Bug 138141

Summary: ASSERT(!m_deletionHasBegun) in RefCounted.h should be ASSERT_WITH_SECURITY_IMPLICATION
Product: WebKit Reporter: Drew Yao <ayao>
Component: Web Template FrameworkAssignee: Vicki Pfau <jeffrey+webkit>
Status: RESOLVED FIXED    
Severity: Normal CC: ap, benjamin, cmarcelo, commit-queue, jeffrey+webkit
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch none

Description Drew Yao 2014-10-28 11:39:22 PDT
rdar://18798463

ASSERT(!m_deletionHasBegun) in RefCounted.h should be ASSERT_WITH_SECURITY_IMPLICATION

There are several assertions in RefCounted.h like
        ASSERT(!m_deletionHasBegun);

These assertions indicate that a use after free will occur.  Marking them as ASSERT_WITH_SECURITY_IMPLICATION will help find more security bugs with fuzzing.

I’d also propose changing
#ifdef NDEBUG
#define CHECK_REF_COUNTED_LIFECYCLE 0
#else
#define CHECK_REF_COUNTED_LIFECYCLE 1
#endif

to #ifdef NDEBUG && ! defined(ADDRESS_SANITIZER)

so that release ASAN builds can get the benefit of the checking.
Comment 1 Vicki Pfau 2014-10-29 17:25:31 PDT
Created attachment 240641 [details]
Patch
Comment 2 WebKit Commit Bot 2014-10-30 14:35:00 PDT
Comment on attachment 240641 [details]
Patch

Clearing flags on attachment: 240641

Committed r175382: <http://trac.webkit.org/changeset/175382>
Comment 3 WebKit Commit Bot 2014-10-30 14:35:03 PDT
All reviewed patches have been landed.  Closing bug.