Commit pull-into descriptors after filling from queue #1326
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
MattiasBuelens
commented
Sep 10, 2024
domenic
approved these changes
Nov 27, 2024
domenic
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Nov 27, 2024
See whatwg/streams#1326 for context. This also updates the `transferArrayBufferView` test utility to be synchronous, which slightly changes the timings of some tests in `streams/readable-byte-streams/general.any.js`.
|
I'll start filing implementation bugs. @domenic Do we need implementer's interest for this? In #1171 (comment) we ruled it wasn't necessary for a bugfix. |
This was referenced Nov 27, 2024
|
I guess I would feel better if we could get a signoff from at least one of Gecko (@saschanaz? @evilpie?) and Chromium (@ricea). We can assume that WebKit is OK with this since they still don't implement readable byte streams, so they should be happy to write their eventual implementation with bugs fixed. But since Chromium and Gecko would be changing their mitigation strategy slightly to pass the new tests, let's get at least one of them to sign off on it. @ricea is usually pretty responsive anyway. Edit: probably @nidhijaju is more relevant for Chromium since she opened the original bug report. |
moz-v2v-gh
pushed a commit
to mozilla/gecko-dev
that referenced
this pull request
Nov 28, 2024
…ees correct `byobRequest`, a=testonly Automatic update from web-platform-tests Streams: test whether patched `then()` sees correct `byobRequest` See whatwg/streams#1326 for context. This also updates the `transferArrayBufferView` test utility to be synchronous, which slightly changes the timings of some tests in `streams/readable-byte-streams/general.any.js`. -- wpt-commits: bc9dcbbf1a4c2c741ef47f47d6ede6458f40c4a4 wpt-pr: 48085
|
Chromium supports. |
|
+1, thank you for fixing this in the spec! |
i3roly
pushed a commit
to i3roly/firefox-dynasty
that referenced
this pull request
Nov 30, 2024
…ees correct `byobRequest`, a=testonly Automatic update from web-platform-tests Streams: test whether patched `then()` sees correct `byobRequest` See whatwg/streams#1326 for context. This also updates the `transferArrayBufferView` test utility to be synchronous, which slightly changes the timings of some tests in `streams/readable-byte-streams/general.any.js`. -- wpt-commits: bc9dcbbf1a4c2c741ef47f47d6ede6458f40c4a4 wpt-pr: 48085
gecko-dev-updater
pushed a commit
to marco-c/gecko-dev-wordified-and-comments-removed
that referenced
this pull request
Dec 1, 2024
…ees correct `byobRequest`, a=testonly Automatic update from web-platform-tests Streams: test whether patched `then()` sees correct `byobRequest` See whatwg/streams#1326 for context. This also updates the `transferArrayBufferView` test utility to be synchronous, which slightly changes the timings of some tests in `streams/readable-byte-streams/general.any.js`. -- wpt-commits: bc9dcbbf1a4c2c741ef47f47d6ede6458f40c4a4 wpt-pr: 48085 UltraBlame original commit: 427adfdff2597708b7034c942818644b0fe69e50
gecko-dev-updater
pushed a commit
to marco-c/gecko-dev-comments-removed
that referenced
this pull request
Dec 1, 2024
…ees correct `byobRequest`, a=testonly Automatic update from web-platform-tests Streams: test whether patched `then()` sees correct `byobRequest` See whatwg/streams#1326 for context. This also updates the `transferArrayBufferView` test utility to be synchronous, which slightly changes the timings of some tests in `streams/readable-byte-streams/general.any.js`. -- wpt-commits: bc9dcbbf1a4c2c741ef47f47d6ede6458f40c4a4 wpt-pr: 48085 UltraBlame original commit: 427adfdff2597708b7034c942818644b0fe69e50
gecko-dev-updater
pushed a commit
to marco-c/gecko-dev-wordified
that referenced
this pull request
Dec 1, 2024
…ees correct `byobRequest`, a=testonly Automatic update from web-platform-tests Streams: test whether patched `then()` sees correct `byobRequest` See whatwg/streams#1326 for context. This also updates the `transferArrayBufferView` test utility to be synchronous, which slightly changes the timings of some tests in `streams/readable-byte-streams/general.any.js`. -- wpt-commits: bc9dcbbf1a4c2c741ef47f47d6ede6458f40c4a4 wpt-pr: 48085 UltraBlame original commit: 427adfdff2597708b7034c942818644b0fe69e50
kennethmyhra
added a commit
to kennethmyhra/ladybird
that referenced
this pull request
Dec 1, 2024
This aligns us with the latest streams specification changes to accommodate for the security advisor GHSA-p5g2-876g-95h9. See relevant links: GHSA-p5g2-876g-95h9 whatwg/streams#1326 (comment) Previously we would crash when running the attached test since we have an assert in ReadableByteStreamControllerFillHeadPullIntoDescriptor verifying that controller controller.raw_byob_request() is null. These changes make sure that we postpone calls to ReadableByteStreamControllerCommitPullIntoDescriptor until after all pull-into descriptors have been filled up by ReadableByteStreamControllerProcessPullIntoDescriptorsUsingQueue. The attached test verifies that a pachted then() will see a null byobRequest.
kennethmyhra
added a commit
to kennethmyhra/ladybird
that referenced
this pull request
Dec 1, 2024
This aligns us with the latest streams specification changes to accommodate for the security advisor GHSA-p5g2-876g-95h9. See relevant links: GHSA-p5g2-876g-95h9 whatwg/streams#1326 Previously we would crash when running the attached test since we have an assert in ReadableByteStreamControllerFillHeadPullIntoDescriptor verifying that controller controller.raw_byob_request() is null. These changes make sure that we postpone calls to ReadableByteStreamControllerCommitPullIntoDescriptor until after all pull-into descriptors have been filled up by ReadableByteStreamControllerProcessPullIntoDescriptorsUsingQueue. The attached test verifies that a pachted then() will see a null byobRequest.
saschanaz
added a commit
to saschanaz/streams-1
that referenced
this pull request
Dec 20, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In Chromium bug #339877167, it was discovered that a user could run JavaScript code synchronously during
ReadableStreamFulfillReadIntoRequestby patchingObject.prototype.then, and use this gadget to break some invariants withinReadableByteStreamControllerProcessPullIntoDescriptorsUsingQueue.To prevent this, we now postpone all calls to
ReadableByteStreamControllerCommitPullIntoDescriptoruntil after all pull-into descriptors have been filled up byReadableByteStreamControllerProcessPullIntoDescriptorsUsingQueue. This way, we won't trigger any patchedthen()method until the stream is in a stable state.Fixes GHSA-p5g2-876g-95h9.
then()sees correctbyobRequestweb-platform-tests/wpt#48085(See WHATWG Working Mode: Changes for more details.)
Preview | Diff