[Webkit-unassigned] [Bug 247055] New: CSSValue pointer returned from DeclaredStylePropertyMap::propertyValue() causes use-after-free errors

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Oct 26 03:23:14 PDT 2022 

https://bugs.webkit.org/show_bug.cgi?id=247055

            Bug ID: 247055
           Summary: CSSValue pointer returned from
                    DeclaredStylePropertyMap::propertyValue() causes
                    use-after-free errors
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: New Bugs
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: zan at falconsigh.net

Probably specific to GCC 12, the CSSValue pointer returned from DeclaredStylePropertyMap::propertyValue() method ends up triggering use-after-free errors:

--------
In file included from /home/zan/Work/webkit/git/Source/WebCore/css/typedom/CSSStyleValue.h:29,
                 from /home/zan/Work/webkit/git/Source/WebCore/css/typedom/StylePropertyMapReadOnly.h:28,
                 from /home/zan/Work/webkit/git/Source/WebCore/css/typedom/StylePropertyMap.h:28,
                 from /home/zan/Work/webkit/git/Source/WebCore/css/typedom/DeclaredStylePropertyMap.h:28,
                 from /home/zan/Work/webkit/git/Source/WebCore/css/typedom/DeclaredStylePropertyMap.cpp:27,
                 from /build/webkit/build-unstable/build-webkit/WebCore/DerivedSources/unified-sources/UnifiedSource-2f84417a-22.cpp:1:
In member function ‘void WebCore::CSSValue::ref() const’,
    inlined from ‘static void WTF::DefaultRefDerefTraits< <template-parameter-1-1> >::refIfNotNull(T*) [with T = WebCore::CSSValue]’ at /build/webkit/build-unstable/build-webkit/WTF/Headers/wtf/RefPtr.h:36:21,
    inlined from ‘WTF::RefPtr<T, <template-parameter-1-2>, <template-parameter-1-3> >::RefPtr(T*) [with T = WebCore::CSSValue; _PtrTraits = WTF::RawPtrTraits<WebCore::CSSValue>; _RefDerefTraits = WTF::DefaultRefDerefTraits<WebCore::CSSValue>]’ at /build/webkit/build-unstable/build-webkit/WTF/Headers/wtf/RefPtr.h:62:77,
    inlined from ‘WTF::RefPtr<WebCore::CSSStyleValue> WebCore::StylePropertyMap::shorthandPropertyValue(WebCore::Document&, WebCore::CSSPropertyID) const’ at /home/zan/Work/webkit/git/Source/WebCore/css/typedom/StylePropertyMap.cpp:58:46:
/home/zan/Work/webkit/git/Source/WebCore/css/CSSValue.h:43:24: error: pointer used after ‘static void WebCore::CSSValue::operator delete(WebCore::CSSValue*, std::destroying_delete_t)’ [-Werror=use-after-free]
   43 |     void ref() const { m_refCount += refCountIncrement; }
      |                        ^~~~~~~~~~
In member function ‘void WebCore::CSSValue::deref() const’,
    inlined from ‘static void WTF::DefaultRefDerefTraits< <template-parameter-1-1> >::derefIfNotNull(T*) [with T = WebCore::CSSValue]’ at /build/webkit/build-unstable/build-webkit/WTF/Headers/wtf/RefPtr.h:42:23,
    inlined from ‘WTF::RefPtr<T, <template-parameter-1-2>, <template-parameter-1-3> >::~RefPtr() [with T = WebCore::CSSValue; _PtrTraits = WTF::RawPtrTraits<WebCore::CSSValue>; _RefDerefTraits = WTF::DefaultRefDerefTraits<WebCore::CSSValue>]’ at /build/webkit/build-unstable/build-webkit/WTF/Headers/wtf/RefPtr.h:74:61,
    inlined from ‘virtual WebCore::CSSValue* WebCore::DeclaredStylePropertyMap::propertyValue(WebCore::CSSPropertyID) const’ at /home/zan/Work/webkit/git/Source/WebCore/css/typedom/DeclaredStylePropertyMap.cpp:78:55,
    inlined from ‘WTF::RefPtr<WebCore::CSSStyleValue> WebCore::StylePropertyMap::shorthandPropertyValue(WebCore::Document&, WebCore::CSSPropertyID) const’ at /home/zan/Work/webkit/git/Source/WebCore/css/typedom/StylePropertyMap.cpp:58:46:
/home/zan/Work/webkit/git/Source/WebCore/css/CSSValue.h:268:16: note: call to ‘static void WebCore::CSSValue::operator delete(WebCore::CSSValue*, std::destroying_delete_t)’ here
  268 |         delete this;
      |                ^~~~
cc1plus: all warnings being treated as errors
--------

As I understand it, the DeclaredStylePropertyMap::propertyValue() method ends up retrieving the returning pointer from a RefPtr that's returned from the StyleProperties::getPropertyCSSValue() call. That RefPtr is destroyed and just the pointer value is returned, and GCC marks this up as possible deletion of the CSSValue object.

That pointer is then used to construct another RefPtr<CSSValue> object in StylePropertyMap::shorthandPropertyValue(), invoking the CSSValue::ref() method along the way. GCC then loses its marbles cause that's supposedly the object that could have been destroyed at the end of DeclaredStylePropertyMap::propertyValue().

There shouldn't be an issue in general here, the CSSValue object is alive and well, just the pointer-style handling makes things awkward and newer versions of GCC end up not liking that.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20221026/4f7c585b/attachment-0001.htm>

More information about the webkit-unassigned mailing list