WebKit Bugzilla
RESOLVED FIXED
210086
Use-after-move of Vector<ManipulationToken> in TextManipulationController::observeParagraphs()
https://bugs.webkit.org/show_bug.cgi?id=210086
David Kilzer (:ddkilzer)
Reported
2020-04-06 17:52:06 PDT
Use-after-move of Vector<ManipulationToken> in TextManipulationController::observeParagraphs().

This is not a security issue since the move constructor and the move assignment operator for WTF::Vector both do a swap(). This is to fix a clang static analyzer warning.

void TextManipulationController::observeParagraphs(const Position& start, const Position& end)
{
    [...]
    Vector<ManipulationToken> tokensInCurrentParagraph;
    [...]
    for (; !iterator.atEnd(); iterator.advance()) {
        [...]
        if (content.isReplacedContent) {
            [...]
            tokensInCurrentParagraph.append(ManipulationToken { m_tokenIdentifier.generate(), "[]", true /* isExcluded */});
            continue;
        }
        [...]
        while ((offsetOfNextNewLine = currentText.find('\n', startOfCurrentLine)) != notFound) {
            if (startOfCurrentLine < offsetOfNextNewLine) {
                [...]
                tokensInCurrentParagraph.append(ManipulationToken { m_tokenIdentifier.generate(), stringUntilEndOfLine, exclusionRuleMatcher.isExcluded(content.node.get()) });
            }
            if (!tokensInCurrentParagraph.isEmpty()) {
                [...]
                addItem(ManipulationItemData { startOfCurrentParagraph, endOfCurrentParagraph, nullptr, nullQName(), WTFMove(tokensInCurrentParagraph) });
                [...]
            }
            [...]
        }
        [...]
        if (remainingText.length())
            tokensInCurrentParagraph.append(ManipulationToken { m_tokenIdentifier.generate(), remainingText.toString(), exclusionRuleMatcher.isExcluded(content.node.get()) });
    }
    if (!tokensInCurrentParagraph.isEmpty())
        addItem(ManipulationItemData { startOfCurrentParagraph, visibleEnd.deepEquivalent(), nullptr, nullQName(), WTFMove(tokensInCurrentParagraph) });
}
Attachments
Patch v1 (1.95 KB, patch), 2020-04-06 17:54 PDT, David Kilzer (:ddkilzer), no flags
David Kilzer (:ddkilzer)
Comment 1
2020-04-06 17:54:27 PDT
Created attachment 395641
Patch v1
Radar WebKit Bug Importer
Comment 2
2020-04-06 17:54:56 PDT
<rdar://problem/61369003>
Ryosuke Niwa
Comment 3
2020-04-06 18:07:50 PDT
Comment on attachment 395641
Patch v1

View in context: https://bugs.webkit.org/attachment.cgi?id=395641&action=review
> Source/WebCore/editing/TextManipulationController.cpp:307 > - addItem(ManipulationItemData { startOfCurrentParagraph, endOfCurrentParagraph, nullptr, nullQName(), WTFMove(tokensInCurrentParagraph) }); > + addItem(ManipulationItemData { startOfCurrentParagraph, endOfCurrentParagraph, nullptr, nullQName(), std::exchange(tokensInCurrentParagraph, { }) });
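Review bot: the std::exchange(tokensInCurrentParagraph, { }) call at TextManipulationController.cpp:307 should carry a one-line comment saying the vector is appended to again on later loop iterations, so that nobody simplifies it back to WTFMove() and reintroduces the analyzer warning. The second addItem() call shown in the report's excerpt, after the for loop, is not part of this quoted hunk; it is the last use of the vector in the function, so WTFMove() is safe there, but using the same form at both call sites would make the function easier to audit.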
Huh, it's kind of annoying that we have to use std::exchange instead in this simple case...
EWS
Comment 4
2020-04-06 19:16:53 PDT
Committed r259620: <https://trac.webkit.org/changeset/259620>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 395641.
Darin Adler
Comment 5
2020-04-10 09:42:24 PDT
(In reply to Ryosuke Niwa from comment #3)
> it's kind of annoying that we have to use std::exchange instead in this simple case...
Given how C++ defines the move operation, *any* time we want to do anything with the object afterward we should use std::exchange. If we use WTFMove or std::move, we should think of the object left behind as "can't look at this; can only destroy it or overwrite it with a new value". Any existing habit of using WTFMove and counting on the thing being null afterward is not good for the long term. We need to either use std::exchange or something new we define, something other than WTFMove or std::move.

The good news is:

    auto takenValue = std::exchange(m_oldValue, nullptr);

with enough inlining could compile to the same thing as:

    auto takeValue = WTFMove(m_oldValue);
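The report notes that the old code was only safe because WTF::Vector's move operations swap. The following added example (not WebKit code and not part of the patch) runs the same accumulate-and-flush loop shape over a container without that property, comparing std::move with std::exchange. InlineTokens, Flush and paragraphs() are hypothetical names introduced for this illustration.

```cpp
// Added example, not WebKit code. InlineTokens is a hypothetical container
// whose implicit move is a memberwise copy, so a moved-from object keeps
// its old contents instead of becoming empty.
#include <array>
#include <cstddef>
#include <string>
#include <utility>
#include <vector>

struct InlineTokens {
    std::array<char, 8> items {};
    std::size_t count = 0;
    void append(char c) { if (count < items.size()) items[count++] = c; }
    bool isEmpty() const { return !count; }
    std::string toString() const { return std::string(items.data(), count); }
};

enum class Flush { Move, Exchange };

// Splits text into paragraphs at '\n', flushing the accumulator each time,
// in the same shape as the loop in observeParagraphs().
std::vector<std::string> paragraphs(const std::string& text, Flush how)
{
    std::vector<std::string> items;
    InlineTokens current;
    auto addItem = [&](InlineTokens tokens) { items.push_back(tokens.toString()); };
    for (char c : text) {
        if (c != '\n') {
            current.append(c);
            continue;
        }
        if (current.isEmpty())
            continue;
        if (how == Flush::Move)
            addItem(std::move(current));          // state afterwards depends on the type
        else
            addItem(std::exchange(current, { })); // state afterwards is a fresh, empty object
    }
    if (!current.isEmpty())
        addItem(std::move(current)); // last use: nothing reads current again
    return items;
}
```

With the std::move flush, the first paragraph's tokens leak into the second item; with std::exchange each item holds only its own paragraph.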