Title: [258521] trunk
Revision
258521
Author
[email protected]
Date
2020-03-16 15:04:02 -0700 (Mon, 16 Mar 2020)

Log Message

Crash under WebCookieCache::clearForHost()
https://bugs.webkit.org/show_bug.cgi?id=209149
<rdar://problem/60453086>

Reviewed by Alex Christensen.

Source/WebKit:

Make sure WebCookieCache::pruneCacheIfNecessary() keeps alive the host String it is passing
to WebCookieCache::clearForHost(). Previously, it was merely dereferencing a HashSet iterator
and passing that to clearForHost(). However, clearForHost() would then drop the String from
the HashSet and the host would no longer be valid.

Change covered by new API test.

* WebProcess/WebPage/WebCookieCache.cpp:
(WebKit::WebCookieCache::pruneCacheIfNecessary):

Tools:

Add API test coverage.

* TestWebKitAPI/Tests/WebKitCocoa/CookiePrivateBrowsing.mm:
(TEST):

Modified Paths

Diff

Modified: trunk/Source/WebKit/ChangeLog (258520 => 258521)


--- trunk/Source/WebKit/ChangeLog	2020-03-16 21:50:22 UTC (rev 258520)
+++ trunk/Source/WebKit/ChangeLog	2020-03-16 22:04:02 UTC (rev 258521)
@@ -1,3 +1,21 @@
+2020-03-16  Chris Dumez  <[email protected]>
+
+        Crash under WebCookieCache::clearForHost()
+        https://bugs.webkit.org/show_bug.cgi?id=209149
+        <rdar://problem/60453086>
+
+        Reviewed by Alex Christensen.
+
+        Make sure WebCookieCache::pruneCacheIfNecessary() keeps alive the host String it is passing
+        to WebCookieCache::clearForHost(). Previously, it was merely deferencing a HashSet iterator
+        and passing that to clearForHost(). However, clearForHost() would then drop the String from
+        the HashSet and the host would no longer be valid.
+
+        Change covered by new API test.
+
+        * WebProcess/WebPage/WebCookieCache.cpp:
+        (WebKit::WebCookieCache::pruneCacheIfNecessary):
+
 2020-03-16  Per Arne Vollan  <[email protected]>
 
         [macOS] Accessibility sandbox regressions

Modified: trunk/Source/WebKit/WebProcess/WebPage/WebCookieCache.cpp (258520 => 258521)


--- trunk/Source/WebKit/WebProcess/WebPage/WebCookieCache.cpp	2020-03-16 21:50:22 UTC (rev 258520)
+++ trunk/Source/WebKit/WebProcess/WebPage/WebCookieCache.cpp	2020-03-16 22:04:02 UTC (rev 258521)
@@ -118,8 +118,10 @@
     // We may want to raise this limit if we start using the cache for third-party iframes.
     static const unsigned maxCachedHosts = 5;
 
-    while (m_hostsWithInMemoryStorage.size() >= maxCachedHosts)
-        clearForHost(*m_hostsWithInMemoryStorage.random());
+    while (m_hostsWithInMemoryStorage.size() >= maxCachedHosts) {
+        String hostToRemove = *m_hostsWithInMemoryStorage.random();
+        clearForHost(hostToRemove);
+    }
 }
 
 #if !PLATFORM(COCOA)
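Review bot: The new local at `String hostToRemove = *m_hostsWithInMemoryStorage.random();` is load-bearing but reads like a purely stylistic expansion of the old one-liner, so a later cleanup could collapse it back and reintroduce the dangling reference into the set. A comment above that line should record the lifetime constraint, e.g. `// Take a copy: clearForHost() removes the host from m_hostsWithInMemoryStorage, so a reference into the set would dangle once it is erased.` The loop condition `size() >= maxCachedHosts` is also what keeps the set non-empty before `random()` is dereferenced, and the loop only terminates because clearForHost() removes the host; both facts are worth stating since neither is visible from this hunk. The enclosing function's signature lies outside the hunk.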

Modified: trunk/Tools/ChangeLog (258520 => 258521)


--- trunk/Tools/ChangeLog	2020-03-16 21:50:22 UTC (rev 258520)
+++ trunk/Tools/ChangeLog	2020-03-16 22:04:02 UTC (rev 258521)
@@ -1,3 +1,16 @@
+2020-03-16  Chris Dumez  <[email protected]>
+
+        Crash under WebCookieCache::clearForHost()
+        https://bugs.webkit.org/show_bug.cgi?id=209149
+        <rdar://problem/60453086>
+
+        Reviewed by Alex Christensen.
+
+        Add API test coverage.
+
+        * TestWebKitAPI/Tests/WebKitCocoa/CookiePrivateBrowsing.mm:
+        (TEST):
+
 2020-03-16  Keith Rollin  <[email protected]>
 
         Remove support for WebKitSystemInterface

Modified: trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/CookiePrivateBrowsing.mm (258520 => 258521)


--- trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/CookiePrivateBrowsing.mm	2020-03-16 21:50:22 UTC (rev 258520)
+++ trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/CookiePrivateBrowsing.mm	2020-03-16 22:04:02 UTC (rev 258521)
@@ -33,6 +33,7 @@
 #import <WebKit/WKWebView.h>
 #import <WebKit/WKWebViewConfiguration.h>
 #import <wtf/RetainPtr.h>
+#import <wtf/text/StringConcatenateNumbers.h>
 #import <wtf/text/WTFString.h>
 
 static bool receivedAlert;
@@ -128,3 +129,22 @@
     } while (cookieString != "" && timeout < 50);
     EXPECT_WK_STREQ("foo=bar", cookieString);
 }
+
+TEST(WebKit, CookieCachePruning)
+{
+    auto configuration = adoptNS([[WKWebViewConfiguration alloc] init]);
+    auto view = adoptNS([[WKWebView alloc] initWithFrame:NSMakeRect(0, 0, 800, 600) configuration:configuration.get()]);
+
+    for (unsigned i = 0; i < 100; ++i) {
+        [view synchronouslyLoadHTMLString:@"foo" baseURL:[NSURL URLWithString:makeString("http://foo", i, ".example.com/")]];
+
+        __block bool doneEvaluatingJavaScript = false;
+        [view evaluateJavaScript:@"document.cookie;" completionHandler:^(id _Nullable cookie, NSError * _Nullable error) {
+            EXPECT_NULL(error);
+            EXPECT_TRUE([cookie isKindOfClass:[NSString class]]);
+            EXPECT_WK_STREQ("", (NSString *)cookie);
+            doneEvaluatingJavaScript = true;
+        }];
+        TestWebKitAPI::Util::run(&doneEvaluatingJavaScript);
+    }
+}
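Review bot: `TEST(WebKit, CookieCachePruning)` carries no comment stating what it guards, and its expectations (`EXPECT_NULL(error)` and an empty `document.cookie`) would also hold on a build without the fix; the regression it covers shows up as a crash or memory-safety failure under `WebCookieCache::clearForHost()`, not as a failed expectation. A header comment such as `// Loading more distinct hosts than WebCookieCache keeps in memory drives pruneCacheIfNecessary(); before r258521 this dereferenced a host String that had just been erased and crashed.` would make the intent clear to whoever next trims the loop. The `100` iterations and the `foo<i>.example.com` hosts are only meaningful relative to the cache limit (`maxCachedHosts = 5` in the WebKit hunk), so naming that relation in the comment, or hoisting the count into a named constant with the same note, would keep the test from being "optimised" below the threshold. The `isKindOfClass:` check is followed by an unconditional `(NSString *)cookie` cast, so on a non-string result the test would proceed to `EXPECT_WK_STREQ` anyway; an early `if (![cookie isKindOfClass:[NSString class]]) { doneEvaluatingJavaScript = true; return; }` after the failed expectation would avoid that, presumably without changing the passing path.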