Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 8255a10580c516e3caf5119f1d0bf6902c82e4e9
https://github.com/WebKit/WebKit/commit/8255a10580c516e3caf5119f1d0bf6902c82e4e9
Author: Vitaly Dyachkov <[email protected]>
Date: 2025-03-29 (Sat, 29 Mar 2025)
Changed paths:
M Source/WebCore/css/FontVariantBuilder.cpp
M Source/WebCore/style/StyleBuilderCustom.h
Log Message:
-----------
[GTK][WPE] False positive `use-after-free` error on GCC 12 in
`CSSValue::operator delete()`
https://bugs.webkit.org/show_bug.cgi?id=290185
Reviewed by Sam Weinig.
In `extractFontVariantAlternates()`, we loop through `valueList`
capturing an `item` in a `Ref`. In the loop, we check if the item is
primitive or function by downcasting it. In both branches we pass
the `item` `Ref` by copy. That makes the compiler think that by exiting
`dynamicDowncast(Ref source)` the underlying `CSSValue` can be deleted.
Passing `item`'s raw reference instead makes the compiler pick the
`dynamicDowncast(Source& source)` overload and thus eliminates the potential
`deref()` call. The returned raw pointer is immediately captured in
a `Ref`, so the code stays safe.
In `BuilderCustom::applyValueFill()` the compiler is confused because we
are re-assigning `RefPtr<const CSSValue> localValue`. It's possible to
slightly modify the code to keep the original logic without assigning
the new value to `localValue`.
* Source/WebCore/css/FontVariantBuilder.cpp:
(WebCore::extractFontVariantAlternates):
* Source/WebCore/style/StyleBuilderCustom.h:
(WebCore::Style::BuilderCustom::applyValueFill):
(WebCore::Style::BuilderCustom::applyValueStroke):
Canonical link: https://commits.webkit.org/292887@main
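The refcount mechanics behind the warning, as an added C++ illustration that is not WebKit code: a toy `Ref<T>` with stand-in `CSSValueLike`/`PrimitiveValue` types and the two `dynamicDowncast()` overloads the message names (`Source&` and `Ref<Source>` by value), counting `deref()` calls and real deletions on each call path. All names are assumed for the model; only the overload shapes follow the message.

```cpp
// Added illustration, not WebKit code: minimal Ref<T> plus the two dynamicDowncast() overloads.
static int g_derefCalls = 0, g_destroyed = 0;   // measurement counters
struct CSSValueLike {
    enum Kind { Primitive, Function } kind = Function;
    int refCount = 0;
    virtual ~CSSValueLike() { ++g_destroyed; }
    void ref() { ++refCount; }
    void deref() { ++g_derefCalls; if (--refCount == 0) delete this; }
};
struct PrimitiveValue : CSSValueLike {
    static constexpr Kind kindValue = Primitive;
    PrimitiveValue() { kind = Primitive; }
};
template<typename T> struct Ref {    // copy => ref(), destroy => deref()
    explicit Ref(T& t) : m_ptr(&t) { m_ptr->ref(); }
    Ref(const Ref& o) : m_ptr(o.m_ptr) { m_ptr->ref(); }
    ~Ref() { m_ptr->deref(); }
    T& get() const { return *m_ptr; }
    T* m_ptr;
};
// Overload 1: raw reference in, raw pointer out; never touches the refcount.
template<typename Target, typename Source>
Target* dynamicDowncast(Source& source) {
    return source.kind == Target::kindValue ? static_cast<Target*>(&source) : nullptr;
}
// Overload 2: Ref by value; the parameter copy derefs on return, so a conservative analysis may treat the pointee as freed.
template<typename Target, typename Source>
Target* dynamicDowncast(Ref<Source> source) {
    return dynamicDowncast<Target>(source.get());
}
// deref() calls inside the downcast when `item` is passed by copy (returns 1).
int derefsWhenPassedByCopy() {
    Ref<CSSValueLike> item(*new PrimitiveValue);
    int before = g_derefCalls;
    Ref<PrimitiveValue> primitive(*dynamicDowncast<PrimitiveValue>(item));   // captured at once, as in the fix
    return g_derefCalls - before;
}
// Same with the raw reference, so overload 1 is chosen as in the fix (returns 0).
int derefsWhenPassedByReference() {
    Ref<CSSValueLike> item(*new PrimitiveValue);
    int before = g_derefCalls;
    Ref<PrimitiveValue> primitive(*dynamicDowncast<PrimitiveValue>(item.get()));
    return g_derefCalls - before;
}
// Not a baseless worry: if that by-value Ref is the only owner, the object is freed before the raw pointer could be used (returns true).
bool danglesWhenTemporaryIsOnlyOwner() {
    int before = g_destroyed;
    dynamicDowncast<PrimitiveValue>(Ref<CSSValueLike>(*new PrimitiveValue));
    return g_destroyed - before == 1;
}
```

The warning is a false positive only because the caller's `item` still holds a reference across the call; the third function shows the situation the analysis is guarding against.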
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes