Bug 191762 - EXC_BAD_ACCESS when invoking a DownloadProxy's destination decision handler after the download has been canceled
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit2
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
Keywords: InRadar
Reported: 2018-11-16 11:48 PST by David Quesada
Modified: 2018-11-26 09:22 PST

Test case (1.29 KB, text/x-objcsrc)
2018-11-16 11:48 PST, David Quesada
Patch (14.71 KB, patch)
2018-11-19 00:48 PST, David Quesada

Description David Quesada 2018-11-16 11:48:41 PST
Created attachment 355089 [details]
Test case

If a DownloadProxy is invalidated while the DownloadClient is deciding the destination, then the app will crash when the decision handler is called. The troublesome line of code is in DownloadProxy::decideDestinationWithSuggestedFilenameAsync:

    if (auto* networkProcess = m_processPool->networkProcess())

m_processPool is null (due to the DownloadProxyMap invalidating the proxy when the download is canceled), so you get an invalid memory access trying to get the process pool's m_networkProcess.

So if you get unlucky and the UI process gets notified that the download has been canceled while the destination decision handler is still outstanding, you have three terrible options:
- Call the decision handler and crash.
- Don't call the decision handler, and crash due to CompletionHandlerCallChecker getting upset.
- Strategically deallocate the handler block and @try/@catch the resulting exception to stay alive.

The code in decideDestinationWithSuggestedFilenameAsync()'s handler should check that m_processPool is non-null before trying to access its network process.
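
An added example, not part of the original report and not WebKit's code or the landed patch: a minimal C++ model of the situation described above, in which the decision handler checks the pool pointer before using it, so a call that arrives after the cancel is dropped instead of dereferencing null. `Proxy`, `ProcessPool`, `NetworkProcess`, `decide` and the `shared_ptr` capture are hypothetical stand-ins chosen for the illustration.

```cpp
#include <functional>
#include <memory>
#include <string>

// Hypothetical stand-ins for illustration; these are not WebKit's classes.
struct NetworkProcess {
    std::string destination;
    void continueDecideDestination(const std::string& path) { destination = path; }
};

struct ProcessPool {
    NetworkProcess process;
    NetworkProcess* networkProcess() { return &process; }
};

class Proxy : public std::enable_shared_from_this<Proxy> {
public:
    explicit Proxy(ProcessPool* pool) : m_processPool(pool) {}
    // Canceling the download invalidates the proxy and drops its pool pointer.
    void invalidate() { m_processPool = nullptr; }
    // Returns the decision handler; the client may call it at any later time.
    std::function<bool(const std::string&)> decideDestinationAsync() {
        auto self = shared_from_this(); // assumption: keeps the proxy alive for the handler
        return [self](const std::string& path) {
            if (!self->m_processPool) // invalidated while the decision was pending
                return false;
            if (auto* networkProcess = self->m_processPool->networkProcess()) {
                networkProcess->continueDecideDestination(path);
                return true;
            }
            return false;
        };
    }
private:
    ProcessPool* m_processPool;
};

// Runs one decision; cancelFirst simulates the cancel arriving before the reply.
bool decide(bool cancelFirst) {
    ProcessPool pool;
    auto proxy = std::make_shared<Proxy>(&pool);
    auto handler = proxy->decideDestinationAsync();
    if (cancelFirst)
        proxy->invalidate();
    const std::string path = "/tmp/constructed-download.bin"; // constructed sample path
    return handler(path) && pool.process.destination == path;
}

int main() { return (decide(false) && !decide(true)) ? 0 : 1; }
```

The handler is still invoked exactly once in both orderings, which is what a completion-handler call checker expects; only the forwarding to the network process is skipped after invalidation.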
Comment 1 Radar WebKit Bug Importer 2018-11-17 12:22:36 PST
Comment 2 David Quesada 2018-11-19 00:48:25 PST
Created attachment 355258 [details]
Comment 3 WebKit Commit Bot 2018-11-19 14:52:49 PST
Comment on attachment 355258 [details]

Clearing flags on attachment: 355258

Committed r238381: <https://trac.webkit.org/changeset/238381>
Comment 4 WebKit Commit Bot 2018-11-19 14:52:50 PST
All reviewed patches have been landed.  Closing bug.
Comment 5 Alex Christensen 2018-11-26 09:22:24 PST
Comment on attachment 355258 [details]

View in context: https://bugs.webkit.org/attachment.cgi?id=355258&action=review

> Tools/TestWebKitAPI/Tests/WebKitCocoa/Download.mm:30

Let's just remove this.