Changeset 171526 in webkit

Timestamp:

Jul 24, 2014 2:37:43 PM (10 years ago)

Author:

psolanki@apple.com

Message:

Sharing SharedBuffer between WebCore and ImageIO is racy and crash prone
​https://bugs.webkit.org/show_bug.cgi?id=135069
<rdar://problem/17470655>

Reviewed by Simon Fraser.

When passing image data to ImageIO for decoding, we pass an NSData subclass that is a wraper
around SharedBuffer. This can be a problem when ImageIO tries to access the data on the CA
thread. End result is data corruption on large image loads and potential crashes. The fix is
to have SharedBuffer create a copy of its data if the data has been passed to ImageIO and
might be accessed concurrently.

Since Vector is not refcounted, we do this by having a new refcounted object in SharedBuffer
that contains the buffer and we pass that in our NSData subclass WebCoreSharedBufferData.
Code that would result in the Vector memory moving e.g. append(), resize(), now checks to
see if the buffer was shared and if so, will create a new copy of the vector. This ensures
that the main thread does not end up invalidating the vector memory that we have passed it
to ImageIO.

No new tests because no functional changes.

• loader/cache/CachedResource.cpp:

(WebCore::CachedResource::makePurgeable):

Remove early return - createPurgeableMemory() has the correct check now.

• platform/SharedBuffer.cpp:

(WebCore::SharedBuffer::SharedBuffer):
(WebCore::SharedBuffer::adoptVector):
(WebCore::SharedBuffer::createPurgeableBuffer):

Don't create purgeable buffer if we are sharing the buffer.

(WebCore::SharedBuffer::append):
(WebCore::SharedBuffer::clear):
(WebCore::SharedBuffer::copy):
(WebCore::SharedBuffer::duplicateDataBufferIfNecessary): Added.

Create a new copy of the data if we have shared the buffer and if appending to it would
exceed the capacity of the vector resulting in memmove.

(WebCore::SharedBuffer::appendToInternalBuffer): Added.
(WebCore::SharedBuffer::clearInternalBuffer): Added.
(WebCore::SharedBuffer::buffer):

Create a new copy of the buffer if we have shared it.

(WebCore::SharedBuffer::getSomeData):

• platform/SharedBuffer.h:
• platform/cf/SharedBufferCF.cpp:

(WebCore::SharedBuffer::SharedBuffer):
(WebCore::SharedBuffer::singleDataArrayBuffer):
(WebCore::SharedBuffer::maybeAppendDataArray):

• platform/mac/SharedBufferMac.mm:

Pass the InternalBuffer object to WebCoreSharedBufferData

(-[WebCoreSharedBufferData dealloc]):
(-[WebCoreSharedBufferData initWithSharedBufferInternalBuffer:]):
(-[WebCoreSharedBufferData length]):
(-[WebCoreSharedBufferData bytes]):
(WebCore::SharedBuffer::createNSData):

Call createCFData() instead of duplicating code.

(WebCore::SharedBuffer::createCFData):

If the data is in purgeable memory, make a copy of it since m_buffer was cleared when
creating the purgeable buffer.

(-[WebCoreSharedBufferData initWithSharedBuffer:]): Deleted.

Location:

trunk/Source/WebCore

Files:

• ChangeLog (modified) (1 diff)
• loader/cache/CachedResource.cpp (modified) (1 diff)
• platform/SharedBuffer.cpp (modified) (14 diffs)
• platform/SharedBuffer.h (modified) (3 diffs)
• platform/cf/SharedBufferCF.cpp (modified) (4 diffs)
• platform/mac/SharedBufferMac.mm (modified) (6 diffs)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2014-07-24  Pratik Solanki  <psolanki@apple.com>
+
+        Sharing SharedBuffer between WebCore and ImageIO is racy and crash prone
+        https://bugs.webkit.org/show_bug.cgi?id=135069
+        <rdar://problem/17470655>
+
+        Reviewed by Simon Fraser.
+
+        When passing image data to ImageIO for decoding, we pass an NSData subclass that is a wraper
+        around SharedBuffer. This can be a problem when ImageIO tries to access the data on the CA
+        thread. End result is data corruption on large image loads and potential crashes. The fix is
+        to have SharedBuffer create a copy of its data if the data has been passed to ImageIO and
+        might be accessed concurrently.
+
+        Since Vector is not refcounted, we do this by having a new refcounted object in SharedBuffer
+        that contains the buffer and we pass that in our NSData subclass WebCoreSharedBufferData.
+        Code that would result in the Vector memory moving e.g. append(), resize(), now checks to
+        see if the buffer was shared and if so, will create a new copy of the vector. This ensures
+        that the main thread does not end up invalidating the vector memory that we have passed it
+        to ImageIO.
+
+        No new tests because no functional changes.
+
+        * loader/cache/CachedResource.cpp:
+        (WebCore::CachedResource::makePurgeable):
+            Remove early return - createPurgeableMemory() has the correct check now.
+        * platform/SharedBuffer.cpp:
+        (WebCore::SharedBuffer::SharedBuffer):
+        (WebCore::SharedBuffer::adoptVector):
+        (WebCore::SharedBuffer::createPurgeableBuffer):
+            Don't create purgeable buffer if we are sharing the buffer.
+        (WebCore::SharedBuffer::append):
+        (WebCore::SharedBuffer::clear):
+        (WebCore::SharedBuffer::copy):
+        (WebCore::SharedBuffer::duplicateDataBufferIfNecessary): Added.
+            Create a new copy of the data if we have shared the buffer and if appending to it would
+            exceed the capacity of the vector resulting in memmove.
+        (WebCore::SharedBuffer::appendToInternalBuffer): Added.
+        (WebCore::SharedBuffer::clearInternalBuffer): Added.
+        (WebCore::SharedBuffer::buffer):
+            Create a new copy of the buffer if we have shared it.
+        (WebCore::SharedBuffer::getSomeData):
+        * platform/SharedBuffer.h:
+        * platform/cf/SharedBufferCF.cpp:
+        (WebCore::SharedBuffer::SharedBuffer):
+        (WebCore::SharedBuffer::singleDataArrayBuffer):
+        (WebCore::SharedBuffer::maybeAppendDataArray):
+        * platform/mac/SharedBufferMac.mm:
+            Pass the InternalBuffer object to WebCoreSharedBufferData
+        (-[WebCoreSharedBufferData dealloc]):
+        (-[WebCoreSharedBufferData initWithSharedBufferInternalBuffer:]):
+        (-[WebCoreSharedBufferData length]):
+        (-[WebCoreSharedBufferData bytes]):
+        (WebCore::SharedBuffer::createNSData):
+            Call createCFData() instead of duplicating code.
+        (WebCore::SharedBuffer::createCFData):
+            If the data is in purgeable memory, make a copy of it since m_buffer was cleared when
+            creating the purgeable buffer.
+        (-[WebCoreSharedBufferData initWithSharedBuffer:]): Deleted.
+
 2014-07-24  peavo@outlook.com  <peavo@outlook.com>
 

trunk/Source/WebCore/loader/cache/CachedResource.cpp

@@ -812 +812 @@
             return false;
         
-        // Should not make buffer purgeable if it has refs other than this since we don't want two copies.
-        if (!m_data->hasOneRef())
-            return false;
-
         m_data->createPurgeableBuffer();
         if (!m_data->hasPurgeableBuffer())

trunk/Source/WebCore/platform/SharedBuffer.cpp

@@ -66 +66 @@
 SharedBuffer::SharedBuffer()
     : m_size(0)
+    , m_buffer(adoptRef(new DataBuffer))
     , m_shouldUsePurgeableMemory(false)
 #if ENABLE(DISK_IMAGE_CACHE)
@@ -78 +79 @@
 SharedBuffer::SharedBuffer(unsigned size)
     : m_size(size)
-    , m_buffer(size)
+    , m_buffer(adoptRef(new DataBuffer))
     , m_shouldUsePurgeableMemory(false)
 #if ENABLE(DISK_IMAGE_CACHE)
@@ -91 +92 @@
 SharedBuffer::SharedBuffer(const char* data, unsigned size)
     : m_size(0)
+    , m_buffer(adoptRef(new DataBuffer))
     , m_shouldUsePurgeableMemory(false)
 #if ENABLE(DISK_IMAGE_CACHE)
@@ -104 +106 @@
 SharedBuffer::SharedBuffer(const unsigned char* data, unsigned size)
     : m_size(0)
+    , m_buffer(adoptRef(new DataBuffer))
     , m_shouldUsePurgeableMemory(false)
 #if ENABLE(DISK_IMAGE_CACHE)
@@ -130 +133 @@
 {
     RefPtr<SharedBuffer> buffer = create();
-    buffer->m_buffer.swap(vector);
-    buffer->m_size = buffer->m_buffer.size();
+    buffer->m_buffer->data.swap(vector);
+    buffer->m_size = buffer->m_buffer->data.size();
     return buffer.release();
 }
@@ -233 +236 @@
 #endif
 
-    if (!hasOneRef())
+    if (!m_buffer->hasOneRef())
         return;
 
@@ -243 +246 @@
     if (!m_purgeableBuffer)
         return;
-    unsigned bufferSize = m_buffer.size();
+    unsigned bufferSize = m_buffer->data.size();
     if (bufferSize) {
-        memcpy(destination, m_buffer.data(), bufferSize);
+        memcpy(destination, m_buffer->data.data(), bufferSize);
         destination += bufferSize;
-        m_buffer.clear();
+        (const_cast<SharedBuffer*>(this))->clearDataBuffer();
     }
     copyBufferAndClear(destination, m_size - bufferSize);
@@ -324 +327 @@
 
 #if !USE(NETWORK_CFDATA_ARRAY_CALLBACK)
-    unsigned positionInSegment = offsetInSegment(m_size - m_buffer.size());
+    unsigned positionInSegment = offsetInSegment(m_size - m_buffer->data.size());
     m_size += length;
 
     if (m_size <= segmentSize) {
         // No need to use segments for small resource data
-        if (m_buffer.isEmpty())
-            m_buffer.reserveInitialCapacity(length);
-        m_buffer.append(data, length);
+        if (m_buffer->data.isEmpty())
+            m_buffer->data.reserveInitialCapacity(length);
+        appendToDataBuffer(data, length);
         return;
     }
@@ -357 +360 @@
     }
 #else
-    if (m_buffer.isEmpty())
-        m_buffer.reserveInitialCapacity(length);
-    m_buffer.append(data, length);
     m_size += length;
+    if (m_buffer->data.isEmpty())
+        m_buffer->data.reserveInitialCapacity(length);
+    appendToDataBuffer(data, length);
 #endif
 }
@@ -383 +386 @@
 
     m_size = 0;
-    m_buffer.clear();
+    clearDataBuffer();
     m_purgeableBuffer.clear();
 }
@@ -396 +399 @@
 
     clone->m_size = m_size;
-    clone->m_buffer.reserveCapacity(m_size);
-    clone->m_buffer.append(m_buffer.data(), m_buffer.size());
+    clone->m_buffer->data.reserveCapacity(m_size);
+    clone->m_buffer->data.append(m_buffer->data.data(), m_buffer->data.size());
 #if !USE(NETWORK_CFDATA_ARRAY_CALLBACK)
     for (unsigned i = 0; i < m_segments.size(); ++i)
-        clone->m_buffer.append(m_segments[i], segmentSize);
+        clone->m_buffer->data.append(m_segments[i], segmentSize);
 #else
     for (unsigned i = 0; i < m_dataArray.size(); ++i)
@@ -412 +415 @@
     ASSERT(hasOneRef()); 
     return m_purgeableBuffer.release(); 
+}
+
+void SharedBuffer::duplicateDataBufferIfNecessary() const
+{
+    if (m_buffer->hasOneRef() || m_size <= m_buffer->data.capacity())
+        return;
+
+    RefPtr<DataBuffer> newBuffer = adoptRef(new DataBuffer);
+    newBuffer->data.reserveInitialCapacity(m_size);
+    newBuffer->data = m_buffer->data;
+    m_buffer = newBuffer.release();
+}
+
+void SharedBuffer::appendToDataBuffer(const char *data, unsigned length) const
+{
+    duplicateDataBufferIfNecessary();
+    m_buffer->data.append(data, length);
+}
+
+void SharedBuffer::clearDataBuffer()
+{
+    if (!m_buffer->hasOneRef())
+        m_buffer = adoptRef(new DataBuffer);
+    else
+        m_buffer->data.clear();
 }
 
@@ -433 +461 @@
     ASSERT(!isMemoryMapped());
 #endif
-    unsigned bufferSize = m_buffer.size();
+    unsigned bufferSize = m_buffer->data.size();
     if (m_size > bufferSize) {
-        m_buffer.resize(m_size);
-        copyBufferAndClear(m_buffer.data() + bufferSize, m_size - bufferSize);
-    }
-    return m_buffer;
+        duplicateDataBufferIfNecessary();
+        m_buffer->data.resize(m_size);
+        copyBufferAndClear(m_buffer->data.data() + bufferSize, m_size - bufferSize);
+    }
+    return m_buffer->data;
 }
 
@@ -465 +494 @@
 
     ASSERT_WITH_SECURITY_IMPLICATION(position < m_size);
-    unsigned consecutiveSize = m_buffer.size();
+    unsigned consecutiveSize = m_buffer->data.size();
     if (position < consecutiveSize) {
-        someData = m_buffer.data() + position;
+        someData = m_buffer->data.data() + position;
         return consecutiveSize - position;
     }

trunk/Source/WebCore/platform/SharedBuffer.h

@@ -32 +32 @@
 #include <wtf/OwnPtr.h>
 #include <wtf/RefCounted.h>
+#include <wtf/ThreadSafeRefCounted.h>
 #include <wtf/Vector.h>
 #include <wtf/text/WTFString.h>
@@ -159 +160 @@
     bool hasPlatformData() const;
 
+    struct DataBuffer : public ThreadSafeRefCounted<DataBuffer> {
+        Vector<char> data;
+    };
+
 private:
     SharedBuffer();
@@ -178 +183 @@
     void copyBufferAndClear(char* destination, unsigned bytesToCopy) const;
 
+    void appendToDataBuffer(const char *, unsigned) const;
+    void duplicateDataBufferIfNecessary() const;
+    void clearDataBuffer();
+
     unsigned m_size;
-    mutable Vector<char> m_buffer;
+    mutable RefPtr<DataBuffer> m_buffer;
+
     bool m_shouldUsePurgeableMemory;
     mutable OwnPtr<PurgeableBuffer> m_purgeableBuffer;

trunk/Source/WebCore/platform/cf/SharedBufferCF.cpp

@@ -40 +40 @@
 SharedBuffer::SharedBuffer(CFDataRef cfData)
     : m_size(0)
+    , m_buffer(adoptRef(new DataBuffer))
     , m_shouldUsePurgeableMemory(false)
 #if ENABLE(DISK_IMAGE_CACHE)
@@ -129 +130 @@
 SharedBuffer::SharedBuffer(CFArrayRef cfDataArray)
     : m_size(0)
+    , m_buffer(adoptRef(new DataBuffer))
     , m_shouldUsePurgeableMemory(false)
 #if ENABLE(DISK_IMAGE_CACHE)
@@ -188 +190 @@
     // If we had previously copied data into m_buffer in copyDataArrayAndClear() or some other
     // function, then we can't return a pointer to the CFDataRef buffer.
-    if (m_buffer.size())
+    if (m_buffer->data.size())
         return 0;
 
@@ -199 +201 @@
 bool SharedBuffer::maybeAppendDataArray(SharedBuffer* data)
 {
-    if (m_buffer.size() || m_cfData || !data->m_dataArray.size())
+    if (m_buffer->data.size() || m_cfData || !data->m_dataArray.size())
         return false;
 #if !ASSERT_DISABLED

trunk/Source/WebCore/platform/mac/SharedBufferMac.mm

@@ -33 +33 @@
 #include <wtf/PassRefPtr.h>
 
-
 using namespace WebCore;
 
 @interface WebCoreSharedBufferData : NSData
 {
-    RefPtr<SharedBuffer> sharedBuffer;
+    RefPtr<SharedBuffer::DataBuffer> buffer;
 }
 
-- (id)initWithSharedBuffer:(SharedBuffer*)buffer;
+- (id)initWithSharedBufferDataBuffer:(SharedBuffer::DataBuffer*)dataBuffer;
 @end
 
@@ -59 +58 @@
     if (WebCoreObjCScheduleDeallocateOnMainThread([WebCoreSharedBufferData class], self))
         return;
-    
+
     [super dealloc];
 }
@@ -68 +67 @@
 }
 
-- (id)initWithSharedBuffer:(SharedBuffer*)buffer
+- (id)initWithSharedBufferDataBuffer:(SharedBuffer::DataBuffer*)dataBuffer
 {
     self = [super init];
     
     if (self)
-        sharedBuffer = buffer;
-    
+        buffer = dataBuffer;
+
     return self;
 }
@@ -80 +79 @@
 - (NSUInteger)length
 {
-    return sharedBuffer->size();
+    return buffer->data.size();
 }
 
 - (const void *)bytes
 {
-    return reinterpret_cast<const void*>(sharedBuffer->data());
+    return reinterpret_cast<const void*>(buffer->data.data());
 }
 
@@ -99 +98 @@
 RetainPtr<NSData> SharedBuffer::createNSData()
 {
-    return adoptNS([[WebCoreSharedBufferData alloc] initWithSharedBuffer:this]);
+    return adoptNS((NSData *)createCFData().leakRef());
 }
 
@@ -107 +106 @@
         return m_cfData;
 
-    return adoptCF((CFDataRef)adoptNS([[WebCoreSharedBufferData alloc] initWithSharedBuffer:this]).leakRef());
+    data(); // Force data into m_buffer from segments or data array.
+    if (hasPurgeableBuffer()) {
+        RefPtr<SharedBuffer::DataBuffer> copiedBuffer = adoptRef(new DataBuffer);
+        copiedBuffer->data.append(data(), size());
+        return adoptCF(reinterpret_cast<CFDataRef>([[WebCoreSharedBufferData alloc] initWithSharedBufferDataBuffer:copiedBuffer.get()]));
+    }
+
+    return adoptCF(reinterpret_cast<CFDataRef>([[WebCoreSharedBufferData alloc] initWithSharedBufferDataBuffer:m_buffer.get()]));
 }