Bug 230140

Summary: Use of memcpy with overlapping memory pointers
Product: WebKit Reporter: Jean-Yves Avenard [:jya] <jean-yves.avenard>
Component: MediaAssignee: Jean-Yves Avenard [:jya] <jean-yves.avenard>
Status: RESOLVED FIXED    
Severity: Normal CC: darin, ddkilzer, eric.carlson, ews-watchlist, glenn, jer.noble, philipj, sergio, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: Other   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch none

Jean-Yves Avenard [:jya]
Reported 2021-09-09 17:33:47 PDT
Problem introduced in bug 229251; the memory buffer content is shifted to the left; the use of memcpy under these circumstances is fine. But it triggers Asan "AddressSanitizer detected: memcpy-param-overlap" Should change memcpy to memmove here to keep asan happy.
Attachments
Patch (2.03 KB, patch)
2021-09-09 17:56 PDT, Jean-Yves Avenard [:jya] 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Jean-Yves Avenard [:jya]
Comment 1 2021-09-09 17:33:55 PDT
rdar://82946555
Jean-Yves Avenard [:jya]
Comment 2 2021-09-09 17:56:05 PDT
Created attachment 437814 [details] Patch
David Kilzer (:ddkilzer)
Comment 3 2021-09-10 02:14:36 PDT
Comment on attachment 437814 [details] Patch r=me
EWS
Comment 4 2021-09-10 03:23:38 PDT
Committed r282263 (241541@main): <https://commits.webkit.org/241541@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 437814 [details].
Darin Adler
Comment 5 2021-09-10 11:19:30 PDT
Comment on attachment 437814 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=437814&action=review > Source/WebCore/ChangeLog:11 > + We use memcpy with overlapping pointers which triggers Asan. In practice, > + with how memcpy was used the behaviour wasn't undefined and so would have > + been fine. I don’t understand the comment that memcpy would have been fine? Could you elaborate, just to satisfy my curiosity?
Darin Adler
Comment 6 2021-09-10 11:20:52 PDT
(In reply to Jean-Yves Avenard [:jya] from comment #0) > the memory buffer content is shifted to > the left; the use of memcpy under these circumstances is fine I see now: You are saying that typically memcpy works fine as long as you are moving left. Never thought of it that way, but I suppose as a practical matter that is so, but I am glad we fixed this because I don’t think it is OK to rely on that.
Darin Adler
Comment 7 2021-09-10 12:18:10 PDT
Comment on attachment 437814 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=437814&action=review > Source/WebCore/ChangeLog:10 > + with how memcpy was used the behaviour wasn't undefined and so would have What you probably should have said is that even though technically the behavior was undefined, in practice real world implementations of memcpy work with overlapping ranges as long as you are moving "left".
David Kilzer (:ddkilzer)
Comment 8 2021-09-11 00:11:05 PDT
Comment on attachment 437814 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=437814&action=review >> Source/WebCore/ChangeLog:11 >> + been fine. > > I don’t understand the comment that memcpy would have been fine? Could you elaborate, just to satisfy my curiosity? On Darwin platforms, memcpy() is implemented identically to memmove(), so there is no undefined behavior for overlapping regions. This is not true on other platforms like Linux, though.
Darin Adler
Comment 9 2021-09-12 16:45:30 PDT
Comment on attachment 437814 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=437814&action=review >>> Source/WebCore/ChangeLog:11 >>> + been fine. >> >> I don’t understand the comment that memcpy would have been fine? Could you elaborate, just to satisfy my curiosity? > > On Darwin platforms, memcpy() is implemented identically to memmove(), so there is no undefined behavior for overlapping regions. > > This is not true on other platforms like Linux, though. Let’s not quibble, but "undefined behavior" is not about what the functions actually do in practice, but about what the C standard guarantees they will do.
Jean-Yves Avenard [:jya]
Comment 10 2021-09-12 17:49:09 PDT
Comment on attachment 437814 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=437814&action=review >>>> Source/WebCore/ChangeLog:11 >>>> + been fine. >>> >>> I don’t understand the comment that memcpy would have been fine? Could you elaborate, just to satisfy my curiosity? >> >> On Darwin platforms, memcpy() is implemented identically to memmove(), so there is no undefined behavior for overlapping regions. >> >> This is not true on other platforms like Linux, though. > > Let’s not quibble, but "undefined behavior" is not about what the functions actually do in practice, but about what the C standard guarantees they will do. undefined behaviour is the easiest explanation that could be given if the user isn't paying attention on this matter. I was merely pointing that there was no logic flaw in the original code: that is the end result would be wrong with rubbish data. Considering: 1- the code is only on mac, where memmove is always used 2- I'm not aware of any libc's memcpy implementation or any compiler optimisation on any supported platforms where copying when dst < src would cause unexpected results. memmove == memcpy whenever dst < src. glibc calls memcpy explicitly from memmove if that is so. When I wrote the comment, my concern was that the code could be dangerous or produce rubbish, and I wrote it with that concern in mind. I'd be more explicit next time. sorry for that.
Note You need to log in before you can comment on or make changes to this bug.