Bug 125329 - Define m_hasBadParent in InlineBox if defined(ADDRESS_SANITIZER)
Summary: Define m_hasBadParent in InlineBox if defined(ADDRESS_SANITIZER)
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering (show other bugs)
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: David Kilzer (:ddkilzer)
URL:
Keywords:
: 124387 (view as bug list)
Depends on:
Blocks:
 
Reported: 2013-12-05 19:13 PST by Drew Yao
Modified: 2014-01-30 11:39 PST (History)
15 users (show)

See Also:

Attachments
Patch v1 for initial comments, not landing (8.70 KB, patch)
2013-12-08 10:08 PST, David Kilzer (:ddkilzer) 		no flags Details | Formatted Diff | Diff
Patch v2 (8.38 KB, patch)
2013-12-10 17:15 PST, David Kilzer (:ddkilzer) 		no flags Details | Formatted Diff | Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Drew Yao 2013-12-05 19:13:21 PST 
Source/WebCore/rendering/InlineBox.{h,cpp} have the concept of m_hasBadParent which is used to detect use after free issues.  It's only enabled #if !ASSERT_DISABLED.

If we're running fuzzing with Address Sanitizer in a release build, we're not getting the benefit of this checking.  It should also be enabled when building with Address Sanitizer.

The simple fix is to convert all the
#if !ASSERT_DISABLED
in these files to
#if !ASSERT_DISABLED || defined(ADDRESS_SANITIZER)
Comment 1 David Kilzer (:ddkilzer) 2013-12-06 07:42:43 PST 
A slightly better approach may be to introduce an ASSERT_WITH_SECURITY_IMPLICATIONS_DISABLED macro and change:

#if !ASSERT_DISABLED

to:

#if !ASSERT_WITH_SECURITY_IMPLICATIONS_DISABLED

This would let us separate the two types of asserts and the code needed to implement them.
Comment 2 David Kilzer (:ddkilzer) 2013-12-06 13:15:38 PST 
I'm working on this.  Pulling the thread has unraveled a few uses of #ifndef NDEBUG that should have been ASSERT_DISABLED or now ASSERT_WITH_SECURITY_IMPLICATION_DISABLED.
Comment 3 David Kilzer (:ddkilzer) 2013-12-08 10:08:40 PST 
Created attachment 218697 [details]
Patch v1 for initial comments, not landing
Comment 4 Darin Adler 2013-12-09 08:19:00 PST 
Comment on attachment 218697 [details]
Patch v1 for initial comments, not landing

View in context: https://bugs.webkit.org/attachment.cgi?id=218697&action=review

> Source/WebCore/rendering/InlineBox.cpp:56
> -    if (!m_hasBadParent && m_parent)
> +    if (m_hasBadParent && m_parent)
>          m_parent->setHasBadChildList();

This change seems wrong. The point here is to tell the parent that this child is gone, and so the parent’s child list is now bad. It’s not safe to do that if the parent is bad. So we should do this only if the parent is *not* bad. Removing the ! breaks the code.

> Source/WebCore/rendering/InlineFlowBox.cpp:58
> -    if (!m_hasBadChildList)
> +    if (m_hasBadChildList) {
>          for (InlineBox* child = firstChild(); child; child = child->nextOnLine())
>              child->setHasBadParent();
> +    }

Same mistake here. The parent is going away and so any child that is still around now has a bad parent. But if the child list is already bad, then it’s not safe to walk the child list so we don’t even try in that case. Removing the ! breaks the code.
Comment 5 David Kilzer (:ddkilzer) 2013-12-10 17:15:25 PST 
Created attachment 218927 [details]
Patch v2
Comment 6 David Kilzer (:ddkilzer) 2013-12-10 17:16:02 PST 
(In reply to comment #5)
> Created an attachment (id=218927) [details]
> Patch v2

Removed the changes to the m_hasBad* ivar checks.
Comment 7 WebKit Commit Bot 2013-12-11 15:13:55 PST 
Comment on attachment 218927 [details]
Patch v2

Clearing flags on attachment: 218927

Committed r160462: <http://trac.webkit.org/changeset/160462>
Comment 8 WebKit Commit Bot 2013-12-11 15:13:58 PST 
All reviewed patches have been landed.  Closing bug.
Comment 9 David Farler 2014-01-30 11:39:04 PST 
*** Bug 124387 has been marked as a duplicate of this bug. ***