MessageEvent::m_data lock is not held when accessed

kkinnunen-apple · mnutt · commit 4dd9ed57b799 · 2023-07-14T21:07:32.000-04:00
https://bugs.webkit.org/show_bug.cgi?id=258806 rdar://111681401 Reviewed by Yusuke Suzuki. The unnamed Locker instance is discarded, releasing the lock. Fix by naming the instance. Add declarations to prevent similar bugs. * Source/WTF/wtf/Locker.h: (WTF::Locker::Locker): Deleted. (WTF::Locker::~Locker): Deleted. (WTF::Locker::tryLock): Deleted. (WTF::Locker::lockable): Deleted. (WTF::Locker::operator bool const): Deleted. (WTF::Locker::unlockEarly): Deleted. (WTF::Locker::operator=): Deleted. (WTF::Locker::unlock): Deleted. (WTF::Locker::lock): Deleted. * Source/WebCore/dom/MessageEvent.cpp: (WebCore::MessageEvent::initMessageEvent): (WebCore::MessageEvent::memoryCost const): * Source/WebCore/dom/MessageEvent.h: Canonical link: https://commits.webkit.org/265732@main
diff --git a/Source/WTF/wtf/Locker.h b/Source/WTF/wtf/Locker.h
@@ -59,7 +59,7 @@ using AdoptLockTag = std::adopt_lock_t;
 constexpr AdoptLockTag AdoptLock;
 
 template<typename T>
-class Locker : public AbstractLocker {
+class [[nodiscard]] Locker : public AbstractLocker { // NOLINT
 public:
     explicit Locker(T& lockable) : m_lockable(&lockable) { lock(); }
     explicit Locker(T* lockable) : m_lockable(lockable) { lock(); }
diff --git a/Source/WebCore/dom/MessageEvent.cpp b/Source/WebCore/dom/MessageEvent.cpp
@@ -113,7 +113,7 @@ void MessageEvent::initMessageEvent(const AtomString& type, bool canBubble, bool
     initEvent(type, canBubble, cancelable);
 
     {
-        Locker { m_concurrentDataAccessLock };
+        Locker locker { m_concurrentDataAccessLock };
         m_data = JSValueTag { };
     }
     // FIXME: This code is wrong: we should emit a write-barrier. Otherwise, GC can collect it.
@@ -134,7 +134,7 @@ EventInterface MessageEvent::eventInterface() const
 
 size_t MessageEvent::memoryCost() const
 {
-    Locker { m_concurrentDataAccessLock };
+    Locker locker { m_concurrentDataAccessLock };
     return WTF::switchOn(m_data, [] (JSValueTag) -> size_t {
         return 0;
     }, [] (const Ref<SerializedScriptValue>& data) -> size_t {
diff --git a/Source/WebCore/dom/MessageEvent.h b/Source/WebCore/dom/MessageEvent.h
@@ -94,7 +94,7 @@ class MessageEvent final : public Event {
 
     EventInterface eventInterface() const final;
 
-    DataType m_data;
+    DataType m_data WTF_GUARDED_BY_LOCK(m_concurrentDataAccessLock);
     String m_origin;
     String m_lastEventId;
     std::optional<MessageEventSource> m_source;

Original file line number	Diff line number	Diff line change
`@@ -113,7 +113,7 @@ void MessageEvent::initMessageEvent(const AtomString& type, bool canBubble, bool`
`113`	`113`	`initEvent(type, canBubble, cancelable);`
`114`	`114`
`115`	`115`	`{`
`116`		`- Locker { m_concurrentDataAccessLock };`
	`116`	`+ Locker locker { m_concurrentDataAccessLock };`
`117`	`117`	`m_data = JSValueTag { };`
`118`	`118`	`}`
`119`	`119`	`// FIXME: This code is wrong: we should emit a write-barrier. Otherwise, GC can collect it.`
`@@ -134,7 +134,7 @@ EventInterface MessageEvent::eventInterface() const`
`134`	`134`
`135`	`135`	`size_t MessageEvent::memoryCost() const`
`136`	`136`	`{`
`137`		`- Locker { m_concurrentDataAccessLock };`
	`137`	`+ Locker locker { m_concurrentDataAccessLock };`
`138`	`138`	`return WTF::switchOn(m_data, [] (JSValueTag) -> size_t {`
`139`	`139`	`return 0;`
`140`	`140`	`}, [] (const Ref<SerializedScriptValue>& data) -> size_t {`