Closed Bug 1359461 Opened 3 years ago Closed 3 years ago

Assert that SharedArrayBuffer is never structured-cloned cross-process

Categories: (Core :: JavaScript Engine, enhancement)

Tracking: RESOLVED FIXED, mozilla55
Tracking Status: firefox55 --- fixed

People: (Reporter: lth, Assigned: lth)

References: (Blocks 1 open bug)

Attachments: (1 file)

There are structures in place that allow client code to tell the structured clone algorithm that a SharedArrayBuffer should be rejected, for policy or safety reasons.  The main safety reason is that SABs cannot be transmitted across process boundaries.

We should release-assert that this safety guarantee is not violated by checking the clone scope when we attempt to read or write a SharedArrayBuffer in the StructuredClone algorithm.
The writing side seems straightforward: the scope must be SameProcess.

The reading side is more subtle.  Here I'm checking that the scope submitted with the data is SameProcess.  Given the assert in the writer that would seem to be vacuously true, but it allows for there to be other producers of SC data than the writer in this file.  Also, this check seems to be in the spirit of readHeader(), which lets the reader's scope be wider than the writer's scope.
Attachment #8861480 - Flags: review?(sphink)
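A simplified model of the writer-side and reader-side checks described above, added here as an illustration; it is not the attached patch or SpiderMonkey code. All names are hypothetical, and where the patch release-asserts, the model returns false so that the outcome can be checked.

```cpp
// Simplified model for illustration; not SpiderMonkey code. All names are hypothetical.
#include <cstddef>
#include <cstdint>
#include <vector>

enum class Scope : uint32_t { SameProcess = 0, DifferentProcess = 1 };
constexpr uint32_t TAG_HEADER = 1, TAG_INT32 = 2, TAG_SHARED_ARRAY_BUFFER = 3;

struct Value { bool isSab; uint32_t payload; };  // payload: int value or SAB handle
using CloneData = std::vector<uint32_t>;         // flat stream of (tag, data) pairs

// Writer: the header records the scope; a SAB may only be written for SameProcess.
bool writeClone(const std::vector<Value>& values, Scope scope, CloneData& out) {
    out = {TAG_HEADER, static_cast<uint32_t>(scope)};
    for (const Value& v : values) {
        if (v.isSab && scope != Scope::SameProcess)
            return false;  // the patch release-asserts here; the model reports an error
        out.push_back(v.isSab ? TAG_SHARED_ARRAY_BUFFER : TAG_INT32);
        out.push_back(v.payload);
    }
    return true;
}

// Reader: makes no assumption about which producer built `in`. It checks the
// scope stored with the data before accepting a SAB tag.
bool readClone(const CloneData& in, std::vector<Value>& out) {
    out.clear();
    if (in.size() < 2 || in.size() % 2 != 0 || in[0] != TAG_HEADER)
        return false;
    if (in[1] > static_cast<uint32_t>(Scope::DifferentProcess))
        return false;  // unknown scope value
    const Scope stored = static_cast<Scope>(in[1]);
    for (std::size_t i = 2; i < in.size(); i += 2) {
        if (in[i] == TAG_INT32) {
            out.push_back({false, in[i + 1]});
        } else if (in[i] == TAG_SHARED_ARRAY_BUFFER) {
            if (stored != Scope::SameProcess)
                return false;  // SAB inside data scoped for another process
            out.push_back({true, in[i + 1]});
        } else {
            return false;  // unknown tag
        }
    }
    return true;
}
```

The reader-side check matters when the data did not come from `writeClone`: a buffer built by some other producer with a cross-process scope and a SAB tag is rejected even though the writer could never have emitted it.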
Comment on attachment 8861480
bug1359461-assert-no-xprocess-sab.patch

Review of attachment 8861480:
-----------------------------------------------------------------

asserts good
Attachment #8861480 - Flags: review?(sphink) → review+
Keywords: checkin-needed
Pushed by ihsiao@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/d12f352d634d
Assert that SAB values are not cloned cross-process. r=sfink
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/d12f352d634d
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla55