Bug 138141 - ASSERT(!m_deletionHasBegun) in RefCounted.h should be ASSERT_WITH_SECURITY_IMPLICATION
Summary: ASSERT(!m_deletionHasBegun) in RefCounted.h should be ASSERT_WITH_SECURITY_IM...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Web Template Framework (show other bugs)
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Vicki Pfau
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2014-10-28 11:39 PDT by Drew Yao
Modified: 2014-10-30 14:35 PDT (History)
5 users (show)

See Also:

Attachments
Patch (2.21 KB, patch)
2014-10-29 17:25 PDT, Vicki Pfau 		no flags Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Drew Yao 2014-10-28 11:39:22 PDT 
rdar://18798463

ASSERT(!m_deletionHasBegun) in RefCounted.h should be ASSERT_WITH_SECURITY_IMPLICATION

There are several assertions in RefCounted.h like
        ASSERT(!m_deletionHasBegun);

These assertions indicate that a use after free will occur.  Marking them as ASSERT_WITH_SECURITY_IMPLICATION will help find more security bugs with fuzzing.

Iā€™d also propose changing
#ifdef NDEBUG
#define CHECK_REF_COUNTED_LIFECYCLE 0
#else
#define CHECK_REF_COUNTED_LIFECYCLE 1
#endif

to #ifdef NDEBUG && ! defined(ADDRESS_SANITIZER)

so that release ASAN builds can get the benefit of the checking.
Comment 1 Vicki Pfau 2014-10-29 17:25:31 PDT 
Created attachment 240641 [details]
Patch
Comment 2 WebKit Commit Bot 2014-10-30 14:35:00 PDT 
Comment on attachment 240641 [details]
Patch

Clearing flags on attachment: 240641

Committed r175382: <http://trac.webkit.org/changeset/175382>
Comment 3 WebKit Commit Bot 2014-10-30 14:35:03 PDT 
All reviewed patches have been landed.  Closing bug.