NEW 238495
IPC::Connection::connection(UniqueID) makes thread-safe IPC::Connection harder to implement 
https://bugs.webkit.org/show_bug.cgi?id=238495
Summary IPC::Connection::connection(UniqueID) makes thread-safe IPC::Connection harde...
Kimmo Kinnunen
Reported 2022-03-29 02:01:15 PDT
IPC::Connection::connection(UniqueID) makes thread-safe IPC::Connection harder
Attachments
Patch (7.27 KB, patch)
2022-03-29 02:05 PDT, Kimmo Kinnunen 		kkinnunen: review?
ews-feeder: commit-queue-
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Kimmo Kinnunen
Comment 1 2022-03-29 02:05:43 PDT
Created attachment 456007 [details] Patch
Chris Dumez
Comment 2 2022-03-31 10:21:06 PDT
Comment on attachment 456007 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=456007&action=review > Source/WebKit/NetworkProcess/NetworkBroadcastChannelRegistry.cpp:63 > + auto& connectionIdentifiersForName = channelsForOrigin.ensure(name, [] { return Vector<IPC::Connection*> { }; }).iterator->value; // NOLINT Curious, what is this NOLINT about? First time I see it. I am not aware that it is a thing in WebKit? > Source/WebKit/NetworkProcess/NetworkBroadcastChannelRegistry.h:56 > + using NameToConnectionIdentifiersMap = HashMap<String, Vector<IPC::Connection*>>; We don't store raw pointers in containers in WebKit anymore because of UAF risks. We may want to use a WeakPtr<>.
Kimmo Kinnunen
Comment 3 2022-04-04 01:49:00 PDT
(In reply to Chris Dumez from comment #2) > Comment on attachment 456007 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=456007&action=review > > > Source/WebKit/NetworkProcess/NetworkBroadcastChannelRegistry.cpp:63 > > + auto& connectionIdentifiersForName = channelsForOrigin.ensure(name, [] { return Vector<IPC::Connection*> { }; }).iterator->value; // NOLINT > > Curious, what is this NOLINT about? First time I see it. I am not aware that > it is a thing in WebKit? git grep NOLINT Source/WebCore Source/WebKit Source/WTF Source/JavaScriptCore | wc -l 104 It's a workaround for case where where webkit style check regular expressions fail. It is implemented in the webkit style checker. > > Source/WebKit/NetworkProcess/NetworkBroadcastChannelRegistry.h:56 > > + using NameToConnectionIdentifiersMap = HashMap<String, Vector<IPC::Connection*>>; > > We don't store raw pointers in containers in WebKit anymore because of UAF > risks. We may want to use a WeakPtr<>. WeakPtrs of cross-thread objects are an oxymoron.
Kimmo Kinnunen
Comment 4 2022-04-04 06:13:58 PDT
>> We don't store raw pointers in containers in WebKit anymore because of UAF >> risks. We may want to use a WeakPtr<>. > WeakPtrs of cross-thread objects are an oxymoron. And to elaborate: currently we don't have useful abstraction for holding cross-thread object without a Ref in a thread-safe manner. It is generally a sign of a bug if WeakPtrs are being used for ThreadSafeRefCounted objects. However, if we don't think that's an issue for today, maybe these objects are only used in main thread, and IPC::Connections are created and destroyed in main thread, so it should work. I can try this if there's no better options and RefPtrs nor raw pointers are appropriate..
Radar WebKit Bug Importer
Comment 5 2022-04-05 02:02:22 PDT
<rdar://problem/91283581>
Note You need to log in before you can comment on or make changes to this bug.