Bug 234724

Summary: SharedBuffer::takeData() is still dangerous
Product: WebKit
Reporter: Jean-Yves Avenard [:jya] <jean-yves.avenard>
Component: WebCore Misc.
Assignee: Jean-Yves Avenard [:jya] <jean-yves.avenard>
Status: RESOLVED FIXED
Severity: Normal
CC: darin, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: Other
Hardware: Unspecified
OS: Unspecified
See Also: https://bugs.webkit.org/show_bug.cgi?id=228161
Bug Depends on:
Bug Blocks: 232424
Attachments: Patch (Flags: none)

Description Jean-Yves Avenard [:jya] 2021-12-28 06:55:22 PST
This issue was first addressed in bug 228161.

What this change did was to ensure that there was only one reference to the SharedBuffer before taking the data's vector; otherwise it would return a copy instead.

But this isn't a sufficient condition to ensure that the DataSegment itself isn't shared. The same DataSegment can be shared across multiple SharedBuffers.

Consider the following code:

auto buffer = SharedBuffer::create("my_data", 7);
auto copy = buffer->copy();

auto innerData = copy->extractData();

Now the original SharedBuffer `buffer` is empty (but still has a size of 7), as SharedBuffer::copy() will only do a shallow copy of the SharedBuffer.

This is what caused the remaining errors in bug 232424.
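As an added illustration (not WebKit's code; a simplified ModelBuffer/DataSegment pair stands in for SharedBuffer and its segment), the scenario from the description run two ways: first with the insufficient check on the outer buffer's refcount alone, then with the segment's refcount checked as well.

```cpp
// Added model (not WebKit's code) of a SharedBuffer that holds a ref-counted
// DataSegment. It shows why checking only the outer buffer's refcount before
// moving the vector out is not enough: copy() shares the segment.
#include <cstddef>
#include <memory>
#include <utility>
#include <vector>

struct DataSegment { std::vector<char> data; };

struct ModelBuffer {
    std::shared_ptr<DataSegment> segment;   // may be shared by several buffers
    size_t size = 0;                         // cached length, not recomputed

    static std::shared_ptr<ModelBuffer> create(const char* bytes, size_t length) {
        auto buffer = std::make_shared<ModelBuffer>();
        buffer->segment = std::make_shared<DataSegment>();
        buffer->segment->data.assign(bytes, bytes + length);
        buffer->size = length;
        return buffer;
    }
    // Shallow copy: the new buffer points at the same DataSegment.
    std::shared_ptr<ModelBuffer> copy() const {
        auto buffer = std::make_shared<ModelBuffer>();
        buffer->segment = segment;
        buffer->size = size;
        return buffer;
    }
};

// Take the bytes out of `buffer`, moving when it is safe, copying otherwise.
// checkSegment=false reproduces the insufficient condition from the report
// (only the buffer's own refcount); true adds the DataSegment refcount check.
std::vector<char> takeData(const std::shared_ptr<ModelBuffer>& buffer, bool checkSegment) {
    bool bufferUnshared = buffer.use_count() == 1;
    bool segmentUnshared = buffer->segment.use_count() == 1;
    if (bufferUnshared && (!checkSegment || segmentUnshared))
        return std::move(buffer->segment->data);  // steals from a possibly shared segment
    return buffer->segment->data;                 // safe: return a copy
}

struct Outcome { size_t taken; size_t leftInOriginal; size_t reportedSize; };

// The scenario from the description: create, shallow-copy, take from the copy.
Outcome runScenario(bool checkSegment) {
    auto buffer = ModelBuffer::create("my_data", 7);
    auto copy = buffer->copy();
    auto innerData = takeData(copy, checkSegment);
    return { innerData.size(), buffer->segment->data.size(), buffer->size };
}
```

With `checkSegment=false` the original buffer is left with 0 bytes while still reporting a size of 7; with the segment check it keeps all 7 bytes and the caller receives a copy.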
Comment 1 Radar WebKit Bug Importer 2021-12-28 06:55:56 PST
<rdar://problem/86957233>
Comment 2 Jean-Yves Avenard [:jya] 2021-12-28 16:20:33 PST
Created attachment 448059 [details]
Patch
Comment 3 EWS 2021-12-30 19:21:19 PST
Committed r287489 (245624@main): <https://commits.webkit.org/245624@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 448059 [details].