Open Bug 1695866 Opened 4 years ago Updated 8 hours ago

Warning: 'kIOSurfaceIsGlobal' is deprecated: first deprecated in macOS 10.11 - Global surfaces are insecure [-Wdeprecated-declarations]

Categories

(Core :: Widget: Cocoa, defect, P3)

Product:
Core
Component:
Widget: Cocoa
Type:
defect

Tracking

()

People

(Reporter: whimboo, Assigned: bradwerth)

References

(Depends on 2 open bugs)

Details

(Whiteboard: [mac:deprecated])

Attachments

(15 files, 2 obsolete files)

WIP: Bug 1695866 Part 1: Change SurfaceDescriptorMacIOSurface to use IOSurfacePort.
48 bytes, text/x-phabricator-request
Details | Review
Bug 1695866 Part 2: Make Maybe conditionally compile some methods for copyable types.
48 bytes, text/x-phabricator-request
Details | Review
WIP: Bug 1695866: Claude 2d changes.
48 bytes, text/x-phabricator-request
Details | Review
WIP: Bug 1695866: Claude layers changes.
48 bytes, text/x-phabricator-request
Details | Review
WIP: Bug 1695866 Part 7: Update GL and layers OpenGL classes for move-only SurfaceDescriptors.
48 bytes, text/x-phabricator-request
Details | Review
WIP: Bug 1695866 Part 8: Update canvas classes for move-only SurfaceDescriptor.
48 bytes, text/x-phabricator-request
Details | Review
WIP: Bug 1695866 Part 9: Update SVG classes for move-only SurfaceDescriptor.
48 bytes, text/x-phabricator-request
Details | Review
WIP: Bug 1695866 Part 11: Update VR classes for move-only SurfaceDescriptor.
48 bytes, text/x-phabricator-request
Details | Review
WIP: Bug 1695866 Part 10: Update webgpu classes for move-only SurfaceDescriptor.
48 bytes, text/x-phabricator-request
Details | Review
WIP: Bug 1695866 Part 2: Update media actors for move-only SurfaceDescriptor.
48 bytes, text/x-phabricator-request
Details | Review
WIP: Bug 1695866 Part 6: Update layers classes for move-only SurfaceDescriptor.
48 bytes, text/x-phabricator-request
Details | Review
WIP: Bug 1695866 Part 3: Update layers texture client for move-only SurfaceDescriptors.
48 bytes, text/x-phabricator-request
Details | Review
WIP: Bug 1695866 Part 4: Update layers ipc actors for move-only SurfaceDescriptors.
48 bytes, text/x-phabricator-request
Details | Review
WIP: Bug 1695866 Part 5: Update layers composite texture hosts for move-only SurfaceDescriptors.
48 bytes, text/x-phabricator-request
Details | Review
WIP: Bug 1695866 Part 6: Update layers for move-only SurfaceDescriptors.
48 bytes, text/x-phabricator-request
Details | Review

When compiling Firefox I can see the following deprecation and insecure compiler output:

15:51.05 /Users/henrik/code/gecko/dom/media/platforms/apple/AppleVTDecoder.cpp:624:34: warning: 'kIOSurfaceIsGlobal' is deprecated: first deprecated in macOS 10.11 - Global surfaces are insecure [-Wdeprecated-declarations]
15:51.05   const void* IOSurfaceKeys[] = {kIOSurfaceIsGlobal};
15:51.05                                  ^
15:51.05 /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/System/Library/Frameworks/IOSurface.framework/Headers/IOSurfaceRef.h:101:26: note: 'kIOSurfaceIsGlobal' has been explicitly marked deprecated here
15:51.05 extern const CFStringRef kIOSurfaceIsGlobal                                 API_DEPRECATED("Global surfaces are insecure",macos(10.6,10.11), ios(11.0,11.0), watchos(4.0,4.0), tvos(11.0,11.0));

A query on searchfox reveales usages in DOM and GFX:
https://searchfox.org/mozilla-central/search?q=kIOSurfaceIsGlobal&path=

Markus, is that something we should be worried about, or what does insecure actually mean in this context?

Flags: needinfo?(mstange.moz)

I think "insecure" means that other processes that are running on the system can read and write to our surfaces, so the can see and change the pixels that we put on the screen. So fixing this is an opportunity to strengthen our sandbox.
Furthermore, there is a non-zero chance that macOS might eventually remove support for global IOSurfaces entirely.

It might not be very easy to fix; I think we'll need to send mach_ports for the surfaces, and I'm not sure how straightforward that is with our IPC mechanism.

Flags: needinfo?(mstange.moz)
Whiteboard: [mac:deprecated]
See Also: → 901050
Severity: -- → S2
Priority: -- → P3
Severity: S2 → S3
Assignee: nobody → bwerth

We should try to change the places which send an integer to send a mozilla::UniqueMachSendRight(IOSurfaceCreateMachPort(surface)) instead.

Depends on: 1992515

This fails to compile because it causes SurfaceDescriptor to implcitly
delete its copy constructor, which is required by type declarations like
Maybe<SurfaceDescriptor>. In theory, Maybe should work correctly with
move types, but that's not happening here. Example of compile errors:

error: call to implicitly-deleted copy constructor of 'NonConstT' (aka 'mozilla::layers::SurfaceDescriptor')
note: copy constructor is implicitly deleted because 'SurfaceDescriptor' has a user-declared move constructor
MOZ_IMPLICIT SurfaceDescriptor(SurfaceDescriptor&& aOther);
Attachment #9536503 - Attachment description: WIP: Bug 1695866: Change SurfaceDescriptorMacIOSurface to use IOSurfacePort. → WIP: Bug 1695866 Part 1: Change SurfaceDescriptorMacIOSurface to use IOSurfacePort.
Attachment #9542451 - Attachment description: WIP: Bug 1695866: Claude Maybe changes. → Bug 1695866: Claude Maybe changes.
Attachment #9542451 - Attachment description: Bug 1695866: Claude Maybe changes. → Bug 1695866 Part 2: Make Maybe conditionally compile some methods for copyable types.
Attachment #9542452 - Attachment description: WIP: Bug 1695866: Claude IPC changes. → WIP: Bug 1695866 Part 3: Unify the IPC ParamTraits::Write methods for const ref and rvalue params.

This simplifies some compilation challenges but is otherwise a
non-functional change. It keeps some Apple headers out of IOSurfacePort.h.

This is most of the Texture and TextureHost classes that use a
SurfaceDescriptor, as well as some of the gfx Bridge actors.

The patches are still a bit of a mess. I'm going to split out the patches into individual blocker Bugs to make each piece easier to reason about -- and to review.

Depends on: 2016533

Comment on attachment 9544092 [details]
WIP: Bug 1695866 Part 4: Split IOSurfacePort.h into a cpp definition.

Revision D282739 was moved to bug 2016533. Setting attachment 9544092 [details] to obsolete.

Attachment #9544092 - Attachment is obsolete: true
Depends on: 2016562

Comment on attachment 9542452 [details]
WIP: Bug 1695866 Part 3: Unify the IPC ParamTraits::Write methods for const ref and rvalue params.

Revision D281835 was moved to bug 2016562. Setting attachment 9542452 [details] to obsolete.

Attachment #9542452 - Attachment is obsolete: true
Attachment #9544093 - Attachment description: WIP: Bug 1695866 Part 5: Update media classes for move-only SurfaceDescriptor. → WIP: Bug 1695866 Part 2: Update media actors for move-only SurfaceDescriptor.
Attachment #9542455 - Attachment description: WIP: Bug 1695866: Claude GL changes. → WIP: Bug 1695866 Part 7: Update GL and layers OpenGL classes for move-only SurfaceDescriptors.
Attachment #9542456 - Attachment description: WIP: Bug 1695866: Claude canvas changes. → WIP: Bug 1695866 Part 8: Update canvas classes for move-only SurfaceDescriptor.
Attachment #9542457 - Attachment description: WIP: Bug 1695866: Claude SVG changes. → WIP: Bug 1695866 Part 9: Update SVG classes for move-only SurfaceDescriptor.
Attachment #9542459 - Attachment description: WIP: Bug 1695866: Claude webgpu changes. → WIP: Bug 1695866 Part 10: Update webgpu classes for move-only SurfaceDescriptor.
Attachment #9542458 - Attachment description: WIP: Bug 1695866: Claude VR changes. → WIP: Bug 1695866 Part 11: Update VR classes for move-only SurfaceDescriptor.
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: