Bug 46536

Summary: REGRESSION (r68260): Crash in PlatformCertificateInfo::~PlatformCertificateInfo when navigating away from Gmail
Product: WebKit
Reporter: Adam Roben (:aroben) <aroben>
Component: WebKit2
Assignee: Adam Roben (:aroben) <aroben>
Status: RESOLVED FIXED
Severity: Normal
CC: sam
Priority: P2
Keywords: InRadar, PlatformOnly, Regression
Version: 528+ (Nightly build)
Hardware: PC
OS: Windows XP
Attachments:
Don't double-free CERT_CONTEXTs when copying PlatformCertificateInfos on Windows (flags: none)
Don't double-free CERT_CONTEXTs when copying PlatformCertificateInfos on Windows (flags: sam: review+)

Description Adam Roben (:aroben) 2010-09-24 16:14:37 PDT
To reproduce:

1. Go to http://gmail.com/ in WebKit2
2. Go to some other page

You'll crash in PlatformCertificateInfo::~PlatformCertificateInfo. Here's the backtrace:
 	crypt32.dll!ReleaseContextElement()  + 0x18 bytes	
 	crypt32.dll!_CertFreeCertificateContext@4()  + 0x15 bytes	
>	WebKit.dll!WebKit::PlatformCertificateInfo::~PlatformCertificateInfo()  Line 63 + 0xe bytes	C++
 	WebKit.dll!WebKit::WebCertificateInfo::~WebCertificateInfo()  + 0x19 bytes	C++
 	WebKit.dll!WebKit::WebCertificateInfo::`scalar deleting destructor'()  + 0x16 bytes	C++
 	WebKit.dll!WTF::RefCounted<WebKit::APIObject>::deref()  Line 139 + 0x3a bytes	C++
 	WebKit.dll!WTF::derefIfNotNull<WebKit::WebCertificateInfo>(WebKit::WebCertificateInfo * ptr=0x099888e8)  Line 59	C++
 	WebKit.dll!WTF::RefPtr<WebKit::WebCertificateInfo>::operator=(const WTF::PassRefPtr<WebKit::WebCertificateInfo> & o={...})  Line 140 + 0x9 bytes	C++
 	WebKit.dll!WebKit::WebFrameProxy::setCertificateInfo(WTF::PassRefPtr<WebKit::WebCertificateInfo> certificateInfo={...})  Line 69	C++
 	WebKit.dll!WebKit::WebPageProxy::didCommitLoadForFrame(WebKit::WebFrameProxy * frame=0x0987a0b8, const WebKit::PlatformCertificateInfo & certificateInfo={...}, WebKit::APIObject * userData=0x00000000)  Line 1038	C++
 	WebKit.dll!WebKit::WebPageProxy::didReceiveMessage(CoreIPC::Connection * connection=0x08cda7a8, CoreIPC::MessageID messageID={...}, CoreIPC::ArgumentDecoder * arguments=0x0aa1cac8)  Line 616	C++
 	WebKit.dll!WebKit::WebProcessProxy::didReceiveMessage(CoreIPC::Connection * connection=0x08cda7a8, CoreIPC::MessageID messageID={...}, CoreIPC::ArgumentDecoder * arguments=0x0aa1cac8)  Line 356	C++
 	WebKit.dll!CoreIPC::Connection::dispatchMessages()  Line 278 + 0x33 bytes	C++
 	WebKit.dll!MemberFunctionWorkItem0<CoreIPC::Connection>::execute()  Line 74 + 0x10 bytes	C++
 	WebKit.dll!RunLoop::performWork()  Line 62 + 0x1a bytes	C++
 	WebKit.dll!RunLoop::wndProc(HWND__ * hWnd=0x000b0a82, unsigned int message=1025, unsigned int wParam=106901664, long lParam=0)  Line 56	C++
 	WebKit.dll!RunLoop::RunLoopWndProc(HWND__ * hWnd=0x000b0a82, unsigned int message=1025, unsigned int wParam=106901664, long lParam=0)  Line 38 + 0x18 bytes	C++
Comment 1 Adam Roben (:aroben) 2010-09-24 16:14:55 PDT
Luckily, I have a fix!
Comment 2 Adam Roben (:aroben) 2010-09-24 16:15:48 PDT
<rdar://problem/8477292>
Comment 3 Adam Roben (:aroben) 2010-09-27 06:09:03 PDT
Created attachment 68899 [details]
Don't double-free CERT_CONTEXTs when copying PlatformCertificateInfos on Windows
Comment 4 Sam Weinig 2010-09-27 06:14:13 PDT
Comment on attachment 68899 [details]
Don't double-free CERT_CONTEXTs when copying PlatformCertificateInfos on Windows

View in context: https://bugs.webkit.org/attachment.cgi?id=68899&action=review

> WebKit2/Shared/win/PlatformCertificateInfo.cpp:77
> +PlatformCertificateInfo& PlatformCertificateInfo::operator=(const PlatformCertificateInfo& other)
> +{
> +    if (m_certificateContext)
> +        ::CertFreeCertificateContext(m_certificateContext);
> +    m_certificateContext = ::CertDuplicateCertificateContext(other.m_certificateContext);
> +    return *this;
> +}
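Review bot: self-assignment is unhandled in this operator= (PlatformCertificateInfo.cpp:77): when `&other == this`, `::CertFreeCertificateContext(m_certificateContext)` drops the only reference before `::CertDuplicateCertificateContext(other.m_certificateContext)` reads the same, now released, context. Either return early on `if (this == &other)`, or take the duplicate into a local first and free the old context afterwards, which makes self-assignment safe without a branch. The hunk shown covers only operator=; the copy constructor needs the same CertDuplicateCertificateContext treatment, or a compiler-generated shallow copy would still share the raw handle that this patch is meant to stop sharing.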

We should try and handle the self-assignment case here.
Comment 5 Adam Roben (:aroben) 2010-09-27 06:19:57 PDT
Created attachment 68901 [details]
Don't double-free CERT_CONTEXTs when copying PlatformCertificateInfos on Windows
Comment 6 Adam Roben (:aroben) 2010-09-27 06:29:36 PDT
Committed r68387: <http://trac.webkit.org/changeset/68387>
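The bug class in this report (an owning raw CERT_CONTEXT handle copied by the compiler-generated copy operations, so two owners release one reference) and the ordering point raised in Comment 4 can both be exercised without Windows. The following is an added example, not WebKit code and not the patch from attachment 68899 or 68901: it models crypt32's reference-counted handle with a portable fake (CertDuplicateCertificateContext adds a reference, CertFreeCertificateContext drops one), then runs the buggy shape, the free-then-duplicate ordering from the reviewed hunk, and a duplicate-first copy implementation. All `Fake*` names, `BuggyCertificateInfo`, `FixedCertificateInfo` and the two counters are constructions for this example.

```cpp
// Added example, not WebKit code. A portable stand-in for crypt32's
// reference-counted CERT_CONTEXT so the double free, the free-then-duplicate
// ordering and the safe copy semantics can be run and checked anywhere.
#include <memory>
#include <vector>

struct FakeCertContext {
    int refCount = 1;
    bool released = false;  // set when the last reference is dropped
};

// The registry owns every context for the life of the program. Nothing is
// deallocated, so a reused address can never disguise a double free.
static std::vector<std::unique_ptr<FakeCertContext>>& registry() {
    static std::vector<std::unique_ptr<FakeCertContext>> r;
    return r;
}
static int g_doubleFrees = 0;    // frees of an already-released context
static int g_useAfterFrees = 0;  // duplicates of an already-released context

FakeCertContext* fakeCreateContext() {
    registry().emplace_back(new FakeCertContext());
    return registry().back().get();
}

// Stands in for CertDuplicateCertificateContext: one more reference.
FakeCertContext* fakeDuplicateContext(FakeCertContext* c) {
    if (!c)
        return nullptr;
    if (c->released) {
        ++g_useAfterFrees;  // with real crypt32 the memory may already be gone
        return nullptr;
    }
    ++c->refCount;
    return c;
}

// Stands in for CertFreeCertificateContext: one reference fewer.
void fakeFreeContext(FakeCertContext* c) {
    if (!c)
        return;
    if (c->released) {
        ++g_doubleFrees;  // the crash in the backtrace above
        return;
    }
    if (--c->refCount == 0)
        c->released = true;
}

// Shape of the bug: an owning raw handle with a destructor but no
// user-declared copy operations. The implicit copy duplicates the pointer
// without adding a reference, so two owners share one reference.
struct BuggyCertificateInfo {
    explicit BuggyCertificateInfo(FakeCertContext* c) : ctx(c) {}
    ~BuggyCertificateInfo() { fakeFreeContext(ctx); }
    FakeCertContext* ctx;
};

// Fixed shape: every copy takes its own reference. Assignment duplicates
// first and frees second, so `a = a` never touches a released context and
// needs no explicit self-assignment branch.
class FixedCertificateInfo {
public:
    explicit FixedCertificateInfo(FakeCertContext* c = nullptr) : m_ctx(c) {}
    FixedCertificateInfo(const FixedCertificateInfo& o) : m_ctx(fakeDuplicateContext(o.m_ctx)) {}
    FixedCertificateInfo& operator=(const FixedCertificateInfo& o) {
        FakeCertContext* fresh = fakeDuplicateContext(o.m_ctx);  // +1 on the source
        fakeFreeContext(m_ctx);                                  // -1 on what we held
        m_ctx = fresh;
        return *this;
    }
    ~FixedCertificateInfo() { fakeFreeContext(m_ctx); }
    FakeCertContext* get() const { return m_ctx; }
private:
    FakeCertContext* m_ctx;
};

// The ordering from the reviewed hunk (free the old context, then duplicate
// the other's) on raw handles. With dst == src the duplicate runs on a
// context that was released one line earlier.
FakeCertContext* assignFreeThenDuplicate(FakeCertContext*& dst, FakeCertContext* src) {
    fakeFreeContext(dst);
    dst = fakeDuplicateContext(src);
    return dst;
}

// Reproduces the report: one copy, two destructors, one reference.
int buggyDoubleFrees() {
    g_doubleFrees = 0;
    {
        BuggyCertificateInfo a(fakeCreateContext());
        BuggyCertificateInfo b = a;  // shallow copy of the handle
    }                                // a and b both free the same context
    return g_doubleFrees;
}

// Self-assignment with the hunk's ordering: a use after free.
int hunkOrderSelfAssignUseAfterFrees() {
    g_useAfterFrees = 0;
    FakeCertContext* p = fakeCreateContext();
    assignFreeThenDuplicate(p, p);
    return g_useAfterFrees;
}

// The fixed class through copy, assignment and self-assignment: the shared
// context stays alive while anyone holds it and is released exactly once.
bool fixedHandlesCopiesAndSelfAssign() {
    g_doubleFrees = 0;
    g_useAfterFrees = 0;
    FakeCertContext* shared = fakeCreateContext();
    {
        FixedCertificateInfo a(shared);
        FixedCertificateInfo b = a;               // refCount 2
        FixedCertificateInfo c(fakeCreateContext());
        c = a;                                    // c's old context released, refCount 3
        FixedCertificateInfo& alias = c;
        c = alias;                                // self-assignment, still 3
        if (shared->refCount != 3 || shared->released || c.get() != shared)
            return false;
    }
    return shared->released && g_doubleFrees == 0 && g_useAfterFrees == 0;
}
```

The duplicate-first ordering in `FixedCertificateInfo::operator=` is the general answer to the review comment: taking the new reference before dropping the old one makes self-assignment a no-op on the reference count, so no `this == &other` branch is needed and a later refactor cannot drop it by accident. The same reasoning applies to any Windows handle type that pairs a `Duplicate*` call with a `Free*`/`Close*` call.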