Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 412d441c9a9730c43378e2f73201a91fc852e453
https://github.com/WebKit/WebKit/commit/412d441c9a9730c43378e2f73201a91fc852e453
Author: Chris Dumez <[email protected]>
Date: 2025-05-27 (Tue, 27 May 2025)
Changed paths:
M Source/WTF/wtf/StdLibExtras.h
M Source/WTF/wtf/text/ASCIILiteral.h
M Source/WebCore/Modules/encryptedmedia/legacy/LegacyCDM.h
M Source/WebCore/Modules/indexeddb/client/IDBConnectionToServer.cpp
M Source/WebCore/Modules/indexeddb/client/IDBConnectionToServer.h
M Source/WebCore/Modules/mediastream/MediaStreamTrackProcessor.cpp
M Source/WebCore/Modules/mediastream/MediaStreamTrackProcessor.h
M Source/WebCore/Modules/mediastream/PeerConnectionBackend.h
M Source/WebCore/Modules/mediastream/RTCPeerConnection.cpp
M Source/WebCore/Modules/mediastream/RTCPeerConnection.h
M Source/WebCore/Modules/mediastream/gstreamer/GStreamerPeerConnectionBackend.cpp
M Source/WebCore/Modules/mediastream/libwebrtc/LibWebRTCPeerConnectionBackend.cpp
M Source/WebCore/Modules/push-api/ServiceWorkerRegistrationPushAPI.cpp
M Source/WebCore/Modules/push-api/ServiceWorkerRegistrationPushAPI.h
M Source/WebCore/SaferCPPExpectations/UncountedCallArgsCheckerExpectations
M Source/WebCore/css/CSSGroupingRule.cpp
M Source/WebCore/css/CSSGroupingRule.h
M Source/WebCore/css/CSSKeyframesRule.cpp
M Source/WebCore/css/CSSKeyframesRule.h
M Source/WebCore/css/CSSStyleRule.cpp
M Source/WebCore/css/CSSStyleRule.h
M Source/WebCore/css/MutableStyleProperties.cpp
M Source/WebCore/css/MutableStyleProperties.h
M Source/WebCore/css/StyleProperties.cpp
M Source/WebCore/dom/DataTransfer.cpp
M Source/WebCore/dom/DataTransfer.h
M Source/WebCore/dom/Document.cpp
M Source/WebCore/dom/Document.h
M Source/WebCore/dom/ElementRareData.h
M Source/WebCore/html/HTMLAnchorElement.cpp
M Source/WebCore/html/HTMLAnchorElement.h
M Source/WebCore/html/HTMLFormElement.cpp
M Source/WebCore/html/HTMLFormElement.h
M Source/WebCore/html/HTMLIFrameElement.cpp
M Source/WebCore/html/HTMLIFrameElement.h
M Source/WebCore/html/HTMLImageElement.h
M Source/WebCore/html/HTMLInputElement.cpp
M Source/WebCore/html/HTMLInputElement.h
M Source/WebCore/html/HTMLLinkElement.cpp
M Source/WebCore/html/HTMLLinkElement.h
M Source/WebCore/html/HTMLOutputElement.cpp
M Source/WebCore/html/HTMLOutputElement.h
M Source/WebCore/html/HTMLPlugInImageElement.cpp
M Source/WebCore/html/HTMLPlugInImageElement.h
M Source/WebCore/html/HTMLStyleElement.cpp
M Source/WebCore/html/HTMLStyleElement.h
M Source/WebCore/html/HTMLVideoElement.cpp
M Source/WebCore/html/HTMLVideoElement.h
M Source/WebCore/page/Page.cpp
M Source/WebCore/page/Page.h
M Source/WebCore/platform/audio/PlatformMediaSessionManager.cpp
M Source/WebCore/platform/audio/PlatformMediaSessionManager.h
M Source/WebCore/platform/audio/cocoa/MediaSessionManagerCocoa.mm
M Source/WebCore/platform/audio/glib/MediaSessionManagerGLib.cpp
M Source/WebCore/platform/audio/ios/MediaSessionManagerIOS.mm
M Source/WebCore/platform/graphics/BitmapImageSource.cpp
M Source/WebCore/platform/graphics/BitmapImageSource.h
M Source/WebCore/platform/mediastream/libwebrtc/LibWebRTCAudioModule.cpp
M Source/WebCore/platform/mediastream/libwebrtc/LibWebRTCAudioModule.h
M Source/WebCore/svg/SVGAElement.cpp
M Source/WebCore/svg/SVGAElement.h
M Source/WebCore/xml/XMLHttpRequest.cpp
M Source/WebCore/xml/XMLHttpRequest.h
M Source/WebKit/GPUProcess/GPUConnectionToWebProcess.cpp
M Source/WebKit/GPUProcess/GPUConnectionToWebProcess.h
M Source/WebKit/NetworkProcess/NetworkProcess.h
M Source/WebKit/UIProcess/API/APIWebsitePolicies.cpp
M Source/WebKit/UIProcess/API/APIWebsitePolicies.h
M Source/WebKit/UIProcess/API/C/mac/WKPagePrivateMac.mm
M Source/WebKit/UIProcess/API/Cocoa/PageLoadStateObserver.h
M Source/WebKit/UIProcess/API/Cocoa/WKBrowsingContextController.mm
M Source/WebKit/UIProcess/API/gtk/WebKitWebViewBase.cpp
M Source/WebKit/UIProcess/API/wpe/WPEWebView.h
M Source/WebKit/UIProcess/Network/NetworkProcessProxy.cpp
M Source/WebKit/UIProcess/Network/NetworkProcessProxy.h
M Source/WebKit/UIProcess/WebPageProxy.cpp
M Source/WebKit/UIProcess/WebPageProxy.h
M Source/WebKit/UIProcess/WebPageProxyInternals.h
M Source/WebKit/UIProcess/WebProcessProxy.cpp
M Source/WebKit/UIProcess/WebProcessProxy.h
M Source/WebKit/UIProcess/ios/WKContentView.mm
M Source/WebKit/UIProcess/ios/WKContentViewInteraction.h
M Source/WebKit/UIProcess/ios/WKContentViewInteraction.mm
M Source/WebKit/UIProcess/playstation/PlayStationWebView.h
M Source/WebKit/UIProcess/win/WebView.h
M Source/WebKit/WebProcess/GPU/GPUProcessConnection.cpp
M Source/WebKit/WebProcess/GPU/GPUProcessConnection.h
M Source/WebKit/WebProcess/WebPage/WebPage.cpp
M Source/WebKit/WebProcess/WebPage/WebPage.h
M Source/WebKit/WebProcess/WebPage/wc/DrawingAreaWC.h
M Source/WebKit/WebProcess/WebProcess.cpp
M Source/WebKit/WebProcess/WebProcess.h
M Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj
A Tools/TestWebKitAPI/Tests/WTF/ASCIILiteral.cpp
Log Message:
-----------
Reduce risk of lifetime issues when forwarding ref-counting from an object to its "owner"
https://bugs.webkit.org/show_bug.cgi?id=293499

Reviewed by Darin Adler and Geoffrey Garen.

Reduce risk of lifetime issues when forwarding ref-counting from an object to its "owner".

A common pattern in WebKit is to have an "owner" object create an "ownee" object lazily using makeUniqueWithoutRefCountedCheck<>() and then store it as a data member. The Owner object then has `ref()` and `deref()` member functions that call `ref()` / `deref()` on the owner object. However, this is only safe if the owner never clears its ownee data member unique_ptr.

We have had several recent security bugs where the data member would get cleared and someone holding a Ref/RefPtr to an object could still do a use-after-free, despite the code looking safe and the safer cpp static analysis being happy.

To address the issue, I propose that we update `makeUniqueWithoutRefCountedCheck<>()` to return a `const std::unique_ptr<>` instead of a `std::unique_ptr<>` to force call sites to store in a const data member and thus prevent reassignments. Call sites can still use the `lazyInitialize()` to do lazy initialization of a const data member.

This PR also fixes a few issues that were found thanks to this new safer internal API:
- MediaStreamTrackProcessor::m_readableStreamSource was a classic example of unsafe ref-count forwarding since m_readableStreamSource would get cleared in several places. We were aware of this bug and had fixed it already on the security branch (queued for being cherry-picked back to main).
- PageLoadStateObserver was forwarding its refcount to m_object but m_object could get cleared, which was very fragile and not compatible with our new safer API. I updated the code to not forward the ref-counting and subclass RefCounted instead.
- WebPageProxyInternals::frameLoadStateObserver was forwarding its ref-count to its owning page but could get reassigned. This was found thanks to the assertion in lazyInitialize().

Canonical link: https://commits.webkit.org/295448@main
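
Added example, not WebKit's code, modelling the pattern the commit message describes: stand-ins (suffixed "Stub", hypothetical names) for makeUniqueWithoutRefCountedCheck<>() and lazyInitialize(), plus an Owner/Ownee pair whose ref()/deref() forward to the owner. It assumes C++17, whose guaranteed copy elision lets a const data member be initialized from the const return value; a non-const member cannot receive it, which is the compile-time check the change introduces.

```cpp
#include <memory>
#include <utility>
// Stand-in for makeUniqueWithoutRefCountedCheck<>() after this change: the return type is
// const, so only a const data member can receive the result; "std::unique_ptr<Ownee> m =
// makeUniqueWithoutRefCountedCheckStub<Ownee>(o);" is a compile error (cannot move from const).
template<typename T, typename... Args>
const std::unique_ptr<T> makeUniqueWithoutRefCountedCheckStub(Args&&... args)
{
    return std::unique_ptr<T>(new T(std::forward<Args>(args)...));
}
// Stand-in for lazyInitialize(): fills a const member exactly once. Where WebKit asserts
// on a second call, this returns false so the reassignment case is observable in a test.
template<typename T, typename... Args>
bool lazyInitializeStub(const std::unique_ptr<T>& member, Args&&... args)
{
    if (member)
        return false;
    const_cast<std::unique_ptr<T>&>(member).reset(new T(std::forward<Args>(args)...));
    return true;
}
class Owner;
// The "ownee" has no refcount of its own; ref()/deref() forward to its owner.
class Ownee {
public:
    explicit Ownee(Owner& owner) : m_owner(owner) { }
    void ref();
    void deref();
private:
    Owner& m_owner;
};
class Owner {
public:
    Owner() : m_ownee(makeUniqueWithoutRefCountedCheckStub<Ownee>(*this)) { }
    void ref() { ++m_refCount; }
    void deref() { --m_refCount; } // a real RefCounted deletes itself at zero; omitted here
    unsigned refCount() const { return m_refCount; }
    Ownee& ownee() { return *m_ownee; }
    bool initializeLazyOwnee() { return lazyInitializeStub(m_lazyOwnee, *this); }
    bool hasLazyOwnee() const { return m_lazyOwnee != nullptr; }
private:
    unsigned m_refCount { 1 };
    // Both members are const: "m_ownee = nullptr;" no longer compiles, so the owner cannot
    // leave a Ref<Ownee> held elsewhere dangling by clearing the member.
    const std::unique_ptr<Ownee> m_ownee;
    const std::unique_ptr<Ownee> m_lazyOwnee;
};
void Ownee::ref() { m_owner.ref(); }
void Ownee::deref() { m_owner.deref(); }
```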
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes