Bug 184468

Summary: Crash in SchemeRegistry::registerURLSchemeAsLocal
Product: WebKit
Reporter: Cédric Bellegarde <cedric.bellegarde>
Component: WebKitGTK
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED INVALID
Severity: Normal
CC: bugs-noreply, cdumez, dbates, mcatanzaro
Priority: P2
Version: Other
Hardware: Unspecified
OS: Unspecified
See Also: https://bugs.webkit.org/show_bug.cgi?id=183197
Attachments: full bt (flags: none)

Cédric Bellegarde
Reported 2018-04-10 14:16:53 PDT
Created attachment 337635: full bt

ArchLinux, WebKitGTK 2.20.1. If the backtrace is not OK (looks strange) and the bug is reproducible, I will try to get a backtrace on Fedora 28.

Attachment: full bt (136.44 KB, text/plain), 2018-04-10 14:16 PDT, Cédric Bellegarde, no flags
Michael Catanzaro
Comment 1 2018-04-10 18:17:23 PDT
Ugh, it's related to bug #183197... feels like whack-a-mole here. I really thought we had this fixed by r230205 "Make SecurityOrigin safe to create and use from any thread" but that fix is already present in 2.20.1. Thanks for reporting so quickly.
Michael Catanzaro
Comment 2 2018-04-10 18:38:19 PDT
It's easy to verify that both builtinLocalURLSchemes and localURLSchemes are never used except when guarded by schemeRegistryLock. From the backtrace, I see eolie is calling webkit_security_manager_register_uri_scheme_as_local() from the main thread at the time of the crash, which should be perfectly safe. And I see the scheme you're registering is scheme=0x563a63202c10 "file", so clearly nothing wrong with the memory you're passing in. I notice the same String is being added to WebProcessPool::m_schemesToRegisterAsLocal by registerSecurityPolicyForURIScheme in WebKitSecurityManager.cpp. That should be perfectly safe, though.
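The invariant described in the comment above (every access to the local-scheme set goes through the registry lock, and registering a scheme that is already present, such as the builtin "file", is a no-op) can be checked in isolation. The following is an added example written for this page, not WebKit's SchemeRegistry code; the class name, lock name and the single builtin scheme "file" are modelled on the names in the thread, and the threads-times-iterations stress loop is an assumption about how a practitioner would exercise the registry.

```cpp
#include <mutex>
#include <set>
#include <string>
#include <thread>
#include <vector>

// Hypothetical stand-in for WebKit's SchemeRegistry (not the real class):
// a set of "local" URL schemes that may only be touched while holding the lock.
class SchemeRegistry {
public:
    // "file" is seeded as the builtin local scheme, as the thread describes.
    SchemeRegistry() : localSchemes_{"file"} {}

    // Returns true if the scheme was newly added, false if it was already
    // registered (in which case the call is a no-op, as for "file").
    bool registerURLSchemeAsLocal(const std::string& scheme) {
        std::lock_guard<std::mutex> lock(schemeRegistryLock_);
        return localSchemes_.insert(scheme).second;
    }

    bool shouldTreatURLSchemeAsLocal(const std::string& scheme) {
        std::lock_guard<std::mutex> lock(schemeRegistryLock_);
        return localSchemes_.count(scheme) != 0;
    }

    size_t localSchemeCount() {
        std::lock_guard<std::mutex> lock(schemeRegistryLock_);
        return localSchemes_.size();
    }

private:
    std::mutex schemeRegistryLock_;          // guards every access below
    std::set<std::string> localSchemes_;     // builtin + registered local schemes
};

// Registering the builtin scheme on a fresh registry must be a no-op.
bool registeringBuiltinIsNoOp() {
    SchemeRegistry registry;
    bool added = registry.registerURLSchemeAsLocal("file");
    return !added && registry.localSchemeCount() == 1
        && registry.shouldTreatURLSchemeAsLocal("file");
}

// Hammer the registry from several threads at once: each thread re-registers
// "file" (always a no-op) and one custom scheme of its own, while also reading.
// Returns true if the final state is exactly the builtin plus one scheme per thread.
bool concurrentRegistrationIsConsistent(int threads, int iterations) {
    SchemeRegistry registry;
    std::vector<std::thread> workers;
    for (int t = 0; t < threads; ++t) {
        workers.emplace_back([&registry, iterations, t] {
            const std::string custom = "app-" + std::to_string(t); // constructed scheme name
            for (int i = 0; i < iterations; ++i) {
                registry.registerURLSchemeAsLocal("file");
                registry.registerURLSchemeAsLocal(custom);
                registry.shouldTreatURLSchemeAsLocal("file");
            }
        });
    }
    for (auto& w : workers)
        w.join();
    if (registry.localSchemeCount() != static_cast<size_t>(threads) + 1)
        return false;
    return registry.shouldTreatURLSchemeAsLocal("file");
}

int main() {
    // Stand-alone run: exit status 0 only if both invariants hold.
    return (registeringBuiltinIsNoOp() && concurrentRegistrationIsConsistent(4, 1000)) ? 0 : 1;
}
```

The lock is the whole point: if either accessor read the set without taking `schemeRegistryLock_`, the stress loop would be a data race, and a crash inside the registration path from the main thread (as in this report) would be one plausible symptom rather than something the registry itself could rule out.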
Chris Dumez
Comment 3 2018-04-10 18:51:20 PDT
Odd indeed. Interestingly, the scheme being passed is "file" which already should be in the HashSet since it is one of the builtin schemes. Therefore, I would have expected adding "file" to be a no-op.
Cédric Bellegarde
Comment 4 2018-05-25 08:17:25 PDT
Closing: https://gitlab.gnome.org/gnumdk/eolie/commit/9f5dad3a5aa1fa64fe1bf1082b81c26840b02578 If it happens again without this line, I will reopen an issue.
Michael Catanzaro
Comment 5 2018-05-25 08:37:51 PDT
That should be safe, though; it's a WebKit bug if it crashes.