Bug 191762

Summary: EXC_BAD_ACCESS when invoking a DownloadProxy's destination decision handler after the download has been canceled
Product: WebKit
Reporter: David Quesada <david_quesada>
Component: WebKit2
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: achristensen, ap, beidson, commit-queue, dino, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments (Description / Flags):
- Test case / none
- Patch / none

Description David Quesada 2018-11-16 11:48:41 PST
Created attachment 355089 [details]
Test case

If a DownloadProxy is invalidated while the DownloadClient is deciding the destination, then the app will crash when the decision handler is called. The troublesome line of code is in DownloadProxy::decideDestinationWithSuggestedFilenameAsync:

    if (auto* networkProcess = m_processPool->networkProcess())

m_processPool is null (due to the DownloadProxyMap invalidating the proxy when the download is canceled), so you get an invalid memory access trying to get the process pool's m_networkProcess.

So if you get unlucky and the UI process gets notified that the download has been canceled while the destination decision handler is still outstanding, you have three terrible options:
- Call the decision handler and crash.
- Don't call the decision handler, and crash due to CompletionHandlerCallChecker getting upset.
- Strategically deallocate the handler block and @try/@catch the resulting exception to stay alive.

The code in decideDestinationWithSuggestedFilenameAsync()'s handler should check that m_processPool is non-null before trying to access its network process.
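As an added illustration (not WebKit's code and not the landed patch), a stand-alone C++ model of the ordering described above: a proxy whose pool pointer is cleared on cancel, and a destination handler that checks that pointer before using it. ProcessPool, NetworkProcess and decideAfterCancel are simplified stand-ins; only the names DownloadProxy, m_processPool and decideDestinationWithSuggestedFilenameAsync come from the report.

```cpp
#include <functional>
#include <string>

// Constructed stand-in for the network process the real proxy forwards the decision to.
struct NetworkProcess {
    std::string lastDestination;
    void continueDecidingDestination(const std::string& path) { lastDestination = path; }
};
// Constructed stand-in for WebKit's process pool; only the accessor used in the bug is modelled.
struct ProcessPool {
    NetworkProcess* networkProcess() { return &m_networkProcess; }
    NetworkProcess m_networkProcess;
};

using DecisionHandler = std::function<bool(const std::string&)>;

class DownloadProxy {
public:
    explicit DownloadProxy(ProcessPool* pool) : m_processPool(pool) {}

    // What DownloadProxyMap does to the proxy when the download is canceled.
    void invalidate() { m_processPool = nullptr; }

    // Hands the client a handler it may invoke later, possibly after invalidate() has run.
    // Returns true if the decision reached the network process, false if it was dropped.
    DecisionHandler decideDestinationWithSuggestedFilenameAsync() {
        return [this](const std::string& destination) {
            // The fix: without this check, m_processPool->networkProcess() dereferences null.
            if (!m_processPool)
                return false;
            if (auto* networkProcess = m_processPool->networkProcess()) {
                networkProcess->continueDecidingDestination(destination);
                return true;
            }
            return false;
        };
    }
private:
    ProcessPool* m_processPool;
};

// Replays the ordering from the report: handler outstanding, download canceled, handler invoked.
// The handler is still called (so a call checker is satisfied) but safely does nothing.
bool decideAfterCancel(bool cancelFirst) {
    ProcessPool pool;
    DownloadProxy proxy(&pool);
    DecisionHandler handler = proxy.decideDestinationWithSuggestedFilenameAsync();
    if (cancelFirst)
        proxy.invalidate();
    return handler("/tmp/download.bin"); // constructed destination path
}
```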
Comment 1 Radar WebKit Bug Importer 2018-11-17 12:22:36 PST
<rdar://problem/46151509>
Comment 2 David Quesada 2018-11-19 00:48:25 PST
Created attachment 355258 [details]
Patch
Comment 3 WebKit Commit Bot 2018-11-19 14:52:49 PST
Comment on attachment 355258 [details]
Patch

Clearing flags on attachment: 355258

Committed r238381: <https://trac.webkit.org/changeset/238381>
Comment 4 WebKit Commit Bot 2018-11-19 14:52:50 PST
All reviewed patches have been landed.  Closing bug.
Comment 5 Alex Christensen 2018-11-26 09:22:24 PST
Comment on attachment 355258 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=355258&action=review

> Tools/TestWebKitAPI/Tests/WebKitCocoa/Download.mm:30
> +#if PLATFORM(MAC) || PLATFORM(IOS)

Let's just remove this.