Title: [268796] trunk
- Revision
- 268796
- Author
- commit-qu...@webkit.org
- Date
- 2020-10-21 09:01:31 -0700 (Wed, 21 Oct 2020)
Log Message
Don't crash when deallocating WKWebView during TLS handshake
https://bugs.webkit.org/show_bug.cgi?id=218025
<rdar://problem/70225969>
Patch by Alex Christensen <achristen...@webkit.org> on 2020-10-21
Reviewed by Tim Horton.
Source/WebKit:
NetworkProcessProxy::didReceiveAuthenticationChallenge would sometimes dereference an unchecked
Optional<SecurityOriginData> which would result in a null dereference crash. Also, sometimes
Connection::initializeSendSource would assert because it was trying to set up a cancel handler for
a send port that had not been successfully set up yet. I added a test that reproduces both of these
issues most of the time.
* Platform/IPC/cocoa/ConnectionCocoa.mm:
(IPC::Connection::initializeSendSource):
* UIProcess/Network/NetworkProcessProxy.cpp:
(WebKit::NetworkProcessProxy::didReceiveAuthenticationChallenge):
Tools:
* TestWebKitAPI/Tests/WebKitCocoa/Challenge.mm:
(TEST):
Modified Paths
Diff
Modified: trunk/Source/WebKit/ChangeLog (268795 => 268796)
--- trunk/Source/WebKit/ChangeLog 2020-10-21 15:04:20 UTC (rev 268795)
+++ trunk/Source/WebKit/ChangeLog 2020-10-21 16:01:31 UTC (rev 268796)
@@ -1,3 +1,22 @@
+2020-10-21 Alex Christensen <achristen...@webkit.org>
+
+ Don't crash when deallocating WKWebView during TLS handshake
+ https://bugs.webkit.org/show_bug.cgi?id=218025
+ <rdar://problem/70225969>
+
+ Reviewed by Tim Horton.
+
+ NetworkProcessProxy::didReceiveAuthenticationChallenge would sometimes dereference an unchecked
+ Optional<SecurityOriginData> which would result in a null dereference crash. Also, sometimes
+ Connection::initializeSendSource would assert because it was trying to set up a cancel handler for
+ a send port that had not been successfully set up yet. I added a test that reproduces both of these
+ issues most of the time.
+
+ * Platform/IPC/cocoa/ConnectionCocoa.mm:
+ (IPC::Connection::initializeSendSource):
+ * UIProcess/Network/NetworkProcessProxy.cpp:
+ (WebKit::NetworkProcessProxy::didReceiveAuthenticationChallenge):
+
2020-10-21 Carlos Garcia Campos <cgar...@igalia.com>
WebDriver: add support for wheel actions
Modified: trunk/Source/WebKit/Platform/IPC/cocoa/ConnectionCocoa.mm (268795 => 268796)
--- trunk/Source/WebKit/Platform/IPC/cocoa/ConnectionCocoa.mm 2020-10-21 15:04:20 UTC (rev 268795)
+++ trunk/Source/WebKit/Platform/IPC/cocoa/ConnectionCocoa.mm 2020-10-21 16:01:31 UTC (rev 268796)
@@ -394,12 +394,13 @@
}
});
- ASSERT(MACH_PORT_VALID(m_sendPort));
- mach_port_t sendPort = m_sendPort;
- dispatch_source_set_cancel_handler(m_sendSource, ^{
- // Release our send right.
- deallocateSendRightSafely(sendPort);
- });
+ if (MACH_PORT_VALID(m_sendPort)) {
+ mach_port_t sendPort = m_sendPort;
+ dispatch_source_set_cancel_handler(m_sendSource, ^{
+ // Release our send right.
+ deallocateSendRightSafely(sendPort);
+ });
+ }
}
void Connection::resumeSendSource()
Modified: trunk/Source/WebKit/UIProcess/Network/NetworkProcessProxy.cpp (268795 => 268796)
--- trunk/Source/WebKit/UIProcess/Network/NetworkProcessProxy.cpp 2020-10-21 15:04:20 UTC (rev 268795)
+++ trunk/Source/WebKit/UIProcess/Network/NetworkProcessProxy.cpp 2020-10-21 16:01:31 UTC (rev 268796)
@@ -432,6 +432,11 @@
return;
}
+ if (!topOrigin) {
+ authenticationChallenge->listener().completeChallenge(AuthenticationChallengeDisposition::RejectProtectionSpaceAndContinue);
+ return;
+ }
+
WebPageProxy::forMostVisibleWebPageIfAny(sessionID, *topOrigin, [this, weakThis = makeWeakPtr(this), sessionID, authenticationChallenge = WTFMove(authenticationChallenge), negotiatedLegacyTLS](auto* page) mutable {
if (!weakThis)
return;
Modified: trunk/Tools/ChangeLog (268795 => 268796)
--- trunk/Tools/ChangeLog 2020-10-21 15:04:20 UTC (rev 268795)
+++ trunk/Tools/ChangeLog 2020-10-21 16:01:31 UTC (rev 268796)
@@ -1,3 +1,14 @@
+2020-10-21 Alex Christensen <achristen...@webkit.org>
+
+ Don't crash when deallocating WKWebView during TLS handshake
+ https://bugs.webkit.org/show_bug.cgi?id=218025
+ <rdar://problem/70225969>
+
+ Reviewed by Tim Horton.
+
+ * TestWebKitAPI/Tests/WebKitCocoa/Challenge.mm:
+ (TEST):
+
2020-10-20 Sam Weinig <wei...@apple.com>
Cleanup DumpRenderTree in preparation for supporting arbitrary test header commands
Modified: trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/Challenge.mm (268795 => 268796)
--- trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/Challenge.mm 2020-10-21 15:04:20 UTC (rev 268795)
+++ trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/Challenge.mm 2020-10-21 16:01:31 UTC (rev 268796)
@@ -240,6 +240,29 @@
Util::run(&navigationFinished);
}
+TEST(Challenge, DeallocateDuringChallenge)
+{
+ using namespace TestWebKitAPI;
+ HTTPServer server({{ "/", { "hi" }}}, HTTPServer::Protocol::Https);
+
+ auto delegate = [[TestNavigationDelegate new] autorelease];
+ delegate.didReceiveAuthenticationChallenge = ^(WKWebView *, NSURLAuthenticationChallenge *challenge, void (^completionHandler)(NSURLSessionAuthChallengeDisposition, NSURLCredential *)) {
+ completionHandler(NSURLSessionAuthChallengeUseCredential, [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]);
+ };
+
+ @autoreleasepool {
+ Vector<RetainPtr<WKWebView>> views;
+ for (size_t i = 0; i < 100; i++)
+ views.append(adoptNS([WKWebView new]));
+ for (auto& view : views) {
+ [view setNavigationDelegate:delegate];
+ [view loadRequest:server.request()];
+ }
+ Util::spinRunLoop(10);
+ }
+ Util::spinRunLoop(1000);
+}
+
@interface ClientCertificateDelegate : NSObject <WKNavigationDelegate> {
Vector<RetainPtr<NSString>> _authenticationMethods;
}
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
