[Webkit-unassigned] [Bug 271648] New: [GTK] "use-after-free" warning in `WebCore/page/Navigation.cpp` with GCC 12

Mon Mar 25 15:21:59 PDT 2024

https://bugs.webkit.org/show_bug.cgi?id=271648

            Bug ID: 271648
           Summary: [GTK] "use-after-free" warning in
                    `WebCore/page/Navigation.cpp` with GCC 12
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKitGTK
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: vitaly at igalia.com
                CC: bugs-noreply at webkitgtk.org

Similar to https://bugs.webkit.org/show_bug.cgi?id=239353, there is a "use-after-free" warning in `WebCore/page/Navigation.cpp`:
```
In file included from /home/vitaly/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/text/CString.h:33,
                 from /home/vitaly/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/text/StringView.h:34,
                 from /home/vitaly/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/text/StringConcatenate.h:32,
                 from /home/vitaly/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/text/AtomString.h:355,
                 from /home/vitaly/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/text/StringHash.h:26,
                 from /home/vitaly/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/JSONValues.h:36,
                 from /home/vitaly/WebKit/Source/WebCore/platform/graphics/IntSize.h:30,
                 from /home/vitaly/WebKit/Source/WebCore/platform/graphics/IntPoint.h:28,
                 from /home/vitaly/WebKit/Source/WebCore/platform/animation/AnimationUtilities.h:29,
                 from /home/vitaly/WebKit/Source/WebCore/platform/Length.h:25,
                 from /home/vitaly/WebKit/Source/WebCore/platform/LengthFunctions.h:27,
                 from /home/vitaly/WebKit/Source/WebCore/rendering/RenderElement.h:26,
                 from /home/vitaly/WebKit/Source/WebCore/rendering/RenderLayerModelObject.h:26,
                 from /home/vitaly/WebKit/Source/WebCore/page/LocalFrameViewLayoutContext.h:29,
                 from /home/vitaly/WebKit/Source/WebCore/page/LocalFrameViewLayoutContext.cpp:27,
                 from /home/vitaly/WebKit/WebKitBuild/GTK/Release/WebCore/DerivedSources/unified-sources/UnifiedSource-767013ce-6.cpp:1:
In member function ‘bool WTF::RefCountedBase::derefAllowingPartiallyDestroyedBase() const’,
    inlined from ‘bool WTF::RefCountedBase::derefBase() const’ at /home/vitaly/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/RefCounted.h:155:51,
    inlined from ‘void WTF::RefCounted<T, Deleter>::deref() const [with T = WebCore::AbortController; Deleter = std::default_delete<WebCore::AbortController>]’ at /home/vitaly/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/RefCounted.h:219:22,
    inlined from ‘static void WTF::DefaultRefDerefTraits< <template-parameter-1-1> >::derefIfNotNull(T*) [with T = WebCore::AbortController]’ at /home/vitaly/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/Ref.h:62:23,
    inlined from ‘WTF::RefPtr<T, <template-parameter-1-2>, <template-parameter-1-3> >::~RefPtr() [with T = WebCore::AbortController; _PtrTraits = WTF::RawPtrTraits<WebCore::AbortController>; _RefDerefTraits = WTF::DefaultRefDerefTraits<WebCore::AbortController>]’ at /home/vitaly/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/RefPtr.h:60:61,
    inlined from ‘bool WebCore::Navigation::_ZN7WebCore10Navigation26innerDispatchNavigateEventENS_24NavigationNavigationTypeEON3WTF3RefINS_21NavigationDestinationENS2_12RawPtrTraitsIS4_EENS2_21DefaultRefDerefTraitsIS4_EEEERKNS2_6StringE.part.0(WebCore::NavigationNavigationType, WTF::Ref<WebCore::NavigationDestination>&&, const WTF::String&)’ at /home/vitaly/WebKit/Source/WebCore/page/Navigation.cpp:436:88:
/home/vitaly/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/RefCounted.h:138:33: error: pointer ‘__old_val’ used after ‘static void WebCore::AbortController::operator delete(void*)’ [-Werror=use-after-free]
  138 |         unsigned tempRefCount = m_refCount - 1;
      |                                 ^~~~~~~~~~
In file included from /usr/include/c++/12/memory:75,
                 from /home/vitaly/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/StdLibExtras.h:30,
                 from /home/vitaly/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/FastMalloc.h:26,
                 from /home/vitaly/WebKit/Source/WebCore/config.h:47,
                 from /home/vitaly/WebKit/Source/WebCore/page/LocalFrameViewLayoutContext.cpp:26:
In member function ‘void std::default_delete<_Tp>::operator()(_Tp*) const [with _Tp = WebCore::AbortController]’,
    inlined from ‘void WTF::RefCounted<T, Deleter>::deref() const [with T = WebCore::AbortController; Deleter = std::default_delete<WebCore::AbortController>]’ at /home/vitaly/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/RefCounted.h:220:22,
    inlined from ‘static void WTF::DefaultRefDerefTraits< <template-parameter-1-1> >::derefIfNotNull(T*) [with T = WebCore::AbortController]’ at /home/vitaly/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/Ref.h:62:23,
    inlined from ‘WTF::RefPtr<T, <template-parameter-1-2>, <template-parameter-1-3> >::~RefPtr() [with T = WebCore::AbortController; _PtrTraits = WTF::RawPtrTraits<WebCore::AbortController>; _RefDerefTraits = WTF::DefaultRefDerefTraits<WebCore::AbortController>]’ at /home/vitaly/WebKit/WebKitBuild/GTK/Release/WTF/Headers/wtf/RefPtr.h:60:61,
    inlined from ‘static WTF::Ref<WebCore::NavigateEvent> WebCore::NavigateEvent::create(const WTF::AtomString&, const Init&, WTF::RefPtr<WebCore::AbortController>)’ at /home/vitaly/WebKit/Source/WebCore/page/NavigateEvent.cpp:55:67,
    inlined from ‘bool WebCore::Navigation::_ZN7WebCore10Navigation26innerDispatchNavigateEventENS_24NavigationNavigationTypeEON3WTF3RefINS_21NavigationDestinationENS2_12RawPtrTraitsIS4_EENS2_21DefaultRefDerefTraitsIS4_EEEERKNS2_6StringE.part.0(WebCore::NavigationNavigationType, WTF::Ref<WebCore::NavigationDestination>&&, const WTF::String&)’ at /home/vitaly/WebKit/Source/WebCore/page/Navigation.cpp:436:88:
/usr/include/c++/12/bits/unique_ptr.h:95:9: note: call to ‘static void WebCore::AbortController::operator delete(void*)’ here
   95 |         delete __ptr;
      | 
```

I think it's a GCC bug and it's safe to ignore this warning.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20240325/55fdef46/attachment-0001.htm>