Bug 220710

Summary: Validate ItemHandles when decoding them in GPUProcess
Product: WebKit
Reporter: youenn fablet <youennf>
Component: Layout and Rendering
Assignee: youenn fablet <youennf>
Status: RESOLVED FIXED
Severity: Normal
CC: bfulgham, simon.fraser, webkit-bug-importer, wenson_hsieh, zalan
Priority: P2
Keywords: InRadar
Version: WebKit Local Build
Hardware: Unspecified
OS: Unspecified
Bug Depends on:
Bug Blocks: 219097

youenn fablet
Reported 2021-01-18 07:10:29 PST
Validate ItemHandles when decoding them in GPUProcess
Attachments
Patch (22.53 KB, patch)
2021-01-18 08:10 PST, youenn fablet
no flags
Patch (22.60 KB, patch)
2021-01-18 09:22 PST, youenn fablet
no flags
Patch (22.55 KB, patch)
2021-01-19 02:14 PST, youenn fablet
no flags
Patch (22.53 KB, patch)
2021-01-22 01:05 PST, youenn fablet
no flags
youenn fablet
Comment 1 2021-01-18 08:10:13 PST
youenn fablet
Comment 2 2021-01-18 08:10:41 PST
youenn fablet
Comment 3 2021-01-18 09:22:22 PST
youenn fablet
Comment 4 2021-01-19 02:14:01 PST
Wenson Hsieh
Comment 5 2021-01-21 08:39:25 PST
Comment on attachment 417865 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=417865&action=review

> Source/WebCore/platform/graphics/displaylists/DisplayListItemBuffer.cpp:543
> +template<typename, typename = void> inline constexpr bool HasIsValid = false;
> +template<typename T> inline constexpr bool HasIsValid<T, std::void_t<decltype(std::declval<T>().isValid())>> = true;

This is a really neat trick!

> Source/WebCore/platform/graphics/displaylists/DisplayListItemBuffer.cpp:559
> +bool ItemHandle::decodeInto(ItemHandle destination) const

Nit - I think the notion of "copying" is more accurate here than "decoding" (the latter of which sounds like it would involve marshaling of data to and from buffers, à la IPC encoding/decoding). Perhaps "createValidCopy" or "copyWithValidation"?
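As an added illustration, not code from the WebKit patch or from the reviewer, here is the `HasIsValid` detection idiom quoted above, used to drive a validate-then-copy step of the kind the bug title describes (item data arriving in the GPU process is copied only after any per-type validity check passes). Only the two `HasIsValid` lines reproduce what the review quotes; the item types `ResourceRefItem` and `TranslateItem`, the `safeCopy` function template and its signature are constructed for this example and are not WebKit's.

```cpp
#include <cstring>
#include <iostream>
#include <optional>
#include <type_traits>
#include <utility>

// Detection trait as quoted in the review: true when T has a member
// function isValid() callable on a T value, false otherwise.
template<typename, typename = void> inline constexpr bool HasIsValid = false;
template<typename T> inline constexpr bool HasIsValid<T, std::void_t<decltype(std::declval<T>().isValid())>> = true;

// Constructed item types standing in for display-list items (not WebKit's).
// This one carries an index into a resource table, so it has an invariant
// worth checking before the item is trusted.
struct ResourceRefItem {
    unsigned index;
    static constexpr unsigned maxResources = 16;
    bool isValid() const { return index < maxResources; }
};

// This one has no invariant beyond its bytes, so it provides no isValid().
struct TranslateItem {
    float dx;
    float dy;
};

static_assert(HasIsValid<ResourceRefItem>);
static_assert(!HasIsValid<TranslateItem>);

// Constructed validate-then-copy helper (hypothetical, not WebKit's safeCopy):
// copies the raw bytes into a typed item, then, if the type exposes isValid(),
// rejects the item when the check fails. Types without isValid() are copied
// unconditionally, so adding isValid() to a type is all that is needed to
// opt it into validation.
template<typename T>
std::optional<T> safeCopy(const void* untrustedBytes)
{
    static_assert(std::is_trivially_copyable_v<T>, "items are copied bytewise");
    T item;
    std::memcpy(&item, untrustedBytes, sizeof(T));
    if constexpr (HasIsValid<T>) {
        if (!item.isValid())
            return std::nullopt;
    }
    return item;
}

bool copiesValidResourceRef()
{
    ResourceRefItem in { 3 };  // constructed in-range index
    auto out = safeCopy<ResourceRefItem>(&in);
    return out && out->index == 3;
}

bool rejectsOutOfRangeResourceRef()
{
    ResourceRefItem in { 1000 };  // constructed out-of-range index: the case validation must reject
    return !safeCopy<ResourceRefItem>(&in).has_value();
}

bool copiesPlainItem()
{
    TranslateItem in { 1.5f, -2.0f };  // no isValid(), copied as-is
    auto out = safeCopy<TranslateItem>(&in);
    return out && out->dx == 1.5f && out->dy == -2.0f;
}

int main()
{
    std::cout << "valid ref copied: " << copiesValidResourceRef() << "\n"
              << "invalid ref rejected: " << rejectsOutOfRangeResourceRef() << "\n"
              << "plain item copied: " << copiesPlainItem() << "\n";
    return 0;
}
```

The point of the trait is that validation is opt-in per item type at compile time: `if constexpr (HasIsValid<T>)` compiles the check only for types that define `isValid()`, so no per-type dispatch table has to be kept in sync with the set of item types.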
youenn fablet
Comment 6 2021-01-22 01:05:29 PST
youenn fablet
Comment 7 2021-01-22 01:06:03 PST
Thanks for the review.

> > Source/WebCore/platform/graphics/displaylists/DisplayListItemBuffer.cpp:559
> > +bool ItemHandle::decodeInto(ItemHandle destination) const
>
> Nit - I think the notion of "copying" is more accurate here than "decoding"
> (the latter of which sounds like it would involve marshaling of data to and
> from buffers, à la IPC encoding/decoding). Perhaps "createValidCopy" or
> "copyWithValidation"?

I changed to safeCopy.
EWS
Comment 8 2021-01-22 01:34:16 PST
Committed r271741: <https://trac.webkit.org/changeset/271741>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 418117 [details].