Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: eece793cfe01232ecbbf6a69457b83fcbfac896a
https://github.com/WebKit/WebKit/commit/eece793cfe01232ecbbf6a69457b83fcbfac896a
Author: Ben Nham <n...@apple.com>
Date: 2022-11-09 (Wed, 09 Nov 2022)

Changed paths:
M Source/WebKit/Platform/cocoa/SharedMemoryCocoa.cpp

Log Message:
-----------
Shared memory IPC sometimes fails under Rosetta
https://bugs.webkit.org/show_bug.cgi?id=247691
rdar://99827403

Reviewed by Geoffrey Garen.

Sending a SharedMemory object over IPC sometimes fails when the sending process runs under Rosetta and the receiving process is ARM64. This is due to the Rosetta process using a 4KB page size and the receiving process using a 16KB page size. On the sending side, SharedMemory calls `safeRoundPage` on the actual size to round the allocation up to a 4KB boundary. On the receiving side, SharedMemory calls `safeRoundPage` again on the actual size, but now rounds up to a 16KB boundary. This means the receiving side might try to ask the kernel to map a larger memory region than was created on the sending side. This causes `mach_vm_map` to fail with an invalid argument error.

One easy way to trigger this issue is to implement a URL scheme handler in a Rosetta UIProcess that returns some small payload. This will result in a buffer being sent to an ARM WebContent process.

To fix this, the kernel team recommended that we:

1. Stop rounding the page size in user space. The syscalls we use here (e.g. mach_vm_allocate) are already documented to handle page rounding for you.
2. Defensively handle the case where we might try to share a non-page-aligned region. (This actually doesn't apply in our case since `SharedMemory::allocate` is always returning a page-aligned region but it's good to do in case someone adds that capability in the future.) We do this by using `MAP_MEM_USE_DATA_ADDR` with `mach_make_memory_entry_64` and `VM_FLAGS_RETURN_DATA_ADDR` with `mach_vm_map`.

This patch implements those recommendations.

To test this, I ran `URLSchemeHandler.Basic` under Rosetta. Before this patch, WebContent crashed with the assert `Received invalid message: 'WebPage_URLSchemeTaskDidReceiveData'`. After this patch, the test no longer crashes.

* Source/WebKit/Platform/cocoa/SharedMemoryCocoa.cpp:
(WebKit::SharedMemory::Handle::decode):
(WebKit::SharedMemory::allocate):
(WebKit::makeMemoryEntry):
(WebKit::SharedMemory::map):
(WebKit::SharedMemory::~SharedMemory):
(WebKit::SharedMemory::createHandle):
(WebKit::safeRoundPage): Deleted.

Canonical link: https://commits.webkit.org/256505@main

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
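The page-size mismatch described in the commit message, worked through as an added example. This is not WebKit code and does not call the Mach API: it is a small user-space model of a named memory entry and a map over it, written here to show why rounding the size on each side with that side's own page size makes the receiver ask for more than the sender created, and how passing the actual size and letting the "kernel" round avoids that. The `sim_*` functions, the fixed fake addresses, the 4KB/16KB page sizes and the modelled meaning of `MAP_MEM_USE_DATA_ADDR` / `VM_FLAGS_RETURN_DATA_ADDR` (entry remembers the in-page data offset; map returns the data address rather than the page base) are assumptions of this example, not statements about the real kernel's implementation.

```c
#include <stdint.h>
#include <stdio.h>

/* Page sizes from the bug report (constructed scenario): the Rosetta (x86_64)
   sender sees 4KB pages, the native arm64 receiver sees 16KB pages. */
#define ROSETTA_PAGE 4096ull
#define ARM64_PAGE   16384ull

/* Stand-ins for the two Mach return codes that matter here (assumed values). */
#define SIM_KERN_SUCCESS          0
#define SIM_KERN_INVALID_ARGUMENT 4

static uint64_t round_page(uint64_t x, uint64_t page) { return (x + page - 1) & ~(page - 1); }
static uint64_t trunc_page(uint64_t x, uint64_t page) { return x & ~(page - 1); }

/* Simulated named memory entry: what the modelled mach_make_memory_entry_64 hands back. */
typedef struct {
    uint64_t base;        /* page-aligned start of the backing region */
    uint64_t length;      /* page-rounded length of the backing region */
    uint64_t data_offset; /* where the caller's data starts inside the first page */
} sim_entry;

/* Model of mach_make_memory_entry_64. With use_data_addr (standing in for
   MAP_MEM_USE_DATA_ADDR) the caller may pass an unaligned address and the entry
   records the in-page offset. The backing region is rounded with the *creator's*
   page size, as the sender's mach_vm_allocate did in the bug report. */
static sim_entry sim_make_memory_entry(uint64_t addr, uint64_t size, int use_data_addr, uint64_t creator_page)
{
    sim_entry e;
    e.base = use_data_addr ? trunc_page(addr, creator_page) : addr;
    e.data_offset = addr - e.base;
    e.length = round_page(e.data_offset + size, creator_page);
    return e;
}

/* Model of mach_vm_map over a named entry. A request that does not fit inside the
   entry fails with KERN_INVALID_ARGUMENT; any rounding to the mapper's page size is
   the kernel's job, not the caller's. With return_data_addr (standing in for
   VM_FLAGS_RETURN_DATA_ADDR) the returned address points at the data, not the page base. */
static int sim_vm_map(const sim_entry *e, uint64_t size, int return_data_addr, uint64_t mapper_page, uint64_t *out_addr)
{
    (void)mapper_page;                          /* rounding would happen here, inside the "kernel" */
    if (e->data_offset + size > e->length)
        return SIM_KERN_INVALID_ARGUMENT;
    uint64_t mapped_base = 0x200000000ull;      /* constructed: fake address chosen by the "kernel" */
    *out_addr = return_data_addr ? mapped_base + e->data_offset : mapped_base;
    return SIM_KERN_SUCCESS;
}

/* Before the patch: both sides ran the actual size through safeRoundPage, each with
   its own page size, so the receiver asked for more than the sender created. */
static int map_old_way(uint64_t payload_size)
{
    uint64_t sender_size = round_page(payload_size, ROSETTA_PAGE);
    sim_entry e = sim_make_memory_entry(0x100000000ull, sender_size, 0, ROSETTA_PAGE);
    uint64_t receiver_size = round_page(payload_size, ARM64_PAGE);
    uint64_t addr;
    return sim_vm_map(&e, receiver_size, 0, ARM64_PAGE, &addr);
}

/* After the patch: pass the actual size on both sides and leave rounding to the kernel. */
static int map_new_way(uint64_t payload_size)
{
    sim_entry e = sim_make_memory_entry(0x100000000ull, payload_size, 1, ROSETTA_PAGE);
    uint64_t addr;
    return sim_vm_map(&e, payload_size, 1, ARM64_PAGE, &addr);
}

/* The defensive case from point 2: share a region that does not start on a page
   boundary and report the in-page offset the receiver ends up with. Returns
   UINT64_MAX if the map fails. */
static uint64_t mapped_offset_of_unaligned_share(uint64_t in_page_offset, uint64_t size)
{
    uint64_t addr = 0x100000000ull + in_page_offset;   /* constructed sender-side data address */
    sim_entry e = sim_make_memory_entry(addr, size, 1, ROSETTA_PAGE);
    uint64_t mapped;
    if (sim_vm_map(&e, size, 1, ARM64_PAGE, &mapped) != SIM_KERN_SUCCESS)
        return UINT64_MAX;
    return mapped % ARM64_PAGE;
}

int main(void)
{
    printf("old path, 100-byte payload: kr=%d\n", map_old_way(100));
    printf("new path, 100-byte payload: kr=%d\n", map_new_way(100));
    printf("unaligned share at +0x40: mapped in-page offset=0x%llx\n",
           (unsigned long long)mapped_offset_of_unaligned_share(0x40, 100));
    return 0;
}
```

With a 100-byte payload the old path creates a 4096-byte entry and then asks to map 16384 bytes, which the model rejects; a payload that is already a multiple of 16KB happens to work on both paths, which is why the failure looks intermittent and shows up with small payloads such as a URL scheme handler response. The new path passes 100 on both sides and succeeds, and an unaligned share comes back at the same in-page offset (0x40) it was created with.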