[webkit-changes] [WebKit/WebKit] 8e3c2c: Fix bad cases of refcounted objects being stored i...

Chris Dumez noreply at github.com
Thu Nov 9 19:07:57 PST 2023


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 8e3c2c07a923c2834343cbf3ffd9b6d2c659c100
      https://github.com/WebKit/WebKit/commit/8e3c2c07a923c2834343cbf3ffd9b6d2c659c100
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-11-09 (Thu, 09 Nov 2023)

  Changed paths:
    M Source/JavaScriptCore/wasm/WasmWorklist.cpp
    M Source/JavaScriptCore/wasm/WasmWorklist.h
    M Source/WTF/wtf/StdLibExtras.h
    M Source/WebCore/Modules/indexeddb/client/IDBConnectionToServer.cpp
    M Source/WebCore/Modules/push-api/ServiceWorkerRegistrationPushAPI.cpp
    M Source/WebCore/css/CSSGroupingRule.cpp
    M Source/WebCore/css/CSSKeyframesRule.cpp
    M Source/WebCore/css/CSSStyleRule.cpp
    M Source/WebCore/dom/DataTransfer.cpp
    M Source/WebCore/dom/Document.cpp
    M Source/WebCore/dom/Element.cpp
    M Source/WebCore/html/HTMLAnchorElement.cpp
    M Source/WebCore/html/HTMLCanvasElement.cpp
    M Source/WebCore/html/HTMLFormElement.cpp
    M Source/WebCore/html/HTMLIFrameElement.cpp
    M Source/WebCore/html/HTMLLinkElement.cpp
    M Source/WebCore/html/HTMLOutputElement.cpp
    M Source/WebCore/svg/SVGAElement.cpp
    M Source/WebCore/xml/XMLHttpRequest.cpp
    M Source/WebKit/WebProcess/GPU/GPUProcessConnection.cpp
    M Source/WebKit/WebProcess/GPU/media/RemoteImageDecoderAVFManager.cpp
    M Source/WebKit/WebProcess/GPU/media/RemoteImageDecoderAVFManager.h
    M Source/WebKit/WebProcess/GPU/media/RemoteMediaPlayerManager.cpp
    M Source/WebKit/WebProcess/GPU/media/RemoteMediaPlayerManager.h
    M Source/WebKit/WebProcess/WebPage/WebPage.cpp
    M Source/WebKit/WebProcess/WebPage/wc/DrawingAreaWC.cpp
    M Source/WebKit/WebProcess/WebProcess.cpp
    M Source/WebKit/WebProcess/WebProcess.h
    M Tools/TestWebKitAPI/Tests/WTF/HashMap.cpp
    M Tools/TestWebKitAPI/Tests/WTF/HashSet.cpp
    M Tools/TestWebKitAPI/Tests/WTF/RobinHoodHashMap.cpp
    M Tools/TestWebKitAPI/Tests/WTF/RobinHoodHashSet.cpp

  Log Message:
  -----------
  Fix bad cases of refcounted objects being stored in std::unique_ptr
https://bugs.webkit.org/show_bug.cgi?id=261280
rdar://115122287

Reviewed by David Kilzer and Alex Christensen.

In Bug 261224, I fixed a security bug where an object was refcounted but was
incorrectly stored in a std::unique_ptr<>, leading to use-after-frees.

In this patch, I am adding a check to WTF::makeUnique<T>() to fail if T::ref()
exists. This found bugs / unsafe code, which I am fixing in this patch.

There is also a common pattern in our code where an object implements ref() &
deref() to forward the refcounting to its owner. In turn, the owner then owns
the object via a std::unique_ptr<>. This is obviously tripping my check and yet
this is usually safe. As a result, I am introducing a
makeUniqueWithoutRefCountedCheck() for these cases.

* Source/JavaScriptCore/wasm/WasmWorklist.cpp:
(JSC::Wasm::Worklist::Worklist):
* Source/JavaScriptCore/wasm/WasmWorklist.h:
* Source/WTF/wtf/StdLibExtras.h:
(WTF::makeUnique):
(WTF::makeUniqueWithoutRefCountedCheck):
(WTF::makeUniqueWithoutFastMallocCheck):
* Source/WebCore/Modules/indexeddb/client/IDBConnectionToServer.cpp:
(WebCore::IDBClient::IDBConnectionToServer::IDBConnectionToServer):
* Source/WebCore/Modules/push-api/ServiceWorkerRegistrationPushAPI.cpp:
(WebCore::ServiceWorkerRegistrationPushAPI::pushManager):
* Source/WebCore/css/CSSGroupingRule.cpp:
(WebCore::CSSGroupingRule::cssRules const):
* Source/WebCore/css/CSSKeyframesRule.cpp:
(WebCore::CSSKeyframesRule::cssRules):
* Source/WebCore/css/CSSStyleRule.cpp:
(WebCore::CSSStyleRule::cssRules const):
* Source/WebCore/dom/DataTransfer.cpp:
(WebCore::DataTransfer::items):
* Source/WebCore/dom/Document.cpp:
(WebCore::Document::implementation):
* Source/WebCore/dom/Element.cpp:
(WebCore::Element::attributes const):
(WebCore::Element::classList):
(WebCore::Element::part):
(WebCore::Element::dataset):
(WebCore::Element::ensureFormAssociatedCustomElement):
* Source/WebCore/html/HTMLAnchorElement.cpp:
(WebCore::HTMLAnchorElement::relList):
* Source/WebCore/html/HTMLCanvasElement.cpp:
(WebCore::HTMLCanvasElement::transferControlToOffscreen):
* Source/WebCore/html/HTMLFormElement.cpp:
(WebCore::HTMLFormElement::relList):
* Source/WebCore/html/HTMLIFrameElement.cpp:
(WebCore::HTMLIFrameElement::sandbox):
* Source/WebCore/html/HTMLLinkElement.cpp:
(WebCore::HTMLLinkElement::sizes):
(WebCore::HTMLLinkElement::relList):
* Source/WebCore/html/HTMLOutputElement.cpp:
(WebCore::HTMLOutputElement::htmlFor):
* Source/WebCore/svg/SVGAElement.cpp:
(WebCore::SVGAElement::relList):
* Source/WebCore/xml/XMLHttpRequest.cpp:
(WebCore::XMLHttpRequest::upload):
* Source/WebKit/WebProcess/GPU/GPUProcessConnection.cpp:
(WebKit::GPUProcessConnection::mediaPlayerManager):
(WebKit::GPUProcessConnection::dispatchMessage):
* Source/WebKit/WebProcess/GPU/media/RemoteImageDecoderAVFManager.cpp:
(WebKit::RemoteImageDecoderAVFManager::create):
(WebKit::RemoteImageDecoderAVFManager::RemoteImageDecoderAVFManager): Deleted.
(WebKit::RemoteImageDecoderAVFManager::supplementName): Deleted.
* Source/WebKit/WebProcess/GPU/media/RemoteImageDecoderAVFManager.h:
* Source/WebKit/WebProcess/GPU/media/RemoteMediaPlayerManager.cpp:
(WebKit::RemoteMediaPlayerManager::create):
(WebKit::RemoteMediaPlayerManager::RemoteMediaPlayerManager): Deleted.
(WebKit::RemoteMediaPlayerManager::~RemoteMediaPlayerManager): Deleted.
(WebKit::RemoteMediaPlayerManager::supplementName): Deleted.
* Source/WebKit/WebProcess/GPU/media/RemoteMediaPlayerManager.h:
* Source/WebKit/WebProcess/WebPage/WebPage.cpp:
(WebKit::WebPage::updatePreferences):
* Source/WebKit/WebProcess/WebProcess.cpp:
(WebKit::WebProcess::WebProcess):
(WebKit::WebProcess::initializeWebProcess):
* Source/WebKit/WebProcess/WebProcess.h:
(WebKit::WebProcess::remoteMediaPlayerManager):
(WebKit::WebProcess::remoteImageDecoderAVFManager):
* Tools/TestWebKitAPI/Tests/WTF/RobinHoodHashMap.cpp:
(TestWebKitAPI::TEST):
* Tools/TestWebKitAPI/Tests/WTF/RobinHoodHashSet.cpp:
(TestWebKitAPI::TEST):

Originally-landed-as: 265870.533 at safari-7616-branch (f5992c6c2848). rdar://118127983
Canonical link: https://commits.webkit.org/270498@main
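The check the log describes is a compile-time detection of a `ref()` member on the type being placed in a `std::unique_ptr`. The following is an added, self-contained illustration of that idea, not WebKit's own code: the trait `HasRefMember`, the `makeUnique` / `makeUniqueWithoutRefCountedCheck` factories and the sample types `PlainObject`, `RefCountedObject`, `ForwardingChild` and `Owner` are all constructed here for the demo (the factory names mirror the ones in the log, but their bodies are assumptions, and WTF's real implementation is not on the page). A refcounted object held by a `unique_ptr` has two unrelated owners, the smart pointer and whoever calls `deref()`, so whichever releases second touches freed memory; rejecting the combination at compile time removes that class of use-after-free.

```cpp
#include <memory>
#include <type_traits>
#include <utility>

// Detection trait (constructed for this example): true when T has a callable ref() member.
template <typename T, typename = void>
struct HasRefMember : std::false_type {};

template <typename T>
struct HasRefMember<T, std::void_t<decltype(std::declval<T&>().ref())>> : std::true_type {};

template <typename T>
constexpr bool hasRefMember() { return HasRefMember<T>::value; }

// Checked factory: refuses, at compile time, to put a refcounted object in a unique_ptr.
template <typename T, typename... Args>
std::unique_ptr<T> makeUnique(Args&&... args)
{
    static_assert(!HasRefMember<T>::value,
        "T has ref(): it is refcounted and must be owned via Ref/RefPtr, not std::unique_ptr");
    return std::make_unique<T>(std::forward<Args>(args)...);
}

// Escape hatch for the forwarding pattern in the log: ref()/deref() forward to an owner
// that itself holds the object via unique_ptr, so a unique_ptr is the correct owner here.
template <typename T, typename... Args>
std::unique_ptr<T> makeUniqueWithoutRefCountedCheck(Args&&... args)
{
    return std::make_unique<T>(std::forward<Args>(args)...);
}

// --- constructed sample types ---

struct PlainObject {
    explicit PlainObject(int v) : value(v) {}
    int value;
};

// Minimal intrusive refcount, a stand-in for a RefCounted type.
struct RefCountedObject {
    void ref() { ++m_refCount; }
    void deref() { if (--m_refCount == 0) delete this; }
    int refCount() const { return m_refCount; }
private:
    int m_refCount = 1;
};

struct Owner;

// Implements ref()/deref() only to forward them to its owner.
struct ForwardingChild {
    explicit ForwardingChild(Owner& owner) : m_owner(owner) {}
    void ref();
    void deref();
private:
    Owner& m_owner;
};

struct Owner {
    Owner() : child(makeUniqueWithoutRefCountedCheck<ForwardingChild>(*this)) {}
    void ref() { ++refCount; }
    void deref() { --refCount; }
    int refCount = 1;
    std::unique_ptr<ForwardingChild> child;
};

inline void ForwardingChild::ref() { m_owner.ref(); }
inline void ForwardingChild::deref() { m_owner.deref(); }

// Holding a ref through the child bumps the owner's count, not a separate one.
int ownerRefCountAfterChildRef()
{
    Owner owner;
    owner.child->ref();
    return owner.refCount;
}

// The forbidden case is rejected before the program ever runs:
//   makeUnique<RefCountedObject>();   // does not compile: static_assert fires
```

`makeUnique<PlainObject>(7)` compiles because the trait is false for `PlainObject`; `ForwardingChild` trips the trait (it does have `ref()`), which is exactly why its owner has to reach for `makeUniqueWithoutRefCountedCheck`, making every such exception visible at the call site for review.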




More information about the webkit-changes mailing list