Title: [273139] trunk/Source/WebKit
Revision: 273139
Author: commit-qu...@webkit.org
Date: 2021-02-19 08:05:20 -0800 (Fri, 19 Feb 2021)

Log Message

RemoteRenderingBackend is accessed in non-thread-safe manner
https://bugs.webkit.org/show_bug.cgi?id=222056

Patch by Kimmo Kinnunen <kkinnu...@apple.com> on 2021-02-19
Reviewed by Chris Dumez.

The class calls Connection::addWorkQueueMessageReceiver() during its
construction, passing 'this' as the receiver.

The virtual function pointer is not fully constructed at the time of the call.
Connection may start dispatching calls to the work queue. The work queue may
dispatch the task function through that pointer immediately after the call. If a
message comes during the constructor call, it may be dispatched while the
constructor is still running, before the virtual function pointer has been correctly
set up. Accessing the virtual function pointer is not thread-safe until it is fully
constructed.

No new tests, unit tests for WebKit not possible ATM.

* GPUProcess/graphics/RemoteRenderingBackend.cpp:
(WebKit::RemoteRenderingBackend::create):
(WebKit::RemoteRenderingBackend::RemoteRenderingBackend):
(WebKit::RemoteRenderingBackend::startListeningForIPC):
* GPUProcess/graphics/RemoteRenderingBackend.h:

Modified Paths

Diff

Modified: trunk/Source/WebKit/ChangeLog (273138 => 273139)


--- trunk/Source/WebKit/ChangeLog	2021-02-19 15:51:15 UTC (rev 273138)
+++ trunk/Source/WebKit/ChangeLog	2021-02-19 16:05:20 UTC (rev 273139)
@@ -1,3 +1,29 @@
+2021-02-19  Kimmo Kinnunen  <kkinnu...@apple.com>
+
+        RemoteRenderingBackend is accessed in non-thread-safe manner
+        https://bugs.webkit.org/show_bug.cgi?id=222056
+
+        Reviewed by Chris Dumez.
+
+        The class calls Connection::addWorkQueueMessageReceiver() during its
+        construction, passing 'this' as the receiver.
+
+        The virtual function pointer is not fully constructed during the call time.
+        Connection may start dispatching calls to the work queue. The work queue may
+        dispatch the task function through that pointer immediately after the call. If a
+        message comes during the constructor call, it may be dispatched during the
+        constructor still running, before the virtual function pointer being correctly
+        set up. Accessing virtual function pointer is not thread safe until it is fully
+        constructed.
+
+        No new tests, unit tests for WebKit not possible ATM.
+
+        * GPUProcess/graphics/RemoteRenderingBackend.cpp:
+        (WebKit::RemoteRenderingBackend::create):
+        (WebKit::RemoteRenderingBackend::RemoteRenderingBackend):
+        (WebKit::RemoteRenderingBackend::startListeningForIPC):
+        * GPUProcess/graphics/RemoteRenderingBackend.h:
+
 2021-02-19  Kate Cheney  <katherine_che...@apple.com>
 
         Create SQLite skeleton implementation for PCM fraud prevention
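Review bot: The ChangeLog entry describes the race but not the fix; the paragraph after "Accessing virtual function pointer is not thread safe until it is fully constructed." should say what changed, for example: "Move the addWorkQueueMessageReceiver() call out of the constructor into startListeningForIPC(), which create() invokes only after the constructor has returned, so the work queue never sees a partially constructed object." Without that sentence a reader of the log has to open the diff to learn how the problem was resolved.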

Modified: trunk/Source/WebKit/GPUProcess/graphics/RemoteRenderingBackend.cpp (273138 => 273139)


--- trunk/Source/WebKit/GPUProcess/graphics/RemoteRenderingBackend.cpp	2021-02-19 15:51:15 UTC (rev 273138)
+++ trunk/Source/WebKit/GPUProcess/graphics/RemoteRenderingBackend.cpp	2021-02-19 16:05:20 UTC (rev 273139)
@@ -64,7 +64,9 @@
 
 Ref<RemoteRenderingBackend> RemoteRenderingBackend::create(GPUConnectionToWebProcess& gpuConnectionToWebProcess, RenderingBackendIdentifier identifier, IPC::Semaphore&& resumeDisplayListSemaphore)
 {
-    return adoptRef(*new RemoteRenderingBackend(gpuConnectionToWebProcess, identifier, WTFMove(resumeDisplayListSemaphore)));
+    auto instance = adoptRef(*new RemoteRenderingBackend(gpuConnectionToWebProcess, identifier, WTFMove(resumeDisplayListSemaphore)));
+    instance->startListeningForIPC();
+    return instance;
 }
 
 RemoteRenderingBackend::RemoteRenderingBackend(GPUConnectionToWebProcess& gpuConnectionToWebProcess, RenderingBackendIdentifier identifier, IPC::Semaphore&& resumeDisplayListSemaphore)
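Review bot: The call `instance->startListeningForIPC();` is the point at which `this` is published to the work queue, so from that line onward messages may be dispatched on `m_workQueue` concurrently with the rest of create() and with whatever the caller does after create() returns. That is correct for the constructor-time race this patch fixes, because the object is fully constructed when adoptRef() returns, but it is worth a one-line comment above the call stating that any state the object needs before its first message must be initialised in the constructor, not by the caller afterwards. The fix is also only sound because the constructor is private and create() is the sole construction path; if a second factory is ever added it must call startListeningForIPC() as well.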
@@ -74,9 +76,13 @@
     , m_resumeDisplayListSemaphore(WTFMove(resumeDisplayListSemaphore))
 {
     ASSERT(RunLoop::isMain());
-    gpuConnectionToWebProcess.connection().addWorkQueueMessageReceiver(Messages::RemoteRenderingBackend::messageReceiverName(), m_workQueue, this, m_renderingBackendIdentifier.toUInt64());
 }
 
+void RemoteRenderingBackend::startListeningForIPC()
+{
+    m_gpuConnectionToWebProcess->connection().addWorkQueueMessageReceiver(Messages::RemoteRenderingBackend::messageReceiverName(), m_workQueue, this, m_renderingBackendIdentifier.toUInt64());
+}
+
 RemoteRenderingBackend::~RemoteRenderingBackend()
 {
     // Make sure we destroy the ResourceCache on the WorkQueue since it gets populated on the WorkQueue.
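Review bot: startListeningForIPC() should carry the same `ASSERT(RunLoop::isMain());` that the constructor has, since the registration has simply moved and is still expected to happen on the main thread; the assertion in the constructor no longer guards the addWorkQueueMessageReceiver() call. The new function also switches from the constructor's `gpuConnectionToWebProcess` parameter to `m_gpuConnectionToWebProcess->connection()`, which is fine here because the member is already initialised by the time create() calls it, but a brief comment that the function must be called exactly once, after construction, would document the contract the ChangeLog describes.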

Modified: trunk/Source/WebKit/GPUProcess/graphics/RemoteRenderingBackend.h (273138 => 273139)


--- trunk/Source/WebKit/GPUProcess/graphics/RemoteRenderingBackend.h	2021-02-19 15:51:15 UTC (rev 273138)
+++ trunk/Source/WebKit/GPUProcess/graphics/RemoteRenderingBackend.h	2021-02-19 16:05:20 UTC (rev 273139)
@@ -85,6 +85,7 @@
 
 private:
     RemoteRenderingBackend(GPUConnectionToWebProcess&, RenderingBackendIdentifier, IPC::Semaphore&&);
+    void startListeningForIPC();
 
     Optional<WebCore::DisplayList::ItemHandle> WARN_UNUSED_RETURN decodeItem(const uint8_t* data, size_t length, WebCore::DisplayList::ItemType, uint8_t* handleLocation) override;
 
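Review bot: The declaration `void startListeningForIPC();` would benefit from a short comment explaining why it exists as a separate step rather than being part of the constructor (it hands `this` to the work queue, so it must run only after construction completes and only from create()). Placing it directly under the private constructor is the right spot; the comment makes sure a future refactor does not fold it back into the constructor and reintroduce the race.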
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes