[Webkit-unassigned] [Bug 138141] New: ASSERT(!m_deletionHasBegun) in RefCounted.h should be ASSERT_WITH_SECURITY_IMPLICATION

Tue Oct 28 11:39:22 PDT 2014

https://bugs.webkit.org/show_bug.cgi?id=138141

            Bug ID: 138141
           Summary: ASSERT(!m_deletionHasBegun) in RefCounted.h should be
                    ASSERT_WITH_SECURITY_IMPLICATION
    Classification: Unclassified
           Product: WebKit
           Version: 528+ (Nightly build)
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Keywords: InRadar
          Severity: Normal
          Priority: P2
         Component: Web Template Framework
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: ayao at apple.com

rdar://18798463

ASSERT(!m_deletionHasBegun) in RefCounted.h should be ASSERT_WITH_SECURITY_IMPLICATION

There are several assertions in RefCounted.h like
        ASSERT(!m_deletionHasBegun);

These assertions indicate that a use after free will occur.  Marking them as ASSERT_WITH_SECURITY_IMPLICATION will help find more security bugs with fuzzing.

I’d also propose changing
#ifdef NDEBUG
#define CHECK_REF_COUNTED_LIFECYCLE 0
#else
#define CHECK_REF_COUNTED_LIFECYCLE 1
#endif

to #ifdef NDEBUG && ! defined(ADDRESS_SANITIZER)

so that release ASAN builds can get the benefit of the checking.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20141028/2b5d877e/attachment-0002.html>