The clang static analyzer found the following issue:

    DumpRenderTree/mac/PixelDumpSupportMac.mm:67:9: warning: Use of memory after it is freed
            WTFLogAlways("DumpRenderTree: CGBitmapContextCreate(%p, %llu, %llu, 8, %llu, %p, 0x%x) failed\n", buffer, pixelsHigh, pixelsWide, rowBytes, colorSpace.get(), kCGImageAlphaPremultipliedFirst | kCGBitmapByteOrder32Host);
            ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The issue is that free(buffer) is called before it's used in the WTFLogAlways() macro:

    if (!context) {
        free(buffer);
        WTFLogAlways("DumpRenderTree: CGBitmapContextCreate(%p, %llu, %llu, 8, %llu, %p, 0x%x) failed\n", buffer, pixelsHigh, pixelsWide, rowBytes, colorSpace.get(), kCGImageAlphaPremultipliedFirst | kCGBitmapByteOrder32Host);
        return nullptr;
    }
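The failure path above, rewritten in plain C as an added example (not WebKit's code or its eventual fix): the log call that reports the still-valid buffer runs before free(), and a small event ledger lets a test confirm the ordering. CGBitmapContextCreate is replaced by a hypothetical stand-in that fails for a zero-size bitmap so the error path can be exercised offline.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>

/* Hypothetical stand-in for CGBitmapContextCreate (assumption, not the real
 * CoreGraphics call): fails for an empty bitmap or a NULL backing buffer. */
static void *fake_bitmap_context_create(void *data, size_t pixelsWide, size_t pixelsHigh)
{
    if (!data || pixelsWide == 0 || pixelsHigh == 0)
        return NULL;
    return data; /* any non-NULL value stands for a live context here */
}

/* Ledger of what the failure path did, in order, so a test can check that
 * the buffer is logged while it is still allocated and only then freed. */
enum event { EV_LOG = 1, EV_FREE = 2 };
#define MAX_EVENTS 8
static enum event g_events[MAX_EVENTS];
static int g_event_count;

static void record_event(enum event e)
{
    if (g_event_count < MAX_EVENTS)
        g_events[g_event_count++] = e;
}

/* Same diagnostic as the original, minus the CoreGraphics-specific fields;
 * `buffer` must still be a valid allocation when this runs. */
static void log_create_failure(const void *buffer, size_t pixelsWide, size_t pixelsHigh, size_t rowBytes)
{
    record_event(EV_LOG);
    fprintf(stderr, "DumpRenderTree: CGBitmapContextCreate(%p, %zu, %zu, 8, %zu) failed\n",
            buffer, pixelsHigh, pixelsWide, rowBytes);
}

static void release_buffer(void *buffer)
{
    record_event(EV_FREE);
    free(buffer);
}

/* Allocates the pixel buffer and creates a context over it. On success the
 * caller owns both *bufferOut and the returned context; on failure the
 * buffer is logged first, then freed, and NULL is returned. */
void *create_bitmap_context(size_t pixelsWide, size_t pixelsHigh, void **bufferOut)
{
    size_t rowBytes = pixelsWide * 4; /* 4 bytes per pixel, ARGB */
    void *buffer = calloc(pixelsHigh ? pixelsHigh : 1, rowBytes ? rowBytes : 1);
    *bufferOut = NULL;
    if (!buffer)
        return NULL;

    void *context = fake_bitmap_context_create(buffer, pixelsWide, pixelsHigh);
    if (!context) {
        /* Corrected ordering: report the pointer before its memory is released. */
        log_create_failure(buffer, pixelsWide, pixelsHigh, rowBytes);
        release_buffer(buffer);
        return NULL;
    }
    *bufferOut = buffer;
    return context;
}

/* Drives the failure path and returns true only if the ledger shows exactly
 * one log event followed by exactly one free event. */
bool failure_path_logs_before_free(void)
{
    g_event_count = 0;
    void *buffer = NULL;
    void *context = create_bitmap_context(0, 0, &buffer);
    return context == NULL && buffer == NULL
        && g_event_count == 2 && g_events[0] == EV_LOG && g_events[1] == EV_FREE;
}

/* Drives the success path and returns true if a context and buffer came back. */
bool success_path_returns_context(void)
{
    g_event_count = 0;
    void *buffer = NULL;
    void *context = create_bitmap_context(4, 4, &buffer);
    bool ok = context != NULL && buffer != NULL && g_event_count == 0;
    free(buffer);
    return ok;
}

int main(void)
{
    printf("failure path ordered correctly: %s\n", failure_path_logs_before_free() ? "yes" : "no");
    printf("success path returns context:   %s\n", success_path_returns_context() ? "yes" : "no");
    return 0;
}
```

Formatting only the pointer value after free() is the mildest form of this bug, but the analyzer cannot tell that from a real dereference, and keeping the log-before-free order makes the code correct rather than merely harmless.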
Created attachment 266591
Patch v1
Comment on attachment 266591
Patch v1

View in context: https://bugs.webkit.org/attachment.cgi?id=266591&action=review

> Tools/DumpRenderTree/mac/PixelDumpSupportMac.mm:66
> WTFLogAlways("DumpRenderTree: CGBitmapContextCreate(%p, %llu, %llu, 8, %llu, %p, 0x%x) failed\n", buffer, pixelsHigh, pixelsWide, rowBytes, colorSpace.get(), kCGImageAlphaPremultipliedFirst | kCGBitmapByteOrder32Host);

This just prints the address of the buffer, so not really a use-after-free. But OK.
(In reply to comment #2)
> Comment on attachment 266591
> Patch v1
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=266591&action=review
>
> > Tools/DumpRenderTree/mac/PixelDumpSupportMac.mm:66
> > WTFLogAlways("DumpRenderTree: CGBitmapContextCreate(%p, %llu, %llu, 8, %llu, %p, 0x%x) failed\n", buffer, pixelsHigh, pixelsWide, rowBytes, colorSpace.get(), kCGImageAlphaPremultipliedFirst | kCGBitmapByteOrder32Host);
>
> This just prints the address of the buffer, so not really a use-after-free.
> But OK.

I know. It's the lamest use-after-free ever.
Comment on attachment 266591
Patch v1

Clearing flags on attachment: 266591

Committed r193409: <http://trac.webkit.org/changeset/193409>
All reviewed patches have been landed. Closing bug.