[webkit-changes] [287489] trunk

[jya]

Title: [287489] trunk

Revision

287489

Author

j...@apple.com

Date

2021-12-30 19:20:12 -0800 (Thu, 30 Dec 2021)

Log Message

SharedBuffer::takeData() is still dangerous
https://bugs.webkit.org/show_bug.cgi?id=234724
rdar://problem/86957233

Reviewed by Darin Adler.

Source/WebCore:

Similar to bug 228161; however we only take the content of the DataSegment
if its refcount is 1.
DataSegments can be shared across multiple SharedBuffer and so we can't
assume that when the SharedBuffer refcount is 1 that it is safe to use
the DataSegment.
This use of SharedBuffer::extractData will need to be revisited when
SharedBuffer are used across different threads as the operation isn't
thread-safe.

API tests added.

* platform/SharedBuffer.cpp:
(WebCore::FragmentedSharedBuffer::takeData):

Tools:

* TestWebKitAPI/Tests/WebCore/SharedBuffer.cpp:
(TestWebKitAPI::TEST_F):

Modified Paths

• trunk/Source/WebCore/ChangeLog
• trunk/Source/WebCore/platform/SharedBuffer.cpp
• trunk/Tools/ChangeLog
• trunk/Tools/TestWebKitAPI/Tests/WebCore/SharedBuffer.cpp

Diff

Modified: trunk/Source/WebCore/ChangeLog (287488 => 287489)

--- trunk/Source/WebCore/ChangeLog	2021-12-31 01:32:32 UTC (rev 287488)
+++ trunk/Source/WebCore/ChangeLog	2021-12-31 03:20:12 UTC (rev 287489)
@@ -1,3 +1,25 @@
+2021-12-30  Jean-Yves Avenard  <j...@apple.com>
+
+        SharedBuffer::takeData() is still dangerous
+        https://bugs.webkit.org/show_bug.cgi?id=234724
+        rdar://problem/86957233
+
+        Reviewed by Darin Adler.
+
+        Similar to bug 228161; however we only take the content of the DataSegment
+        if its refcount is 1.
+        DataSegments can be shared across multiple SharedBuffer and so we can't
+        assume that when the SharedBuffer refcount is 1 that it is safe to use
+        the DataSegment.
+        This use of SharedBuffer::extractData will need to be revisited when
+        SharedBuffer are used across different threads as the operation isn't
+        thread-safe.
+
+        API tests added.
+
+        * platform/SharedBuffer.cpp:
+        (WebCore::FragmentedSharedBuffer::takeData):
+
 2021-12-30  Tim Nguyen  <n...@apple.com>
 
         REGRESSION(r286955): Fix painting text-decorations with combined text

Modified: trunk/Source/WebCore/platform/SharedBuffer.cpp (287488 => 287489)

--- trunk/Source/WebCore/platform/SharedBuffer.cpp	2021-12-31 01:32:32 UTC (rev 287488)
+++ trunk/Source/WebCore/platform/SharedBuffer.cpp	2021-12-31 03:20:12 UTC (rev 287489)
@@ -137,7 +137,7 @@
         return { };
 
     Vector<uint8_t> combinedData;
-    if (hasOneSegment() && std::holds_alternative<Vector<uint8_t>>(m_segments[0].segment->m_immutableData))
+    if (hasOneSegment() && std::holds_alternative<Vector<uint8_t>>(m_segments[0].segment->m_immutableData) && m_segments[0].segment->hasOneRef())
         combinedData = std::exchange(std::get<Vector<uint8_t>>(m_segments[0].segment->m_immutableData), Vector<uint8_t>());
     else
         combinedData = combineSegmentsData(m_segments, m_size);

Modified: trunk/Tools/ChangeLog (287488 => 287489)

--- trunk/Tools/ChangeLog	2021-12-31 01:32:32 UTC (rev 287488)
+++ trunk/Tools/ChangeLog	2021-12-31 03:20:12 UTC (rev 287489)
@@ -1,3 +1,14 @@
+2021-12-30  Jean-Yves Avenard  <j...@apple.com>
+
+        SharedBuffer::takeData() is still dangerous
+        https://bugs.webkit.org/show_bug.cgi?id=234724
+        rdar://problem/86957233
+
+        Reviewed by Darin Adler.
+
+        * TestWebKitAPI/Tests/WebCore/SharedBuffer.cpp:
+        (TestWebKitAPI::TEST_F):
+
 2021-12-28  Sam Weinig  <wei...@apple.com>
 
         Enhance Vector::map to allow specifying what kind of Vector to return (e.g. inline capacity, overflow, etc.)

Modified: trunk/Tools/TestWebKitAPI/Tests/WebCore/SharedBuffer.cpp (287488 => 287489)

--- trunk/Tools/TestWebKitAPI/Tests/WebCore/SharedBuffer.cpp	2021-12-31 01:32:32 UTC (rev 287488)
+++ trunk/Tools/TestWebKitAPI/Tests/WebCore/SharedBuffer.cpp	2021-12-31 03:20:12 UTC (rev 287489)
@@ -199,7 +199,7 @@
 {
     // expected is null terminated, buffer is not.
     size_t length = strlen(expected);
-    EXPECT_EQ(length, bufferLength);
+    ASSERT_EQ(length, bufferLength);
     for (size_t i = 0; i < length; ++i)
         EXPECT_EQ(buffer[i], expected[i]);
 }
@@ -303,6 +303,18 @@
     check(builder.take());
 }
 
+TEST_F(FragmentedSharedBufferTest, extractData)
+{
+    const char* const simpleText = "This is a simple test.";
+    auto original = SharedBuffer::create(simpleText, strlen(simpleText));
+    auto copy = original->copy();
+    auto vector = copy->extractData();
+    EXPECT_TRUE(copy->isEmpty());
+    EXPECT_FALSE(original->isEmpty());
+    ASSERT_TRUE(original->hasOneSegment());
+    EXPECT_GT(original->begin()->segment->size(), 0u);
+}
+
 #if ENABLE(MHTML)
 // SharedBufferChunkReader unit-tests -------------------------------------
 template< typename T, size_t N >

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes