Bug 238495 - IPC::Connection::connection(UniqueID) makes thread-safe IPC::Connection harder to implement
Summary: IPC::Connection::connection(UniqueID) makes thread-safe IPC::Connection harde...
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit2 (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Kimmo Kinnunen
URL:
Keywords: InRadar
Depends on:
Blocks: 238515
  Show dependency treegraph
 
Reported: 2022-03-29 02:01 PDT by Kimmo Kinnunen
Modified: 2022-04-05 02:02 PDT (History)
3 users (show)

See Also:

Attachments
Patch (7.27 KB, patch)
2022-03-29 02:05 PDT, Kimmo Kinnunen 		kkinnunen: review?
ews-feeder: commit-queue-
Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Kimmo Kinnunen 2022-03-29 02:01:15 PDT 
IPC::Connection::connection(UniqueID) makes thread-safe IPC::Connection harder
Comment 1 Kimmo Kinnunen 2022-03-29 02:05:43 PDT 
Created attachment 456007 [details]
Patch
Comment 2 Chris Dumez 2022-03-31 10:21:06 PDT 
Comment on attachment 456007 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=456007&action=review

> Source/WebKit/NetworkProcess/NetworkBroadcastChannelRegistry.cpp:63
> +    auto& connectionIdentifiersForName = channelsForOrigin.ensure(name, [] { return Vector<IPC::Connection*> { }; }).iterator->value; // NOLINT

Curious, what is this NOLINT about? First time I see it. I am not aware that it is a thing in WebKit?

> Source/WebKit/NetworkProcess/NetworkBroadcastChannelRegistry.h:56
> +    using NameToConnectionIdentifiersMap = HashMap<String, Vector<IPC::Connection*>>;

We don't store raw pointers in containers in WebKit anymore because of UAF risks. We may want to use a WeakPtr<>.
Comment 3 Kimmo Kinnunen 2022-04-04 01:49:00 PDT 
(In reply to Chris Dumez from comment #2)
> Comment on attachment 456007 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=456007&action=review
> 
> > Source/WebKit/NetworkProcess/NetworkBroadcastChannelRegistry.cpp:63
> > +    auto& connectionIdentifiersForName = channelsForOrigin.ensure(name, [] { return Vector<IPC::Connection*> { }; }).iterator->value; // NOLINT
> 
> Curious, what is this NOLINT about? First time I see it. I am not aware that
> it is a thing in WebKit?

git grep NOLINT Source/WebCore Source/WebKit Source/WTF Source/JavaScriptCore | wc -l 
     104

It's a workaround for case where where webkit style check regular expressions fail.
It is implemented in the webkit style checker.

> > Source/WebKit/NetworkProcess/NetworkBroadcastChannelRegistry.h:56
> > +    using NameToConnectionIdentifiersMap = HashMap<String, Vector<IPC::Connection*>>;
> 
> We don't store raw pointers in containers in WebKit anymore because of UAF
> risks. We may want to use a WeakPtr<>.

WeakPtrs of cross-thread objects are an oxymoron.
Comment 4 Kimmo Kinnunen 2022-04-04 06:13:58 PDT 
>> We don't store raw pointers in containers in WebKit anymore because of UAF
>> risks. We may want to use a WeakPtr<>.

> WeakPtrs of cross-thread objects are an oxymoron.

And to elaborate: currently we don't have useful abstraction for holding cross-thread object without a Ref in a thread-safe manner. It is generally a sign of a bug if WeakPtrs are being used for ThreadSafeRefCounted objects.

However, if we don't think that's an issue for today, maybe these objects are only used in main thread, and IPC::Connections are created and destroyed in main thread, so it should work. I can try this if there's no better options and RefPtrs nor raw pointers are appropriate..
Comment 5 Radar WebKit Bug Importer 2022-04-05 02:02:22 PDT 
<rdar://problem/91283581>