CFI: avoid a bad cast in InsertBeforeAndInvalidateAllPointers.

CFI: avoid a bad cast in InsertBeforeMany.

Instead of dereferencing an iterator pointing to non-initialized memory (which requires a cast to the element type pointer), pass a char* memory pointer to new().

BUG=chromium:531664, chromium:457523
CQ_INCLUDE_TRYBOTS=tryserver.blink:linux_blink_rel

Committed: https://crrev.com/93f671bcf253ae4df5e054b542bd31a4eb17023b
Cr-Commit-Position: refs/heads/master@{#350035}

[krasin, 2015-09-21 18:45:11]

Patchset #1 (id:1) has been deleted

[krasin, 2015-09-21 18:45:43]

krasin@google.com changed reviewers:
+ ccameron@chromium.org

[ccameron, 2015-09-21 19:01:39]

Thanks! lgtm (with the suggestion).

https://codereview.chromium.org/1359693002/diff/20001/cc/base/list_container.h
File cc/base/list_container.h (right):

https://codereview.chromium.org/1359693002/diff/20001/cc/base/list_container....
cc/base/list_container.h:127: return new (*at) DerivedElementType();
Could you grab this instance as well? I'm surprised this didn't trigger it as
well (the operator* will do a reinterpret here, and I'd think that the dtor
above would make that no longer acceptable).

[weiliangc, 2015-09-21 19:04:18]

weiliangc@chromium.org changed reviewers:
+ weiliangc@chromium.org

[weiliangc, 2015-09-21 19:04:18]

Thanks for catching this!

The problem happens when we dereference an Iterator on uninitialized memory.
These insertion should be the only places we try to do that.

https://codereview.chromium.org/1359693002/diff/20001/cc/base/list_container.h
File cc/base/list_container.h (right):

https://codereview.chromium.org/1359693002/diff/20001/cc/base/list_container....
cc/base/list_container.h:127: return new (*at) DerivedElementType();
This is another case here.

[krasin, 2015-09-21 20:43:35]

https://codereview.chromium.org/1359693002/diff/20001/cc/base/list_container.h
File cc/base/list_container.h (right):

https://codereview.chromium.org/1359693002/diff/20001/cc/base/list_container....
cc/base/list_container.h:127: return new (*at) DerivedElementType();
On 2015/09/21 19:04:18, weiliangc wrote:
> This is another case here.

Done.

https://codereview.chromium.org/1359693002/diff/20001/cc/base/list_container....
cc/base/list_container.h:127: return new (*at) DerivedElementType();
On 2015/09/21 19:01:39, ccameron wrote:
> Could you grab this instance as well? I'm surprised this didn't trigger it as
> well (the operator* will do a reinterpret here, and I'd think that the dtor
> above would make that no longer acceptable).

Done.

[krasin, 2015-09-21 20:43:56]

The CQ bit was checked by krasin@google.com

[krasin, 2015-09-21 20:43:56]

The patchset sent to the CQ was uploaded after l-g-t-m from
ccameron@chromium.org
Link to the patchset: https://codereview.chromium.org/1359693002/#ps40001
(title: "fixed another instance")

[commit-bot: I haz the power, 2015-09-21 20:44:28]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/1359693002/40001
View timeline at
 https://chromium-cq-status.appspot.com/patch-timeline/1359693002/40001

[commit-bot: I haz the power, 2015-09-21 21:52:04]

Committed patchset #2 (id:40001)

[commit-bot: I haz the power, 2015-09-21 21:53:06]

Patchset 2 (id:??) landed as
https://crrev.com/93f671bcf253ae4df5e054b542bd31a4eb17023b
Cr-Commit-Position: refs/heads/master@{#350035}