[Webkit-unassigned] [Bug 196472] New: CFI base-to-derived cast error in SentinelLinkedList.h

Mon Apr 1 17:07:09 PDT 2019

https://bugs.webkit.org/show_bug.cgi?id=196472

            Bug ID: 196472
           Summary: CFI base-to-derived cast error in SentinelLinkedList.h
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: New Bugs
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: chris.reid at sony.com

We're trying to get CFI running with JSC and one of the errors we're seeing is:
`SentinelLinkedList.h:63:24: runtime error: control flow integrity check for type 'JSC::Watchpoint' failed during base-to-derived cast (vtable address 0x000000000000)`

(lldb) bt
* thread #6, name = ' via C++ thread', stop reason = Cfi bad type
    frame #0: 0x0000000000877810 testapi`__ubsan_on_report at ubsan_monitor.cc:39:40
    frame #1: 0x0000000000871d54 testapi`::~Diag() at ubsan_diag.cc:354:29
    frame #2: 0x00000000008789b4 testapi`::__ubsan_handle_cfi_bad_type() at ubsan_handlers_cxx.cc:133:3
    frame #3: 0x00000000008771b2 testapi`__ubsan_handle_cfi_check_fail at ubsan_handlers.cc:846:5
  * frame #4: 0x00000000009339a1 testapi`WTF::BasicRawSentinelNode<JSC::Watchpoint>::next(this=0x00007ffff0df93a0) at SentinelLinkedList.h:63:24
    frame #5: 0x0000000000a34bc5 testapi`WTF::SentinelLinkedList<JSC::Watchpoint, WTF::BasicRawSentinelNode<JSC::Watchpoint> >::begin(this=0x00007ffff0df93a0) at SentinelLinkedList.h:151:43
    frame #6: 0x0000000000a34b8b testapi`WTF::SentinelLinkedList<JSC::Watchpoint, WTF::BasicRawSentinelNode<JSC::Watchpoint> >::isEmpty(this=0x00007ffff0df93a0) at SentinelLinkedList.h:102:29
    frame #7: 0x0000000000a34b3d testapi`JSC::WatchpointSet::~WatchpointSet(this=0x00007ffff0df9398) at Watchpoint.cpp:70:19
    ...

This looks like a valid base-to-derived error because the SentinelLinkedList head and tail nodes are constructed as the base class BasicRawSentinelNode<JSC::Watchpoint>. m_headSentinel.next() tries to cast the object constructed as BasicRawSentinelNode<JSC::Watchpoint>* to a JSC::Watchpoint*. Those two objects are also different sizes. It doesn't seem like the head and tail nodes are dereferenced after a prev/next call, but it will probably be unsafe if they do end up being dereferenced.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20190402/f12c3003/attachment.html>