Title: [278422] trunk/Source/WebKit
- Revision
- 278422
- Author
- cdu...@apple.com
- Date
- 2021-06-03 14:47:21 -0700 (Thu, 03 Jun 2021)
Log Message
[Hardening] Stop storing raw pointers inside WebIDBServer::m_connections
https://bugs.webkit.org/show_bug.cgi?id=226595
Reviewed by Ryosuke Niwa.
Stop storing raw pointers inside WebIDBServer::m_connections and use a WeakHashSet instead.
* NetworkProcess/IndexedDB/WebIDBServer.cpp:
(WebKit::WebIDBServer::addConnection):
(WebKit::WebIDBServer::removeConnection):
(WebKit::WebIDBServer::close):
(WebKit::WebIDBServer::tryClose):
* NetworkProcess/IndexedDB/WebIDBServer.h:
* Platform/IPC/Connection.h:
Modified Paths
Diff
Modified: trunk/Source/WebKit/ChangeLog (278421 => 278422)
--- trunk/Source/WebKit/ChangeLog 2021-06-03 21:39:45 UTC (rev 278421)
+++ trunk/Source/WebKit/ChangeLog 2021-06-03 21:47:21 UTC (rev 278422)
@@ -1,5 +1,22 @@
2021-06-03 Chris Dumez <cdu...@apple.com>
+ [Hardening] Stop storing raw pointers inside WebIDBServer::m_connections
+ https://bugs.webkit.org/show_bug.cgi?id=226595
+
+ Reviewed by Ryosuke Niwa.
+
+ Stop storing raw pointers inside WebIDBServer::m_connections and use a WeakHashSet instead.
+
+ * NetworkProcess/IndexedDB/WebIDBServer.cpp:
+ (WebKit::WebIDBServer::addConnection):
+ (WebKit::WebIDBServer::removeConnection):
+ (WebKit::WebIDBServer::close):
+ (WebKit::WebIDBServer::tryClose):
+ * NetworkProcess/IndexedDB/WebIDBServer.h:
+ * Platform/IPC/Connection.h:
+
+2021-06-03 Chris Dumez <cdu...@apple.com>
+
Move protector earlier in NetworkProcessProxy::networkProcessDidTerminate()
https://bugs.webkit.org/show_bug.cgi?id=226594
Modified: trunk/Source/WebKit/NetworkProcess/IndexedDB/WebIDBServer.cpp (278421 => 278422)
--- trunk/Source/WebKit/NetworkProcess/IndexedDB/WebIDBServer.cpp 2021-06-03 21:39:45 UTC (rev 278421)
+++ trunk/Source/WebKit/NetworkProcess/IndexedDB/WebIDBServer.cpp 2021-06-03 21:47:21 UTC (rev 278422)
@@ -369,7 +369,7 @@
Locker locker { m_serverLock };
m_server->registerConnection(iter->value->connectionToClient());
});
- m_connections.add(&connection);
+ m_connections.add(connection);
connection.addThreadMessageReceiver(Messages::WebIDBServer::messageReceiverName(), this);
}
@@ -377,11 +377,10 @@
{
ASSERT(RunLoop::isMain());
- auto* takenConnection = m_connections.take(&connection);
- if (!takenConnection)
+ if (!m_connections.remove(connection))
return;
- takenConnection->removeThreadMessageReceiver(Messages::WebIDBServer::messageReceiverName());
+ connection.removeThreadMessageReceiver(Messages::WebIDBServer::messageReceiverName());
postTask([this, protectedThis = makeRef(*this), connectionID = connection.uniqueID()] {
auto connection = m_connectionMap.take(connectionID);
@@ -413,8 +412,8 @@
return;
// Remove the references held by IPC::Connection.
- for (auto* connection : m_connections)
- connection->removeThreadMessageReceiver(Messages::WebIDBServer::messageReceiverName());
+ for (auto& connection : m_connections)
+ connection.removeThreadMessageReceiver(Messages::WebIDBServer::messageReceiverName());
CrossThreadTaskHandler::setCompletionCallback([this, protectedThis = makeRef(*this)]() mutable {
ASSERT(!RunLoop::isMain());
@@ -446,7 +445,7 @@
void WebIDBServer::tryClose()
{
- if (!m_connections.isEmpty() || m_dataTaskCounter.value())
+ if (!m_connections.computesEmpty() || m_dataTaskCounter.value())
return;
close();
Modified: trunk/Source/WebKit/NetworkProcess/IndexedDB/WebIDBServer.h (278421 => 278422)
--- trunk/Source/WebKit/NetworkProcess/IndexedDB/WebIDBServer.h 2021-06-03 21:39:45 UTC (rev 278421)
+++ trunk/Source/WebKit/NetworkProcess/IndexedDB/WebIDBServer.h 2021-06-03 21:47:21 UTC (rev 278422)
@@ -32,6 +32,7 @@
#include <WebCore/StorageQuotaManager.h>
#include <wtf/CrossThreadTaskHandler.h>
#include <wtf/RefCounter.h>
+#include <wtf/WeakHashSet.h>
namespace WebCore {
class StorageQuotaManager;
@@ -102,7 +103,7 @@
bool m_isSuspended { false };
HashMap<IPC::Connection::UniqueID, std::unique_ptr<WebIDBConnectionToClient>> m_connectionMap;
- HashSet<IPC::Connection*> m_connections;
+ WeakHashSet<IPC::Connection> m_connections; // Only used on the main thread.
enum DataTaskCounterType { };
using DataTaskCounter = RefCounter<DataTaskCounterType>;
Modified: trunk/Source/WebKit/Platform/IPC/Connection.h (278421 => 278422)
--- trunk/Source/WebKit/Platform/IPC/Connection.h 2021-06-03 21:39:45 UTC (rev 278421)
+++ trunk/Source/WebKit/Platform/IPC/Connection.h 2021-06-03 21:47:21 UTC (rev 278422)
@@ -104,7 +104,7 @@
class MachMessage;
class UnixMessage;
-class Connection : public ThreadSafeRefCounted<Connection, WTF::DestructionThread::MainRunLoop> {
+class Connection : public ThreadSafeRefCounted<Connection, WTF::DestructionThread::MainRunLoop>, public CanMakeWeakPtr<Connection> {
public:
enum SyncRequestIDType { };
using SyncRequestID = ObjectIdentifier<SyncRequestIDType>;
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
