[webkit-changes] [WebKit/WebKit] 926054: Crash under WebCore::createMainThreadConnection(We...

Chris Dumez noreply at github.com
Wed Dec 20 16:07:04 PST 2023


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 926054f254028ee2cc29b0e96a50cca42592ce66
      https://github.com/WebKit/WebKit/commit/926054f254028ee2cc29b0e96a50cca42592ce66
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-12-20 (Wed, 20 Dec 2023)

  Changed paths:
    M Source/WebCore/Modules/cache/WorkerCacheStorageConnection.cpp
    M Source/WebCore/Modules/cookie-store/CookieStore.cpp
    M Source/WebCore/Modules/permissions/Permissions.cpp
    M Source/WebCore/Modules/storage/WorkerStorageConnection.cpp
    M Source/WebCore/Modules/webaudio/AudioWorkletGlobalScope.cpp
    M Source/WebCore/Modules/webaudio/AudioWorkletMessagingProxy.cpp
    M Source/WebCore/Modules/webaudio/AudioWorkletThread.cpp
    M Source/WebCore/Modules/webaudio/AudioWorkletThread.h
    M Source/WebCore/Modules/websockets/WebSocket.cpp
    M Source/WebCore/Modules/websockets/WorkerThreadableWebSocketChannel.cpp
    M Source/WebCore/dom/BroadcastChannel.cpp
    M Source/WebCore/dom/ScriptExecutionContext.cpp
    M Source/WebCore/loader/WorkerThreadableLoader.cpp
    M Source/WebCore/loader/WorkerThreadableLoader.h
    M Source/WebCore/loader/cache/MemoryCache.cpp
    M Source/WebCore/page/WorkerNavigator.cpp
    M Source/WebCore/workers/WorkerGlobalScope.cpp
    M Source/WebCore/workers/WorkerMessagingProxy.cpp
    M Source/WebCore/workers/WorkerNotificationClient.cpp
    M Source/WebCore/workers/WorkerOrWorkletThread.h
    M Source/WebCore/workers/WorkerThread.cpp
    M Source/WebCore/workers/WorkerThread.h
    M Source/WebCore/workers/service/context/ServiceWorkerThreadProxy.cpp
    M Source/WebCore/workers/shared/context/SharedWorkerThreadProxy.cpp

  Log Message:
  -----------
  Crash under WebCore::createMainThreadConnection(WebCore::WorkerGlobalScope&)
https://bugs.webkit.org/show_bug.cgi?id=264222
rdar://117727810

Reviewed by Darin Adler.

We're crashing when calling `createCacheStorageConnection()` on the WorkerLoaderProxy which
we got from the WorkerThread. I believe the WorkerLoaderProxy reference returned by the
WorkerThread is stale, which is possible since it keeps C++ references to its proxies.

To address the issue, I updated WorkerThread to keep raw pointers to its proxies instead of
C++ references. I am also adding a clearProxies() function to clear those raw pointers once
the proxies get destroyed. Finally, I added null checks at proxy use sites now that we null
them out.

In the future, we should convert these raw pointers into CheckedPtrs.

* Source/WebCore/Modules/badge/WorkerBadgeProxy.h:
* Source/WebCore/Modules/cache/WorkerCacheStorageConnection.cpp:
(WebCore::createMainThreadConnection):
* Source/WebCore/Modules/permissions/Permissions.cpp:
(WebCore::Permissions::query):
* Source/WebCore/Modules/storage/WorkerStorageConnection.cpp:
(WebCore::WorkerStorageConnection::getPersisted):
(WebCore::WorkerStorageConnection::getEstimate):
(WebCore::WorkerStorageConnection::fileSystemGetDirectory):
* Source/WebCore/Modules/webaudio/AudioWorkletGlobalScope.cpp:
(WebCore::AudioWorkletGlobalScope::registerProcessor):
* Source/WebCore/Modules/webaudio/AudioWorkletMessagingProxy.cpp:
(WebCore::AudioWorkletMessagingProxy::~AudioWorkletMessagingProxy):
* Source/WebCore/Modules/webaudio/AudioWorkletThread.cpp:
(WebCore::AudioWorkletThread::clearProxies):
(WebCore::AudioWorkletThread::workerLoaderProxy):
(WebCore::AudioWorkletThread::messagingProxy):
* Source/WebCore/Modules/webaudio/AudioWorkletThread.h:
(WebCore::AudioWorkletThread::messagingProxy): Deleted.
* Source/WebCore/Modules/websockets/WebSocket.cpp:
(WebCore::WebSocket::connect):
* Source/WebCore/Modules/websockets/WorkerThreadableWebSocketChannel.cpp:
(WebCore::WorkerThreadableWebSocketChannel::Bridge::Bridge):
(WebCore::WorkerThreadableWebSocketChannel::Bridge::mainThreadInitialize):
* Source/WebCore/dom/BroadcastChannel.cpp:
(WebCore::BroadcastChannel::MainThreadBridge::ensureOnMainThread):
* Source/WebCore/dom/ScriptExecutionContext.cpp:
(WebCore::ScriptExecutionContext::postTaskToResponsibleDocument):
* Source/WebCore/loader/WorkerThreadableLoader.cpp:
(WebCore::WorkerThreadableLoader::WorkerThreadableLoader):
* Source/WebCore/loader/cache/MemoryCache.cpp:
(WebCore::MemoryCache::removeRequestFromSessionCaches):
* Source/WebCore/page/WorkerNavigator.cpp:
(WebCore::WorkerNavigator::setAppBadge):
* Source/WebCore/workers/WorkerDebuggerProxy.h:
* Source/WebCore/workers/WorkerGlobalScope.cpp:
(WebCore::WorkerGlobalScope::~WorkerGlobalScope):
(WebCore::WorkerGlobalScope::createRTCDataChannelRemoteHandlerConnection):
(WebCore::WorkerGlobalScope::close):
(WebCore::WorkerGlobalScope::logExceptionToConsole):
(WebCore::WorkerGlobalScope::wrapCryptoKey):
(WebCore::WorkerGlobalScope::unwrapCryptoKey):
(WebCore::WorkerGlobalScope::reportErrorToWorkerObject):
* Source/WebCore/workers/WorkerLoaderProxy.h:
* Source/WebCore/workers/WorkerMessagingProxy.cpp:
(WebCore::WorkerMessagingProxy::WorkerMessagingProxy):
(WebCore::WorkerMessagingProxy::~WorkerMessagingProxy):
(WebCore::WorkerMessagingProxy::workerGlobalScopeDestroyedInternal):
* Source/WebCore/workers/WorkerNotificationClient.cpp:
(WebCore::WorkerNotificationClient::postToMainThread):
* Source/WebCore/workers/WorkerOrWorkletThread.h:
* Source/WebCore/workers/WorkerReportingProxy.h:
* Source/WebCore/workers/WorkerThread.cpp:
(WebCore::WorkerThread::workerBadgeProxy const):
(WebCore::WorkerThread::workerDebuggerProxy const):
(WebCore::WorkerThread::workerLoaderProxy):
(WebCore::WorkerThread::workerReportingProxy const):
(WebCore::WorkerThread::clearProxies):
* Source/WebCore/workers/WorkerThread.h:
(WebCore::WorkerThread::workerBadgeProxy const): Deleted.
(WebCore::WorkerThread::workerReportingProxy const): Deleted.
* Source/WebCore/workers/service/context/ServiceWorkerThreadProxy.cpp:
(WebCore::ServiceWorkerThreadProxy::~ServiceWorkerThreadProxy):
* Source/WebCore/workers/shared/context/SharedWorkerThreadProxy.cpp:
(WebCore::SharedWorkerThreadProxy::~SharedWorkerThreadProxy):

Originally-landed-as: 267815.537 at safari-7617-branch (4cae7c8ab138). rdar://119598285
Canonical link: https://commits.webkit.org/272389@main
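The lifetime hazard the commit message describes, reduced to a stand-alone sketch. This is added illustration, not WebKit code: the class names WorkerThread, LoaderProxy and MessagingProxy are simplified stand-ins for WebCore::WorkerThread, WebCore::WorkerLoaderProxy and WebCore::WorkerMessagingProxy, the connection string is made up, and the real objects are shared across threads with far more state. What it keeps is the shape of the fix: the thread holds a raw pointer rather than a reference, the proxy's destructor calls clearProxies(), and the use site modelled on createMainThreadConnection() null-checks before dereferencing.

```cpp
// Added example (not from WebKit): why a C++ reference to a proxy cannot be
// made safe once the proxy dies, and the raw-pointer + clearProxies() shape
// the commit moves to instead.
#include <cstdio>
#include <memory>
#include <optional>
#include <string>
#include <utility>

// Stand-in for WebCore::WorkerLoaderProxy (hypothetical, simplified).
class LoaderProxy {
public:
    explicit LoaderProxy(std::string name) : m_name(std::move(name)) {}
    virtual ~LoaderProxy() = default;
    std::string createCacheStorageConnection() const { return "connection:" + m_name; }
private:
    std::string m_name;
};

// "Before": the thread stores a reference. A reference member can never be
// re-seated or nulled, so there is no way to write clearProxies() here; once
// the proxy is destroyed every call through workerLoaderProxy() is a
// use-after-free and the type system gives no warning.
class ThreadHoldingReference {
public:
    explicit ThreadHoldingReference(LoaderProxy& proxy) : m_loaderProxy(proxy) {}
    LoaderProxy& workerLoaderProxy() { return m_loaderProxy; }
private:
    LoaderProxy& m_loaderProxy;
};

// "After": a raw pointer the owner can clear when the proxy goes away.
class WorkerThread {
public:
    void setProxies(LoaderProxy* loader) { m_loaderProxy = loader; }
    LoaderProxy* workerLoaderProxy() const { return m_loaderProxy; }
    void clearProxies() { m_loaderProxy = nullptr; }
private:
    LoaderProxy* m_loaderProxy { nullptr };
};

// Stand-in for WorkerMessagingProxy: it *is* the loader proxy and shares
// ownership of the thread (the thread can outlive it). Its destructor clears
// the thread's pointer, mirroring ~WorkerMessagingProxy calling clearProxies().
class MessagingProxy : public LoaderProxy {
public:
    explicit MessagingProxy(std::shared_ptr<WorkerThread> thread)
        : LoaderProxy("main"), m_thread(std::move(thread)) { m_thread->setProxies(this); }
    ~MessagingProxy() override { m_thread->clearProxies(); }
private:
    std::shared_ptr<WorkerThread> m_thread;
};

// Use site modelled on createMainThreadConnection(): with a pointer we can
// refuse instead of dereferencing a proxy that is already gone.
std::optional<std::string> createMainThreadConnection(const WorkerThread& thread) {
    auto* proxy = thread.workerLoaderProxy();
    if (!proxy)
        return std::nullopt;            // the null check the commit adds at use sites
    return proxy->createCacheStorageConnection();
}

// Normal case: proxy alive, connection is created.
std::optional<std::string> connectionWhileProxyAlive() {
    auto thread = std::make_shared<WorkerThread>();
    MessagingProxy proxy(thread);
    return createMainThreadConnection(*thread);
}

// Crash scenario from the bug: something still holds the thread after the
// proxy has been torn down. With the reference design this would dereference
// freed memory; here the pointer was cleared and the call returns nullopt.
std::optional<std::string> connectionAfterProxyTeardown() {
    auto thread = std::make_shared<WorkerThread>();
    {
        MessagingProxy proxy(thread);   // registers itself with the thread
    }                                   // ~MessagingProxy -> thread->clearProxies()
    return createMainThreadConnection(*thread);
}

int main() {
    std::printf("alive:    %s\n", connectionWhileProxyAlive().value_or("<null proxy>").c_str());
    std::printf("torn down: %s\n", connectionAfterProxyTeardown().value_or("<null proxy>").c_str());
    return 0;
}
```

The null check only turns a memory-safety bug into a logic path that has to be handled (here, a missing connection), which is why the message flags CheckedPtr as the follow-up: a WTF CheckedPtr to a CanMakeCheckedPtr object makes the pointee's destructor assert if checked pointers to it still exist, so a proxy torn down while a thread still points at it would fail deterministically at the teardown rather than at some later dereference.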
