Changeset 246526 in webkit


Ignore:
Timestamp:
Jun 17, 2019 5:17:24 PM (5 years ago)
Author:
achristensen@apple.com
Message:

Protect StorageManager::m_localStorageNamespaces with a Lock
https://bugs.webkit.org/show_bug.cgi?id=198939
<rdar://problem/51784225>

Reviewed by Geoff Garen.

StorageManager::LocalStorageNamespace::didDestroyStorageArea is called from StorageArea::~StorageArea which is called on the main thread.
All other access of m_localStorageNamespaces is from the non-main thread. Sometimes this causes hash table corruption, so wait for a mutex
before accessing this member variable.

  • NetworkProcess/WebStorage/StorageManager.cpp:

(WebKit::StorageManager::LocalStorageNamespace::didDestroyStorageArea):
(WebKit::StorageManager::cloneSessionStorageNamespace):
(WebKit::StorageManager::getLocalStorageOrigins):
(WebKit::StorageManager::deleteLocalStorageEntriesForOrigin):
(WebKit::StorageManager::deleteLocalStorageOriginsModifiedSince):
(WebKit::StorageManager::deleteLocalStorageEntriesForOrigins):
(WebKit::StorageManager::getOrCreateLocalStorageNamespace):

  • NetworkProcess/WebStorage/StorageManager.h:
Location:
trunk/Source/WebKit
Files:
3 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/WebKit/ChangeLog

    r246521 r246526  
     12019-06-17  Alex Christensen  <achristensen@webkit.org>
     2
     3        Protect StorageManager::m_localStorageNamespaces with a Lock
     4        https://bugs.webkit.org/show_bug.cgi?id=198939
     5        <rdar://problem/51784225>
     6
     7        Reviewed by Geoff Garen.
     8
     9        StorageManager::LocalStorageNamespace::didDestroyStorageArea is called from StorageArea::~StorageArea which is called on the main thread.
     10        All other access of m_localStorageNamespaces is from the non-main thread.  Sometimes this causes hash table corruption, so wait for a mutex
     11        before accessing this member variable.
     12
     13        * NetworkProcess/WebStorage/StorageManager.cpp:
     14        (WebKit::StorageManager::LocalStorageNamespace::didDestroyStorageArea):
     15        (WebKit::StorageManager::cloneSessionStorageNamespace):
     16        (WebKit::StorageManager::getLocalStorageOrigins):
     17        (WebKit::StorageManager::deleteLocalStorageEntriesForOrigin):
     18        (WebKit::StorageManager::deleteLocalStorageOriginsModifiedSince):
     19        (WebKit::StorageManager::deleteLocalStorageEntriesForOrigins):
     20        (WebKit::StorageManager::getOrCreateLocalStorageNamespace):
     21        * NetworkProcess/WebStorage/StorageManager.h:
     22
    1232019-06-17  Alex Christensen  <achristensen@webkit.org>
    224

  • trunk/Source/WebKit/NetworkProcess/WebStorage/StorageManager.cpp

    r246079 r246526  
    377377        return;
    378378
     379    std::lock_guard<Lock> lock(m_storageManager.m_localStorageNamespacesMutex);
    379380    ASSERT(m_storageManager.m_localStorageNamespaces.contains(m_storageNamespaceID));
    380381    m_storageManager.m_localStorageNamespaces.remove(m_storageNamespaceID);
     
    573574
    574575        if (!m_localStorageDatabaseTracker) {
     576            std::lock_guard<Lock> lock(m_localStorageNamespacesMutex);
    575577            if (auto* localStorageNamespace = m_localStorageNamespaces.get(storageNamespaceID)) {
    576578                LocalStorageNamespace* newlocalStorageNamespace = getOrCreateLocalStorageNamespace(newStorageNamespaceID);
     
    663665                origins.add(origin);
    664666        } else {
     667            std::lock_guard<Lock> lock(m_localStorageNamespacesMutex);
    665668            for (const auto& localStorageNameSpace : m_localStorageNamespaces.values()) {
    666669                for (auto& origin : localStorageNameSpace->ephemeralOrigins())
     
    696699{
    697700    m_queue->dispatch([this, protectedThis = makeRef(*this), copiedOrigin = securityOrigin.isolatedCopy()]() mutable {
    698         for (auto& localStorageNamespace : m_localStorageNamespaces.values())
    699             localStorageNamespace->clearStorageAreasMatchingOrigin(copiedOrigin);
     701        {
     702            std::lock_guard<Lock> lock(m_localStorageNamespacesMutex);
     703            for (auto& localStorageNamespace : m_localStorageNamespaces.values())
     704                localStorageNamespace->clearStorageAreasMatchingOrigin(copiedOrigin);
     705        }
    700706
    701707        for (auto& transientLocalStorageNamespace : m_transientLocalStorageNamespaces.values())
     
    717723
    718724            for (const auto& origin : originsToDelete) {
    719                 for (auto& localStorageNamespace : m_localStorageNamespaces.values())
    720                     localStorageNamespace->clearStorageAreasMatchingOrigin(origin);
     725                {
     726                    std::lock_guard<Lock> lock(m_localStorageNamespacesMutex);
     727                    for (auto& localStorageNamespace : m_localStorageNamespaces.values())
     728                        localStorageNamespace->clearStorageAreasMatchingOrigin(origin);
     729                }
    721730               
    722731                m_localStorageDatabaseTracker->deleteDatabaseWithOrigin(origin);
    723732            }
    724733        } else {
     734            std::lock_guard<Lock> lock(m_localStorageNamespacesMutex);
    725735            for (auto& localStorageNamespace : m_localStorageNamespaces.values())
    726736                localStorageNamespace->clearAllStorageAreas();
     
    741751    m_queue->dispatch([this, protectedThis = makeRef(*this), copiedOrigins = WTFMove(copiedOrigins), completionHandler = WTFMove(completionHandler)]() mutable {
    742752        for (auto& origin : copiedOrigins) {
    743             for (auto& localStorageNamespace : m_localStorageNamespaces.values())
    744                 localStorageNamespace->clearStorageAreasMatchingOrigin(origin);
     753            {
     754                std::lock_guard<Lock> lock(m_localStorageNamespacesMutex);
     755                for (auto& localStorageNamespace : m_localStorageNamespaces.values())
     756                    localStorageNamespace->clearStorageAreasMatchingOrigin(origin);
     757            }
    745758
    746759            for (auto& transientLocalStorageNamespace : m_transientLocalStorageNamespaces.values())
     
    10001013StorageManager::LocalStorageNamespace* StorageManager::getOrCreateLocalStorageNamespace(uint64_t storageNamespaceID)
    10011014{
     1015    std::lock_guard<Lock> lock(m_localStorageNamespacesMutex);
    10021016    if (!m_localStorageNamespaces.isValidKey(storageNamespaceID))
    10031017        return nullptr;

  • trunk/Source/WebKit/NetworkProcess/WebStorage/StorageManager.h

    r246132 r246526  
    106106    RefPtr<LocalStorageDatabaseTracker> m_localStorageDatabaseTracker;
    107107    HashMap<uint64_t, RefPtr<LocalStorageNamespace>> m_localStorageNamespaces;
     108    Lock m_localStorageNamespacesMutex;
    108109
    109110    HashMap<std::pair<uint64_t, WebCore::SecurityOriginData>, RefPtr<TransientLocalStorageNamespace>> m_transientLocalStorageNamespaces;
Note: See TracChangeset for help on using the changeset viewer.