Bug 293499
| Summary: | Reduce risk of lifetime issues when forwarding ref-counting from an object to its "owner" | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Chris Dumez <cdumez> |
| Component: | Web Template Framework | Assignee: | Chris Dumez <cdumez> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | darin, ggaren, rniwa, webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
Chris Dumez
Reduce risk of lifetime issues when forwarding ref-counting from an object to its "owner".
A common pattern in WebKit is to have an "owner" object create an "ownee" object lazily using makeUniqueWithoutRefCountedCheck<>() and then store it as a data member. The Owner object then has `ref()` and `deref()` member functions that call `ref()` / `deref()` on the owner object. However, this is only safe if the owner never clears its ownee data member unique_ptr.
We have had several recent security bugs where the data member would get cleared and someone holding a Ref/RefPtr to an object could still do a use-after-free, despite the code looking safe and the safer cpp static analysis being happy.
To address the issue, I propose that we update `makeUniqueWithoutRefCountedCheck<>()` to return a new `ConstUniquePtr<>` pointer instead of a `std::unique_ptr<>`. `ConstUniquePtr<>` is essentially a std::unique_ptr which cannot be reassigned, thus guarding against the kind of bug I am mentioning above.
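The owner/ownee pattern and the non-reassignable pointer that guards it, as an added C++ sketch that is not part of the bug report or of WebKit's code: `ConstUniquePtr` here is a simplified stand-in for the WTF class, `Owner`, `Ownee` and `ownerRefCountWhileOwneeIsReferenced()` are made up for the illustration, and `makeUniqueWithoutRefCountedCheck<>()` appears only in a comment.

```cpp
#include <type_traits>
// Simplified stand-in for WTF's ConstUniquePtr (assumption: not the real WTF class):
// ownership is fixed at construction, with no assignment and no reset().
template<typename T> class ConstUniquePtr {
public:
    explicit ConstUniquePtr(T* ptr) : m_ptr(ptr) { }
    ~ConstUniquePtr() { delete m_ptr; }
    ConstUniquePtr(const ConstUniquePtr&) = delete;
    ConstUniquePtr& operator=(const ConstUniquePtr&) = delete;
    ConstUniquePtr& operator=(ConstUniquePtr&&) = delete; // the guard: no reassignment
    T& operator*() const { return *m_ptr; }
private:
    T* m_ptr;
};
class Owner;
// The ownee keeps no count of its own; ref()/deref() forward to the owner, which is only sound while the owner keeps the ownee alive.
class Ownee {
public:
    explicit Ownee(Owner& owner) : m_owner(owner) { }
    void ref();
    void deref();
private:
    Owner& m_owner;
};
class Owner {
public:
    void ref() { ++m_refCount; }
    void deref() { --m_refCount; }
    unsigned refCount() const { return m_refCount; }
    Ownee& ownee() { return *m_ownee; }
    // With std::unique_ptr the line below compiles and leaves every Ref<Ownee>
    // holder dangling; with ConstUniquePtr it is rejected at compile time.
    // void clearOwnee() { m_ownee = nullptr; }
private:
    unsigned m_refCount { 1 };
    // Stands in for makeUniqueWithoutRefCountedCheck<Ownee>() returning ConstUniquePtr.
    ConstUniquePtr<Ownee> m_ownee { new Ownee(*this) };
};
void Ownee::ref() { m_owner.ref(); }
void Ownee::deref() { m_owner.deref(); }
static_assert(!std::is_move_assignable<ConstUniquePtr<Ownee>>::value, "ConstUniquePtr must not be reassignable");
// A ref taken on the ownee (what a Ref<Ownee> does) lands on the owner's count.
unsigned ownerRefCountWhileOwneeIsReferenced() {
    Owner owner;
    owner.ownee().ref();
    unsigned count = owner.refCount(); // 2: the owner's own ref plus the forwarded one
    owner.ownee().deref();
    return count;
}
```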
Chris Dumez
Pull request: https://github.com/WebKit/WebKit/pull/45845
EWS
Committed 295448@main (412d441c9a97): <https://commits.webkit.org/295448@main>
Reviewed commits have been landed. Closing PR #45845 and removing active labels.
Radar WebKit Bug Importer
<rdar://problem/152089253>