Bug 191762

Summary: EXC_BAD_ACCESS when invoking a DownloadProxy's destination decision handler after the download has been canceled
Product: WebKit Reporter: David Quesada <david_quesada>
Component: WebKit2Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: achristensen, ap, beidson, commit-queue, dino, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Test case
none
Patch none

David Quesada
Reported 2018-11-16 11:48:41 PST
Created attachment 355089 [details] Test case If a DownloadProxy is invalidated while the DownloadClient is deciding the destination, then the app will crash when the decision handler is called. The troublesome line of code is in DownloadProxy::decideDestinationWithSuggestedFilenameAsync: if (auto* networkProcess = m_processPool->networkProcess()) m_processPool is null (due to the DownloadProxyMap invalidating the proxy when the download is canceled), so you get an invalid memory access trying to get the process pool's m_networkProcess. So if you get unlucky and the UI process gets notified that the download has been canceled while the destination decision handler is still outstanding, you have three terrible options: - Call the decision handler and crash. - Don't call the decision handler, and crash due to CompletionHandlerCallChecker getting upset. - Strategically deallocate the handler block and @try/@catch the resulting exception to stay alive. The code in decideDestinationWithSuggestedFilenameAsync()'s handler should check that m_processPool in non-null before trying to access its network process.
Attachments
Test case (1.29 KB, text/x-objcsrc)
2018-11-16 11:48 PST, David Quesada 		no flags
Details
Patch (14.71 KB, patch)
2018-11-19 00:48 PST, David Quesada 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2018-11-17 12:22:36 PST
<rdar://problem/46151509>
David Quesada
Comment 2 2018-11-19 00:48:25 PST
Created attachment 355258 [details] Patch
WebKit Commit Bot
Comment 3 2018-11-19 14:52:49 PST
Comment on attachment 355258 [details] Patch Clearing flags on attachment: 355258 Committed r238381: <https://trac.webkit.org/changeset/238381>
WebKit Commit Bot
Comment 4 2018-11-19 14:52:50 PST
All reviewed patches have been landed. Closing bug.
Alex Christensen
Comment 5 2018-11-26 09:22:24 PST
Comment on attachment 355258 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=355258&action=review > Tools/TestWebKitAPI/Tests/WebKitCocoa/Download.mm:30 > +#if PLATFORM(MAC) || PLATFORM(IOS) Let's just remove this.
Note You need to log in before you can comment on or make changes to this bug.