147227 2015-07-23 09:54:52 -0700 Crash in WebPlatformStrategies::createPingHandle - Deref a null NetworkingContext 2022-03-01 02:46:53 -0800 1 1 1 Unclassified WebKit WebKit2 528+ (Nightly build) All All RESOLVED FIXED InRadar P2 Normal --- 1 beidson webkit-unassigned andersca ap commit-queue dbates kling koivisto mkwst msaboff simon.fraser thorton oldest_to_newest 1111654 0 beidson 2015-07-23 09:54:52 -0700 Crash in WebPlatformStrategies::createPingHandle - Deref a null NetworkingContext 0 com.apple.WebKit 0x00007fff9152d6e8 WebKit::WebFrameNetworkingContext::webFrameLoaderClient() const + 6 1 com.apple.WebKit 0x00007fff9159b224 WebKit::WebPlatformStrategies::createPingHandle(WebCore::NetworkingContext*, WebCore::ResourceRequest&, bool) + 64 2 com.apple.WebCore 0x00007fff97c7a696 WebCore::PingLoader::startPingLoad(WebCore::Frame&, WebCore::ResourceRequest&) + 566 3 com.apple.WebCore 0x00007fff97c7b0f6 WebCore::PingLoader::sendViolationReport(WebCore::Frame&, WebCore::URL const&, WTF::PassRefPtr<WebCore::FormData>) + 918 4 com.apple.WebCore 0x00007fff974f7fe2 WebCore::ContentSecurityPolicy::reportViolation(WTF::String const&, WTF::String const&, WTF::String const&, WebCore::URL const&, WTF::Vector<WebCore::URL, 0ul, WTF::CrashOnOverflow, 16ul> const&, WTF::String const&, WTF::String const&, WTF::OrdinalNumber const&, JSC::ExecState*) const + 3554 5 com.apple.WebCore 0x00007fff974f71c8 WebCore::CSPDirectiveList::reportViolation(WTF::String const&, WTF::String const&, WTF::String const&, WebCore::URL const&, WTF::String const&, WTF::OrdinalNumber const&, JSC::ExecState*) const + 280 ... 30 com.apple.WebCore 0x00007fff9713f482 WebCore::FrameLoader::init() + 770 31 com.apple.WebKit 0x00007fff91392fe9 WebKit::WebFrame::createSubframe(WebKit::WebPage*, WTF::String const&, WebCore::HTMLFrameOwnerElement*) + 381 32 com.apple.WebKit 0x00007fff9152a639 WebKit::WebFrameLoaderClient::createFrame(WebCore::URL const&, WTF::String const&, WebCore::HTMLFrameOwnerElement*, WTF::String const&, bool, int, int) + 63 33 com.apple.WebCore 0x00007fff97ece1db WebCore::SubframeLoader::loadSubframe(WebCore::HTMLFrameOwnerElement&, WebCore::URL const&, WTF::String const&, WTF::String const&) + 283 UserStyleSheet, with a font-src rule, injected into the initial empty document for a new frame, but with CSP blocking the font load, and triggering a violation report. Wow! Easy to repro with a layout test, though. Radar - <rdar://problem/21949735> 1111655 1 beidson 2015-07-23 09:56:00 -0700 In WK2, it would actually be possible to bypass the need for the networking context and start the load in the Networking Process. But it's a bit unclear what we should be doing in the initial-empty-document case. Previously, this precise violation report would not start a ping because of the null networking context, so for now let's restore that behavior. 1111656 2 257354 beidson 2015-07-23 10:01:55 -0700 Created attachment 257354 Patch v1 1111659 3 257354 ap 2015-07-23 10:32:04 -0700 Comment on attachment 257354 Patch v1 View in context: https://bugs.webkit.org/attachment.cgi?id=257354&action=review Hrmpf. Nice. > LayoutTests/http/tests/security/contentSecurityPolicy/user-style-sheet-font-crasher-expected.txt:3 > +CONSOLE MESSAGE: Refused to load the font 'http://127.0.0.1:8000/security/contentSecurityPolicy/example_font.woff' because it violates the following Content Security Policy directive: "font-src http://webkit.org". > + > +CONSOLE MESSAGE: Refused to load the font 'http://127.0.0.1:8000/security/contentSecurityPolicy/example_font.woff' because it violates the following Content Security Policy directive: "font-src http://webkit.org". Why is this logged twice, do we have a bug? > LayoutTests/http/tests/security/contentSecurityPolicy/user-style-sheet-font-crasher.html:8 > + testRunner.addUserStyleSheet("@font-face { font-family: ExampleFont; src: url(example_font.woff); }", true); I wonder if this can also be reproduced with something like <iframe src="http://www.apple.com"></iframe> <script> frames[0].document.write(theStylesheet); </script> > Source/WebKit2/WebProcess/WebCoreSupport/WebPlatformStrategies.cpp:255 > + // We shouldn't be sending ping loads during that process anyways. What do other browsers do? I wonder if "shouldn't" may be too assertive. It feels like we shouldn't apply user stylesheets in initial documents, what do you think? 1111666 4 beidson 2015-07-23 11:11:01 -0700 (In reply to comment #3) > Comment on attachment 257354 [details] > Patch v1 > > View in context: > https://bugs.webkit.org/attachment.cgi?id=257354&action=review > > Hrmpf. Nice. > > > LayoutTests/http/tests/security/contentSecurityPolicy/user-style-sheet-font-crasher-expected.txt:3 > > +CONSOLE MESSAGE: Refused to load the font 'http://127.0.0.1:8000/security/contentSecurityPolicy/example_font.woff' because it violates the following Content Security Policy directive: "font-src http://webkit.org". > > + > > +CONSOLE MESSAGE: Refused to load the font 'http://127.0.0.1:8000/security/contentSecurityPolicy/example_font.woff' because it violates the following Content Security Policy directive: "font-src http://webkit.org". > > Why is this logged twice, do we have a bug? No - the style sheet is injected into both frames, so the CSP fires twice. > > > LayoutTests/http/tests/security/contentSecurityPolicy/user-style-sheet-font-crasher.html:8 > > + testRunner.addUserStyleSheet("@font-face { font-family: ExampleFont; src: url(example_font.woff); }", true); > > I wonder if this can also be reproduced with something like > > <iframe src="http://www.apple.com"></iframe> > <script> > frames[0].document.write(theStylesheet); > </script> > That wouldn't do it, because initial document creation is synchronous, and completed by the time you get to document.write. By the time you get there, you'd have the networking context and wouldn't repro the crash. > > Source/WebKit2/WebProcess/WebCoreSupport/WebPlatformStrategies.cpp:255 > > + // We shouldn't be sending ping loads during that process anyways. > > What do other browsers do? I wonder if "shouldn't" may be too assertive. > > It feels like we shouldn't apply user stylesheets in initial documents, what > do you think? Perhaps it is too assertive. I'll relax it before landing. I postulated at least one other solution in the radar but it seems much higher risk. I'm not sure whether or not user sheets should apply to the initial empty document - I'd want Simon, Antti, Andreas, etc to comment. As is, this patch restores precisely the behavior we had before https://trac.webkit.org/changeset/186530 - I'm pretty confident in that interim step while we explore what we should *really* be doing here. 1111715 5 beidson 2015-07-23 13:20:31 -0700 https://trac.webkit.org/changeset/187248 1111922 6 ap 2015-07-23 21:59:27 -0700 This test fails on Windows every time (maybe unsupported testRunner functionality?) 1111925 7 beidson 2015-07-23 22:32:21 -0700 (In reply to comment #6) > This test fails on Windows every time (maybe unsupported testRunner > functionality?) Probably. Will take a look. 1111927 8 beidson 2015-07-23 22:36:14 -0700 Hmmmm, the message comes from: - (void)webView:(WebView *)sender addMessageToConsole:(NSDictionary *)dictionary withSource:(NSString *)source ...in Mac DRT, and: "willAddMessageToConsole" ...in WK2 WKTR. There is a "CONSOLE MESSAGE" string in DRT Win, in: HRESULT UIDelegate::webViewAddMessageToConsole(IWebView* /*sender*/, BSTR message, int lineNumber, BSTR url, BOOL isError) I guess that's not getting called (or its bailing out early?) 1111928 9 ap 2015-07-23 22:52:51 -0700 I suspected that addUserStyleSheet wasn't implemented, but looks like it is. 1111929 10 beidson 2015-07-23 22:57:11 -0700 (In reply to comment #9) > I suspected that addUserStyleSheet wasn't implemented, but looks like it is. Is CSP not working in WebKitWin? That would explain it, too. 257354 2015-07-23 10:01:55 -0700 2022-03-01 02:46:53 -0800 Patch v1 patch text/plain 4394 beidson ZGlmZiAtLWdpdCBhL0xheW91dFRlc3RzL0NoYW5nZUxvZyBiL0xheW91dFRlc3RzL0NoYW5nZUxv ZwppbmRleCBjMWIyZjBjLi4xMGI5YmMzIDEwMDY0NAotLS0gYS9MYXlvdXRUZXN0cy9DaGFuZ2VM b2cKKysrIGIvTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCkBAIC0xLDMgKzEsMTMgQEAKKzIwMTUtMDct MjMgIEJyYWR5IEVpZHNvbiAgPGJlaWRzb25AYXBwbGUuY29tPgorCisgICAgICAgIENyYXNoIGlu IFdlYlBsYXRmb3JtU3RyYXRlZ2llczo6Y3JlYXRlUGluZ0hhbmRsZSAtIERlcmVmIGEgbnVsbCBO ZXR3b3JraW5nQ29udGV4dC4KKyAgICAgICAgPHJkYXI6Ly9wcm9ibGVtLzIxOTQ5NzM1PiBhbmQg aHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTE0NzIyNworCisgICAgICAg IFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgICogaHR0cC90ZXN0cy9zZWN1 cml0eS9jb250ZW50U2VjdXJpdHlQb2xpY3kvdXNlci1zdHlsZS1zaGVldC1mb250LWNyYXNoZXIt ZXhwZWN0ZWQudHh0OiBBZGRlZC4KKyAgICAgICAgKiBodHRwL3Rlc3RzL3NlY3VyaXR5L2NvbnRl bnRTZWN1cml0eVBvbGljeS91c2VyLXN0eWxlLXNoZWV0LWZvbnQtY3Jhc2hlci5odG1sOiBBZGRl ZC4KKwogMjAxNS0wNy0yMyAgTWljaGFlbCBTYWJvZmYgIDxtc2Fib2ZmQGFwcGxlLmNvbT4KIAog ICAgICAgICBBcHBsaWNhdGlvbiBjYWNoZSBhYm9ydCgpIHRlc3RzIGFyZSBmbGFreQpkaWZmIC0t Z2l0IGEvTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0eS9jb250ZW50U2VjdXJpdHlQb2xp Y3kvdXNlci1zdHlsZS1zaGVldC1mb250LWNyYXNoZXItZXhwZWN0ZWQudHh0IGIvTGF5b3V0VGVz dHMvaHR0cC90ZXN0cy9zZWN1cml0eS9jb250ZW50U2VjdXJpdHlQb2xpY3kvdXNlci1zdHlsZS1z aGVldC1mb250LWNyYXNoZXItZXhwZWN0ZWQudHh0Cm5ldyBmaWxlIG1vZGUgMTAwNjQ0CmluZGV4 IDAwMDAwMDAuLjEzYmM5YzcKLS0tIC9kZXYvbnVsbAorKysgYi9MYXlvdXRUZXN0cy9odHRwL3Rl c3RzL3NlY3VyaXR5L2NvbnRlbnRTZWN1cml0eVBvbGljeS91c2VyLXN0eWxlLXNoZWV0LWZvbnQt Y3Jhc2hlci1leHBlY3RlZC50eHQKQEAgLTAsMCArMSw2IEBACitDT05TT0xFIE1FU1NBR0U6IFJl ZnVzZWQgdG8gbG9hZCB0aGUgZm9udCAnaHR0cDovLzEyNy4wLjAuMTo4MDAwL3NlY3VyaXR5L2Nv bnRlbnRTZWN1cml0eVBvbGljeS9leGFtcGxlX2ZvbnQud29mZicgYmVjYXVzZSBpdCB2aW9sYXRl cyB0aGUgZm9sbG93aW5nIENvbnRlbnQgU2VjdXJpdHkgUG9saWN5IGRpcmVjdGl2ZTogImZvbnQt c3JjIGh0dHA6Ly93ZWJraXQub3JnIi4KKworQ09OU09MRSBNRVNTQUdFOiBSZWZ1c2VkIHRvIGxv YWQgdGhlIGZvbnQgJ2h0dHA6Ly8xMjcuMC4wLjE6ODAwMC9zZWN1cml0eS9jb250ZW50U2VjdXJp dHlQb2xpY3kvZXhhbXBsZV9mb250LndvZmYnIGJlY2F1c2UgaXQgdmlvbGF0ZXMgdGhlIGZvbGxv d2luZyBDb250ZW50IFNlY3VyaXR5IFBvbGljeSBkaXJlY3RpdmU6ICJmb250LXNyYyBodHRwOi8v d2Via2l0Lm9yZyIuCisKK1RoZSBpZnJhbWUgYmVsb3cgdHJpZ2dlcnMgYSB2aW9sYXRpb24gcmVw b3J0IGNyZWF0aW5nIHRoZSBpbml0aWFsIGVtcHR5IGRvY3VtZW50LiBJdCBzaG91bGQgbm90IGNy YXNoIHRoZSB3ZWIgcHJvY2Vzcy4KKwpkaWZmIC0tZ2l0IGEvTGF5b3V0VGVzdHMvaHR0cC90ZXN0 cy9zZWN1cml0eS9jb250ZW50U2VjdXJpdHlQb2xpY3kvdXNlci1zdHlsZS1zaGVldC1mb250LWNy YXNoZXIuaHRtbCBiL0xheW91dFRlc3RzL2h0dHAvdGVzdHMvc2VjdXJpdHkvY29udGVudFNlY3Vy aXR5UG9saWN5L3VzZXItc3R5bGUtc2hlZXQtZm9udC1jcmFzaGVyLmh0bWwKbmV3IGZpbGUgbW9k ZSAxMDA2NDQKaW5kZXggMDAwMDAwMC4uOWM2YzE2YQotLS0gL2Rldi9udWxsCisrKyBiL0xheW91 dFRlc3RzL2h0dHAvdGVzdHMvc2VjdXJpdHkvY29udGVudFNlY3VyaXR5UG9saWN5L3VzZXItc3R5 bGUtc2hlZXQtZm9udC1jcmFzaGVyLmh0bWwKQEAgLTAsMCArMSwxNiBAQAorPGh0bWw+Cis8aGVh ZD4KKzxtZXRhIGNvbnRlbnQ9ImZvbnQtc3JjIGh0dHA6Ly93ZWJraXQub3JnOyByZXBvcnQtdXJp IGh0dHA6Ly93ZWJraXQub3JnL3JlcG9ydDsiIGh0dHAtZXF1aXY9IkNvbnRlbnQtU2VjdXJpdHkt UG9saWN5Ij4KKzxzY3JpcHQ+CitpZiAod2luZG93LnRlc3RSdW5uZXIpIHsKKyAgICB0ZXN0UnVu bmVyLmR1bXBBc1RleHQoKTsKKyAgICB0ZXN0UnVubmVyLndhaXRVbnRpbERvbmUoKTsKKyAgICB0 ZXN0UnVubmVyLmFkZFVzZXJTdHlsZVNoZWV0KCJAZm9udC1mYWNlIHsgZm9udC1mYW1pbHk6IEV4 YW1wbGVGb250OyBzcmM6IHVybChleGFtcGxlX2ZvbnQud29mZik7IH0iLCB0cnVlKTsKK30KKzwv c2NyaXB0PgorPC9oZWFkPgorPGJvZHk+CitUaGUgaWZyYW1lIGJlbG93IHRyaWdnZXJzIGEgdmlv bGF0aW9uIHJlcG9ydCBjcmVhdGluZyB0aGUgaW5pdGlhbCBlbXB0eSBkb2N1bWVudC4gSXQgc2hv dWxkIG5vdCBjcmFzaCB0aGUgd2ViIHByb2Nlc3MuPGJyPgorPGlmcmFtZSBzcmM9Imh0dHA6Ly8x MjcuMC4wLjE6ODAwMC9yZXNvdXJjZXMvbm90aWZ5LWRvbmUuaHRtbCI+PC9pZnJhbWU+Cis8L2Jv ZHk+Cis8L2h0bWw+CmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViS2l0Mi9DaGFuZ2VMb2cgYi9Tb3Vy Y2UvV2ViS2l0Mi9DaGFuZ2VMb2cKaW5kZXggODQ0MTE5OS4uMDA5MmZmMSAxMDA2NDQKLS0tIGEv U291cmNlL1dlYktpdDIvQ2hhbmdlTG9nCisrKyBiL1NvdXJjZS9XZWJLaXQyL0NoYW5nZUxvZwpA QCAtMSwzICsxLDEzIEBACisyMDE1LTA3LTIzICBCcmFkeSBFaWRzb24gIDxiZWlkc29uQGFwcGxl LmNvbT4KKworICAgICAgICBDcmFzaCBpbiBXZWJQbGF0Zm9ybVN0cmF0ZWdpZXM6OmNyZWF0ZVBp bmdIYW5kbGUgLSBEZXJlZiBhIG51bGwgTmV0d29ya2luZ0NvbnRleHQuCisgICAgICAgIDxyZGFy Oi8vcHJvYmxlbS8yMTk0OTczNT4gYW5kIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVn LmNnaT9pZD0xNDcyMjcKKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKwor ICAgICAgICAqIFdlYlByb2Nlc3MvV2ViQ29yZVN1cHBvcnQvV2ViUGxhdGZvcm1TdHJhdGVnaWVz LmNwcDoKKyAgICAgICAgKFdlYktpdDo6V2ViUGxhdGZvcm1TdHJhdGVnaWVzOjpjcmVhdGVQaW5n SGFuZGxlKTogU2tpcCBpdCBpZiB0aGVyZSdzIGEgbnVsbCBOZXR3b3JraW5nQ29udGV4dC4KKwog MjAxNS0wNy0yMyAgVGltIEhvcnRvbiAgPHRpbW90aHlfaG9ydG9uQGFwcGxlLmNvbT4KIAogICAg ICAgICBSZW1vdmUgZmlsZXMgdGhhdCB3ZXJlIG1lYW50IHRvIGJlIHJlbW92ZWQgaW4gcjE3Mzky OQpkaWZmIC0tZ2l0IGEvU291cmNlL1dlYktpdDIvV2ViUHJvY2Vzcy9XZWJDb3JlU3VwcG9ydC9X ZWJQbGF0Zm9ybVN0cmF0ZWdpZXMuY3BwIGIvU291cmNlL1dlYktpdDIvV2ViUHJvY2Vzcy9XZWJD b3JlU3VwcG9ydC9XZWJQbGF0Zm9ybVN0cmF0ZWdpZXMuY3BwCmluZGV4IGFlNGI2NTcuLjk0NmE5 MWZjIDEwMDY0NAotLS0gYS9Tb3VyY2UvV2ViS2l0Mi9XZWJQcm9jZXNzL1dlYkNvcmVTdXBwb3J0 L1dlYlBsYXRmb3JtU3RyYXRlZ2llcy5jcHAKKysrIGIvU291cmNlL1dlYktpdDIvV2ViUHJvY2Vz cy9XZWJDb3JlU3VwcG9ydC9XZWJQbGF0Zm9ybVN0cmF0ZWdpZXMuY3BwCkBAIC0yNTEsNiArMjUx LDExIEBAIHZvaWQgV2ViUGxhdGZvcm1TdHJhdGVnaWVzOjpsb2FkUmVzb3VyY2VTeW5jaHJvbm91 c2x5KE5ldHdvcmtpbmdDb250ZXh0KiBjb250ZXh0CiAKIHZvaWQgV2ViUGxhdGZvcm1TdHJhdGVn aWVzOjpjcmVhdGVQaW5nSGFuZGxlKE5ldHdvcmtpbmdDb250ZXh0KiBuZXR3b3JraW5nQ29udGV4 dCwgUmVzb3VyY2VSZXF1ZXN0JiByZXF1ZXN0LCBib29sIHNob3VsZFVzZUNyZWRlbnRpYWxTdG9y YWdlKQogeworICAgIC8vIEl0J3MgcG9zc2libGUgdGhhdCBjYWxsIHRvIGNyZWF0ZVBpbmdIYW5k bGUgbWlnaHQgYmUgbWFkZSBkdXJpbmcgaW5pdGlhbCBlbXB0eSBEb2N1bWVudCBjcmVhdGlvbiBi ZWZvcmUgYSBOZXR3b3JraW5nQ29udGV4dCBleGlzdHMuCisgICAgLy8gV2Ugc2hvdWxkbid0IGJl IHNlbmRpbmcgcGluZyBsb2FkcyBkdXJpbmcgdGhhdCBwcm9jZXNzIGFueXdheXMuCisgICAgaWYg KCFuZXR3b3JraW5nQ29udGV4dCkKKyAgICAgICAgcmV0dXJuOworCiAgICAgYXV0byYgd2ViUHJv Y2VzcyA9IFdlYlByb2Nlc3M6OnNpbmdsZXRvbigpOwogICAgIGlmICghd2ViUHJvY2Vzcy51c2Vz TmV0d29ya1Byb2Nlc3MoKSkgewogICAgICAgICBMb2FkZXJTdHJhdGVneTo6Y3JlYXRlUGluZ0hh bmRsZShuZXR3b3JraW5nQ29udGV4dCwgcmVxdWVzdCwgc2hvdWxkVXNlQ3JlZGVudGlhbFN0b3Jh Z2UpOwo=