox(const InlineItem& floatItem, LineBoxConstraintApplies lineBoxConstraintApplies)
> {
>     [...]
>     auto floatBoxItem = floatingContext.toFloatItem(floatBox);
>     auto isLogicalLeftPositionedInFloatingState = floatBoxItem.isLeftPositioned();
>     floatingState()->append(WTFMove(floatBoxItem)); // Move.
>     [...]
>     // FIXME: In quirks mode some content may sneak above this float.
>     if (shouldAdjustLineLogicalLeft()) {
>         auto floatLogicalRight = InlineLayoutUnit { floatBoxItem.rectWithMargin().right() }; // Use-after-move.
>         [...]
>     }
>     [...]
> }
> ```
>
> Not sure what the default move constructor for
> `WebCore::FloatingState::FloatItem` will do to the moved-from object, but
> this should be avoided if possible.
Yeah, good catch. Fortunately it's safe, nothing gets moved here. -will nevertheless.
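As an added illustration (not WebKit code), a minimal C++ sketch of the pattern the report describes beside the usual fix of reading the value before the move. `Rect`, `FloatItem` and `FloatingState` are hypothetical stand-ins; unlike the real `FloatItem`, where the reply notes nothing is actually moved, the stand-in holds its rect through a `std::unique_ptr` so the moved-from state is observable rather than silently benign.

```cpp
#include <memory>
#include <optional>
#include <utility>
#include <vector>

// Hypothetical stand-ins for the layout types named in the bug report.
struct Rect { float left; float right; };

struct FloatItem {
    bool leftPositioned;
    std::unique_ptr<Rect> rectWithMargin; // heap-held: a move leaves nullptr behind
    bool isLeftPositioned() const { return leftPositioned; }
};

struct FloatingState {
    std::vector<FloatItem> floats;
    void append(FloatItem&& item) { floats.push_back(std::move(item)); }
};

FloatItem makeItem(bool left, float l, float r) {
    return FloatItem { left, std::make_unique<Rect>(Rect { l, r }) };
}

// Mirrors the reported defect: the item is appended (moved) and its rect is
// read afterwards from the moved-from object. A moved-from unique_ptr is null,
// so the read is reported as nullopt instead of dereferencing it.
std::optional<float> tryPlacingFloatBuggy(FloatingState& state, FloatItem item) {
    bool isLeft = item.isLeftPositioned();
    state.append(std::move(item)); // Move.
    if (isLeft) {
        if (!item.rectWithMargin)  // moved-from: the rect is gone
            return std::nullopt;
        return item.rectWithMargin->right; // Use-after-move.
    }
    return 0.0f;
}

// Fixed shape: take every value the later code needs before the move.
float tryPlacingFloatFixed(FloatingState& state, FloatItem item) {
    bool isLeft = item.isLeftPositioned();
    float floatLogicalRight = item.rectWithMargin->right; // read first
    state.append(std::move(item));                        // then move
    return isLeft ? floatLogicalRight : 0.0f;
}
```

Compilers do not diagnose this pattern by default; a lint such as clang-tidy's `bugprone-use-after-move` is the usual way to catch it before review.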