Bug 125329

Summary: Define m_hasBadParent in InlineBox if defined(ADDRESS_SANITIZER)
Product: WebKit Reporter: Drew Yao <ayao>
Component: Layout and RenderingAssignee: David Kilzer (:ddkilzer) <ddkilzer>
Status: RESOLVED FIXED    
Severity: Normal CC: benjamin, bfulgham, cmarcelo, commit-queue, darin, ddkilzer, dfarler, esprehn+autocc, glenn, hyatt, kling, koivisto, kondapallykalyan, sam, simon.fraser
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch v1 for initial comments, not landing
none
Patch v2 none

Drew Yao
Reported 2013-12-05 19:13:21 PST
Source/WebCore/rendering/InlineBox.{h,cpp} have the concept of m_hasBadParent which is used to detect use after free issues. It's only enabled #if !ASSERT_DISABLED. If we're running fuzzing with Address Sanitizer in a release build, we're not getting the benefit of this checking. It should also be enabled when building with Address Sanitizer. The simple fix is to convert all the #if !ASSERT_DISABLED in these files to #if !ASSERT_DISABLED || defined(ADDRESS_SANITIZER)
Attachments
Patch v1 for initial comments, not landing (8.70 KB, patch)
2013-12-08 10:08 PST, David Kilzer (:ddkilzer) 		no flags
DetailsFormatted DiffDiff
Patch v2 (8.38 KB, patch)
2013-12-10 17:15 PST, David Kilzer (:ddkilzer) 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
David Kilzer (:ddkilzer)
Comment 1 2013-12-06 07:42:43 PST
A slightly better approach may be to introduce an ASSERT_WITH_SECURITY_IMPLICATIONS_DISABLED macro and change: #if !ASSERT_DISABLED to: #if !ASSERT_WITH_SECURITY_IMPLICATIONS_DISABLED This would let us separate the two types of asserts and the code needed to implement them.
David Kilzer (:ddkilzer)
Comment 2 2013-12-06 13:15:38 PST
I'm working on this. Pulling the thread has unraveled a few uses of #ifndef NDEBUG that should have been ASSERT_DISABLED or now ASSERT_WITH_SECURITY_IMPLICATION_DISABLED.
David Kilzer (:ddkilzer)
Comment 3 2013-12-08 10:08:40 PST
Created attachment 218697 [details] Patch v1 for initial comments, not landing
Darin Adler
Comment 4 2013-12-09 08:19:00 PST
Comment on attachment 218697 [details] Patch v1 for initial comments, not landing View in context: https://bugs.webkit.org/attachment.cgi?id=218697&action=review > Source/WebCore/rendering/InlineBox.cpp:56 > - if (!m_hasBadParent && m_parent) > + if (m_hasBadParent && m_parent) > m_parent->setHasBadChildList(); This change seems wrong. The point here is to tell the parent that this child is gone, and so the parent’s child list is now bad. It’s not safe to do that if the parent is bad. So we should do this only if the parent is *not* bad. Removing the ! breaks the code. > Source/WebCore/rendering/InlineFlowBox.cpp:58 > - if (!m_hasBadChildList) > + if (m_hasBadChildList) { > for (InlineBox* child = firstChild(); child; child = child->nextOnLine()) > child->setHasBadParent(); > + } Same mistake here. The parent is going away and so any child that is still around now has a bad parent. But if the child list is already bad, then it’s not safe to walk the child list so we don’t even try in that case. Removing the ! breaks the code.
David Kilzer (:ddkilzer)
Comment 5 2013-12-10 17:15:25 PST
Created attachment 218927 [details] Patch v2
David Kilzer (:ddkilzer)
Comment 6 2013-12-10 17:16:02 PST
(In reply to comment #5) > Created an attachment (id=218927) [details] > Patch v2 Removed the changes to the m_hasBad* ivar checks.
WebKit Commit Bot
Comment 7 2013-12-11 15:13:55 PST
Comment on attachment 218927 [details] Patch v2 Clearing flags on attachment: 218927 Committed r160462: <http://trac.webkit.org/changeset/160462>
WebKit Commit Bot
Comment 8 2013-12-11 15:13:58 PST
All reviewed patches have been landed. Closing bug.
David Farler
Comment 9 2014-01-30 11:39:04 PST
*** Bug 124387 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.