Bug 138141 - ASSERT(!m_deletionHasBegun) in RefCounted.h should be ASSERT_WITH_SECURITY_IMPLICATION
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Web Template Framework
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Vicki Pfau
Keywords: InRadar
Reported: 2014-10-28 11:39 PDT by Drew Yao
Modified: 2014-10-30 14:35 PDT
Attachments
Patch (2.21 KB, patch)
2014-10-29 17:25 PDT, Vicki Pfau

Description Drew Yao 2014-10-28 11:39:22 PDT
rdar://18798463

ASSERT(!m_deletionHasBegun) in RefCounted.h should be ASSERT_WITH_SECURITY_IMPLICATION

There are several assertions in RefCounted.h like
        ASSERT(!m_deletionHasBegun);

These assertions indicate that a use-after-free will occur. Marking them as ASSERT_WITH_SECURITY_IMPLICATION will help find more security bugs with fuzzing.

I'd also propose changing
#ifdef NDEBUG
#define CHECK_REF_COUNTED_LIFECYCLE 0
#else
#define CHECK_REF_COUNTED_LIFECYCLE 1
#endif

to #if defined(NDEBUG) && !defined(ADDRESS_SANITIZER)

so that release ASAN builds can get the benefit of the checking.
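A minimal model of the check described above, added here as an example (not WebKit's RefCounted.h): the proposed NDEBUG/ADDRESS_SANITIZER gate, a hypothetical stand-in for ASSERT_WITH_SECURITY_IMPLICATION that records the failure instead of crashing, and a constructed ref()-after-deletion scenario that the assertion catches. It assumes the build defines an ADDRESS_SANITIZER macro for ASan builds.

```cpp
#include <cstddef>
#include <string>
#include <vector>
// Gate proposed in the report: checking survives NDEBUG in ASan builds (ADDRESS_SANITIZER assumed).
#if defined(NDEBUG) && !defined(ADDRESS_SANITIZER)
#define CHECK_REF_COUNTED_LIFECYCLE 0
#else
#define CHECK_REF_COUNTED_LIFECYCLE 1
#endif
constexpr bool lifecycleCheckingEnabled() { return CHECK_REF_COUNTED_LIFECYCLE; }
// Hypothetical stand-in for ASSERT_WITH_SECURITY_IMPLICATION: records instead of crashing.
static std::vector<std::string> g_securityAssertionFailures;
#define ASSERT_WITH_SECURITY_IMPLICATION(cond) \
    do { if (!(cond)) g_securityAssertionFailures.push_back(#cond); } while (0)

// Minimal model of RefCounted.h: once the count hits zero, deletion has begun,
// and any further ref()/deref() on the object is a use-after-free in the making.
class RefCountedBase {
public:
    void ref() {
#if CHECK_REF_COUNTED_LIFECYCLE
        ASSERT_WITH_SECURITY_IMPLICATION(!m_deletionHasBegun);
#endif
        ++m_refCount;
    }
protected:
    bool derefBase() {
#if CHECK_REF_COUNTED_LIFECYCLE
        ASSERT_WITH_SECURITY_IMPLICATION(!m_deletionHasBegun);
#endif
        if (--m_refCount) return false;
        m_deletionHasBegun = true;  // from here on, ref() means a dangling object
        return true;
    }
private:
    unsigned m_refCount = 1;
    bool m_deletionHasBegun = false;
};

// Constructed scenario: the last deref() runs the destructor, which calls ref()
// on the dying object. Returns how many lifecycle assertions fired (1 or 0).
std::size_t countLifecycleViolations() {
    g_securityAssertionFailures.clear();
    struct Node : RefCountedBase {
        ~Node() { ref(); }  // e.g. handing |this| to a RefPtr during teardown
        void deref() { if (derefBase()) delete this; }
    };
    (new Node)->deref();
    return g_securityAssertionFailures.size();
}
```

In a plain NDEBUG build the violation goes unreported (count 0), which is exactly the gap the ADDRESS_SANITIZER exception in the gate is meant to close.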
Comment 1 Vicki Pfau 2014-10-29 17:25:31 PDT
Created attachment 240641 [details]
Patch
Comment 2 WebKit Commit Bot 2014-10-30 14:35:00 PDT
Comment on attachment 240641 [details]
Patch

Clearing flags on attachment: 240641

Committed r175382: <http://trac.webkit.org/changeset/175382>
Comment 3 WebKit Commit Bot 2014-10-30 14:35:03 PDT
All reviewed patches have been landed. Closing bug.