249058 – Fix use-after-move in WebCore:: LineBuilder::tryPlacingFloatBox()

Bug 249058 - Fix use-after-move in WebCore:: LineBuilder::tryPlacingFloatBox()

Summary: Fix use-after-move in WebCore:: LineBuilder::tryPlacingFloatBox()

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	Layout and Rendering (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	zalan

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2022-12-09 18:04 PST by David Kilzer (:ddkilzer)
Modified:	2022-12-10 17:04 PST (History)
CC List:	5 users (show)

See Also:

Attachments
[fast-cq]Patch (1.41 KB, patch) 2022-12-10 07:16 PST, zalan	ews-feeder: commit-queue-	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description David Kilzer (:ddkilzer) 2022-12-09 18:04:42 PST

Fix use-after-move in WebCore::LineBuilder::tryPlacingFloatBox() in Source/WebCore/layout/formattingContexts/inline/InlineLineBuilder.cpp.

The `floatBoxItem` variable is involved in the use-after-move below.

```
bool LineBuilder::tryPlacingFloatBox(const InlineItem& floatItem, LineBoxConstraintApplies lineBoxConstraintApplies)
{
    [...]
    auto floatBoxItem = floatingContext.toFloatItem(floatBox);
    auto isLogicalLeftPositionedInFloatingState = floatBoxItem.isLeftPositioned();
    floatingState()->append(WTFMove(floatBoxItem));  // Move.
    [...]
    // FIXME: In quirks mode some content may sneak above this float.
    if (shouldAdjustLineLogicalLeft()) {
        auto floatLogicalRight = InlineLayoutUnit { floatBoxItem.rectWithMargin().right() };  // Use-after-move.
        [...]
    }
    [...]
}
```

Not sure what the default move constructor for `WebCore::FloatingState::FloatItem` will do to the moved-from object, but this should be avoided if possible.

Comment 1 zalan 2022-12-09 19:22:11 PST

(In reply to David Kilzer (:ddkilzer) from comment #0)
> Fix use-after-move in WebCore::LineBuilder::tryPlacingFloatBox() in
> Source/WebCore/layout/formattingContexts/inline/InlineLineBuilder.cpp.
> 
> The `floatBoxItem` variable is involved in the use-after-move below.
> 
> ```
> bool LineBuilder::tryPlacingFloatBox(const InlineItem& floatItem,
> LineBoxConstraintApplies lineBoxConstraintApplies)
> {
>     [...]
>     auto floatBoxItem = floatingContext.toFloatItem(floatBox);
>     auto isLogicalLeftPositionedInFloatingState =
> floatBoxItem.isLeftPositioned();
>     floatingState()->append(WTFMove(floatBoxItem));  // Move.
>     [...]
>     // FIXME: In quirks mode some content may sneak above this float.
>     if (shouldAdjustLineLogicalLeft()) {
>         auto floatLogicalRight = InlineLayoutUnit {
> floatBoxItem.rectWithMargin().right() };  // Use-after-move.
>         [...]
>     }
>     [...]
> }
> ```
> 
> Not sure what the default move constructor for
> `WebCore::FloatingState::FloatItem` will do to the moved-from object, but
> this should be avoided if possible.
Yeah, good catch. Fortunately it's safe, nothing gets moved here. -will nevertheless.

Comment 2 zalan 2022-12-09 20:03:01 PST

"-will nevertheless." should read "will fix nevertheless"

Comment 3 zalan 2022-12-10 07:16:45 PST

Created attachment 463977 [details]
[fast-cq]Patch

Comment 4 EWS 2022-12-10 15:58:54 PST

Committed 257688@main (59efc6d73de9): <https://commits.webkit.org/257688@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 463977 [details].

Comment 5 Radar WebKit Bug Importer 2022-12-10 15:59:15 PST

<rdar://problem/103218248>