[webkit-changes] [WebKit/WebKit] eece79: Shared memory IPC sometimes fails under Rosetta

bnham noreply at github.com
Wed Nov 9 15:16:26 PST 2022


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: eece793cfe01232ecbbf6a69457b83fcbfac896a
      https://github.com/WebKit/WebKit/commit/eece793cfe01232ecbbf6a69457b83fcbfac896a
  Author: Ben Nham <nham at apple.com>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    M Source/WebKit/Platform/cocoa/SharedMemoryCocoa.cpp

  Log Message:
  -----------
  Shared memory IPC sometimes fails under Rosetta
https://bugs.webkit.org/show_bug.cgi?id=247691
rdar://99827403

Reviewed by Geoffrey Garen.

Sending a SharedMemory object over IPC sometimes fails when the sending process runs under Rosetta
and the receiving process is ARM64. This is due to the Rosetta process using a 4KB page size and the
receiving process using a 16KB page size. On the sending side, SharedMemory calls `safeRoundPage` on
the actual size to round the allocation up to a 4KB boundary. On the receiving side, SharedMemory
calls `safeRoundPage` again on the actual size, but now rounds up to a 16KB boundary. This means the
receiving side might try to ask the kernel to map a larger memory region than the one that was created on the
sending side. This causes `mach_vm_map` to fail with an invalid argument error.

One easy way to trigger this issue is to implement a URL scheme handler in a Rosetta UIProcess that
returns some small payload. This will result in a buffer being sent to an ARM WebContent process.

To fix this, the kernel team recommended that we:

1. Stop rounding the page size in user space. The syscalls we use here (e.g. mach_vm_allocate) are
already documented to handle page rounding for you.

2. Defensively handle the case where we might try to share a non-page-aligned region. (This actually
doesn't apply in our case since `SharedMemory::allocate` is always returning a page-aligned region
but it's good to do in case someone adds that capability in the future.) We do this by using
`MAP_MEM_USE_DATA_ADDR` with `mach_make_memory_entry_64` and `VM_FLAGS_RETURN_DATA_ADDR` with
`mach_vm_map`.

This patch implements those recommendations.

To test this, I ran `URLSchemeHandler.Basic` under Rosetta. Before this patch, WebContent crashed
with the assert `Received invalid message: 'WebPage_URLSchemeTaskDidReceiveData'`. After this patch,
the test no longer crashes.

* Source/WebKit/Platform/cocoa/SharedMemoryCocoa.cpp:
(WebKit::SharedMemory::Handle::decode):
(WebKit::SharedMemory::allocate):
(WebKit::makeMemoryEntry):
(WebKit::SharedMemory::map):
(WebKit::SharedMemory::~SharedMemory):
(WebKit::SharedMemory::createHandle):
(WebKit::safeRoundPage): Deleted.

Canonical link: https://commits.webkit.org/256505@main
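The following is an added illustration, not part of the commit or of WebKit's own code. It models in plain C the two size computations the message describes: the old scheme, where each side rounds the payload size with its own page size, and the fixed scheme, where the unrounded size is sent and the kernel rounds. The page sizes, payload length and addresses are constructed values (4 KB standing in for the Rosetta process, 16 KB for the arm64 process). The `RegionDescription` helper is a stand-in for what the data-address flags (`MAP_MEM_USE_DATA_ADDR` / `VM_FLAGS_RETURN_DATA_ADDR`) achieve for a non-page-aligned region; it does not call the Mach APIs.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed page sizes: a Rosetta (x86_64) process and a native arm64 process. */
#define ROSETTA_PAGE 4096u
#define ARM64_PAGE   16384u

/* Round size up to a multiple of page; page must be a power of two. */
static uint64_t round_up_to_page(uint64_t size, uint64_t page) {
    return (size + page - 1) & ~(page - 1);
}

/* Old scheme: sender and receiver each call their own page rounding on the payload size.
 * Returns true only if the receiver's request fits inside the region the sender created. */
static bool old_scheme_map_fits(uint64_t payload, uint64_t sender_page, uint64_t receiver_page) {
    uint64_t sender_region    = round_up_to_page(payload, sender_page);
    uint64_t receiver_request = round_up_to_page(payload, receiver_page);
    return receiver_request <= sender_region;
}

/* Fixed scheme: the unrounded payload size is what gets sent, so the receiver asks for exactly
 * the size the memory entry was made with and the kernel rounds both consistently. */
static bool new_scheme_map_fits(uint64_t payload) {
    uint64_t memory_entry_size = payload;   /* kernel rounds internally on both sides */
    uint64_t receiver_request  = payload;
    return receiver_request <= memory_entry_size;
}

/* Defensive description of a possibly non-page-aligned region (hypothetical model of the
 * data-address flags): page-aligned base, offset of the data inside the first page, and the
 * page-rounded span that covers every data byte. */
typedef struct {
    uint64_t page_base;
    uint64_t data_offset;
    uint64_t span;
} RegionDescription;

static RegionDescription describe_region(uint64_t data_addr, uint64_t size, uint64_t page) {
    RegionDescription d;
    d.page_base   = data_addr & ~(page - 1);
    d.data_offset = data_addr - d.page_base;
    d.span        = round_up_to_page(d.data_offset + size, page);
    return d;
}

/* Once the receiver has mapped d.span bytes at mapped_base, the data lives at the same
 * in-page offset as on the sender. */
static uint64_t mapped_data_address(uint64_t mapped_base, RegionDescription d) {
    return mapped_base + d.data_offset;
}

int main(void) {
    uint64_t payload = 5000;  /* constructed: a small URL scheme handler response */
    printf("old scheme, Rosetta -> arm64 fits: %s\n",
           old_scheme_map_fits(payload, ROSETTA_PAGE, ARM64_PAGE) ? "yes" : "no");
    printf("new scheme fits: %s\n", new_scheme_map_fits(payload) ? "yes" : "no");
    RegionDescription d = describe_region(0x10000100u, payload, ROSETTA_PAGE);
    printf("base=0x%llx offset=%llu span=%llu data@0x%llx\n",
           (unsigned long long)d.page_base, (unsigned long long)d.data_offset,
           (unsigned long long)d.span, (unsigned long long)mapped_data_address(0x20000000u, d));
    return 0;
}
```

With a 5000-byte payload the sender rounds to 8192 bytes while an arm64 receiver rounds to 16384, so the old scheme's request exceeds the region; the reverse direction (16 KB sender, 4 KB receiver) happens to fit, which is why the bug only shows up with a Rosetta sender and a native receiver.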
