Bug 234724 - SharedBuffer::takeData() is still dangerous
Summary: SharedBuffer::takeData() is still dangerous
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc. (show other bugs)
Version: Other
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Jean-Yves Avenard [:jya]
URL:
Keywords: InRadar
Depends on:
Blocks: 232424
  Show dependency treegraph
 
Reported: 2021-12-28 06:55 PST by Jean-Yves Avenard [:jya]
Modified: 2021-12-30 19:21 PST (History)
2 users (show)

See Also:


Attachments
Patch (4.11 KB, patch)
2021-12-28 16:20 PST, Jean-Yves Avenard [:jya]
no flags Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Jean-Yves Avenard [:jya] 2021-12-28 06:55:22 PST
This issue was first addressed in bug 228161

What this change did was to ensure that there was only one reference to the SharedBuffer before taking the data's vector otherwise would return a copy instead.

But this isn't a sufficient condition to ensure that the DataSegment itself isn't shared. The same DataSegment can be shared across multiple SharedBuffers

Consider the following code:

auto buffer = SharedBuffer::create("my_data", 7);
auto copy = buffer->copy();

auto innerData = copy->extractData();

now the original SharedBuffer `buffer` is empty (but still has a size of 7) as SharedBuffer::copy() will only do a shallow copy of the SharedBuffer.

This is what caused the remaining errors in bug 232424.
Comment 1 Radar WebKit Bug Importer 2021-12-28 06:55:56 PST
<rdar://problem/86957233>
Comment 2 Jean-Yves Avenard [:jya] 2021-12-28 16:20:33 PST
Created attachment 448059 [details]
Patch
Comment 3 EWS 2021-12-30 19:21:19 PST
Committed r287489 (245624@main): <https://commits.webkit.org/245624@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 448059 [details].