Bug 249058

Summary:

Fix use-after-move in WebCore:: LineBuilder::tryPlacingFloatBox()

Product:

WebKit

Reporter:

David Kilzer (:ddkilzer) <ddkilzer>

Component:

Layout and Rendering

Assignee:

zalan <zalan>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

bfulgham, koivisto, simon.fraser, webkit-bug-importer, zalan

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
[fast-cq]Patch	ews-feeder: commit-queue-

Description David Kilzer (:ddkilzer) 2022-12-09 18:04:42 PST

Fix use-after-move in WebCore::LineBuilder::tryPlacingFloatBox() in Source/WebCore/layout/formattingContexts/inline/InlineLineBuilder.cpp.

The `floatBoxItem` variable is involved in the use-after-move below.

```
bool LineBuilder::tryPlacingFloatBox(const InlineItem& floatItem, LineBoxConstraintApplies lineBoxConstraintApplies)
{
    [...]
    auto floatBoxItem = floatingContext.toFloatItem(floatBox);
    auto isLogicalLeftPositionedInFloatingState = floatBoxItem.isLeftPositioned();
    floatingState()->append(WTFMove(floatBoxItem));  // Move.
    [...]
    // FIXME: In quirks mode some content may sneak above this float.
    if (shouldAdjustLineLogicalLeft()) {
        auto floatLogicalRight = InlineLayoutUnit { floatBoxItem.rectWithMargin().right() };  // Use-after-move.
        [...]
    }
    [...]
}
```

Not sure what the default move constructor for `WebCore::FloatingState::FloatItem` will do to the moved-from object, but this should be avoided if possible.

Comment 1 zalan 2022-12-09 19:22:11 PST

(In reply to David Kilzer (:ddkilzer) from comment #0)
> Fix use-after-move in WebCore::LineBuilder::tryPlacingFloatBox() in
> Source/WebCore/layout/formattingContexts/inline/InlineLineBuilder.cpp.
> 
> The `floatBoxItem` variable is involved in the use-after-move below.
> 
> ```
> bool LineBuilder::tryPlacingFloatBox(const InlineItem& floatItem,
> LineBoxConstraintApplies lineBoxConstraintApplies)
> {
>     [...]
>     auto floatBoxItem = floatingContext.toFloatItem(floatBox);
>     auto isLogicalLeftPositionedInFloatingState =
> floatBoxItem.isLeftPositioned();
>     floatingState()->append(WTFMove(floatBoxItem));  // Move.
>     [...]
>     // FIXME: In quirks mode some content may sneak above this float.
>     if (shouldAdjustLineLogicalLeft()) {
>         auto floatLogicalRight = InlineLayoutUnit {
> floatBoxItem.rectWithMargin().right() };  // Use-after-move.
>         [...]
>     }
>     [...]
> }
> ```
> 
> Not sure what the default move constructor for
> `WebCore::FloatingState::FloatItem` will do to the moved-from object, but
> this should be avoided if possible.
Yeah, good catch. Fortunately it's safe, nothing gets moved here. -will nevertheless.

Comment 2 zalan 2022-12-09 20:03:01 PST

"-will nevertheless." should read "will fix nevertheless"

Comment 3 zalan 2022-12-10 07:16:45 PST

Created attachment 463977 [details]
[fast-cq]Patch

Comment 4 EWS 2022-12-10 15:58:54 PST

Committed 257688@main (59efc6d73de9): <https://commits.webkit.org/257688@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 463977 [details].

Comment 5 Radar WebKit Bug Importer 2022-12-10 15:59:15 PST

<rdar://problem/103218248>