Title: [269009] branches/safari-611.1.4-branch
- Revision
- 269009
- Author
- [email protected]
- Date
- 2020-10-26 18:13:03 -0700 (Mon, 26 Oct 2020)
Log Message
Cherry-pick r268796. rdar://problem/70702309
Don't crash when deallocating WKWebView during TLS handshake
https://bugs.webkit.org/show_bug.cgi?id=218025
<rdar://problem/70225969>
Patch by Alex Christensen <[email protected]> on 2020-10-21
Reviewed by Tim Horton.
Source/WebKit:
NetworkProcessProxy::didReceiveAuthenticationChallenge would sometimes dereference an unchecked
Optional<SecurityOriginData> which would result in a null dereference crash. Also, sometimes
Connection::initializeSendSource would assert because it was trying to set up a cancel handler for
a send port that had not been successfully set up yet. I added a test that reproduces both of these
issues most of the time.
* Platform/IPC/cocoa/ConnectionCocoa.mm:
(IPC::Connection::initializeSendSource):
* UIProcess/Network/NetworkProcessProxy.cpp:
(WebKit::NetworkProcessProxy::didReceiveAuthenticationChallenge):
Tools:
* TestWebKitAPI/Tests/WebKitCocoa/Challenge.mm:
(TEST):
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@268796 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Modified Paths
Diff
Modified: branches/safari-611.1.4-branch/Source/WebKit/ChangeLog (269008 => 269009)
--- branches/safari-611.1.4-branch/Source/WebKit/ChangeLog 2020-10-27 01:13:00 UTC (rev 269008)
+++ branches/safari-611.1.4-branch/Source/WebKit/ChangeLog 2020-10-27 01:13:03 UTC (rev 269009)
@@ -1,3 +1,53 @@
+2020-10-26 Alan Coon <[email protected]>
+
+ Cherry-pick r268796. rdar://problem/70702309
+
+ Don't crash when deallocating WKWebView during TLS handshake
+ https://bugs.webkit.org/show_bug.cgi?id=218025
+ <rdar://problem/70225969>
+
+ Patch by Alex Christensen <[email protected]> on 2020-10-21
+ Reviewed by Tim Horton.
+
+ Source/WebKit:
+
+ NetworkProcessProxy::didReceiveAuthenticationChallenge would sometimes dereference an unchecked
+ Optional<SecurityOriginData> which would result in a null dereference crash. Also, sometimes
+ Connection::initializeSendSource would assert because it was trying to set up a cancel handler for
+ a send port that had not been successfully set up yet. I added a test that reproduces both of these
+ issues most of the time.
+
+ * Platform/IPC/cocoa/ConnectionCocoa.mm:
+ (IPC::Connection::initializeSendSource):
+ * UIProcess/Network/NetworkProcessProxy.cpp:
+ (WebKit::NetworkProcessProxy::didReceiveAuthenticationChallenge):
+
+ Tools:
+
+ * TestWebKitAPI/Tests/WebKitCocoa/Challenge.mm:
+ (TEST):
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@268796 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2020-10-21 Alex Christensen <[email protected]>
+
+ Don't crash when deallocating WKWebView during TLS handshake
+ https://bugs.webkit.org/show_bug.cgi?id=218025
+ <rdar://problem/70225969>
+
+ Reviewed by Tim Horton.
+
+ NetworkProcessProxy::didReceiveAuthenticationChallenge would sometimes dereference an unchecked
+ Optional<SecurityOriginData> which would result in a null dereference crash. Also, sometimes
+ Connection::initializeSendSource would assert because it was trying to set up a cancel handler for
+ a send port that had not been successfully set up yet. I added a test that reproduces both of these
+ issues most of the time.
+
+ * Platform/IPC/cocoa/ConnectionCocoa.mm:
+ (IPC::Connection::initializeSendSource):
+ * UIProcess/Network/NetworkProcessProxy.cpp:
+ (WebKit::NetworkProcessProxy::didReceiveAuthenticationChallenge):
+
2020-10-20 Alan Coon <[email protected]>
Revert r268386. rdar://problem/70497386
Modified: branches/safari-611.1.4-branch/Source/WebKit/Platform/IPC/cocoa/ConnectionCocoa.mm (269008 => 269009)
--- branches/safari-611.1.4-branch/Source/WebKit/Platform/IPC/cocoa/ConnectionCocoa.mm 2020-10-27 01:13:00 UTC (rev 269008)
+++ branches/safari-611.1.4-branch/Source/WebKit/Platform/IPC/cocoa/ConnectionCocoa.mm 2020-10-27 01:13:03 UTC (rev 269009)
@@ -394,12 +394,13 @@
}
});
- ASSERT(MACH_PORT_VALID(m_sendPort));
- mach_port_t sendPort = m_sendPort;
- dispatch_source_set_cancel_handler(m_sendSource, ^{
- // Release our send right.
- deallocateSendRightSafely(sendPort);
- });
+ if (MACH_PORT_VALID(m_sendPort)) {
+ mach_port_t sendPort = m_sendPort;
+ dispatch_source_set_cancel_handler(m_sendSource, ^{
+ // Release our send right.
+ deallocateSendRightSafely(sendPort);
+ });
+ }
}
void Connection::resumeSendSource()
Modified: branches/safari-611.1.4-branch/Source/WebKit/UIProcess/Network/NetworkProcessProxy.cpp (269008 => 269009)
--- branches/safari-611.1.4-branch/Source/WebKit/UIProcess/Network/NetworkProcessProxy.cpp 2020-10-27 01:13:00 UTC (rev 269008)
+++ branches/safari-611.1.4-branch/Source/WebKit/UIProcess/Network/NetworkProcessProxy.cpp 2020-10-27 01:13:03 UTC (rev 269009)
@@ -432,6 +432,11 @@
return;
}
+ if (!topOrigin) {
+ authenticationChallenge->listener().completeChallenge(AuthenticationChallengeDisposition::RejectProtectionSpaceAndContinue);
+ return;
+ }
+
WebPageProxy::forMostVisibleWebPageIfAny(sessionID, *topOrigin, [this, weakThis = makeWeakPtr(this), sessionID, authenticationChallenge = WTFMove(authenticationChallenge), negotiatedLegacyTLS](auto* page) mutable {
if (!weakThis)
return;
Modified: branches/safari-611.1.4-branch/Tools/ChangeLog (269008 => 269009)
--- branches/safari-611.1.4-branch/Tools/ChangeLog 2020-10-27 01:13:00 UTC (rev 269008)
+++ branches/safari-611.1.4-branch/Tools/ChangeLog 2020-10-27 01:13:03 UTC (rev 269009)
@@ -1,3 +1,45 @@
+2020-10-26 Alan Coon <[email protected]>
+
+ Cherry-pick r268796. rdar://problem/70702309
+
+ Don't crash when deallocating WKWebView during TLS handshake
+ https://bugs.webkit.org/show_bug.cgi?id=218025
+ <rdar://problem/70225969>
+
+ Patch by Alex Christensen <[email protected]> on 2020-10-21
+ Reviewed by Tim Horton.
+
+ Source/WebKit:
+
+ NetworkProcessProxy::didReceiveAuthenticationChallenge would sometimes dereference an unchecked
+ Optional<SecurityOriginData> which would result in a null dereference crash. Also, sometimes
+ Connection::initializeSendSource would assert because it was trying to set up a cancel handler for
+ a send port that had not been successfully set up yet. I added a test that reproduces both of these
+ issues most of the time.
+
+ * Platform/IPC/cocoa/ConnectionCocoa.mm:
+ (IPC::Connection::initializeSendSource):
+ * UIProcess/Network/NetworkProcessProxy.cpp:
+ (WebKit::NetworkProcessProxy::didReceiveAuthenticationChallenge):
+
+ Tools:
+
+ * TestWebKitAPI/Tests/WebKitCocoa/Challenge.mm:
+ (TEST):
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@268796 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2020-10-21 Alex Christensen <[email protected]>
+
+ Don't crash when deallocating WKWebView during TLS handshake
+ https://bugs.webkit.org/show_bug.cgi?id=218025
+ <rdar://problem/70225969>
+
+ Reviewed by Tim Horton.
+
+ * TestWebKitAPI/Tests/WebKitCocoa/Challenge.mm:
+ (TEST):
+
2020-10-22 Alan Coon <[email protected]>
Revert r268616. rdar://problem/70578639
Modified: branches/safari-611.1.4-branch/Tools/TestWebKitAPI/Tests/WebKitCocoa/Challenge.mm (269008 => 269009)
--- branches/safari-611.1.4-branch/Tools/TestWebKitAPI/Tests/WebKitCocoa/Challenge.mm 2020-10-27 01:13:00 UTC (rev 269008)
+++ branches/safari-611.1.4-branch/Tools/TestWebKitAPI/Tests/WebKitCocoa/Challenge.mm 2020-10-27 01:13:03 UTC (rev 269009)
@@ -240,6 +240,29 @@
Util::run(&navigationFinished);
}
+TEST(Challenge, DeallocateDuringChallenge)
+{
+ using namespace TestWebKitAPI;
+ HTTPServer server({{ "/", { "hi" }}}, HTTPServer::Protocol::Https);
+
+ auto delegate = [[TestNavigationDelegate new] autorelease];
+ delegate.didReceiveAuthenticationChallenge = ^(WKWebView *, NSURLAuthenticationChallenge *challenge, void (^completionHandler)(NSURLSessionAuthChallengeDisposition, NSURLCredential *)) {
+ completionHandler(NSURLSessionAuthChallengeUseCredential, [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]);
+ };
+
+ @autoreleasepool {
+ Vector<RetainPtr<WKWebView>> views;
+ for (size_t i = 0; i < 100; i++)
+ views.append(adoptNS([WKWebView new]));
+ for (auto& view : views) {
+ [view setNavigationDelegate:delegate];
+ [view loadRequest:server.request()];
+ }
+ Util::spinRunLoop(10);
+ }
+ Util::spinRunLoop(1000);
+}
+
@interface ClientCertificateDelegate : NSObject <WKNavigationDelegate> {
Vector<RetainPtr<NSString>> _authenticationMethods;
}
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
