Modified: branches/safari-608-branch/Source/WebCore/ChangeLog (248067 => 248068)
--- branches/safari-608-branch/Source/WebCore/ChangeLog 2019-07-31 20:56:44 UTC (rev 248067)
+++ branches/safari-608-branch/Source/WebCore/ChangeLog 2019-07-31 20:56:46 UTC (rev 248068)
@@ -1,5 +1,64 @@
2019-07-31 Alan Coon <[email protected]>
+ Cherry-pick r248024. rdar://problem/53764047
+
+ WorkerGlobalScope::wrapCryptoKey/unwrapCryptoKey should use local heap objects for replies
+ https://bugs.webkit.org/show_bug.cgi?id=200179
+ <rdar://problem/52334658>
+
+ Reviewed by Brent Fulgham.
+
+ Based on the patch by Jiewen Tan.
+
+ WorkerGlobalScope::wrapCryptoKey and WorkerGlobalScope::unwrapCryptoKey had a bug that they could exit
+ the function before the main thread had finished writing to the result vector passed in to these functions
+ when the worker's runloop receives MessageQueueTerminated before the main thread finishes writing.
+
+ Fixed the bug by creating a new temporary Vector inside a ThreadSafeRefCounted object shared between
+ the main thread and the worker thread, which extends the lifetime of the Vector until when the worker thread
+ receives the result or when the main thread finishes writing to the Vector, whichever happens last.
+
+ Unfortunately no new tests since there is no reproducible test case, and this crash is highly racy.
+
+ * workers/WorkerGlobalScope.cpp:
+ (WebCore::CryptoBufferContainer): Added.
+ (WebCore::CryptoBufferContainer::create): Added.
+ (WebCore::CryptoBufferContainer::buffer): Added.
+ (WebCore::WorkerGlobalScope::wrapCryptoKey):
+ (WebCore::WorkerGlobalScope::unwrapCryptoKey):
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@248024 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2019-07-29 Ryosuke Niwa <[email protected]>
+
+ WorkerGlobalScope::wrapCryptoKey/unwrapCryptoKey should use local heap objects for replies
+ https://bugs.webkit.org/show_bug.cgi?id=200179
+ <rdar://problem/52334658>
+
+ Reviewed by Brent Fulgham.
+
+ Based on the patch by Jiewen Tan.
+
+ WorkerGlobalScope::wrapCryptoKey and WorkerGlobalScope::unwrapCryptoKey had a bug that they could exit
+ the function before the main thread had finished writing to the result vector passed in to these functions
+ when the worker's runloop receives MessageQueueTerminated before the main thread finishes writing.
+
+ Fixed the bug by creating a new temporary Vector inside a ThreadSafeRefCounted object shared between
+ the main thread and the worker thread, which extends the lifetime of the Vector until when the worker thread
+ receives the result or when the main thread finishes writing to the Vector, whichever happens last.
+
+ Unfortunately no new tests since there is no reproducible test case, and this crash is highly racy.
+
+ * workers/WorkerGlobalScope.cpp:
+ (WebCore::CryptoBufferContainer): Added.
+ (WebCore::CryptoBufferContainer::create): Added.
+ (WebCore::CryptoBufferContainer::buffer): Added.
+ (WebCore::WorkerGlobalScope::wrapCryptoKey):
+ (WebCore::WorkerGlobalScope::unwrapCryptoKey):
+
+2019-07-31 Alan Coon <[email protected]>
+
Cherry-pick r248018. rdar://problem/53764057
REGRESSION(r241288): Text on Yahoo Japan mobile looks too bold
Modified: branches/safari-608-branch/Source/WebCore/workers/WorkerGlobalScope.cpp (248067 => 248068)
--- branches/safari-608-branch/Source/WebCore/workers/WorkerGlobalScope.cpp 2019-07-31 20:56:44 UTC (rev 248067)
+++ branches/safari-608-branch/Source/WebCore/workers/WorkerGlobalScope.cpp 2019-07-31 20:56:46 UTC (rev 248068)
@@ -385,12 +385,22 @@
#if ENABLE(WEB_CRYPTO)
+class CryptoBufferContainer : public ThreadSafeRefCounted<CryptoBufferContainer> {
+public:
+ static Ref<CryptoBufferContainer> create() { return adoptRef(*new CryptoBufferContainer); }
+ Vector<uint8_t>& buffer() { return m_buffer; }
+
+private:
+ Vector<uint8_t> m_buffer;
+};
+
bool WorkerGlobalScope::wrapCryptoKey(const Vector<uint8_t>& key, Vector<uint8_t>& wrappedKey)
{
bool result = false;
- bool done = false;
- m_thread.workerLoaderProxy().postTaskToLoader([&result, &key, &wrappedKey, &done, workerGlobalScope = this](ScriptExecutionContext& context) {
- result = context.wrapCryptoKey(key, wrappedKey);
+ std::atomic<bool> done = false;
+ auto container = CryptoBufferContainer::create();
+ m_thread.workerLoaderProxy().postTaskToLoader([&result, key, containerRef = container.copyRef(), &done, workerGlobalScope = this](ScriptExecutionContext& context) {
+ result = context.wrapCryptoKey(key, containerRef->buffer());
done = true;
workerGlobalScope->postTask([](ScriptExecutionContext& context) {
ASSERT_UNUSED(context, context.isWorkerGlobalScope());
@@ -401,14 +411,18 @@
while (!done && waitResult != MessageQueueTerminated)
waitResult = m_thread.runLoop().runInMode(this, WorkerRunLoop::defaultMode());
+ if (done)
+ wrappedKey.swap(container->buffer());
return result;
}
bool WorkerGlobalScope::unwrapCryptoKey(const Vector<uint8_t>& wrappedKey, Vector<uint8_t>& key)
{
- bool result = false, done = false;
- m_thread.workerLoaderProxy().postTaskToLoader([&result, &wrappedKey, &key, &done, workerGlobalScope = this](ScriptExecutionContext& context) {
- result = context.unwrapCryptoKey(wrappedKey, key);
+ bool result = false;
+ std::atomic<bool> done = false;
+ auto container = CryptoBufferContainer::create();
+ m_thread.workerLoaderProxy().postTaskToLoader([&result, wrappedKey, containerRef = container.copyRef(), &done, workerGlobalScope = this](ScriptExecutionContext& context) {
+ result = context.unwrapCryptoKey(wrappedKey, containerRef->buffer());
done = true;
workerGlobalScope->postTask([](ScriptExecutionContext& context) {
ASSERT_UNUSED(context, context.isWorkerGlobalScope());
@@ -419,6 +433,8 @@
while (!done && waitResult != MessageQueueTerminated)
waitResult = m_thread.runLoop().runInMode(this, WorkerRunLoop::defaultMode());
+ if (done)
+ key.swap(container->buffer());
return result;
}
