Bug 138141

Summary: ASSERT(!m_deletionHasBegun) in RefCounted.h should be ASSERT_WITH_SECURITY_IMPLICATION
Product: WebKit
Component: Web Template Framework
Reporter: Drew Yao <ayao>
Assignee: Vicki Pfau <jeffrey+webkit>
Status: RESOLVED FIXED
Severity: Normal
Priority: P2
CC: ap, benjamin, cmarcelo, commit-queue, jeffrey+webkit
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Attachments: Patch (flags: none)

Drew Yao
Reported 2014-10-28 11:39:22 PDT
rdar://18798463

ASSERT(!m_deletionHasBegun) in RefCounted.h should be ASSERT_WITH_SECURITY_IMPLICATION

There are several assertions in RefCounted.h like

    ASSERT(!m_deletionHasBegun);

These assertions indicate that a use after free will occur. Marking them as ASSERT_WITH_SECURITY_IMPLICATION will help find more security bugs with fuzzing.

I’d also propose changing

    #ifdef NDEBUG
    #define CHECK_REF_COUNTED_LIFECYCLE 0
    #else
    #define CHECK_REF_COUNTED_LIFECYCLE 1
    #endif

to

    #ifdef NDEBUG && ! defined(ADDRESS_SANITIZER)

so that release ASAN builds can get the benefit of the checking.
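The lifecycle check the report describes, as an added C++ example that is not WebKit's code: the preprocessor guard keeps the check compiled in for ASan builds as well as debug builds, and the demo's ASSERT_WITH_SECURITY_IMPLICATION stand-in counts violations instead of aborting so the outcome can be inspected. RefCountedBase, Node and the global counter are constructed for this example.

```cpp
// Stand-ins for this demo, not WebKit's own macros. The guard mirrors the bug's
// proposal: lifecycle checks stay compiled in for debug and for ASan builds.
#if defined(NDEBUG) && !defined(ADDRESS_SANITIZER)
#define CHECK_REF_COUNTED_LIFECYCLE 0
#else
#define CHECK_REF_COUNTED_LIFECYCLE 1
#endif
// Demo stand-in: record the violation instead of aborting so a caller can inspect it.
static int g_securityAssertionFailures = 0;
#define ASSERT_WITH_SECURITY_IMPLICATION(cond) \
    do { if (!(cond)) ++g_securityAssertionFailures; } while (0)

class RefCountedBase {
public:
    void ref() {
#if CHECK_REF_COUNTED_LIFECYCLE
        // A ref() once deletion has begun means a use-after-free will follow.
        ASSERT_WITH_SECURITY_IMPLICATION(!m_deletionHasBegun);
#endif
        ++m_refCount;
    }
    bool derefBase() { // true: the caller must delete the object
#if CHECK_REF_COUNTED_LIFECYCLE
        ASSERT_WITH_SECURITY_IMPLICATION(!m_deletionHasBegun);
#endif
        if (--m_refCount)
            return false;
#if CHECK_REF_COUNTED_LIFECYCLE
        m_deletionHasBegun = true;
#endif
        return true;
    }
protected:
    ~RefCountedBase() = default;
private:
    unsigned m_refCount { 1 };
#if CHECK_REF_COUNTED_LIFECYCLE
    bool m_deletionHasBegun { false };
#endif
};

// Constructed scenario: a destructor that re-refs the object being destroyed.
struct Node : RefCountedBase { ~Node() { ref(); } };

// Returns the number of lifecycle violations flagged (1 when checking is compiled in).
int violationsFromRefDuringDestruction() {
    g_securityAssertionFailures = 0;
    Node* node = new Node;      // refcount 1
    if (node->derefBase())      // refcount 0: deletion begins
        delete node;            // ~Node calls ref() on the dying object
    return g_securityAssertionFailures;
}
```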
Attachments
Patch (2.21 KB, patch)
2014-10-29 17:25 PDT, Vicki Pfau
no flags
Vicki Pfau
Comment 1 2014-10-29 17:25:31 PDT
WebKit Commit Bot
Comment 2 2014-10-30 14:35:00 PDT
Comment on attachment 240641 [details] Patch
Clearing flags on attachment: 240641
Committed r175382: <http://trac.webkit.org/changeset/175382>
WebKit Commit Bot
Comment 3 2014-10-30 14:35:03 PDT
All reviewed patches have been landed. Closing bug.