Bug 249061

Summary: Fix use-after-move in WebCore::StyleGradientImage constructor
Product: WebKit
Reporter: David Kilzer (:ddkilzer) <ddkilzer>
Component: SVG
Assignee: David Kilzer (:ddkilzer) <ddkilzer>
Status: RESOLVED FIXED
Severity: Normal
CC: sabouhallawa, webkit-bug-importer, zimmermann
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Bug Depends on: 246927
Bug Blocks:

Description David Kilzer (:ddkilzer) 2022-12-09 18:36:02 PST
Fix use-after-free in WebCore::StyleGradientImage() constructor in Source/WebCore/rendering/style/StyleGradientImage.cpp.

```
StyleGradientImage::StyleGradientImage(Data&& data, CSSGradientColorInterpolationMethod colorInterpolationMethod, Vector<StyleGradientImageStop>&& stops)
    : StyleGeneratedImage { Type::GradientImage, StyleGradientImage::isFixedSize }
    , m_data { WTFMove(data) }
    , m_colorInterpolationMethod { colorInterpolationMethod }
    , m_stops { WTFMove(stops) }
    , m_knownCacheableBarringFilter { stopsAreCacheable(stops) }  // FIXME: Use-after-move of `stops`.
{
}
```
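The following is an added, self-contained illustration of the defect described in this bug; it is not WebKit code and not the patch that landed in PR #7427. `Stop` and `stopsAreCacheable()` are constructed stand-ins for `StyleGradientImageStop` and WebCore's real predicate (assumed here to mean "every stop has a resolved color"), and `FixedImage` shows one valid repair (evaluate the predicate over the member that now owns the data), which is an assumption about the fix rather than a statement of what the PR did. The point it makes is that the bug is silent: the moved-from `Vector` is empty, so the cacheability check vacuously succeeds and the gradient is marked cacheable even when its stops are not.

```cpp
#include <cstddef>
#include <iostream>
#include <utility>
#include <vector>

// Constructed stand-in for StyleGradientImageStop (not WebCore's type).
struct Stop {
    bool hasResolvedColor;
};

// Constructed stand-in for WebCore's stopsAreCacheable(): cacheable only if
// every stop is resolved. Vacuously true for an empty list, which is exactly
// what a moved-from vector looks like in every mainstream standard library.
static bool stopsAreCacheable(const std::vector<Stop>& stops)
{
    for (const Stop& stop : stops) {
        if (!stop.hasResolvedColor)
            return false;
    }
    return true;
}

// Reproduces the defect from the bug: `stops` is moved into m_stops and then
// read again by the next initializer. clang-tidy's bugprone-use-after-move
// check flags this pattern.
class BuggyImage {
public:
    explicit BuggyImage(std::vector<Stop>&& stops)
        : m_stops { std::move(stops) }
        , m_knownCacheable { stopsAreCacheable(stops) } // use-after-move of `stops`
    {
    }
    bool knownCacheable() const { return m_knownCacheable; }
    std::size_t stopCount() const { return m_stops.size(); }

private:
    std::vector<Stop> m_stops; // declared first, so initialized first
    bool m_knownCacheable;
};

// One correct form (assumed repair, not necessarily the landed one): run the
// predicate over the member that now owns the data. This is only safe because
// m_stops is *declared* before m_knownCacheable; members are initialized in
// declaration order, not in the order the initializer list is written.
class FixedImage {
public:
    explicit FixedImage(std::vector<Stop>&& stops)
        : m_stops { std::move(stops) }
        , m_knownCacheable { stopsAreCacheable(m_stops) }
    {
    }
    bool knownCacheable() const { return m_knownCacheable; }
    std::size_t stopCount() const { return m_stops.size(); }

private:
    std::vector<Stop> m_stops;
    bool m_knownCacheable;
};

// Constructed sample input: one unresolved stop, so the correct verdict is
// "not cacheable".
static std::vector<Stop> sampleStops()
{
    return { Stop { true }, Stop { false } };
}

static bool buggyVerdict() { return BuggyImage(sampleStops()).knownCacheable(); }
static bool fixedVerdict() { return FixedImage(sampleStops()).knownCacheable(); }

int main()
{
    std::cout << "buggy says cacheable: " << std::boolalpha << buggyVerdict() << '\n'; // true (wrong)
    std::cout << "fixed says cacheable: " << std::boolalpha << fixedVerdict() << '\n'; // false (correct)
    return 0;
}
```

Both objects end up owning the same two stops (`stopCount()` is 2 in each case); only the cached verdict differs, which is why this class of bug survives ordinary functional tests and is best caught by static analysis or by a review rule that no parameter is read after it has been passed to `WTFMove`/`std::move`.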
Comment 1 Radar WebKit Bug Importer 2022-12-09 18:36:24 PST
<rdar://problem/103202572>
Comment 2 David Kilzer (:ddkilzer) 2022-12-09 18:45:45 PST
Pull request: https://github.com/WebKit/WebKit/pull/7427
Comment 3 EWS 2022-12-10 13:41:22 PST
Committed 257686@main (40f4e5e1face): <https://commits.webkit.org/257686@main>

Reviewed commits have been landed. Closing PR #7427 and removing active labels.
Comment 4 David Kilzer (:ddkilzer) 2022-12-11 09:01:39 PST
This was a use-after-move, not a use-after-free.