Title: [237319] branches/safari-606-branch/Source/WebKit
Revision: 237319
Author: [email protected]
Date: 2018-10-22 00:19:36 -0700 (Mon, 22 Oct 2018)
Log Message
Cherry-pick r235739. rdar://problem/45445194
WebKit/Platform/IPC/mac/ConnectionMac.mm:222: _dispatch_bug_kevent_vanished
https://bugs.webkit.org/show_bug.cgi?id=189314
<rdar://problem/41248286>
Reviewed by Anders Carlsson.
There is a short period in time when m_isServer is true, after open() has been
called, but before we've received the InitializeConnection IPC, where m_receiveSource
has been initialized but m_isConnected is still false. If platformInvalidate() gets
called during this period of time, we would fail to cancel / release m_receiveSource
and we would forcefully deallocate m_receivePort, leading to the libdispatch simulated
crashes.
To address the issue, platformInvalidate() now properly cancels / releases
m_receiveSource if present, and only deallocates m_receivePort manually if m_receiveSource
has not been initialized (i.e. open() has not been called yet).
* Platform/IPC/Connection.h:
* Platform/IPC/mac/ConnectionMac.mm:
(IPC::Connection::platformInvalidate):
(IPC::Connection::clearReceiveSource):
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@235739 268f45cc-cd09-0410-ab3c-d52691b4dbfc
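The teardown window the log message describes, as an added example that is neither WebKit's code nor part of the patch: a constructed C model of a server-side Connection whose receive source owns the Mach receive right, run through both the pre-fix and post-fix invalidate logic while m_isConnected is still false. The port table, the Source stand-in for dispatch_source_t and the Outcome type are constructed for the model. Two points are assumptions taken from the description rather than from the visible diff: that the source's cancel handler is what releases the receive right it watches, and that cancelling the source also clears m_receivePort.

```c
/* Constructed model, not WebKit code: a Mach receive right is a refcount slot in
 * a small table, and a "dispatch source" is a struct that owns one right. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

enum { PORT_NULL = 0, MAX_PORTS = 64 };
static int g_recv_refs[MAX_PORTS];   /* receive-right refcount per port name */
static int g_next_port = 1;

static int port_alloc(void) { int p = g_next_port++; g_recv_refs[p] = 1; return p; }

/* Drop the receive right; -1 when it is already gone, the model's analogue of
 * libdispatch reporting that the kevent behind a source has vanished. */
static int port_release_receive(int port) {
    if (port == PORT_NULL || g_recv_refs[port] <= 0) return -1;
    g_recv_refs[port]--;
    return 0;
}

typedef struct { int port; } Source;   /* stands in for dispatch_source_t */

typedef struct {
    bool isServer, isConnected;
    Source *receiveSource;
    int receivePort;
    int vanished;                      /* releases that hit a dead right */
} Connection;

/* dispatch_source_cancel() + dispatch_release(). Assumed from the commit text:
 * the cancel handler releases the right the source owns, so the connection
 * must also forget the port (that line is not in the hunk shown). */
static void cancel_receive_source(Connection *c) {
    if (port_release_receive(c->receiveSource->port) != 0) c->vanished++;
    free(c->receiveSource);
    c->receiveSource = NULL;
    c->receivePort = PORT_NULL;
}

/* Server side of open(): the source exists from here on, but isConnected is
 * only set once the InitializeConnection message arrives. */
static void server_open(Connection *c) {
    c->isServer = true;
    c->receivePort = port_alloc();
    c->receiveSource = calloc(1, sizeof *c->receiveSource);
    c->receiveSource->port = c->receivePort;
}

static void release_port_by_hand(Connection *c) {
    if (port_release_receive(c->receivePort) != 0) c->vanished++;
    c->receivePort = PORT_NULL;
}

/* Pre-fix platformInvalidate(): inside the window the port is torn down by
 * hand while the source that watches it stays alive and uncancelled. */
static void invalidate_old(Connection *c) {
    if (!c->isConnected) {
        if (c->receivePort) release_port_by_hand(c);
        return;
    }
    cancel_receive_source(c);
}

/* Post-fix platformInvalidate(): cancel the source when there is one, and
 * release the port by hand only if no source ever took ownership of it. */
static void invalidate_new(Connection *c) {
    if (!c->isConnected) {
        if (c->receiveSource) cancel_receive_source(c);
        if (c->receivePort) release_port_by_hand(c);
        return;
    }
    cancel_receive_source(c);
}

typedef struct {
    bool source_outlived_invalidate;   /* source still alive after invalidate */
    int vanished;                      /* dead-right releases over the run */
    int refs_left;                     /* leaked receive refs at the end */
} Outcome;

/* Open as server, invalidate inside the window (before InitializeConnection),
 * then do the destructor-style cleanup of whatever was left behind. */
static Outcome run_window(bool fixed) {
    Connection c = {0};
    server_open(&c);
    int port = c.receivePort;
    (fixed ? invalidate_new : invalidate_old)(&c);
    Outcome o = { .source_outlived_invalidate = c.receiveSource != NULL };
    if (c.receiveSource) cancel_receive_source(&c);    /* ~Connection() */
    o.vanished = c.vanished;
    o.refs_left = g_recv_refs[port];
    return o;
}

int main(void) {
    Outcome old = run_window(false), fixed = run_window(true);
    printf("old:   outlived=%d vanished=%d refs=%d\n", old.source_outlived_invalidate, old.vanished, old.refs_left);
    printf("fixed: outlived=%d vanished=%d refs=%d\n", fixed.source_outlived_invalidate, fixed.vanished, fixed.refs_left);
    return 0;
}
```

With the old ordering the source survives invalidate and its eventual cancellation releases a right that was already destroyed by hand, which is the condition the model counts as vanished; with the new ordering the source is cancelled first and the manual release never runs, so the refcount reaches zero exactly once.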
Modified Paths
Diff
Modified: branches/safari-606-branch/Source/WebKit/ChangeLog (237318 => 237319)
--- branches/safari-606-branch/Source/WebKit/ChangeLog 2018-10-22 07:19:33 UTC (rev 237318)
+++ branches/safari-606-branch/Source/WebKit/ChangeLog 2018-10-22 07:19:36 UTC (rev 237319)
@@ -1,5 +1,58 @@
2018-10-21 Babak Shafiei <[email protected]>
+ Cherry-pick r235739. rdar://problem/45445194
+
+ WebKit/Platform/IPC/mac/ConnectionMac.mm:222: _dispatch_bug_kevent_vanished
+ https://bugs.webkit.org/show_bug.cgi?id=189314
+ <rdar://problem/41248286>
+
+ Reviewed by Anders Carlsson.
+
+ There is a short period in time when m_isServer is true, after open() has been
+ called, but before we've receive the InitializeConnection IPC, where m_receiveSource
+ has been initialized but m_isConnected is still false. If platformInvalidate() gets
+ called during this period of time, we would fail to cancel / release m_receiveSource
+ and we would forcefully deallocate m_receivePort, leading to the libdispatch simulated
+ crashes.
+
+ To address the issue, platformInvalidate() now properly cancels / releases
+ m_receiveSource if present, and only deallocates m_receivePort manually if m_receiveSource
+ has not been initialized (i.e. open() has not been called yet).
+
+ * Platform/IPC/Connection.h:
+ * Platform/IPC/mac/ConnectionMac.mm:
+ (IPC::Connection::platformInvalidate):
+ (IPC::Connection::clearReceiveSource):
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@235739 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2018-09-06 Chris Dumez <[email protected]>
+
+ WebKit/Platform/IPC/mac/ConnectionMac.mm:222: _dispatch_bug_kevent_vanished
+ https://bugs.webkit.org/show_bug.cgi?id=189314
+ <rdar://problem/41248286>
+
+ Reviewed by Anders Carlsson.
+
+ There is a short period in time when m_isServer is true, after open() has been
+ called, but before we've receive the InitializeConnection IPC, where m_receiveSource
+ has been initialized but m_isConnected is still false. If platformInvalidate() gets
+ called during this period of time, we would fail to cancel / release m_receiveSource
+ and we would forcefully deallocate m_receivePort, leading to the libdispatch simulated
+ crashes.
+
+ To address the issue, platformInvalidate() now properly cancels / releases
+ m_receiveSource if present, and only deallocates m_receivePort manually if m_receiveSource
+ has not been initialized (i.e. open() has not been called yet).
+
+ * Platform/IPC/Connection.h:
+ * Platform/IPC/mac/ConnectionMac.mm:
+ (IPC::Connection::platformInvalidate):
+ (IPC::Connection::clearReceiveSource):
+
+2018-10-21 Babak Shafiei <[email protected]>
+
Apply patch. rdar://problem/45285649
2018-10-21 Chris Dumez <[email protected]>
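Review bot: the function list in both copies of the ChangeLog entry names "(IPC::Connection::clearReceiveSource)", but the header and ConnectionMac.mm hunks add a method called cancelReceiveSource(); the entry should name the method that was actually added so that grepping the ChangeLog for the symbol finds this change.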
Modified: branches/safari-606-branch/Source/WebKit/Platform/IPC/Connection.h (237318 => 237319)
--- branches/safari-606-branch/Source/WebKit/Platform/IPC/Connection.h 2018-10-22 07:19:33 UTC (rev 237318)
+++ branches/safari-606-branch/Source/WebKit/Platform/IPC/Connection.h 2018-10-22 07:19:36 UTC (rev 237319)
@@ -349,6 +349,7 @@
void receiveSourceEventHandler();
void initializeSendSource();
void resumeSendSource();
+ void cancelReceiveSource();
mach_port_t m_sendPort { MACH_PORT_NULL };
dispatch_source_t m_sendSource { nullptr };
Modified: branches/safari-606-branch/Source/WebKit/Platform/IPC/mac/ConnectionMac.mm (237318 => 237319)
--- branches/safari-606-branch/Source/WebKit/Platform/IPC/mac/ConnectionMac.mm 2018-10-22 07:19:33 UTC (rev 237318)
+++ branches/safari-606-branch/Source/WebKit/Platform/IPC/mac/ConnectionMac.mm 2018-10-22 07:19:36 UTC (rev 237319)
@@ -116,11 +116,21 @@
{
if (!m_isConnected) {
if (m_sendPort) {
+ ASSERT(!m_isServer);
deallocateSendRightSafely(m_sendPort);
m_sendPort = MACH_PORT_NULL;
}
+ if (m_receiveSource) {
+ // For a short period of time, when m_isServer is true and open() has been called, m_receiveSource has been initialized
+ // but m_isConnected has not been set to true yet. In this case, we need to cancel m_receiveSource instead of destroying
+ // m_receivePort ourselves.
+ ASSERT(m_isServer);
+ cancelReceiveSource();
+ }
+
if (m_receivePort) {
+ ASSERT(m_isServer);
#if !PLATFORM(WATCHOS)
mach_port_unguard(mach_task_self(), m_receivePort, reinterpret_cast<mach_port_context_t>(this));
#endif
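Review bot: the new `if (m_receiveSource)` block neither returns nor clears m_receivePort, so when the source is present control falls through into `if (m_receivePort)` and unguards (and, per the description, deallocates) the very port whose release is now the cancelled source's job. That is only safe if cancelReceiveSource() resets m_receivePort to MACH_PORT_NULL, which is outside the context shown in the second hunk; make the dependency explicit, either by setting `m_receivePort = MACH_PORT_NULL;` inside cancelReceiveSource() with a comment, or by writing the second block as `else if (m_receivePort)`, so the "only deallocate manually if no source was created" rule from the log message is visible in the code rather than implied.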
@@ -144,6 +154,11 @@
m_sendSource = nullptr;
m_sendPort = MACH_PORT_NULL;
+ cancelReceiveSource();
+}
+
+void Connection::cancelReceiveSource()
+{
dispatch_source_cancel(m_receiveSource);
dispatch_release(m_receiveSource);
m_receiveSource = nullptr;
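Review bot: cancelReceiveSource() passes m_receiveSource to dispatch_source_cancel() without checking it, and the connected path at the end of platformInvalidate() now calls it unconditionally while the `!m_isConnected` path guards the call with `if (m_receiveSource)`. Add `ASSERT(m_receiveSource);` as the first line of the helper so the invariant that open() created the source is checked in debug builds, consistent with the ASSERT(m_isServer) checks added in the first hunk.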
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes