Avoid -Wuse-after-free warnings in DOMMatrix with GCC 12

https://bugs.webkit.org/show_bug.cgi?id=249910 Reviewed by Michael Catanzaro. GCC 12 sees issues with DOMMatrix::scaleSelf() and DOMMatrix::scale3dSelf() calling the translateSelf() method that returns a Ref<DOMMatrix> that holds a reference to the same DOMMatrix object. That Ref<DOMMatrix> gets destroyed when going out of scope, providing the never-taken codepath that destroys the DOMMatrix object if its reference count would fall to zero. This doesn't happen because of expectation that both methods initially start operation on the DOMMatrix object with a greater-than-zero reference count. Only after that do the two methods construct their own Ref<DOMMatrix> return value, which in theory would work on freed memory if that never-taken codepath was indeed taken. To avoid this, don't call translateSelf() but instead invoke directly the proper TransformationMatrix operations. * Source/WebCore/css/DOMMatrix.cpp: (WebCore::DOMMatrix::scaleSelf): (WebCore::DOMMatrix::scale3dSelf): Canonical link: https://commits.webkit.org/258346@main
WebKit · Dec 28, 2022 · bf1930f · bf1930f
1 parent 9d2d5fe
commit bf1930f
Showing 1 changed file with 5 additions and 5 deletions.
diff --git a/Source/WebCore/css/DOMMatrix.cpp b/Source/WebCore/css/DOMMatrix.cpp
@@ -159,11 +159,11 @@ Ref<DOMMatrix> DOMMatrix::scaleSelf(double scaleX, std::optional<double> scaleY,
 {
     if (!scaleY)
         scaleY = scaleX;
-    translateSelf(originX, originY, originZ);
+    m_matrix.translate3d(originX, originY, originZ);
     // Post-multiply a non-uniform scale transformation on the current matrix.
     // The 3D scale matrix is described in CSS Transforms with sx = scaleX, sy = scaleY and sz = scaleZ.
     m_matrix.scale3d(scaleX, scaleY.value(), scaleZ);
-    translateSelf(-originX, -originY, -originZ);
+    m_matrix.translate3d(-originX, -originY, -originZ);
     if (scaleZ != 1 || originZ)
         m_is2D = false;
     return *this;
@@ -172,12 +172,12 @@ Ref<DOMMatrix> DOMMatrix::scaleSelf(double scaleX, std::optional<double> scaleY,
 // https://drafts.fxtf.org/geometry/#dom-dommatrix-scale3dself
 Ref<DOMMatrix> DOMMatrix::scale3dSelf(double scale, double originX, double originY, double originZ)
 {
-    translateSelf(originX, originY, originZ);
+    m_matrix.translate3d(originX, originY, originZ);
     // Post-multiply a uniform 3D scale transformation (m11 = m22 = m33 = scale) on the current matrix.
     // The 3D scale matrix is described in CSS Transforms with sx = sy = sz = scale. [CSS3-TRANSFORMS]
     m_matrix.scale3d(scale, scale, scale);
-    translateSelf(-originX, -originY, -originZ);
-    if (scale != 1)
+    m_matrix.translate3d(-originX, -originY, -originZ);
+    if (scale != 1 || originZ)
         m_is2D = false;
     return *this;
 }