-
Notifications
You must be signed in to change notification settings - Fork 161
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Commit pull-into descriptors after filling from queue #1326
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure how this fell off my queue. Stellar work as always. Let's work on getting those checkboxes in the OP checked and tests rolled...
See whatwg/streams#1326 for context. This also updates the `transferArrayBufferView` test utility to be synchronous, which slightly changes the timings of some tests in `streams/readable-byte-streams/general.any.js`.
I'll start filing implementation bugs. @domenic Do we need implementer's interest for this? In #1171 (comment) we ruled it wasn't necessary for a bugfix. |
I guess I would feel better if we could get a signoff from at least one of Gecko (@saschanaz? @evilpie?) and Chromium (@ricea). We can assume that WebKit is OK with this since they still don't implement readable byte streams, so they should be happy to write their eventual implementation with bugs fixed. But since Chromium and Gecko would be changing their mitigation strategy slightly to pass the new tests, let's get at least one of them to sign off on it. @ricea is usually pretty responsive anyway. Edit: probably @nidhijaju is more relevant for Chromium since she opened the original bug report. |
…ees correct `byobRequest`, a=testonly Automatic update from web-platform-tests Streams: test whether patched `then()` sees correct `byobRequest` See whatwg/streams#1326 for context. This also updates the `transferArrayBufferView` test utility to be synchronous, which slightly changes the timings of some tests in `streams/readable-byte-streams/general.any.js`. -- wpt-commits: bc9dcbbf1a4c2c741ef47f47d6ede6458f40c4a4 wpt-pr: 48085
Chromium supports. |
+1, thank you for fixing this in the spec! |
…ees correct `byobRequest`, a=testonly Automatic update from web-platform-tests Streams: test whether patched `then()` sees correct `byobRequest` See whatwg/streams#1326 for context. This also updates the `transferArrayBufferView` test utility to be synchronous, which slightly changes the timings of some tests in `streams/readable-byte-streams/general.any.js`. -- wpt-commits: bc9dcbbf1a4c2c741ef47f47d6ede6458f40c4a4 wpt-pr: 48085
…ees correct `byobRequest`, a=testonly Automatic update from web-platform-tests Streams: test whether patched `then()` sees correct `byobRequest` See whatwg/streams#1326 for context. This also updates the `transferArrayBufferView` test utility to be synchronous, which slightly changes the timings of some tests in `streams/readable-byte-streams/general.any.js`. -- wpt-commits: bc9dcbbf1a4c2c741ef47f47d6ede6458f40c4a4 wpt-pr: 48085 UltraBlame original commit: 427adfdff2597708b7034c942818644b0fe69e50
…ees correct `byobRequest`, a=testonly Automatic update from web-platform-tests Streams: test whether patched `then()` sees correct `byobRequest` See whatwg/streams#1326 for context. This also updates the `transferArrayBufferView` test utility to be synchronous, which slightly changes the timings of some tests in `streams/readable-byte-streams/general.any.js`. -- wpt-commits: bc9dcbbf1a4c2c741ef47f47d6ede6458f40c4a4 wpt-pr: 48085 UltraBlame original commit: 427adfdff2597708b7034c942818644b0fe69e50
…ees correct `byobRequest`, a=testonly Automatic update from web-platform-tests Streams: test whether patched `then()` sees correct `byobRequest` See whatwg/streams#1326 for context. This also updates the `transferArrayBufferView` test utility to be synchronous, which slightly changes the timings of some tests in `streams/readable-byte-streams/general.any.js`. -- wpt-commits: bc9dcbbf1a4c2c741ef47f47d6ede6458f40c4a4 wpt-pr: 48085 UltraBlame original commit: 427adfdff2597708b7034c942818644b0fe69e50
This aligns us with the latest streams specification changes to accommodate for the security advisor GHSA-p5g2-876g-95h9. See relevant links: GHSA-p5g2-876g-95h9 whatwg/streams#1326 (comment) Previously we would crash when running the attached test since we have an assert in ReadableByteStreamControllerFillHeadPullIntoDescriptor verifying that controller controller.raw_byob_request() is null. These changes make sure that we postpone calls to ReadableByteStreamControllerCommitPullIntoDescriptor until after all pull-into descriptors have been filled up by ReadableByteStreamControllerProcessPullIntoDescriptorsUsingQueue. The attached test verifies that a pachted then() will see a null byobRequest.
This aligns us with the latest streams specification changes to accommodate for the security advisor GHSA-p5g2-876g-95h9. See relevant links: GHSA-p5g2-876g-95h9 whatwg/streams#1326 Previously we would crash when running the attached test since we have an assert in ReadableByteStreamControllerFillHeadPullIntoDescriptor verifying that controller controller.raw_byob_request() is null. These changes make sure that we postpone calls to ReadableByteStreamControllerCommitPullIntoDescriptor until after all pull-into descriptors have been filled up by ReadableByteStreamControllerProcessPullIntoDescriptorsUsingQueue. The attached test verifies that a pachted then() will see a null byobRequest.
…=arai,smaug This splits ReadableByteStreamControllerCommitPullIntoDescriptor from ReadableByteStreamControllerProcessPullIntoDescriptorsUsingQueue so that close/chunk steps will run only after processing all descriptors, thus preventing user JS from potentially modifying anything during the process. Corresponding to whatwg/streams#1326 with some cleanup in whatwg/streams#1336. Differential Revision: https://phabricator.services.mozilla.com/D232663
…=arai,smaug This splits ReadableByteStreamControllerCommitPullIntoDescriptor from ReadableByteStreamControllerProcessPullIntoDescriptorsUsingQueue so that close/chunk steps will run only after processing all descriptors, thus preventing user JS from potentially modifying anything during the process. Corresponding to whatwg/streams#1326 with some cleanup in whatwg/streams#1336. Differential Revision: https://phabricator.services.mozilla.com/D232663
…=arai,smaug This splits ReadableByteStreamControllerCommitPullIntoDescriptor from ReadableByteStreamControllerProcessPullIntoDescriptorsUsingQueue so that close/chunk steps will run only after processing all descriptors, thus preventing user JS from potentially modifying anything during the process. Corresponding to whatwg/streams#1326 with some cleanup in whatwg/streams#1336. Differential Revision: https://phabricator.services.mozilla.com/D232663
…=arai,smaug This splits ReadableByteStreamControllerCommitPullIntoDescriptor from ReadableByteStreamControllerProcessPullIntoDescriptorsUsingQueue so that close/chunk steps will run only after processing all descriptors, thus preventing user JS from potentially modifying anything during the process. Corresponding to whatwg/streams#1326 with some cleanup in whatwg/streams#1336. Differential Revision: https://phabricator.services.mozilla.com/D232663
This reduces some repetitions, and uses the list size of filledPullIntos instead of a separate counter.
In Chromium bug #339877167, it was discovered that a user could run JavaScript code synchronously during
ReadableStreamFulfillReadIntoRequest
by patchingObject.prototype.then
, and use this gadget to break some invariants withinReadableByteStreamControllerProcessPullIntoDescriptorsUsingQueue
.To prevent this, we now postpone all calls to
ReadableByteStreamControllerCommitPullIntoDescriptor
until after all pull-into descriptors have been filled up byReadableByteStreamControllerProcessPullIntoDescriptorsUsingQueue
. This way, we won't trigger any patchedthen()
method until the stream is in a stable state.Fixes GHSA-p5g2-876g-95h9.
then()
sees correctbyobRequest
web-platform-tests/wpt#48085(See WHATWG Working Mode: Changes for more details.)
Preview | Diff