Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 18f52512761fb98e775ff460eba8715a9ae26d01
https://github.com/WebKit/WebKit/commit/18f52512761fb98e775ff460eba8715a9ae26d01
Author: Chris Dumez <[email protected]>
Date: 2026-03-03 (Tue, 03 Mar 2026)
Changed paths:
M Source/WebCore/platform/SharedMemory.h
M Source/WebKit/Platform/IPC/Connection.h
M Source/WebKit/Platform/IPC/cocoa/ConnectionCocoa.mm
M Source/WebKit/UIProcess/API/Cocoa/WKProcessPool.mm
M Source/WebKit/UIProcess/API/Cocoa/WKProcessPoolPrivate.h
M Tools/TestWebKitAPI/SourcesCocoa.txt
M Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj
A Tools/TestWebKitAPI/Tests/WebKitCocoa/IPCSharedMemoryFallback.mm
Log Message:
-----------
Crash under PC::Connection::sendMessage (MACH_SEND_TOO_LARGE /
NetworkStorageManager_CacheStorageRetrieveRecordsReply)
https://bugs.webkit.org/show_bug.cgi?id=308728
rdar://60344809
Reviewed by Ben Nham and Per Arne Vollan.

IPC messages whose encoder body exceeds inlineMessageMaxSize (4096 bytes)
are sent out-of-line (OOL) via mach_msg_ool_descriptor_t. However,
mach_msg() can still fail with MACH_SEND_TOO_LARGE — the kernel imposes
limits on message size that include descriptor counts, OOL memory
regions, and inline data. We are seeing crashes with this error in the
wild on the CacheStorageRetrieveRecords reply path, where many small
cache records with SharedBuffer bodies below the 4096-byte shared memory
threshold produce a large aggregate encoder body.

To fix this, when mach_msg() returns MACH_SEND_TOO_LARGE, we retry by
placing the encoder body into a shared memory entry (via
mach_make_memory_entry_64 with MAP_MEM_VM_COPY) and sending only the
memory entry port plus its size as inline data. The receiver maps the
shared memory to construct the decoder, making the fallback transparent
to message handlers.

Test: IPC.SharedMemoryFallback
* Source/WebCore/platform/SharedMemory.h:
(WebCore::SharedMemoryHandle::releaseHandle):
* Source/WebKit/Platform/IPC/Connection.h:
* Source/WebKit/Platform/IPC/cocoa/ConnectionCocoa.mm:
(IPC::Connection::setForceUseSharedMemoryForSendingForTesting):
(IPC::Connection::sendMessage):
(IPC::setPortDescriptor):
(IPC::extractPortDescriptorsFromMessage):
(IPC::Connection::sendOutgoingMessage):
(IPC::Connection::retrySendMessageWithSharedMemory):
(IPC::Connection::resumeSendSource):
(IPC::createMessageDecoder):
(IPC::Connection::receiveSourceEventHandler):
* Source/WebKit/UIProcess/API/Cocoa/WKProcessPool.mm:
(+[WKProcessPool _forceUseSharedMemoryForSendingForTesting:]):
* Source/WebKit/UIProcess/API/Cocoa/WKProcessPoolPrivate.h:
* Tools/TestWebKitAPI/SourcesCocoa.txt:
* Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
* Tools/TestWebKitAPI/Tests/WebKitCocoa/IPCSharedMemoryFallback.mm: Added.
(TEST(IPC, SharedMemoryFallback)):
Canonical link: https://commits.webkit.org/308536@main
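The retry pattern the commit message describes (inline send first, fall back to a shared-memory region plus a small header when the transport reports the message is too large, receiver maps the region to build its decoder) as an added, portable C illustration. This is not WebKit's code: Mach IPC and mach_make_memory_entry_64 are stood in for by an in-process channel with an inline size limit and an anonymous MAP_SHARED mapping tracked in a handle table, and all names (raw_send, retry_send_with_shared_memory, create_decoder, round_trip) are invented for this example. The receiver-side check that the declared size never exceeds the mapped region's real size is my addition, not something the commit message states.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

#define INLINE_MAX 4096   /* stand-in for the transport's inline limit (assumed) */
#define MAX_HANDLES 8

enum { SEND_OK = 0, SEND_TOO_LARGE = 1, SEND_FAILED = 2 };

/* Stand-in for a memory entry: the mapped region and its true size. */
struct mem_entry { uint8_t *base; size_t size; };
static struct mem_entry g_entries[MAX_HANDLES];

/* What crosses the channel: inline bytes, or a (handle, size) header. */
struct wire_msg {
    int uses_shared_memory;
    int handle;                    /* valid only when uses_shared_memory */
    size_t declared_size;          /* sender-declared body size */
    uint8_t inline_body[INLINE_MAX];
};

/* Simulated kernel send: reject inline bodies above the limit. */
static int raw_send(struct wire_msg *out, const uint8_t *body, size_t len)
{
    if (len > INLINE_MAX)
        return SEND_TOO_LARGE;
    out->uses_shared_memory = 0;
    out->handle = -1;
    out->declared_size = len;
    memcpy(out->inline_body, body, len);
    return SEND_OK;
}

/* Fallback: copy the body into a shared region, send only (handle, size). */
static int retry_send_with_shared_memory(struct wire_msg *out, const uint8_t *body, size_t len)
{
    int h = 0;
    while (h < MAX_HANDLES && g_entries[h].base) h++;
    if (h == MAX_HANDLES) return SEND_FAILED;
    uint8_t *region = mmap(NULL, len, PROT_READ | PROT_WRITE,
                           MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED) return SEND_FAILED;
    memcpy(region, body, len);
    g_entries[h].base = region;
    g_entries[h].size = len;
    out->uses_shared_memory = 1;
    out->handle = h;
    out->declared_size = len;
    return SEND_OK;
}

/* Sender entry point: try inline first, retry via shared memory on TOO_LARGE. */
static int send_message(struct wire_msg *out, const uint8_t *body, size_t len)
{
    int rc = raw_send(out, body, len);
    if (rc == SEND_TOO_LARGE)
        rc = retry_send_with_shared_memory(out, body, len);
    return rc;
}

/* Receiver: return a decoder view over the body, or NULL if the header is bad. */
static const uint8_t *create_decoder(const struct wire_msg *in, size_t *len_out)
{
    if (!in->uses_shared_memory) {
        if (in->declared_size > INLINE_MAX) return NULL;
        *len_out = in->declared_size;
        return in->inline_body;
    }
    if (in->handle < 0 || in->handle >= MAX_HANDLES) return NULL;
    const struct mem_entry *e = &g_entries[in->handle];
    /* Defensive check (added here): a declared size larger than the mapped
       region would let the decoder read past the end of the mapping. */
    if (!e->base || in->declared_size > e->size) return NULL;
    *len_out = in->declared_size;
    return e->base;
}

/* Round trip a constructed body of `len` bytes.
   Returns 0 on failure, 1 if delivered inline, 2 if delivered via shared memory. */
static int round_trip(size_t len)
{
    uint8_t *body = malloc(len);
    for (size_t i = 0; i < len; i++) body[i] = (uint8_t)(i * 7 + 1);
    struct wire_msg msg;
    int result = 0;
    if (send_message(&msg, body, len) == SEND_OK) {
        size_t got = 0;
        const uint8_t *view = create_decoder(&msg, &got);
        if (view && got == len && memcmp(view, body, len) == 0)
            result = msg.uses_shared_memory ? 2 : 1;
    }
    free(body);
    return result;
}

/* Returns 1 if a constructed header claiming more bytes than the region holds is rejected. */
static int oversized_header_rejected(void)
{
    static uint8_t body[8192];
    struct wire_msg msg;
    if (send_message(&msg, body, sizeof body) != SEND_OK) return 0;
    msg.declared_size = sizeof body * 2;   /* constructed bad header */
    size_t n = 0;
    return create_decoder(&msg, &n) == NULL;
}

int main(void)
{
    printf("100 bytes: %d, 10000 bytes: %d, bad header rejected: %d\n",
           round_trip(100), round_trip(10000), oversized_header_rejected());
    return 0;
}
```

The sender never needs to know in advance which path will be taken, and the handler behind create_decoder sees the same byte view either way, which is the transparency the commit message describes. The handle table here is never released; a real implementation would unmap the region once the receiver is done with it.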