RESOLVED FIXED 173803
Assert that callback ID is not 0 or -1 during encoding and decoding 
https://bugs.webkit.org/show_bug.cgi?id=173803
Summary Assert that callback ID is not 0 or -1 during encoding and decoding
Ryosuke Niwa
Reported 2017-06-23 21:02:48 PDT
To diagnose a hang inside the m_callbacks in WebPageProxy, assert that callbackID is not 0 or -1 in IPC message encode/decode code
Attachments
Adds assertion (129.96 KB, patch)
2017-06-23 22:58 PDT, Ryosuke Niwa 		no flags
DetailsFormatted DiffDiff
Fixed iOS build (161.77 KB, patch)
2017-06-23 23:25 PDT, Ryosuke Niwa 		no flags
DetailsFormatted DiffDiff
WPE build fix attempt (162.79 KB, patch)
2017-06-23 23:35 PDT, Ryosuke Niwa 		no flags
DetailsFormatted DiffDiff
Another WPE build fix attempt (167.48 KB, patch)
2017-06-23 23:55 PDT, Ryosuke Niwa 		no flags
DetailsFormatted DiffDiff
Yet another WPE build fix attempt (167.70 KB, patch)
2017-06-24 00:07 PDT, Ryosuke Niwa 		no flags
DetailsFormatted DiffDiff
More GTK+ and WPE build fixes (171.03 KB, patch)
2017-06-24 00:21 PDT, Ryosuke Niwa 		no flags
DetailsFormatted DiffDiff
Another GTK+ and WPE build fixes (171.00 KB, patch)
2017-06-24 00:28 PDT, Ryosuke Niwa 		no flags
DetailsFormatted DiffDiff
Yet another GTK+ and WPE build fixes (171.01 KB, patch)
2017-06-24 00:38 PDT, Ryosuke Niwa 		no flags
DetailsFormatted DiffDiff
Even more GTK+ and WPE build fixes (172.47 KB, patch)
2017-06-24 00:47 PDT, Ryosuke Niwa 		no flags
DetailsFormatted DiffDiff
Another GTK+ build fix (172.96 KB, patch)
2017-06-24 00:53 PDT, Ryosuke Niwa 		no flags
DetailsFormatted DiffDiff
Updated per Dan's comments (168.26 KB, patch)
2017-06-25 21:34 PDT, Ryosuke Niwa 		beidson: review+
DetailsFormatted DiffDiff
Show Obsolete (10) View All Add attachment proposed patch, testcase, etc.
Ryosuke Niwa
Comment 1 2017-06-23 22:58:55 PDT
Created attachment 313771 [details] Adds assertion
Ryosuke Niwa
Comment 2 2017-06-23 23:25:40 PDT
Created attachment 313773 [details] Fixed iOS build
Ryosuke Niwa
Comment 3 2017-06-23 23:35:10 PDT
Created attachment 313774 [details] WPE build fix attempt
Ryosuke Niwa
Comment 4 2017-06-23 23:55:31 PDT
Created attachment 313775 [details] Another WPE build fix attempt
Ryosuke Niwa
Comment 5 2017-06-24 00:07:33 PDT
Created attachment 313776 [details] Yet another WPE build fix attempt
Ryosuke Niwa
Comment 6 2017-06-24 00:21:25 PDT
Created attachment 313777 [details] More GTK+ and WPE build fixes
Ryosuke Niwa
Comment 7 2017-06-24 00:28:35 PDT
Created attachment 313779 [details] Another GTK+ and WPE build fixes
Ryosuke Niwa
Comment 8 2017-06-24 00:38:38 PDT
Created attachment 313780 [details] Yet another GTK+ and WPE build fixes
Ryosuke Niwa
Comment 9 2017-06-24 00:47:47 PDT
Created attachment 313781 [details] Even more GTK+ and WPE build fixes
Ryosuke Niwa
Comment 10 2017-06-24 00:53:32 PDT
Created attachment 313782 [details] Another GTK+ build fix
Radar WebKit Bug Importer
Comment 11 2017-06-24 01:09:45 PDT
<rdar://problem/32964323>
mitz
Comment 12 2017-06-24 08:04:23 PDT
Comment on attachment 313782 [details] Another GTK+ build fix View in context: https://bugs.webkit.org/attachment.cgi?id=313782&action=review > Source/WebKit2/ChangeLog:47 > + (WebKit::SpecificCallbackMap): Added. Used in WebCookieManagerProxy. In earlier work, we replaced specific maps with generic ones. Why keep the ones in WebCookieManagerProxy separate? > Source/WebKit2/ChangeLog:646 > +>>>>>>> .r218782 Stray conflict marker.
Ryosuke Niwa
Comment 13 2017-06-25 21:33:49 PDT
(In reply to mitz from comment #12) > Comment on attachment 313782 [details] > Another GTK+ build fix > > View in context: > https://bugs.webkit.org/attachment.cgi?id=313782&action=review > > > Source/WebKit2/ChangeLog:47 > > + (WebKit::SpecificCallbackMap): Added. Used in WebCookieManagerProxy. > > In earlier work, we replaced specific maps with generic ones. Why keep the > ones in WebCookieManagerProxy separate? Okay, I wasn't aware of that refactoring effort. Fixed. > > Source/WebKit2/ChangeLog:646 > > +>>>>>>> .r218782 > > Stray conflict marker. Removed.
Ryosuke Niwa
Comment 14 2017-06-25 21:34:08 PDT
Created attachment 313820 [details] Updated per Dan's comments
Chris Dumez
Comment 15 2017-06-25 21:59:55 PDT
We don’t really need this anymore, do we? I think adding MESSAGE_CHECKs on UI process side for hardening would likely suffice to protect against this in the future.
Ryosuke Niwa
Comment 16 2017-06-26 00:53:48 PDT
(In reply to Chris Dumez from comment #15) > We don’t really need this anymore, do we? I think adding MESSAGE_CHECKs on > UI process side for hardening would likely suffice to protect against this > in the future. I think it's still useful to wrap CallbackID in a class so that we can easily add diagnostics in the future. For example, we should really be making the decode() function fail when a callbackID is not optional and it's 0 or -1.
Geoffrey Garen
Comment 17 2017-06-26 11:02:53 PDT
Comment on attachment 313820 [details] Updated per Dan's comments View in context: https://bugs.webkit.org/attachment.cgi?id=313820&action=review > Source/WebKit2/Shared/OptionalCallbackID.h:62 > + static ALWAYS_INLINE bool isValidCallbackID(uint64_t rawId) > + { > + return !HashTraits<uint64_t>::isDeletedValue(rawId); > + } Why do we consider emptyValue() to be valid? Isn't that the bug we're trying to catch?
Ryosuke Niwa
Comment 18 2017-06-26 11:04:01 PDT
(In reply to Geoffrey Garen from comment #17) > Comment on attachment 313820 [details] > Updated per Dan's comments > > View in context: > https://bugs.webkit.org/attachment.cgi?id=313820&action=review > > > Source/WebKit2/Shared/OptionalCallbackID.h:62 > > + static ALWAYS_INLINE bool isValidCallbackID(uint64_t rawId) > > + { > > + return !HashTraits<uint64_t>::isDeletedValue(rawId); > > + } > > Why do we consider emptyValue() to be valid? Isn't that the bug we're trying > to catch? For OptionalCallbackID, we use 0 to mean it's not set. I have a separate release assertion when the value is used like WTF::Optional.
Brady Eidson
Comment 19 2017-06-27 15:03:19 PDT
Comment on attachment 313820 [details] Updated per Dan's comments View in context: https://bugs.webkit.org/attachment.cgi?id=313820&action=review > Source/WebKit2/Shared/CallbackID.h:35 > +namespace WTF { > + > +struct CallbackIDHash; > + > +} I don't usually see empty lines between namespace and forward decls like this. > Source/WebKit2/UIProcess/GenericCallback.h:209 > + // FIXME: Every caller should pass in activityToken > + template<typename... T> > + CallbackID put(Function<void(T...)>&& function) > + { > + auto callback = GenericCallbackType<sizeof...(T), T...>::type::create(WTFMove(function)); > + return put(WTFMove(callback)); > + } Is it okay to punt on this FIXME right now?
Ryosuke Niwa
Comment 20 2017-06-27 15:06:23 PDT
(In reply to Brady Eidson from comment #19) > Comment on attachment 313820 [details] > Updated per Dan's comments > > View in context: > https://bugs.webkit.org/attachment.cgi?id=313820&action=review > > > Source/WebKit2/Shared/CallbackID.h:35 > > +namespace WTF { > > + > > +struct CallbackIDHash; > > + > > +} > > I don't usually see empty lines between namespace and forward decls like > this. > > > Source/WebKit2/UIProcess/GenericCallback.h:209 > > + // FIXME: Every caller should pass in activityToken > > + template<typename... T> > > + CallbackID put(Function<void(T...)>&& function) > > + { > > + auto callback = GenericCallbackType<sizeof...(T), T...>::type::create(WTFMove(function)); > > + return put(WTFMove(callback)); > > + } > > Is it okay to punt on this FIXME right now? I wanted to fix it in a separate patch at least to reduce the chance of this patch introducing a new regression.
Brady Eidson
Comment 21 2017-06-28 16:05:15 PDT
(In reply to Ryosuke Niwa from comment #20) > (In reply to Brady Eidson from comment #19) > > Comment on attachment 313820 [details] > > Updated per Dan's comments > > > > View in context: > > https://bugs.webkit.org/attachment.cgi?id=313820&action=review > > > > > Source/WebKit2/Shared/CallbackID.h:35 > > > +namespace WTF { > > > + > > > +struct CallbackIDHash; > > > + > > > +} > > > > I don't usually see empty lines between namespace and forward decls like > > this. > > > > > Source/WebKit2/UIProcess/GenericCallback.h:209 > > > + // FIXME: Every caller should pass in activityToken > > > + template<typename... T> > > > + CallbackID put(Function<void(T...)>&& function) > > > + { > > > + auto callback = GenericCallbackType<sizeof...(T), T...>::type::create(WTFMove(function)); > > > + return put(WTFMove(callback)); > > > + } > > > > Is it okay to punt on this FIXME right now? > > I wanted to fix it in a separate patch at least to reduce the chance of this > patch introducing a new regression. Could we file a bug and include it in the comment?
Ryosuke Niwa
Comment 22 2017-06-29 20:03:36 PDT
(In reply to Brady Eidson from comment #21) > (In reply to Ryosuke Niwa from comment #20) > > (In reply to Brady Eidson from comment #19) > > > Comment on attachment 313820 [details] > > > Updated per Dan's comments > > > > > > View in context: > > > https://bugs.webkit.org/attachment.cgi?id=313820&action=review > > > > > > > Source/WebKit2/Shared/CallbackID.h:35 > > > > +namespace WTF { > > > > + > > > > +struct CallbackIDHash; > > > > + > > > > +} > > > > > > I don't usually see empty lines between namespace and forward decls like > > > this. > > > > > > > Source/WebKit2/UIProcess/GenericCallback.h:209 > > > > + // FIXME: Every caller should pass in activityToken > > > > + template<typename... T> > > > > + CallbackID put(Function<void(T...)>&& function) > > > > + { > > > > + auto callback = GenericCallbackType<sizeof...(T), T...>::type::create(WTFMove(function)); > > > > + return put(WTFMove(callback)); > > > > + } > > > > > > Is it okay to punt on this FIXME right now? > > > > I wanted to fix it in a separate patch at least to reduce the chance of this > > patch introducing a new regression. > > Could we file a bug and include it in the comment? Filed https://bugs.webkit.org/show_bug.cgi?id=174007 to track this. Thanks for the review.
Ryosuke Niwa
Comment 23 2017-06-29 20:03:56 PDT
Committed r218985: <http://trac.webkit.org/changeset/218985>
Note You need to log in before you can comment on or make changes to this bug.