Changeset 227789 in webkit

Timestamp:

Jan 30, 2018, 9:21:49 AM (7 years ago)

Author:

Chris Dumez

Message:

Make sure we never create a WebSWClientConnection with an invalid sessionID
​https://bugs.webkit.org/show_bug.cgi?id=182276
<rdar://problem/36582633>

Reviewed by Alex Christensen.

Make sure we never create a WebSWClientConnection with an invalid sessionID as this
could corrupt our hash tables.

Source/WebCore:

• dom/Document.cpp:

(WebCore::Document::privateBrowsingStateDidChange):

• workers/service/ServiceWorker.cpp:

(WebCore::ServiceWorker::postMessage):

• workers/service/ServiceWorkerContainer.cpp:

(WebCore::ServiceWorkerContainer::ready):
(WebCore::ServiceWorkerContainer::getRegistration):
(WebCore::ServiceWorkerContainer::didFinishGetRegistrationRequest):
(WebCore::ServiceWorkerContainer::getRegistrations):
(WebCore::ServiceWorkerContainer::didFinishGetRegistrationsRequest):
(WebCore::ServiceWorkerContainer::jobResolvedWithRegistration):
(WebCore::ServiceWorkerContainer::ensureSWClientConnection):

Source/WebKit:

• StorageProcess/StorageProcess.cpp:

(WebKit::StorageProcess::swServerForSession):

• UIProcess/WebProcessPool.cpp:

(WebKit::WebProcessPool::establishWorkerContextConnectionToStorageProcess):

• WebProcess/Storage/WebSWClientConnection.cpp:

(WebKit::WebSWClientConnection::WebSWClientConnection):

• WebProcess/Storage/WebServiceWorkerProvider.cpp:

(WebKit::WebServiceWorkerProvider::serviceWorkerConnectionForSession):
(WebKit::WebServiceWorkerProvider::existingServiceWorkerConnectionForSession):

• WebProcess/Storage/WebToStorageProcessConnection.cpp:

(WebKit::WebToStorageProcessConnection::serviceWorkerConnectionForSession):

Location:

trunk/Source

Files:

• WebCore/ChangeLog (modified) (1 diff)
• WebCore/dom/Document.cpp (modified) (1 diff)
• WebCore/workers/service/ServiceWorker.cpp (modified) (1 diff)
• WebCore/workers/service/ServiceWorkerContainer.cpp (modified) (9 diffs)
• WebKit/ChangeLog (modified) (1 diff)
• WebKit/StorageProcess/StorageProcess.cpp (modified) (1 diff)
• WebKit/UIProcess/WebProcessPool.cpp (modified) (1 diff)
• WebKit/WebProcess/Storage/WebSWClientConnection.cpp (modified) (1 diff)
• WebKit/WebProcess/Storage/WebServiceWorkerProvider.cpp (modified) (2 diffs)
• WebKit/WebProcess/Storage/WebToStorageProcessConnection.cpp (modified) (1 diff)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2018-01-30  Chris Dumez  <cdumez@apple.com>
+
+        Make sure we never create a WebSWClientConnection with an invalid sessionID
+        https://bugs.webkit.org/show_bug.cgi?id=182276
+        <rdar://problem/36582633>
+
+        Reviewed by Alex Christensen.
+
+        Make sure we never create a WebSWClientConnection with an invalid sessionID as this
+        could corrupt our hash tables.
+
+        * dom/Document.cpp:
+        (WebCore::Document::privateBrowsingStateDidChange):
+        * workers/service/ServiceWorker.cpp:
+        (WebCore::ServiceWorker::postMessage):
+        * workers/service/ServiceWorkerContainer.cpp:
+        (WebCore::ServiceWorkerContainer::ready):
+        (WebCore::ServiceWorkerContainer::getRegistration):
+        (WebCore::ServiceWorkerContainer::didFinishGetRegistrationRequest):
+        (WebCore::ServiceWorkerContainer::getRegistrations):
+        (WebCore::ServiceWorkerContainer::didFinishGetRegistrationsRequest):
+        (WebCore::ServiceWorkerContainer::jobResolvedWithRegistration):
+        (WebCore::ServiceWorkerContainer::ensureSWClientConnection):
+
 2018-01-30  Antti Koivisto  <antti@apple.com>
 

trunk/Source/WebCore/dom/Document.cpp

@@ -4997 +4997 @@
 
 #if ENABLE(SERVICE_WORKER)
-    if (RuntimeEnabledFeatures::sharedFeatures().serviceWorkerEnabled() && m_serviceWorkerConnection)
+    ASSERT(sessionID().isValid());
+    if (RuntimeEnabledFeatures::sharedFeatures().serviceWorkerEnabled() && m_serviceWorkerConnection && sessionID().isValid())
         setServiceWorkerConnection(&ServiceWorkerProvider::singleton().serviceWorkerConnectionForSession(sessionID()));
 #endif

trunk/Source/WebCore/workers/service/ServiceWorker.cpp

@@ -96 +96 @@
 ExceptionOr<void> ServiceWorker::postMessage(ScriptExecutionContext& context, JSC::JSValue messageValue, Vector<JSC::Strong<JSC::JSObject>>&& transfer)
 {
-    if (m_isStopped)
+    if (m_isStopped || !context.sessionID().isValid())
         return Exception { InvalidStateError };
 

trunk/Source/WebCore/workers/service/ServiceWorkerContainer.cpp

@@ -87 +87 @@
         m_readyPromise = std::make_unique<ReadyPromise>();
 
-        auto* context = scriptExecutionContext();
-        if (!context)
+        if (m_isStopped || !scriptExecutionContext()->sessionID().isValid())
             return *m_readyPromise;
 
+        auto& context = *scriptExecutionContext();
         auto contextIdentifier = this->contextIdentifier();
-        callOnMainThread([this, connection = makeRef(ensureSWClientConnection()), topOrigin = context->topOrigin().isolatedCopy(), clientURL = context->url().isolatedCopy(), contextIdentifier]() mutable {
+        callOnMainThread([this, connection = makeRef(ensureSWClientConnection()), topOrigin = context.topOrigin().isolatedCopy(), clientURL = context.url().isolatedCopy(), contextIdentifier]() mutable {
             connection->whenRegistrationReady(topOrigin, clientURL, [this, contextIdentifier](auto&& registrationData) {
                 ScriptExecutionContext::postTaskTo(contextIdentifier, [this, registrationData = crossThreadCopy(registrationData)](auto&) mutable {
-                    if (m_isStopped)
+                    if (m_isStopped || !scriptExecutionContext()->sessionID().isValid())
                         return;
 
@@ -250 +250 @@
 void ServiceWorkerContainer::getRegistration(const String& clientURL, Ref<DeferredPromise>&& promise)
 {
-    if (m_isStopped) {
+    auto* context = scriptExecutionContext();
+    if (m_isStopped || !context->sessionID().isValid()) {
         promise->reject(Exception { InvalidStateError });
         return;
     }
 
-    ASSERT(scriptExecutionContext());
-    auto& context = *scriptExecutionContext();
-
-    URL parsedURL = context.completeURL(clientURL);
-    if (!protocolHostAndPortAreEqual(parsedURL, context.url())) {
+    URL parsedURL = context->completeURL(clientURL);
+    if (!protocolHostAndPortAreEqual(parsedURL, context->url())) {
         promise->reject(Exception { SecurityError, ASCIILiteral("Origin of clientURL is not client's origin") });
         return;
@@ -269 +267 @@
 
     auto contextIdentifier = this->contextIdentifier();
-    callOnMainThread([connection = makeRef(ensureSWClientConnection()), this, topOrigin = context.topOrigin().isolatedCopy(), parsedURL = parsedURL.isolatedCopy(), contextIdentifier, pendingPromiseIdentifier]() mutable {
+    callOnMainThread([connection = makeRef(ensureSWClientConnection()), this, topOrigin = context->topOrigin().isolatedCopy(), parsedURL = parsedURL.isolatedCopy(), contextIdentifier, pendingPromiseIdentifier]() mutable {
         connection->matchRegistration(topOrigin, parsedURL, [this, contextIdentifier, pendingPromiseIdentifier] (auto&& result) mutable {
             ScriptExecutionContext::postTaskTo(contextIdentifier, [this, pendingPromiseIdentifier, result = crossThreadCopy(result)](ScriptExecutionContext&) mutable {
@@ -288 +286 @@
         return;
 
-    ASSERT(!m_isStopped);
+    if (m_isStopped || !scriptExecutionContext()->sessionID().isValid()) {
+        pendingPromise->promise->reject(Exception { InvalidStateError });
+        return;
+    }
 
     if (!result) {
@@ -317 +318 @@
 void ServiceWorkerContainer::getRegistrations(Ref<DeferredPromise>&& promise)
 {
-    if (m_isStopped) {
+    auto* context = scriptExecutionContext();
+    if (m_isStopped || !context->sessionID().isValid()) {
         promise->reject(Exception { InvalidStateError });
         return;
     }
-
-    ASSERT(scriptExecutionContext());
-    auto& context = *scriptExecutionContext();
 
     uint64_t pendingPromiseIdentifier = ++m_lastPendingPromiseIdentifier;
@@ -330 +329 @@
 
     auto contextIdentifier = this->contextIdentifier();
-    auto contextURL = context.url();
-    callOnMainThread([connection = makeRef(ensureSWClientConnection()), this, topOrigin = context.topOrigin().isolatedCopy(), contextURL = contextURL.isolatedCopy(), contextIdentifier, pendingPromiseIdentifier]() mutable {
+    auto contextURL = context->url();
+    callOnMainThread([connection = makeRef(ensureSWClientConnection()), this, topOrigin = context->topOrigin().isolatedCopy(), contextURL = contextURL.isolatedCopy(), contextIdentifier, pendingPromiseIdentifier]() mutable {
         connection->getRegistrations(topOrigin, contextURL, [this, contextIdentifier, pendingPromiseIdentifier] (auto&& registrationDatas) mutable {
             ScriptExecutionContext::postTaskTo(contextIdentifier, [this, pendingPromiseIdentifier, registrationDatas = crossThreadCopy(registrationDatas)](ScriptExecutionContext&) mutable {
@@ -350 +349 @@
         return;
 
-    ASSERT(!m_isStopped);
+    if (m_isStopped || !scriptExecutionContext()->sessionID().isValid()) {
+        pendingPromise->promise->reject(Exception { InvalidStateError });
+        return;
+    }
 
     auto registrations = WTF::map(WTFMove(registrationDatas), [&] (auto&& registrationData) {
@@ -435 +437 @@
 
     scriptExecutionContext()->postTask([this, protectedThis = makeRef(*this), job = makeRef(job), data = WTFMove(data), notifyWhenResolvedIfNeeded = WTFMove(notifyWhenResolvedIfNeeded)](ScriptExecutionContext& context) mutable {
-        if (isStopped()) {
+        if (isStopped() || !context.sessionID().isValid()) {
             notifyWhenResolvedIfNeeded();
             return;
@@ -556 +558 @@
 SWClientConnection& ServiceWorkerContainer::ensureSWClientConnection()
 {
+    ASSERT(scriptExecutionContext());
+    ASSERT(scriptExecutionContext()->sessionID().isValid());
     if (!m_swConnection) {
         ASSERT(scriptExecutionContext());

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2018-01-30  Chris Dumez  <cdumez@apple.com>
+
+        Make sure we never create a WebSWClientConnection with an invalid sessionID
+        https://bugs.webkit.org/show_bug.cgi?id=182276
+        <rdar://problem/36582633>
+
+        Reviewed by Alex Christensen.
+
+        Make sure we never create a WebSWClientConnection with an invalid sessionID as this
+        could corrupt our hash tables.
+
+        * StorageProcess/StorageProcess.cpp:
+        (WebKit::StorageProcess::swServerForSession):
+        * UIProcess/WebProcessPool.cpp:
+        (WebKit::WebProcessPool::establishWorkerContextConnectionToStorageProcess):
+        * WebProcess/Storage/WebSWClientConnection.cpp:
+        (WebKit::WebSWClientConnection::WebSWClientConnection):
+        * WebProcess/Storage/WebServiceWorkerProvider.cpp:
+        (WebKit::WebServiceWorkerProvider::serviceWorkerConnectionForSession):
+        (WebKit::WebServiceWorkerProvider::existingServiceWorkerConnectionForSession):
+        * WebProcess/Storage/WebToStorageProcessConnection.cpp:
+        (WebKit::WebToStorageProcessConnection::serviceWorkerConnectionForSession):
+
 2018-01-30  Basuke Suzuki  <Basuke.Suzuki@sony.com>
 

trunk/Source/WebKit/StorageProcess/StorageProcess.cpp

@@ -405 +405 @@
 SWServer& StorageProcess::swServerForSession(PAL::SessionID sessionID)
 {
+    ASSERT(sessionID.isValid());
     auto result = m_swServers.add(sessionID, nullptr);
     if (!result.isNewEntry) {

trunk/Source/WebKit/UIProcess/WebProcessPool.cpp

@@ -613 +613 @@
     auto serviceWorkerProcessProxy = ServiceWorkerProcessProxy::create(*this, *websiteDataStore);
     m_serviceWorkerProcess = serviceWorkerProcessProxy.ptr();
-    sendToAllProcesses(Messages::WebProcess::RegisterServiceWorkerClients { websiteDataStore->sessionID() });
+    ASSERT(websiteDataStore->sessionID().isValid());
+    if (websiteDataStore->sessionID().isValid())
+        sendToAllProcesses(Messages::WebProcess::RegisterServiceWorkerClients { websiteDataStore->sessionID() });
 
     updateProcessAssertions();

trunk/Source/WebKit/WebProcess/Storage/WebSWClientConnection.cpp

@@ -54 +54 @@
     , m_swOriginTable(makeUniqueRef<WebSWOriginTable>())
 {
+    ASSERT(sessionID.isValid());
     bool result = sendSync(Messages::StorageToWebProcessConnection::EstablishSWServerConnection(sessionID), Messages::StorageToWebProcessConnection::EstablishSWServerConnection::Reply(m_identifier), Seconds::infinity(), IPC::SendSyncOption::DoNotProcessIncomingMessagesWhenWaitingForSyncReply);
 

trunk/Source/WebKit/WebProcess/Storage/WebServiceWorkerProvider.cpp

@@ -57 +57 @@
 WebCore::SWClientConnection& WebServiceWorkerProvider::serviceWorkerConnectionForSession(SessionID sessionID)
 {
+    ASSERT(sessionID.isValid());
     return WebProcess::singleton().ensureWebToStorageProcessConnection(sessionID).serviceWorkerConnectionForSession(sessionID);
 }
@@ -62 +63 @@
 WebCore::SWClientConnection* WebServiceWorkerProvider::existingServiceWorkerConnectionForSession(SessionID sessionID)
 {
+    ASSERT(sessionID.isValid());
     auto* webToStorageProcessConnection = WebProcess::singleton().existingWebToStorageProcessConnection();
     if (!webToStorageProcessConnection)

trunk/Source/WebKit/WebProcess/Storage/WebToStorageProcessConnection.cpp

@@ -141 +141 @@
 WebSWClientConnection& WebToStorageProcessConnection::serviceWorkerConnectionForSession(SessionID sessionID)
 {
+    ASSERT(sessionID.isValid());
     return *m_swConnectionsBySession.ensure(sessionID, [&] {
         auto connection = WebSWClientConnection::create(m_connection, sessionID);