[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc
andersca at apple.com
andersca at apple.com
Wed Dec 22 11:47:32 UTC 2010
The following commit has been merged in the debian/experimental branch:
commit 728ef2c6667ed95ee574c4e94757af6c8a83a1eb
Author: andersca at apple.com <andersca at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Fri Aug 6 21:52:03 2010 +0000
Detect invalid CoreIPC messages and call didReceiveInvalidMessage
https://bugs.webkit.org/show_bug.cgi?id=43643
<rdar://problem/7891069>
Reviewed by Adam Roben.
* Platform/CoreIPC/ArgumentDecoder.cpp:
(CoreIPC::ArgumentDecoder::alignBufferPosition):
If we can't correctly align the buffer position, mark the decoder as invalid.
* Platform/CoreIPC/ArgumentDecoder.h:
(CoreIPC::ArgumentDecoder::isInvalid):
Check if the argument decoder is valid.
(CoreIPC::ArgumentDecoder::markInvalid):
Mark the argument decoder as invalid, by setting its buffer position past its end position.
* Platform/CoreIPC/Connection.cpp:
(CoreIPC::Connection::dispatchMessages):
Check if m_client is null before dispatching messages. If an argument decoder was marked invalid, call
Connection::Client::didReceiveInvalidMessage.
* Platform/CoreIPC/Connection.h:
(CoreIPC::Connection::Message::releaseArguments):
Rename destroy to releaseArguments and make it return a PassOwnPtr.
* UIProcess/WebProcessProxy.cpp:
(WebKit::WebProcessProxy::~WebProcessProxy):
Call releaseArguments instead of destroy.
(WebKit::WebProcessProxy::didReceiveInvalidMessage):
Kill the web process and invalidate its connection.
* WebProcess/WebProcess.cpp:
(WebKit::WebProcess::didReceiveInvalidMessage):
Do nothing: if the UI process is sending invalid messages there's not much we can do.
* WebProcess/WebProcess.h:
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@64871 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/WebKit2/ChangeLog b/WebKit2/ChangeLog
index ed9cddb..0b88a57 100644
--- a/WebKit2/ChangeLog
+++ b/WebKit2/ChangeLog
@@ -2,6 +2,47 @@
Reviewed by Adam Roben.
+ Detect invalid CoreIPC messages and call didReceiveInvalidMessage
+ https://bugs.webkit.org/show_bug.cgi?id=43643
+ <rdar://problem/7891069>
+
+ * Platform/CoreIPC/ArgumentDecoder.cpp:
+ (CoreIPC::ArgumentDecoder::alignBufferPosition):
+ If we can't correctly align the buffer position, mark the decoder as invalid.
+
+ * Platform/CoreIPC/ArgumentDecoder.h:
+ (CoreIPC::ArgumentDecoder::isInvalid):
+ Check if the argument decoder is valid.
+
+ (CoreIPC::ArgumentDecoder::markInvalid):
+ Mark the argument decoder as invalid, by setting its buffer position past its end position.
+
+ * Platform/CoreIPC/Connection.cpp:
+ (CoreIPC::Connection::dispatchMessages):
+ Check if m_client is null before dispatching messages. If an argument decoder was marked invalid, call
+ Connection::Client::didReceiveInvalidMessage.
+
+ * Platform/CoreIPC/Connection.h:
+ (CoreIPC::Connection::Message::releaseArguments):
+ Rename destroy to releaseArguments and make it return a PassOwnPtr.
+
+ * UIProcess/WebProcessProxy.cpp:
+ (WebKit::WebProcessProxy::~WebProcessProxy):
+ Call releaseArguments instead of destroy.
+
+ (WebKit::WebProcessProxy::didReceiveInvalidMessage):
+ Kill the web process and invalidate its connection.
+
+ * WebProcess/WebProcess.cpp:
+ (WebKit::WebProcess::didReceiveInvalidMessage):
+ Don't do anything, if the UI process is sending invalid messages there's not much we can do.
+
+ * WebProcess/WebProcess.h:
+
+2010-08-06 Anders Carlsson <andersca at apple.com>
+
+ Reviewed by Adam Roben.
+
Add CoreIPC::MessageReceiver class
https://bugs.webkit.org/show_bug.cgi?id=43637
diff --git a/WebKit2/Platform/CoreIPC/ArgumentDecoder.cpp b/WebKit2/Platform/CoreIPC/ArgumentDecoder.cpp
index aa4865a..991da0b 100644
--- a/WebKit2/Platform/CoreIPC/ArgumentDecoder.cpp
+++ b/WebKit2/Platform/CoreIPC/ArgumentDecoder.cpp
@@ -69,7 +69,7 @@ bool ArgumentDecoder::alignBufferPosition(unsigned alignment, size_t size)
uint8_t* buffer = roundUpToAlignment(m_bufferPos, alignment);
if (buffer + size > m_bufferEnd) {
// We've walked off the end of this buffer.
- m_bufferPos = m_bufferEnd;
+ markInvalid();
return false;
}
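Review bot: The bounds test just above the changed line, `buffer + size > m_bufferEnd`, is done in pointer arithmetic, so a large `size` can push `buffer + size` past the end of the address space and wrap, making the check pass and the following decode read beyond the buffer; forming such a pointer is also undefined behaviour, so the optimizer is entitled to fold the comparison. Comparing lengths avoids both: `if (buffer > m_bufferEnd || size > static_cast<size_t>(m_bufferEnd - buffer)) { markInvalid(); return false; }`, where the first clause also covers `roundUpToAlignment` itself stepping past `m_bufferEnd`. This matters only if `size` can be influenced by the peer process (presumably it is derived from the message for variable-length fields, but the visible lines do not settle that). alignBufferPosition starts before the hunk.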
diff --git a/WebKit2/Platform/CoreIPC/ArgumentDecoder.h b/WebKit2/Platform/CoreIPC/ArgumentDecoder.h
index 4718186..f7e409a 100644
--- a/WebKit2/Platform/CoreIPC/ArgumentDecoder.h
+++ b/WebKit2/Platform/CoreIPC/ArgumentDecoder.h
@@ -41,6 +41,9 @@ public:
uint64_t destinationID() const { return m_destinationID; }
+ bool isInvalid() const { return m_bufferPos > m_bufferEnd; }
+ void markInvalid() { m_bufferPos = m_bufferEnd + 1; }
+
bool decodeBytes(Vector<uint8_t>&);
bool decodeBytes(uint8_t*, size_t);
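Review bot: `markInvalid` stores `m_bufferEnd + 1`, a pointer beyond one-past-the-end of the buffer; that is undefined behaviour in C++, and `isInvalid` then rests on a comparison the compiler may assume is never true. A dedicated flag is both well-defined and robust against later code that repositions `m_bufferPos`: `bool isInvalid() const { return m_invalid; }` and `void markInvalid() { m_invalid = true; m_bufferPos = m_bufferEnd; }`, with a `bool m_invalid` member initialised to false in the constructor (outside this hunk). Whether every decode path goes through `alignBufferPosition`, so that a marked decoder really refuses all further reads, is not visible here and worth confirming. The class starts before the hunk.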
diff --git a/WebKit2/Platform/CoreIPC/Connection.cpp b/WebKit2/Platform/CoreIPC/Connection.cpp
index adcfa16..1866a85 100644
--- a/WebKit2/Platform/CoreIPC/Connection.cpp
+++ b/WebKit2/Platform/CoreIPC/Connection.cpp
@@ -237,8 +237,12 @@ void Connection::dispatchMessages()
// Dispatch messages.
for (size_t i = 0; i < incomingMessages.size(); ++i) {
+ // If someone calls invalidate while we're invalidating messages, we should stop.
+ if (!m_client)
+ return;
+
IncomingMessage& message = incomingMessages[i];
- ArgumentDecoder* arguments = message.arguments();
+ OwnPtr<ArgumentDecoder> arguments = message.releaseArguments();
if (message.messageID().isSync()) {
// Decode the sync request ID.
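Review bot: The early `return` when `m_client` is null leaves every not-yet-dispatched entry of `incomingMessages` still holding its `ArgumentDecoder`: ownership only moves to the `OwnPtr` once `releaseArguments()` runs on that iteration, and the explicit release loop in `~WebProcessProxy` later in this patch suggests `Message` has no owning destructor, so those decoders leak on every invalidate that races pending messages. Either release the remaining entries before returning, or `break` and drain the vector after the loop. The new comment also says "while we're invalidating messages" where "dispatching messages" is meant. dispatchMessages continues past the hunk.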
@@ -253,14 +257,18 @@ void Connection::dispatchMessages()
OwnPtr<ArgumentEncoder> replyEncoder(new ArgumentEncoder(syncRequestID));
// Hand off both the decoder and encoder to the client..
- m_client->didReceiveSyncMessage(this, message.messageID(), arguments, replyEncoder.get());
+ m_client->didReceiveSyncMessage(this, message.messageID(), arguments.get(), replyEncoder.get());
+ // FIXME: If the message was invalid, we should send back a SyncMessageError.
+ ASSERT(!arguments->isInvalid());
+
// Send the reply.
sendMessage(MessageID(CoreIPCMessage::SyncMessageReply), replyEncoder.release());
} else
- m_client->didReceiveMessage(this, message.messageID(), arguments);
+ m_client->didReceiveMessage(this, message.messageID(), arguments.get());
- message.destroy();
+ if (arguments->isInvalid())
+ m_client->didReceiveInvalidMessage(this, message.messageID());
}
}
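Review bot: On the sync path the reply is sent before the validity check at the bottom of the loop, and `ASSERT(!arguments->isInvalid())` compiles to nothing in release builds, so a malformed sync message from the peer still receives a `SyncMessageReply` built from whatever the handler encoded after decoding garbage, and only afterwards is `didReceiveInvalidMessage` invoked. Move the check ahead of `sendMessage`, e.g. `if (arguments->isInvalid()) { m_client->didReceiveInvalidMessage(this, message.messageID()); continue; }` (or implement the SyncMessageError the FIXME mentions), so the peer never sees a reply derived from partial decoding. Note also that `didReceiveInvalidMessage` may invalidate the connection and, in WebProcessProxy, terminate the process from inside this loop; the `!m_client` guard at the loop head covers the client going away, but whether `this` is kept alive across that callback is not visible here.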
diff --git a/WebKit2/Platform/CoreIPC/Connection.h b/WebKit2/Platform/CoreIPC/Connection.h
index db341ec..a7e5d0d 100644
--- a/WebKit2/Platform/CoreIPC/Connection.h
+++ b/WebKit2/Platform/CoreIPC/Connection.h
@@ -68,8 +68,9 @@ public:
protected:
virtual ~Client() { }
- public:
+ public:
virtual void didClose(Connection*) = 0;
+ virtual void didReceiveInvalidMessage(Connection*, MessageID) = 0;
};
#if PLATFORM(MAC)
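Review bot: The new pure-virtual `didReceiveInvalidMessage` carries no comment describing its contract, which matters because, per the Connection.cpp change in this patch, it is called after `didReceiveMessage`/`didReceiveSyncMessage` has already run against the partially decoded arguments, on the dispatch thread, with the connection still live. Add above the declaration: `// Called after a message's arguments failed to decode. The normal handler has already been invoked with the truncated decoder; implementations may invalidate the connection from here.` The Client class starts before the hunk.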
@@ -114,9 +115,12 @@ private:
MessageID messageID() const { return m_messageID; }
T* arguments() const { return m_arguments; }
- void destroy()
+ PassOwnPtr<T> releaseArguments()
{
- delete m_arguments;
+ T* arguments = m_arguments;
+ m_arguments = 0;
+
+ return arguments;
}
private:
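Review bot: After `releaseArguments()` the sibling accessor `arguments()` returns the nulled `m_arguments`, and nothing on `Message` says that deleting the decoder is now the caller's job (the `~WebProcessProxy` change later in this patch relies on the discarded `PassOwnPtr` temporary doing it). A comment on the method would keep the next caller from reading `arguments()` after a release: `// Transfers ownership of the decoder to the caller; arguments() returns 0 afterwards.` The Message class starts before the hunk.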
diff --git a/WebKit2/UIProcess/WebProcessProxy.cpp b/WebKit2/UIProcess/WebProcessProxy.cpp
index 0c1fa30..d89d025 100644
--- a/WebKit2/UIProcess/WebProcessProxy.cpp
+++ b/WebKit2/UIProcess/WebProcessProxy.cpp
@@ -94,7 +94,7 @@ WebProcessProxy::~WebProcessProxy()
ASSERT(!m_connection);
for (size_t i = 0; i < m_pendingMessages.size(); ++i)
- m_pendingMessages[i].destroy();
+ m_pendingMessages[i].releaseArguments();
if (m_processLauncher) {
m_processLauncher->invalidate();
@@ -398,6 +398,14 @@ void WebProcessProxy::didClose(CoreIPC::Connection*)
WebProcessManager::shared().processDidClose(this, m_context);
}
+void WebProcessProxy::didReceiveInvalidMessage(CoreIPC::Connection*, CoreIPC::MessageID messageID)
+{
+ // We received an invalid message from the web process, invalidate our connection and kill it.
+ m_connection->invalidate();
+
+ terminate();
+}
+
void WebProcessProxy::didBecomeUnresponsive(ResponsivenessTimer*)
{
Vector<RefPtr<WebPageProxy> > pages;
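Review bot: `didReceiveInvalidMessage` discards its `messageID` parameter, so a web process killed for malformed IPC leaves no record of which message failed to decode, which is the one piece of information needed to tell a WebKit serialization bug from a compromised child probing the UI process. Terminating and invalidating is the right fail-closed response; add at least `// FIXME: log messageID so kills caused by malformed IPC can be diagnosed.` or a debug-build log before `terminate()`. Because this runs from inside Connection::dispatchMessages, `invalidate()` and `terminate()` must not release the last reference to the Connection while it is still iterating; whether dispatchMessages protects `this` is not visible here.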
diff --git a/WebKit2/UIProcess/WebProcessProxy.h b/WebKit2/UIProcess/WebProcessProxy.h
index 6808b6f..8c13cf2 100644
--- a/WebKit2/UIProcess/WebProcessProxy.h
+++ b/WebKit2/UIProcess/WebProcessProxy.h
@@ -107,6 +107,7 @@ private:
void didReceiveMessage(CoreIPC::Connection*, CoreIPC::MessageID, CoreIPC::ArgumentDecoder*);
void didReceiveSyncMessage(CoreIPC::Connection*, CoreIPC::MessageID, CoreIPC::ArgumentDecoder*, CoreIPC::ArgumentEncoder*);
void didClose(CoreIPC::Connection*);
+ void didReceiveInvalidMessage(CoreIPC::Connection*, CoreIPC::MessageID);
// ResponsivenessTimer::Client
void didBecomeUnresponsive(ResponsivenessTimer*);
diff --git a/WebKit2/WebProcess/WebProcess.cpp b/WebKit2/WebProcess/WebProcess.cpp
index 25cb4bc..5c30593 100644
--- a/WebKit2/WebProcess/WebProcess.cpp
+++ b/WebKit2/WebProcess/WebProcess.cpp
@@ -332,4 +332,10 @@ void WebProcess::didClose(CoreIPC::Connection*)
m_runLoop->stop();
}
+void WebProcess::didReceiveInvalidMessage(CoreIPC::Connection*, CoreIPC::MessageID)
+{
+ // We received an invalid message, but since this is from the UI process (which we trust),
+ // we'll let it slide.
+}
+
} // namespace WebKit
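Review bot: The empty body means a web process that has just run a handler against a truncated decoder (the handler is invoked before this callback, per Connection::dispatchMessages in this patch) carries on with whatever default values the failed decodes left behind, and nothing surfaces it even in debug builds. Trusting the UI process is reasonable, but an invalid message from it is a serialization bug in WebKit itself, so at least `ASSERT_NOT_REACHED();` (the file already uses the WTF ASSERT family) or a debug log here would catch encoder/decoder mismatches in testing instead of silently producing wrong state. The trust boundary is also worth stating explicitly in the comment: `// The UI process is the trusted side of this connection; an invalid message here is a WebKit bug, not an attack.`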
diff --git a/WebKit2/WebProcess/WebProcess.h b/WebKit2/WebProcess/WebProcess.h
index 1617d74..8a0111c 100644
--- a/WebKit2/WebProcess/WebProcess.h
+++ b/WebKit2/WebProcess/WebProcess.h
@@ -87,6 +87,7 @@ private:
// CoreIPC::Connection::Client
void didReceiveMessage(CoreIPC::Connection*, CoreIPC::MessageID, CoreIPC::ArgumentDecoder*);
void didClose(CoreIPC::Connection*);
+ void didReceiveInvalidMessage(CoreIPC::Connection*, CoreIPC::MessageID);
RefPtr<CoreIPC::Connection> m_connection;
HashMap<uint64_t, RefPtr<WebPage> > m_pageMap;