Bug 194144 - Network Process crash when resuming downloads: '-[__NSDictionaryI setObject:forKey:]: unrecognized selector sent to instance %p'
Summary: Network Process crash when resuming downloads: '-[__NSDictionaryI setObject:f...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit2 (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2019-01-31 22:49 PST by David Quesada
Modified: 2019-02-01 15:08 PST (History)
5 users (show)

See Also:

Attachments
Patch (2.62 KB, patch)
2019-02-01 09:39 PST, David Quesada 		no flags Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description David Quesada 2019-01-31 22:49:27 PST 
rdar://problem/47553456
Comment 1 David Quesada 2019-01-31 22:54:59 PST 
Resuming a download occasionally causes a Network Process crash due to an uncaught NSInvalidArgumentException. In Download::resume(), we decode the root object from the resume data, assume it's a mutable dictionary (with no type checking), and try to -setObject:forKey: it.
Comment 2 David Quesada 2019-02-01 09:39:16 PST 
Created attachment 360866 [details]
Patch
Comment 3 Geoffrey Garen 2019-02-01 13:26:55 PST 
Comment on attachment 360866 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=360866&action=review

> Source/WebKit/NetworkProcess/Downloads/cocoa/DownloadCocoa.mm:61
> +    auto dictionary = adoptNS(static_cast<NSMutableDictionary *>([[unarchiver decodeObjectOfClasses:plistClasses forKey:@"NSKeyedArchiveRootObjectKey"] mutableCopy]));

Why do we pass plistClasses to decodeObjectOfClasses? My reading of this code is that any root object class other than NSDictionary would be an error.

Should we just decodeObjectOfClass: [NSDictionary class]?
Comment 4 David Quesada 2019-02-01 13:45:45 PST 
(In reply to Geoffrey Garen from comment #3)
> Comment on attachment 360866 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=360866&action=review
> 
> > Source/WebKit/NetworkProcess/Downloads/cocoa/DownloadCocoa.mm:61
> > +    auto dictionary = adoptNS(static_cast<NSMutableDictionary *>([[unarchiver decodeObjectOfClasses:plistClasses forKey:@"NSKeyedArchiveRootObjectKey"] mutableCopy]));
> 
> Why do we pass plistClasses to decodeObjectOfClasses? My reading of this
> code is that any root object class other than NSDictionary would be an error.
> 
> Should we just decodeObjectOfClass: [NSDictionary class]?

That won't work. The class whitelist also applies to the objects being decoded by the dictionary. So if we only allow decoding NSDictionary, we wouldn't get any object unless the resume data is a dictionary that only contains other dictionaries as objects (which themselves can only contain dictionaries as objects, recursively).
Comment 5 Geoffrey Garen 2019-02-01 14:31:21 PST 
Comment on attachment 360866 [details]
Patch

r=me
Comment 6 WebKit Commit Bot 2019-02-01 15:08:53 PST 
Comment on attachment 360866 [details]
Patch

Clearing flags on attachment: 360866

Committed r240881: <https://trac.webkit.org/changeset/240881>
Comment 7 WebKit Commit Bot 2019-02-01 15:08:55 PST 
All reviewed patches have been landed.  Closing bug.