Bug 234724 (RESOLVED FIXED)
SharedBuffer::takeData() is still dangerous
https://bugs.webkit.org/show_bug.cgi?id=234724
Jean-Yves Avenard [:jya]
Reported 2021-12-28 06:55:22 PST
This issue was first addressed in bug 228161. What this change did was to ensure that there was only one reference to the SharedBuffer before taking the data's vector; otherwise it would return a copy instead.

But this isn't a sufficient condition to ensure that the DataSegment itself isn't shared. The same DataSegment can be shared across multiple SharedBuffers.

Consider the following code:

    auto buffer = SharedBuffer::create("my_data", 7);
    auto copy = buffer->copy();
    auto innerData = copy->extractData();

Now the original SharedBuffer `buffer` is empty (but still has a size of 7), as SharedBuffer::copy() will only do a shallow copy of the SharedBuffer.

This is what caused the remaining errors in bug 232424.
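The sharing described in the report is easier to see in a small model. The code below is an added example written for this page, not WebKit's SharedBuffer and not the patch that landed: a DataSegment owns the bytes, a SharedBuffer holds a shared_ptr to one segment plus a cached size, and copy() is shallow. takeDataChecksBufferOnly models the bug 228161 condition as the report summarizes it (only the buffer's own reference count is checked); takeDataChecksSegment is an assumed hardening that also refuses to steal the bytes while the segment itself is shared. The struct and function names are this example's own.

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>
#include <utility>
#include <vector>

// Constructed model of the pattern in the report (not WebKit's code).
struct DataSegment {
    std::vector<char> bytes;
};

struct SharedBuffer {
    std::shared_ptr<DataSegment> segment;  // may be shared with other buffers
    size_t cachedSize = 0;                 // size recorded at creation/copy time

    static std::shared_ptr<SharedBuffer> create(const char* data, size_t len) {
        auto buf = std::make_shared<SharedBuffer>();
        buf->segment = std::make_shared<DataSegment>();
        buf->segment->bytes.assign(data, data + len);
        buf->cachedSize = len;
        return buf;
    }

    // Shallow copy: the new buffer shares the same DataSegment.
    std::shared_ptr<SharedBuffer> copy() const {
        auto buf = std::make_shared<SharedBuffer>();
        buf->segment = segment;
        buf->cachedSize = cachedSize;
        return buf;
    }

    size_t size() const { return cachedSize; }
};

// Condition from bug 228161 as the report summarizes it: move the vector out
// only when this is the sole reference to the SharedBuffer, else copy. It does
// not look at whether the DataSegment is shared, so the move can hollow out
// every other buffer that points at the same segment.
std::vector<char> takeDataChecksBufferOnly(std::shared_ptr<SharedBuffer>& self) {
    if (self.use_count() != 1)
        return self->segment->bytes;  // deep copy
    std::vector<char> out;
    out.swap(self->segment->bytes);   // steal: leaves the shared segment empty
    return out;
}

// Assumed hardening (not the landed patch): the bytes may only be stolen when
// both the buffer and its segment are unshared; otherwise return a deep copy.
std::vector<char> takeDataChecksSegment(std::shared_ptr<SharedBuffer>& self) {
    if (self.use_count() != 1 || self->segment.use_count() != 1)
        return self->segment->bytes;
    std::vector<char> out;
    out.swap(self->segment->bytes);
    return out;
}

struct Outcome {
    size_t reportedSize;   // what buffer->size() still claims
    size_t actualBytes;    // bytes really left in buffer's segment
    size_t extractedBytes; // bytes the caller received
};

// Reproduces the report's three lines: create, shallow copy, take data from the
// copy, then inspect what happened to the original buffer.
Outcome scenario(bool useSegmentCheck) {
    auto buffer = SharedBuffer::create("my_data", 7);
    auto copy = buffer->copy();
    std::vector<char> innerData = useSegmentCheck ? takeDataChecksSegment(copy)
                                                  : takeDataChecksBufferOnly(copy);
    return { buffer->size(), buffer->segment->bytes.size(), innerData.size() };
}

int main() {
    Outcome bad = scenario(false);
    Outcome good = scenario(true);
    std::printf("buffer-only check: size()=%zu, real bytes=%zu, extracted=%zu\n",
                bad.reportedSize, bad.actualBytes, bad.extractedBytes);
    std::printf("segment check:     size()=%zu, real bytes=%zu, extracted=%zu\n",
                good.reportedSize, good.actualBytes, good.extractedBytes);
    return 0;
}
```

With the buffer-only check the original still reports size 7 while its segment holds 0 bytes, which is exactly the stale-size state the report describes; with the segment check the original keeps its 7 bytes and the caller gets a copy.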
Attachments
Patch (4.11 KB, patch), 2021-12-28 16:20 PST, Jean-Yves Avenard [:jya], no flags
Comment 1, Radar WebKit Bug Importer, 2021-12-28 06:55:56 PST
Comment 2, Jean-Yves Avenard [:jya], 2021-12-28 16:20:33 PST
Comment 3, EWS, 2021-12-30 19:21:19 PST
Committed r287489 (245624@main): <https://commits.webkit.org/245624@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 448059 [details].