Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: f43860e90c4cdd6d7208a591028a18b682b0a681
https://github.com/WebKit/WebKit/commit/f43860e90c4cdd6d7208a591028a18b682b0a681
Author: Rupin Mittal <[email protected]>
Date: 2026-03-11 (Wed, 11 Mar 2026)
Changed paths:
M Source/WebKit/NetworkProcess/NetworkProcess.cpp
Log Message:
-----------
StabilityTracer: Crash in callback of async IPC sent by
WebKit::NetworkProcess::findPendingDownloadLocation
https://bugs.webkit.org/show_bug.cgi?id=309695
rdar://172248665
Reviewed by Ben Nham and Per Arne Vollan.
It looks like the crash is due to a null pointer dereference. It seems like the completion handler on this line:
return completionHandler(PolicyAction::Ignore);
in NetworkProcess::findPendingDownloadLocation is null.
This completion handler is called as part of the reply of the async IPC sent to DownloadProxy::DecideDestinationWithSuggestedFilename.
Given that NetworkProcess::findPendingDownloadLocation receives the completionHandler as an rvalue reference and then moves it into the lambda, it's likely not null to begin with. But the IPC message is sent with the IPC::Connection* returned by downloadProxyConnection(), which can be a nullptr. That would cause undefined behavior and could result in this crash.
So we speculatively fix this by early returning if the connection doesn't exist.
* Source/WebKit/NetworkProcess/NetworkProcess.cpp:
(WebKit::NetworkProcess::findPendingDownloadLocation):
Canonical link: https://commits.webkit.org/309114@main
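The control flow the commit message describes, as an added C++ illustration that is not WebKit's code: a completion handler is moved into the reply lambda of an async send over a connection pointer that may be null, and the fix is an early return that still fires the handler exactly once. `Connection`, `CompletionHandler`, `PolicyAction`, `DownloadLocation` and the two `findPendingDownloadLocation*` functions are hypothetical stand-ins for the IPC::Connection, WTF::CompletionHandler and download-proxy reply types; only the shape of the bug and of the fix mirrors the commit.

```cpp
#include <functional>
#include <string>
#include <utility>
#include <vector>

// Hypothetical stand-ins, not WebKit types.
enum class PolicyAction { Use, Ignore };

struct DownloadLocation {
    PolicyAction action;
    std::string destination;
    unsigned handlerCalls;  // how many times the completion handler fired
};

// Stand-in for an IPC connection with async replies. Replies are queued and
// delivered explicitly so the example runs single-threaded and offline.
struct Connection {
    using Reply = std::function<void(std::string destination, bool allowOverwrite)>;
    std::vector<std::function<void()>> pending;

    void sendWithAsyncReply(const std::string& suggestedFilename, Reply reply) {
        pending.push_back([reply = std::move(reply), suggestedFilename]() mutable {
            // Constructed reply: the UI side picked a destination, no overwrite.
            reply("/Downloads/" + suggestedFilename, false);
        });
    }
    void deliverReplies() {
        auto batch = std::move(pending);
        pending.clear();
        for (auto& r : batch)
            r();
    }
};

using CompletionHandler = std::function<void(PolicyAction, std::string)>;

// "Before": the message is sent through `connection` with no null check.
// Calling this with connection == nullptr dereferences a null pointer, which
// is undefined behaviour and the crash the commit describes; the test below
// never does that.
void findPendingDownloadLocationUnchecked(Connection* connection,
                                          const std::string& suggestedFilename,
                                          CompletionHandler&& completionHandler) {
    connection->sendWithAsyncReply(suggestedFilename,
        [completionHandler = std::move(completionHandler)](std::string destination, bool) mutable {
            if (destination.empty())
                return completionHandler(PolicyAction::Ignore, std::string());
            completionHandler(PolicyAction::Use, std::move(destination));
        });
}

// "After": bail out with Ignore when there is no connection. The handler still
// fires exactly once on every path and the null pointer is never touched.
void findPendingDownloadLocationChecked(Connection* connection,
                                        const std::string& suggestedFilename,
                                        CompletionHandler&& completionHandler) {
    if (!connection)
        return completionHandler(PolicyAction::Ignore, std::string());
    findPendingDownloadLocationUnchecked(connection, suggestedFilename,
                                         std::move(completionHandler));
}

// Drives one lookup and reports what the completion handler observed.
DownloadLocation runLookup(Connection* connection, const std::string& filename) {
    DownloadLocation result{PolicyAction::Ignore, std::string(), 0};
    findPendingDownloadLocationChecked(connection, filename,
        [&result](PolicyAction action, std::string destination) {
            result.action = action;
            result.destination = std::move(destination);
            ++result.handlerCalls;
        });
    if (connection)
        connection->deliverReplies();  // simulate the async reply arriving
    return result;
}

DownloadLocation lookupWithConnection() {
    Connection connection;
    return runLookup(&connection, "report.pdf");
}

DownloadLocation lookupWithoutConnection() {
    return runLookup(nullptr, "report.pdf");
}

int main() {
    bool ok = lookupWithConnection().action == PolicyAction::Use
           && lookupWithoutConnection().handlerCalls == 1;
    return ok ? 0 : 1;
}
```

The point worth checking in a real CompletionHandler is the `handlerCalls == 1` invariant on both paths: a handler that is moved into a lambda that is never sent (or never replied to) is dropped without being called, and the early return is what keeps the caller's reply from going missing when the connection is gone.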