Since r217206, Connection::readBytesFromSocket() validates the size of the control message. However, it compares cmsg_len with attachmentMaxAmount, while Connection::sendOutgoingMessage() computes it as CMSG_LEN(sizeof(int) * attachmentFDBufferLength), where attachmentFDBufferLength <= attachmentMaxAmount. This mismatch between sender and receiver leads to the possibility of an assertion failure with a large number of attachments, e.g. here 62 attachments have cmsg_length == 264.
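The sender/receiver mismatch described in the report, as an added C example that is not WebKit's code: it builds an SCM_RIGHTS control message the way the sender does (cmsg_len = CMSG_LEN(sizeof(int) * n)), sends it over a socketpair, and reports the cmsg_len the receiver observes; the fd-count limit ATTACHMENT_MAX_AMOUNT is an assumed placeholder, not the real attachmentMaxAmount, and the buggy/fixed validators only illustrate the two comparisons the report contrasts.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Assumed placeholder for the fd-count limit; the real attachmentMaxAmount is not given on this page. */
#define ATTACHMENT_MAX_AMOUNT 255

/* Control-message length the sender computes for n descriptors: a byte count, not an fd count. */
size_t expected_cmsg_len(size_t n) { return CMSG_LEN(sizeof(int) * n); }

/* Receiver check as the report describes it: a byte length compared against an fd count. */
int validate_buggy(size_t cmsg_len) { return cmsg_len <= ATTACHMENT_MAX_AMOUNT; }

/* Receiver check that mirrors the sender's computation. */
int validate_fixed(size_t cmsg_len) { return cmsg_len <= CMSG_LEN(sizeof(int) * ATTACHMENT_MAX_AMOUNT); }

/* Sends n copies of one fd over a socketpair and returns the cmsg_len the receiver observes (0 on error). */
size_t observed_cmsg_len(size_t n) {
    int sv[2];
    if (n == 0 || n > ATTACHMENT_MAX_AMOUNT || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return 0;
    union { char bytes[CMSG_SPACE(sizeof(int) * ATTACHMENT_MAX_AMOUNT)]; struct cmsghdr align; } ctrl;
    char payload = 'x';
    struct iovec iov = { .iov_base = &payload, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = ctrl.bytes, .msg_controllen = CMSG_SPACE(sizeof(int) * n) };
    struct cmsghdr *cmsg = CMSG_FIRSTHDR(&msg);
    cmsg->cmsg_level = SOL_SOCKET;
    cmsg->cmsg_type = SCM_RIGHTS;
    cmsg->cmsg_len = expected_cmsg_len(n);            /* same computation as the sender side */
    int *fds = (int *)CMSG_DATA(cmsg);
    for (size_t i = 0; i < n; i++) fds[i] = sv[0];    /* any open fd will do; repeated on purpose */
    size_t seen = 0;
    if (sendmsg(sv[0], &msg, 0) == 1) {
        memset(&ctrl, 0, sizeof ctrl);
        msg.msg_controllen = sizeof ctrl;
        if (recvmsg(sv[1], &msg, 0) == 1 && (cmsg = CMSG_FIRSTHDR(&msg)) && cmsg->cmsg_type == SCM_RIGHTS) {
            seen = cmsg->cmsg_len;
            int *received = (int *)CMSG_DATA(cmsg);   /* close the fds the kernel installed for us */
            for (size_t i = 0; i < (seen - CMSG_LEN(0)) / sizeof(int); i++) close(received[i]);
        }
    }
    close(sv[0]);
    close(sv[1]);
    return seen;
}

int main(void) {
    size_t len = observed_cmsg_len(62);
    printf("62 fds -> cmsg_len %zu (sender computes %zu)\n", len, expected_cmsg_len(62));
    printf("buggy check: %s, fixed check: %s\n", validate_buggy(len) ? "accept" : "reject",
           validate_fixed(len) ? "accept" : "reject");
    return 0;
}
```

On 64-bit Linux, where sizeof(struct cmsghdr) is 16, 62 descriptors give cmsg_len 16 + 62 * 4 = 264, the value quoted in the report.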
Created attachment 351598 [details] Patch
Comment on attachment 351598 [details]
Patch

Oh wow, good find.

Under what scenario were you hitting this failure? Any way to write a test?

Can you add it to https://trac.webkit.org/wiki/WebKitGTK/2.22.x (for 2.22.3) after landing, please?
(In reply to Michael Catanzaro from comment #2)
> Comment on attachment 351598 [details]
> Patch
>
> Oh wow, good find.
>
> Under what scenario were you hitting this failure?

It was reproducing with QtWebKit, but not with the GTK port. I guess the behavior is different because Qt uses UI-side compositing, which is probably the reason why there are so many attachments.

> Any way to write a test?

No idea off the top of my head.

> Can you add it to https://trac.webkit.org/wiki/WebKitGTK/2.22.x (for 2.22.3)
> after landing, please?

Sure
Comment on attachment 351598 [details]
Patch

Clearing flags on attachment: 351598

Committed r236928: <https://trac.webkit.org/changeset/236928>
All reviewed patches have been landed. Closing bug.
<rdar://problem/45098148>