Bug 187654

Summary: WebResourceLoader may try to send a IPC with a destination ID that is 0
Product: WebKit Reporter: Chris Dumez <cdumez>
Component: WebKit2Assignee: Chris Dumez <cdumez>
Status: RESOLVED FIXED    
Severity: Normal CC: achristensen, beidson, commit-queue, webkit-bug-importer, youennf
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch none

Description Chris Dumez 2018-07-13 12:18:27 PDT
WebResourceLoader may try to send a IPC with a destination ID that is 0:
Exception Type:  EXC_BREAKPOINT (SIGTRAP)
Exception Codes: 0x0000000000000001, 0x00000001b067bee0
Termination Signal: Trace/BPT trap: 5
Termination Reason: Namespace SIGNAL, Code 0x5
Terminating Process: exc handler [5462]
Triggered by Thread:  0
Thread 0 name:  Dispatch queue: com.apple.main-thread
Thread 0 Crashed ↩:
0   WebKit                        	0x00000001b067bee0 WebKit::WebResourceLoader::messageSenderDestinationID() + 56 (WebResourceLoader.cpp:77)
1   WebKit                        	0x00000001b067bebc WebKit::WebResourceLoader::messageSenderDestinationID() + 20 (WebResourceLoader.cpp:76)
2   WebKit                        	0x00000001b067cfa8 WTF::Function<void ()>::CallableWrapper<WebKit::WebResourceLoader::didReceiveResponse(WebCore::ResourceResponse const&, bool)::$_1>::call() + 48 (MessageSender.h:39)
3   WebCore                       	0x00000001aa41f584 WebCore::SubresourceLoader::didReceiveResponsePolicy() + 44 (Function.h:56)
4   WebCore                       	0x00000001aa3d86cc WTF::Function<void (WebCore::PolicyAction)>::CallableWrapper<WebCore::DocumentLoader::responseReceived(WebCore::ResourceResponse const&, WTF::CompletionHandler<void ()>&&)::$_7>::call(WebCore::PolicyAction) + 36 (DocumentLoader.cpp:838)
5   WebKit                        	0x00000001b056254c WebKit::WebFrame::invalidatePolicyListener() + 64 (Function.h:56)
6   WebCore                       	0x00000001aa3cdb70 WebCore::DocumentLoader::detachFromFrame() + 476 (DocumentLoader.cpp:1818)
7   WebCore                       	0x00000001aa3ee2cc WebCore::FrameLoader::clearProvisionalLoad() + 52 (FrameLoader.cpp:1898)
8   WebCore                       	0x00000001aa3ef760 WebCore::FrameLoader::checkLoadCompleteForThisFrame() + 1716 (FrameLoader.cpp:2418)
9   WebCore                       	0x00000001aa3e7af8 WebCore::FrameLoader::checkLoadComplete() + 408 (FrameLoader.cpp:2629)
10  WebCore                       	0x00000001aa3f139c WebCore::FrameLoader::receivedMainResourceError(WebCore::ResourceError const&) + 324 (FrameLoader.cpp:3030)
11  WebCore                       	0x00000001aa44c5e8 WebCore::CachedResource::checkNotify() + 292 (CachedResource.cpp:341)
12  WebCore                       	0x00000001aa41fbe4 WebCore::SubresourceLoader::didFail(WebCore::ResourceError const&) + 264 (SubresourceLoader.cpp:677)
13  WebKit                        	0x00000001b058a51c WebKit::WebLoaderStrategy::internallyFailedLoadTimerFired() + 92 (WebLoaderStrategy.cpp:362)
14  JavaScriptCore                	0x00000001a7dee02c WTF::RunLoop::TimerBase::timerFired(__CFRunLoopTimer*, void*) + 44 (RunLoopCF.cpp:84)
15  CoreFoundation                	0x00000001a00ef148 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 28 (CFRunLoop.c:1830)
16  CoreFoundation                	0x00000001a00eee74 __CFRunLoopDoTimer + 864 (CFRunLoop.c:2417)
17  CoreFoundation                	0x00000001a00ee6a8 __CFRunLoopDoTimers + 248 (CFRunLoop.c:2564)
18  CoreFoundation                	0x00000001a00e9558 __CFRunLoopRun + 1884 (CFRunLoop.c:0)
19  CoreFoundation                	0x00000001a00e8ad8 CFRunLoopRunSpecific + 436 (CFRunLoop.c:3247)
20  Foundation                    	0x00000001a0ada314 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 300 (NSRunLoop.m:367)
21  Foundation                    	0x00000001a0b16328 -[NSRunLoop(NSRunLoop) run] + 88 (NSRunLoop.m:389)
22  libxpc.dylib                  	0x000000019fdba078 _xpc_objc_main + 532 (main.m:170)
23  libxpc.dylib                  	0x000000019fdbcab8 xpc_main + 184 (init.c:1471)
24  com.apple.WebKit.WebContent   	0x00000001009d759c main + 380 (XPCServiceMain.mm:160)
25  libdyld.dylib                 	0x000000019fba9dd8 0x19fba9000 + 3544

This can lead to HashMap corruption on recipient side when trying to lookup a key that is 0.
Comment 1 Chris Dumez 2018-07-13 12:18:38 PDT
<rdar://problem/39265927>
Comment 2 Chris Dumez 2018-07-13 12:26:00 PDT
Created attachment 344966 [details]
Patch
Comment 3 WebKit Commit Bot 2018-07-13 13:40:52 PDT
Comment on attachment 344966 [details]
Patch

Clearing flags on attachment: 344966

Committed r233815: <https://trac.webkit.org/changeset/233815>
Comment 4 WebKit Commit Bot 2018-07-13 13:40:53 PDT
All reviewed patches have been landed.  Closing bug.