Bug 238495

Summary: IPC::Connection::connection(UniqueID) makes thread-safe IPC::Connection harder to implement
Product: WebKit Reporter: Kimmo Kinnunen <kkinnunen>
Component: WebKit2Assignee: Kimmo Kinnunen <kkinnunen>
Status: NEW ---    
Severity: Normal CC: cdumez, kkinnunen, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 238515    
Attachments:
Description Flags
Patch kkinnunen: review?, ews-feeder: commit-queue-

Description Kimmo Kinnunen 2022-03-29 02:01:15 PDT 
IPC::Connection::connection(UniqueID) makes thread-safe IPC::Connection harder
Comment 1 Kimmo Kinnunen 2022-03-29 02:05:43 PDT 
Created attachment 456007 [details]
Patch
Comment 2 Chris Dumez 2022-03-31 10:21:06 PDT 
Comment on attachment 456007 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=456007&action=review

> Source/WebKit/NetworkProcess/NetworkBroadcastChannelRegistry.cpp:63
> +    auto& connectionIdentifiersForName = channelsForOrigin.ensure(name, [] { return Vector<IPC::Connection*> { }; }).iterator->value; // NOLINT

Curious, what is this NOLINT about? First time I see it. I am not aware that it is a thing in WebKit?

> Source/WebKit/NetworkProcess/NetworkBroadcastChannelRegistry.h:56
> +    using NameToConnectionIdentifiersMap = HashMap<String, Vector<IPC::Connection*>>;

We don't store raw pointers in containers in WebKit anymore because of UAF risks. We may want to use a WeakPtr<>.
Comment 3 Kimmo Kinnunen 2022-04-04 01:49:00 PDT 
(In reply to Chris Dumez from comment #2)
> Comment on attachment 456007 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=456007&action=review
> 
> > Source/WebKit/NetworkProcess/NetworkBroadcastChannelRegistry.cpp:63
> > +    auto& connectionIdentifiersForName = channelsForOrigin.ensure(name, [] { return Vector<IPC::Connection*> { }; }).iterator->value; // NOLINT
> 
> Curious, what is this NOLINT about? First time I see it. I am not aware that
> it is a thing in WebKit?

git grep NOLINT Source/WebCore Source/WebKit Source/WTF Source/JavaScriptCore | wc -l 
     104

It's a workaround for case where where webkit style check regular expressions fail.
It is implemented in the webkit style checker.

> > Source/WebKit/NetworkProcess/NetworkBroadcastChannelRegistry.h:56
> > +    using NameToConnectionIdentifiersMap = HashMap<String, Vector<IPC::Connection*>>;
> 
> We don't store raw pointers in containers in WebKit anymore because of UAF
> risks. We may want to use a WeakPtr<>.

WeakPtrs of cross-thread objects are an oxymoron.
Comment 4 Kimmo Kinnunen 2022-04-04 06:13:58 PDT 
>> We don't store raw pointers in containers in WebKit anymore because of UAF
>> risks. We may want to use a WeakPtr<>.

> WeakPtrs of cross-thread objects are an oxymoron.

And to elaborate: currently we don't have useful abstraction for holding cross-thread object without a Ref in a thread-safe manner. It is generally a sign of a bug if WeakPtrs are being used for ThreadSafeRefCounted objects.

However, if we don't think that's an issue for today, maybe these objects are only used in main thread, and IPC::Connections are created and destroyed in main thread, so it should work. I can try this if there's no better options and RefPtrs nor raw pointers are appropriate..
Comment 5 Radar WebKit Bug Importer 2022-04-05 02:02:22 PDT 
<rdar://problem/91283581>