[Webkit-unassigned] [Bug 284015] New: In the `websocket::send` implementation, dispatching messages in the worker message loop can lead to recursive function execution, which poses a risk.
bugzilla-daemon at webkit.org
Tue Dec 3 19:19:43 PST 2024
https://bugs.webkit.org/show_bug.cgi?id=284015
Bug ID: 284015
Summary: In the `websocket::send` implementation, dispatching messages in the worker message loop can lead to recursive function execution, which poses a risk.
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: New Bugs
Assignee: webkit-unassigned at lists.webkit.org
Reporter: haipeng.liu at zoom.us
Dear WebKit Developers,
We have observed a critical issue in Safari's implementation where messages in the worker message loop are dispatched during the execution of WebSocket::send. Specifically, WorkerThreadableWebSocketChannel::Bridge::send invokes waitForMethodCompletion, which in turn calls runLoop.runInMode, thereby dispatching messages from the worker message loop.
This behavior causes a severe problem in our web application. Within the processing of a worker message, our application enters a WebAssembly (Wasm) function call stack, during which a call to WebSocket::send is made. From the entry into the Wasm function to the completion of the WebSocket::send call, there can be a significant delay (approximately 100ms). During this time, it is highly likely that the worker will receive another message requiring the same Wasm function for processing. This results in recursive calls to the Wasm function on the same Wasm call stack.
Since these Wasm functions are not designed to be reentrant, this triggers a memory out-of-bounds error in Wasm, causing our Wasm-based service to crash. Notably, this issue occurs only in Safari and has not been observed in Chrome or Firefox.
We hope the WebKit development team can address and resolve this issue.
Thanks!
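An added illustration, not code from the bug report, the reporter's application or WebKit: a small JavaScript model of the hazard, in which a `send()` drains the worker's pending message queue before returning (standing in for the nested `runInMode` loop the report describes), placed beside the guard an application can apply on its side, deferring messages that arrive while the non-reentrant function is still on the stack. All names and the three sample messages are constructed.

```javascript
// Constructed model of WebKit's behaviour: send() delivers queued worker
// messages synchronously, from inside the caller's stack frame.
class NestedLoopSocket {
  constructor(dispatchPending) { this.dispatchPending = dispatchPending; this.sent = []; }
  send(data) {
    this.sent.push(data);
    this.dispatchPending(); // the nested run loop: messages dispatched inside send()
  }
}

// Builds a worker model. With guarded=false the handler calls the "Wasm"
// function directly (the bug); with guarded=true it defers messages that
// arrive while that function is already executing (the mitigation).
function makeWorkerModel({ guarded }) {
  const pending = [];            // messages posted by the main thread
  const deferred = [];           // messages held back while inside wasmProcess
  const processed = [];
  let depth = 0, maxDepth = 0;   // re-entrancy depth actually reached
  let busy = false;
  const socket = new NestedLoopSocket(drain);

  function wasmProcess(msg) {    // stands in for a non-reentrant Wasm export
    depth++; maxDepth = Math.max(maxDepth, depth);
    processed.push(msg);
    socket.send(`frame:${msg}`); // this call can re-enter the message loop
    depth--;
  }

  function onmessage(msg) {
    if (!guarded) { wasmProcess(msg); return; }
    if (busy) { deferred.push(msg); return; }   // never re-enter: queue instead
    busy = true;
    try {
      wasmProcess(msg);
      while (deferred.length) wasmProcess(deferred.shift()); // run deferred work serially
    } finally { busy = false; }
  }

  function drain() { while (pending.length) onmessage(pending.shift()); }

  return {
    postMessage(msg) { pending.push(msg); },
    run() { drain(); return { maxDepth, processed: processed.slice(), sent: socket.sent.slice() }; },
  };
}

// Compare how deep the "Wasm" call stack gets in both models for the same burst.
function compareModels(messages) {
  const result = {};
  for (const guarded of [false, true]) {
    const w = makeWorkerModel({ guarded });
    messages.forEach((m) => w.postMessage(m));
    result[guarded ? 'guarded' : 'unguarded'] = w.run();
  }
  return result;
}
```

Running `compareModels(['m1', 'm2', 'm3'])` shows the unguarded handler reaching depth 3 with every message nested inside the previous one's `send()`, while the guarded handler processes the same messages in the same order at depth 1.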