Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: cc28449d96ca6784222c2e10f52c57fc4fdcff54
https://github.com/WebKit/WebKit/commit/cc28449d96ca6784222c2e10f52c57fc4fdcff54
Author: Milan Crha <[email protected]>
Date: 2026-05-20 (Wed, 20 May 2026)
Changed paths:
M Source/WebKit/Platform/IPC/TransferString.cpp
Log Message:
-----------
Fix use-after-move crash in TransferString::release() with GCC
https://bugs.webkit.org/show_bug.cgi?id=311995
Reviewed by Michael Catanzaro.
In TransferString::release(), the ExternalStringImpl::create() calls
pass memory->span() as the first argument and a lambda capturing
memory.releaseNonNull() as the second argument. Since C++ leaves the
evaluation order of function arguments indeterminate, the compiler is
free to evaluate argument 2 before argument 1.
GCC typically evaluates arguments right-to-left, which means
memory.releaseNonNull() runs first, nulling out the RefPtr, and then
memory->span() dereferences the now-null pointer — causing a SIGSEGV
("Invalid read of size 8" in valgrind, as it tries to read the m_data
and m_size members through null).
Clang typically evaluates arguments left-to-right, so the bug does not
manifest on macOS/Clang builds where WebKit is primarily developed and
tested, which is likely why it was not caught earlier.
The crash only triggers when the shared memory mapping is larger than
transferAsMappingSize - 1 (16383 bytes), i.e. for IPC-transferred
strings larger than ~16 KB. In the reported case, this happens when
Evolution sends a long HTML email body to WebKitWebProcess via
RunJavaScriptInFrameInScriptWorld.
The fix extracts the span into a local variable before the
ExternalStringImpl::create() call, ensuring memory->span() is always
evaluated while the RefPtr is still valid.
Both the SharedSpan8 (Latin1) and SharedSpan16 (char16_t) code paths
are affected and fixed.
* Source/WebKit/Platform/IPC/TransferString.cpp:
(IPC::TransferString::release): Extract memory->span() into a local
variable before passing it to ExternalStringImpl::create(), so it is
evaluated before the lambda capture moves the RefPtr via
releaseNonNull().
Assisted-by: Claude Opus 4.6 <[email protected]>
Canonical link: https://commits.webkit.org/313602@main
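The evaluation-order hazard described in the commit message, reduced to a stand-alone C++ program. This is an added example, not WebKit's code: `TrackedRefPtr`, `ByteSpan`, `ExternalString` and `createExternalString` are hypothetical stand-ins for `RefPtr<SharedMemory>`, the span, and `ExternalStringImpl::create()`. Instead of crashing, the stand-in counts a `span()` call made after `releaseNonNull()` has moved the pointer out, so the same binary shows whichever order the compiler chose for the buggy shape and shows that the fixed shape is safe under either order.

```cpp
#include <cstddef>
#include <cstdio>
#include <functional>
#include <memory>
#include <utility>
#include <vector>

// Constructed example: minimal stand-ins for the RefPtr<SharedMemory> /
// ExternalStringImpl::create() pattern. None of these names are WebKit's.

struct Buffer {
    std::vector<unsigned char> bytes;
};

// Mirrors the m_data/m_size pair the crash read through a null pointer.
struct ByteSpan {
    const unsigned char* data;
    std::size_t size;
};

// Stand-in for RefPtr: span() on a released (null) pointer is counted
// instead of dereferencing null, so the hazard is observable without a SIGSEGV.
class TrackedRefPtr {
public:
    explicit TrackedRefPtr(std::shared_ptr<Buffer> buffer) : m_ptr(std::move(buffer)) {}

    ByteSpan span() {
        if (!m_ptr) {
            ++m_nullDerefs;          // the real code would crash right here
            return { nullptr, 0 };
        }
        return { m_ptr->bytes.data(), m_ptr->bytes.size() };
    }

    // Moves ownership out and leaves this pointer null, like releaseNonNull().
    std::shared_ptr<Buffer> releaseNonNull() { return std::move(m_ptr); }

    int nullDerefs() const { return m_nullDerefs; }

private:
    std::shared_ptr<Buffer> m_ptr;
    int m_nullDerefs = 0;
};

// Stand-in for ExternalStringImpl: a non-owning view plus a callback whose
// captured owner keeps the backing memory alive until the string is freed.
struct ExternalString {
    ByteSpan data;
    std::function<void()> freeCallback;
    std::size_t length() const { return data.size; }
};

template<typename FreeFn>
ExternalString createExternalString(ByteSpan data, FreeFn&& freeFn) {
    return { data, std::function<void()>(std::forward<FreeFn>(freeFn)) };
}

constexpr std::size_t kSampleSize = 32;  // constructed sample payload size

std::shared_ptr<Buffer> makeSampleBuffer() {
    return std::make_shared<Buffer>(Buffer{ std::vector<unsigned char>(kSampleSize, 'A') });
}

struct Outcome {
    std::size_t length;  // length the ExternalString ended up with
    int nullDerefs;      // 1 if span() ran after the pointer was moved out
};

// Pre-fix shape: argument 1 reads through the pointer, argument 2 moves it.
// C++ leaves the order of these two evaluations unspecified.
Outcome releaseBuggy() {
    TrackedRefPtr memory(makeSampleBuffer());
    auto str = createExternalString(memory.span(),
        [owner = memory.releaseNonNull()] { (void)owner; });
    return { str.length(), memory.nullDerefs() };
}

// The fix: take the span into a local first, so it is sequenced before the move.
Outcome releaseFixed() {
    TrackedRefPtr memory(makeSampleBuffer());
    ByteSpan data = memory.span();   // sequenced before releaseNonNull() below
    auto str = createExternalString(data,
        [owner = memory.releaseNonNull()] { (void)owner; });
    return { str.length(), memory.nullDerefs() };
}

// True when this compiler evaluated the lambda argument before memory.span().
bool lambdaEvaluatedFirst() { return releaseBuggy().nullDerefs == 1; }

int main() {
    std::printf("buggy: %s evaluated first\n",
        lambdaEvaluatedFirst() ? "lambda (would have crashed)" : "span");
    Outcome fixed = releaseFixed();
    std::printf("fixed: length=%zu nullDerefs=%d\n", fixed.length, fixed.nullDerefs);
    return 0;
}
```

Building the same source with g++ and clang++ typically prints different first lines for the buggy shape, which is the point: the code was never correct, it merely happened to work under one compiler's argument order. The fixed shape reports `nullDerefs=0` under both.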