Branch: refs/heads/webkitglib/2.52
  Home:   https://github.com/WebKit/WebKit
  Commit: 2f59b476703bd9b2858e5cfd54593ae6db87971d
https://github.com/WebKit/WebKit/commit/2f59b476703bd9b2858e5cfd54593ae6db87971d
  Author: Milan Crha <[email protected]>
  Date:   2026-05-21 (Thu, 21 May 2026)

  Changed paths:
    M Source/WebKit/Platform/IPC/TransferString.cpp

  Log Message:
  -----------
  Cherry-pick 313602@main (cc28449d96ca). https://bugs.webkit.org/show_bug.cgi?id=311995

    Fix use-after-move crash in TransferString::release() with GCC

    Fix use-after-move crash in TransferString::release() with GCC
    https://bugs.webkit.org/show_bug.cgi?id=311995

    Reviewed by Michael Catanzaro.

    In TransferString::release(), the ExternalStringImpl::create() calls
    pass memory->span() as the first argument and a lambda capturing
    memory.releaseNonNull() as the second argument. Since C++ leaves the
    evaluation order of function arguments indeterminate, the compiler is
    free to evaluate argument 2 before argument 1.

    GCC typically evaluates arguments right-to-left, which means
    memory.releaseNonNull() runs first, nulling out the RefPtr, and then
    memory->span() dereferences the now-null pointer — causing a SIGSEGV
    ("Invalid read of size 8" in valgrind, as it tries to read the m_data
    and m_size members through null).

    Clang typically evaluates arguments left-to-right, so the bug does not
    manifest on macOS/Clang builds where WebKit is primarily developed and
    tested, which is likely why it was not caught earlier.

    The crash only triggers when the shared memory mapping is larger than
    transferAsMappingSize - 1 (16383 bytes), i.e. for IPC-transferred
    strings larger than ~16 KB. In the reported case, this happens when
    Evolution sends a long HTML email body to WebKitWebProcess via
    RunJavaScriptInFrameInScriptWorld.

    The fix extracts the span into a local variable before the
    ExternalStringImpl::create() call, ensuring memory->span() is always
    evaluated while the RefPtr is still valid.

    Both the SharedSpan8 (Latin1) and SharedSpan16 (char16_t) code paths
    are affected and fixed.

    * Source/WebKit/Platform/IPC/TransferString.cpp:
    (IPC::TransferString::release): Extract memory->span() into a local
    variable before passing it to ExternalStringImpl::create(), so it is
    evaluated before the lambda capture moves the RefPtr via
    releaseNonNull().

    Assisted-by: Claude Opus 4.6 <[email protected]>
    Canonical link: https://commits.webkit.org/313602@main

Canonical link: https://commits.webkit.org/305877.622@webkitglib/2.52
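The evaluation-order hazard described in the commit message, reduced to a stand-alone C++ reproduction added here (it is not WebKit's code). Span8, Mapping, ExternalString, create() and makeMapping() are constructed stand-ins for SharedSpan8, the shared memory mapping, ExternalStringImpl and its create(); a std::shared_ptr stands in for RefPtr and a moving init-capture for releaseNonNull(). The buggy shape keeps a null check the real code lacked, so it reports which argument order the compiler chose instead of crashing; the fixed shape applies the commit's local-variable approach.

```cpp
#include <cstddef>
#include <functional>
#include <memory>
#include <string>
#include <vector>
// Constructed stand-ins for this example; none of these are WebKit's classes.
struct Span8 { const char* data; std::size_t size; };
struct Mapping {                       // plays the role of the shared memory mapping
    std::vector<char> bytes;
    Span8 span() const { return { bytes.data(), bytes.size() }; }
};

struct ExternalString {                // plays the role of ExternalStringImpl
    std::string text;
    std::function<void()> freeMapping; // runs when the string is destroyed
};

static ExternalString create(Span8 s, std::function<void()> freeFn) {
    return { s.size ? std::string(s.data, s.size) : std::string(), std::move(freeFn) };
}

// Buggy shape: both arguments use `memory` and C++ leaves their order unspecified.
// The null check is only here to observe the order without UB; WebKit's code had none.
static ExternalString releaseUnordered(std::shared_ptr<Mapping>& memory) {
    return create(
        memory ? memory->span() : Span8{ nullptr, 0 },
        [owned = std::move(memory)]() { (void)owned; /* mapping lives with the string */ });
}

// Fixed shape (the commit's approach): read the span into a local first, so the
// move inside the lambda capture can no longer run before it.
static ExternalString releaseOrdered(std::shared_ptr<Mapping>& memory) {
    Span8 s = memory->span();
    return create(s, [owned = std::move(memory)]() { (void)owned; });
}

static std::shared_ptr<Mapping> makeMapping(const std::string& text) {
    return std::make_shared<Mapping>(Mapping{ std::vector<char>(text.begin(), text.end()) });
}
// Text produced by the fixed path; intact on every compiler.
static std::string fixedResult(const std::string& text) {
    auto m = makeMapping(text);
    return releaseOrdered(m).text;
}

// True when this compiler evaluated the lambda (and its move) before the span.
static bool compilerMovedFirst(const std::string& text) {
    auto m = makeMapping(text);
    return releaseUnordered(m).text.empty();
}
```

Building with GCC and Clang and comparing compilerMovedFirst() shows the two orders the message contrasts; fixedResult() is correct under both.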


