Commit pull-into descriptors after filling from queue #1326
Conversation
| if (SafeCopyDataBlockBytes(pullIntoDescriptor.buffer, destStart, headOfQueue.buffer, headOfQueue.byteOffset, | ||
| bytesToCopy) === false) { | ||
| // This should never happen. Please report an issue if it does! https://github.com/whatwg/streams/issues | ||
| const e = new TypeError('Invalid buffer'); | ||
| ReadableByteStreamControllerError(controller, e); | ||
| return false; | ||
| } |
There was a problem hiding this comment.
This SafeCopyDataBlockBytes check should always return true, so we can't write a test to check if an implementation correctly handles the case where it's false. That said, this check is our last chance to prevent a potential memory corruption bug.
Is it better to have a bit of untestable code here, or to only keep it as an assertion and hope that we don't break this again in the future? @domenic @saschanaz
There was a problem hiding this comment.
My preference is an assertion. Perhaps in the spec it's an assertion with a big <p class="warning"> suggesting that implementers really might want to consider crashing if the assertions somehow gets violated?
There was a problem hiding this comment.
I changed it to an assertion with a big warning.
In Chromium bug #339877167, it was discovered that a user could run JavaScript code synchronously during
ReadableStreamFulfillReadIntoRequestby patchingObject.prototype.then, and use this gadget to break some invariants withinReadableByteStreamControllerProcessPullIntoDescriptorsUsingQueue.To prevent this, this PR postpones all calls to
ReadableByteStreamControllerCommitPullIntoDescriptoruntil after all pull-into descriptors have been filled up byReadableByteStreamControllerProcessPullIntoDescriptorsUsingQueue. This way, we won't trigger any patchedthen()method until the stream is in a stable state.Fixes GHSA-p5g2-876g-95h9.
then()sees correctbyobRequestweb-platform-tests/wpt#48085(See WHATWG Working Mode: Changes for more details.)
Preview | Diff