Bug 203620

Summary: [SOUP] HSTS Support causes page loading to fail with "Operation was cancelled"
Product: WebKit Reporter: Patrick Griffis <pgriffis>
Component: WebKitGTKAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: bugs-noreply, cgarcia, csaavedra, mcatanzaro
Priority: P2    
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=204736
Attachments:
Description Flags
Patch mcatanzaro: review+

Description Patrick Griffis 2019-10-30 11:26:16 PDT 
Steps to reproduce:

Load HSTS using site like `http://google.com`, upon redirection it will often but not always fail.

It also hits the soupRequest assertion in `NetworkDataTaskSoup::sendRequestCallback()` in these cases.



Modifying libsoup to never return a policy made the issue go away.

This was originally reported against GLib: https://gitlab.gnome.org/GNOME/glib/issues/1891
Comment 1 Claudio Saavedra 2019-10-31 03:42:33 PDT 
I can hit this in ephy but not in minibrowser.
Comment 2 Michael Catanzaro 2019-11-08 06:55:35 PST 
Just hit this bug twice in a row when loading http://webkitgtk.org. On the third attempt, the load worked. I can no longer reproduce.
Comment 3 Claudio Saavedra 2019-11-11 04:53:01 PST 
MiniBrowser or Epiphany?
Comment 4 Michael Catanzaro 2019-11-11 05:24:49 PST 
Epiphany
Comment 5 Claudio Saavedra 2019-11-11 05:29:24 PST 
I'm wondering if it's possible that the issue is in Epiphany.. because I couldn't reproduce this at all in MiniBrowser.
Comment 6 Michael Catanzaro 2019-11-11 06:31:14 PST 
(In reply to Patrick Griffis from comment #0)
> Steps to reproduce:
> 
> Load HSTS using site like `http://google.com`, upon redirection it will
> often but not always fail.
> 
> It also hits the soupRequest assertion in
> `NetworkDataTaskSoup::sendRequestCallback()` in these cases.

Well you're hitting an assertion in WebKit network process. That's definitely not Epiphany's fault.
Comment 7 Patrick Griffis 2019-11-11 14:47:33 PST 
Also I used Cog+WPE for reproducing this, Epiphany isn't relevant.
Comment 8 Michael Catanzaro 2019-12-09 12:47:42 PST 
Ping, this is important....
Comment 9 Carlos Garcia Campos 2019-12-16 01:47:07 PST 
I've never seen this error and I can't reproduce it.
Comment 10 Michael Catanzaro 2019-12-16 05:47:24 PST 
It has never been reproducible. But fortunately, Patrick has already debugged it fairly well:

(In reply to Patrick Griffis from comment #0)
> It also hits the soupRequest assertion in
> `NetworkDataTaskSoup::sendRequestCallback()` in these cases.
> 
> 
> 
> Modifying libsoup to never return a policy made the issue go away.
Comment 11 Patrick Griffis 2019-12-16 19:53:44 PST 
With wpewebkit-2.27.1 I can reproduce extremely consistently.

Changing no deps but running against r253428 (git ac429352178b2ff4460e775cfd4b1fb79621d4ad) I cannot reproduce at all.

So I'm inclined to believe it was resolved unless Michael can reproduce it against trunk.
Comment 12 Michael Catanzaro 2019-12-17 08:07:41 PST 
I've never been able to reproduce it consistently. So if you're confident it's solved, then that's great. It's very weird an issue like this would just resolve itself, though.
Comment 13 Michael Catanzaro 2019-12-17 08:11:10 PST 
(In reply to Michael Catanzaro from comment #12)
> I've never been able to reproduce it consistently.

I went back and built WebKitGTK 2.27.1, deleted my HSTS database, and loaded http://google.com. I was successfully redirected to https. Then I closed Epiphany, deleted my HSTS database again, and repeated the process several times. I was never able to reproduce. So we'll need to rely on your observations here.

Of course, I'll reopen if I see it again.
Comment 14 Carlos Garcia Campos 2020-01-03 07:14:32 PST 
I can reproduce this now with WPE MiniBrowser and cog. The problem is that we are assuming that request cancellation happens synchronously, but it can happen that the async ready callback for the previous request is called after the new one has started.
Comment 15 Carlos Garcia Campos 2020-01-03 07:16:52 PST 
Created attachment 386681 [details]
Patch
Comment 16 Michael Catanzaro 2020-01-03 09:00:26 PST 
Comment on attachment 386681 [details]
Patch

Aha, nice find!

One problem though: the user data parameter NetworkDataTaskSoup* task is passed to this callback using leakRef(), but now you've added this new early return before the ref is adopted, causing the task to leak. So this needs to go down below that at least. How about like this:

RefPtr<NetworkDataTaskSoup> protectedThis = adoptRef(task);
if (soupRequest != task->m_soupRequest.get()) {
    // ...
}
if (task->state() == State::Canceling || task->state() == State::Completed || !task->m_client) {
    // ...
}
Comment 17 Michael Catanzaro 2020-01-03 09:02:28 PST 
(In reply to Michael Catanzaro from comment #16)
> RefPtr<NetworkDataTaskSoup> protectedThis = adoptRef(task);

Well, also protectedThis is the wrong name because it's not a protector, it's just required to adopt the ref.
Comment 18 Michael Catanzaro 2020-01-03 20:49:02 PST 
Comment on attachment 386681 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=386681&action=review

> Source/WebKit/NetworkProcess/soup/NetworkDataTaskSoup.cpp:310
>      RefPtr<NetworkDataTaskSoup> protectedThis = adoptRef(task);

Maybe we should do a global search to see if we have more places where the words "protected" or "protector" and "adopt" appear on the same line. Seems that will almost always indicate either a misnamed variable or, potentially, a bug. If it really *was* a protector (no adopt), then your change would have been fine as-is. I think you got tricked by the incorrect name.
Comment 19 Carlos Garcia Campos 2020-01-05 05:20:17 PST 
You are right, and it was indeed the name protectedThis what confused me.
Comment 20 Carlos Garcia Campos 2020-01-07 01:58:08 PST 
Committed r254119: <https://trac.webkit.org/changeset/254119>