Title: [235739] trunk/Source/WebKit
Revision
235739
Author
[email protected]
Date
2018-09-06 09:12:00 -0700 (Thu, 06 Sep 2018)

Log Message

WebKit/Platform/IPC/mac/ConnectionMac.mm:222: _dispatch_bug_kevent_vanished
https://bugs.webkit.org/show_bug.cgi?id=189314
<rdar://problem/41248286>

Reviewed by Anders Carlsson.

There is a short period in time when m_isServer is true, after open() has been
called, but before we've received the InitializeConnection IPC, where m_receiveSource
has been initialized but m_isConnected is still false. If platformInvalidate() gets
called during this period of time, we would fail to cancel / release m_receiveSource
and we would forcefully deallocate m_receivePort, leading to the libdispatch simulated
crashes.

To address the issue, platformInvalidate() now properly cancels / releases
m_receiveSource if present, and only deallocates m_receivePort manually if m_receiveSource
has not been initialized (i.e. open() has not been called yet).

* Platform/IPC/Connection.h:
* Platform/IPC/mac/ConnectionMac.mm:
(IPC::Connection::platformInvalidate):
(IPC::Connection::clearReceiveSource):

Modified Paths

Diff

Modified: trunk/Source/WebKit/ChangeLog (235738 => 235739)


--- trunk/Source/WebKit/ChangeLog	2018-09-06 16:01:05 UTC (rev 235738)
+++ trunk/Source/WebKit/ChangeLog	2018-09-06 16:12:00 UTC (rev 235739)
@@ -1,3 +1,27 @@
+2018-09-06  Chris Dumez  <[email protected]>
+
+        WebKit/Platform/IPC/mac/ConnectionMac.mm:222: _dispatch_bug_kevent_vanished
+        https://bugs.webkit.org/show_bug.cgi?id=189314
+        <rdar://problem/41248286>
+
+        Reviewed by Anders Carlsson.
+
+        There is a short period in time when m_isServer is true, after open() has been
+        called, but before we've receive the InitializeConnection IPC, where m_receiveSource
+        has been initialized but m_isConnected is still false. If platformInvalidate() gets
+        called during this period of time, we would fail to cancel / release m_receiveSource
+        and we would forcefully deallocate m_receivePort, leading to the libdispatch simulated
+        crashes.
+
+        To address the issue, platformInvalidate() now properly cancels / releases
+        m_receiveSource if present, and only deallocates m_receivePort manually if m_receiveSource
+        has not been initialized (i.e. open() has not been called yet).
+
+        * Platform/IPC/Connection.h:
+        * Platform/IPC/mac/ConnectionMac.mm:
+        (IPC::Connection::platformInvalidate):
+        (IPC::Connection::clearReceiveSource):
+
 2018-09-05  David Kilzer  <[email protected]>
 
         REGRESSION (r235489): WKSharingServicePickerDelegate.mm accidentally added back to Sources in WebKit project
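Review bot: the function named in the ChangeLog entry, `(IPC::Connection::clearReceiveSource):`, does not exist in this patch; the header and .mm hunks declare and define `cancelReceiveSource()`, so the entry should read `(IPC::Connection::cancelReceiveSource):`. Minor: "before we've receive the InitializeConnection IPC" should be "before we've received".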

Modified: trunk/Source/WebKit/Platform/IPC/Connection.h (235738 => 235739)


--- trunk/Source/WebKit/Platform/IPC/Connection.h	2018-09-06 16:01:05 UTC (rev 235738)
+++ trunk/Source/WebKit/Platform/IPC/Connection.h	2018-09-06 16:12:00 UTC (rev 235739)
@@ -357,6 +357,7 @@
     void receiveSourceEventHandler();
     void initializeSendSource();
     void resumeSendSource();
+    void cancelReceiveSource();
 
     mach_port_t m_sendPort { MACH_PORT_NULL };
     dispatch_source_t m_sendSource { nullptr };

Modified: trunk/Source/WebKit/Platform/IPC/mac/ConnectionMac.mm (235738 => 235739)


--- trunk/Source/WebKit/Platform/IPC/mac/ConnectionMac.mm	2018-09-06 16:01:05 UTC (rev 235738)
+++ trunk/Source/WebKit/Platform/IPC/mac/ConnectionMac.mm	2018-09-06 16:12:00 UTC (rev 235739)
@@ -116,11 +116,21 @@
 {
     if (!m_isConnected) {
         if (m_sendPort) {
+            ASSERT(!m_isServer);
             deallocateSendRightSafely(m_sendPort);
             m_sendPort = MACH_PORT_NULL;
         }
 
+        if (m_receiveSource) {
+            // For a short period of time, when m_isServer is true and open() has been called, m_receiveSource has been initialized
+            // but m_isConnected has not been set to true yet. In this case, we need to cancel m_receiveSource instead of destroying
+            // m_receivePort ourselves.
+            ASSERT(m_isServer);
+            cancelReceiveSource();
+        }
+
         if (m_receivePort) {
+            ASSERT(m_isServer);
 #if !PLATFORM(WATCHOS)
             mach_port_unguard(mach_task_self(), m_receivePort, reinterpret_cast<mach_port_context_t>(this));
 #endif
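Review bot: the new `if (m_receiveSource)` block and the existing `if (m_receivePort)` block are not mutually exclusive, so both run in the same call unless cancelReceiveSource() resets m_receivePort; if the dispatch source's cancel handler is what unguards and releases the receive right, the manual `mach_port_unguard(...)` / deallocation that follows here would act on a port that is already being released. The visible part of the cancelReceiveSource() body in the next hunk only clears m_receiveSource, so either set `m_receivePort = MACH_PORT_NULL;` inside cancelReceiveSource() or make the port block an `else` of the source block, and say in the comment which path owns the port.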
@@ -144,6 +154,11 @@
     m_sendSource = nullptr;
     m_sendPort = MACH_PORT_NULL;
 
+    cancelReceiveSource();
+}
+
+void Connection::cancelReceiveSource()
+{
     dispatch_source_cancel(m_receiveSource);
     dispatch_release(m_receiveSource);
     m_receiveSource = nullptr;
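Review bot: cancelReceiveSource() dereferences m_receiveSource unconditionally while its new caller in platformInvalidate() is guarded by `if (m_receiveSource)`; add `ASSERT(m_receiveSource);` at the top so the precondition is explicit for the connected-path caller as well. Also worth a comment here: dispatch_source_cancel() is asynchronous, so a cancel handler registered on m_receiveSource runs later on the source's queue, and anything it touches (the receive port, `this`) must stay valid until then even though the source reference is released immediately below.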
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes