RESOLVED FIXED 199063
WebURLSchemeHandlerProxy::loadSynchronously crash with sync request
https://bugs.webkit.org/show_bug.cgi?id=199063
Jin
Reported 2019-06-20 01:20:57 PDT
The problem code is the following:

    void WebURLSchemeHandlerProxy::loadSynchronously(ResourceLoadIdentifier loadIdentifier, const ResourceRequest& request, ResourceResponse& response, ResourceError& error, Vector<char>& data)
    {
        IPC::DataReference dataReference;
        if (!m_webPage.sendSync(Messages::WebPageProxy::LoadSynchronousURLSchemeTask(URLSchemeTaskParameters { m_identifier, loadIdentifier, request }), Messages::WebPageProxy::LoadSynchronousURLSchemeTask::Reply(response, error, dataReference))) {
            error = failedCustomProtocolSyncLoad(request);
            return;
        }

        data.resize(dataReference.size());
        memcpy(data.data(), dataReference.data(), dataReference.size());
    }

The "IPC::DataReference dataReference;" just "references" the data from sendSync but does not "copy" it. When the sendSync function pops its stack frame, the data is deallocated, so dataReference becomes a wild pointer.

Steps:
1. Set up a custom scheme:
    UCWKURLSchemeHandler *handler = [[UCWKURLSchemeHandler alloc] init];
    [configuration setURLSchemeHandler:handler forURLScheme:@"uc"];
2. Enable the "Malloc Scribble" debug environment.
3. Set a breakpoint in WebURLSchemeHandlerProxy::loadSynchronously at the line "data.resize(dataReference.size());".
4. Launch the iOS Simulator.
5. Send a *sync* XMLHttpRequest with the custom scheme.

Result: check the value of "dataReference". You can see my screenshot. The result is the same on the macOS version.
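The mechanism the report describes, as an added, self-contained model that is not WebKit code and not the patch that landed: a non-owning pointer-plus-length view (the shape of IPC::DataReference) is handed a pointer into the decoded sync reply; the reply object is a local of the sendSync frame, so once sendSync returns the view points at torn-down memory. The ReplyDecoder, the arena it writes into, the lambda-style reply handler and the two loadSynchronously* functions are all assumptions of this model. To keep the demonstration deterministic (reading freed heap memory is undefined behaviour), the reply bytes live in a static arena that the decoder's destructor overwrites with 0x55, which is the fill pattern MallocScribble applies to freed allocations and what the reporter's breakpoint would show. The fixed variant copies the bytes into the owning vector while the reply is still alive.

```cpp
// Added example, not WebKit source: models a DataReference-style view into a
// sync IPC reply dangling once the reply is destroyed, and the copy-while-alive fix.
#include <algorithm>
#include <cassert>
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// Non-owning view, like IPC::DataReference: pointer + length, no ownership.
struct DataReference {
    const char* ptr = nullptr;
    size_t len = 0;
    const char* data() const { return ptr; }
    size_t size() const { return len; }
};

// Assumed stand-in for the decoded reply. Its bytes live in a fixed arena so
// the torn-down memory can be read back without undefined behaviour; the
// destructor scribbles 0x55 over it, the pattern MallocScribble uses on free.
static char g_replyArena[64];

struct ReplyDecoder {
    size_t len;
    explicit ReplyDecoder(const std::string& payload)
        : len(std::min(payload.size(), sizeof g_replyArena)) {
        memcpy(g_replyArena, payload.data(), len);
    }
    ~ReplyDecoder() { memset(g_replyArena, 0x55, sizeof g_replyArena); }
    DataReference bytes() const { return { g_replyArena, len }; }
};

// Models sendSync(): the decoder is a local of this frame, so anything the
// reply handler merely borrowed from it is gone when this function returns.
template <typename ReplyHandler>
bool sendSync(const std::string& payloadFromUIProcess, ReplyHandler handle) {
    ReplyDecoder decoder(payloadFromUIProcess);
    handle(decoder);
    return true;
}   // decoder destroyed here; the arena is scribbled

// Buggy shape: the DataReference outlives the reply and is read afterwards.
std::vector<char> loadSynchronouslyBuggy(const std::string& payload) {
    DataReference dataReference;
    sendSync(payload, [&](const ReplyDecoder& d) { dataReference = d.bytes(); });
    std::vector<char> data(dataReference.size());
    // Reads memory that was torn down when sendSync returned: all 0x55 here.
    memcpy(data.data(), dataReference.data(), dataReference.size());
    return data;
}

// Fixed shape: copy into the owning vector while the reply is still alive.
std::vector<char> loadSynchronouslyFixed(const std::string& payload) {
    std::vector<char> data;
    sendSync(payload, [&](const ReplyDecoder& d) {
        DataReference ref = d.bytes();
        data.assign(ref.data(), ref.data() + ref.size());
    });
    return data;
}

int main() {
    const std::string reply = "hello";   // constructed sample reply body
    for (char c : loadSynchronouslyBuggy(reply)) printf("%02x ", (unsigned char)c);
    printf("<- buggy (scribbled)\n");
    for (char c : loadSynchronouslyFixed(reply)) printf("%c", c);
    printf(" <- fixed\n");
    return 0;
}
```

In the real process the reply buffer is heap memory returned to the allocator, so without MallocScribble the bytes may still look intact at the breakpoint and the bug is easy to miss; the hardened form is the only one whose result does not depend on what happens to that memory after sendSync returns.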
Attachments
Screen Shot (269.12 KB, image/png)
2019-06-20 01:22 PDT, Jin
Patch (6.14 KB, patch)
2019-06-20 14:12 PDT, Brady Eidson
Jin
Comment 1 2019-06-20 01:22:05 PDT
Created attachment 372546 [details] Screen Shot
Radar WebKit Bug Importer
Comment 2 2019-06-20 01:41:11 PDT
Brady Eidson
Comment 3 2019-06-20 14:12:14 PDT
Geoffrey Garen
Comment 4 2019-06-20 14:37:17 PDT
Comment on attachment 372582 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=372582&action=review

r=me

> Source/WebKit/WebProcess/WebPage/WebURLSchemeHandlerProxy.cpp:67
> +    data.shrink(0);

Why shrink here?
WebKit Commit Bot
Comment 5 2019-06-20 15:52:16 PDT
Comment on attachment 372582 [details]
Patch

Clearing flags on attachment: 372582

Committed r246660: <https://trac.webkit.org/changeset/246660>
WebKit Commit Bot
Comment 6 2019-06-20 15:52:18 PDT
All reviewed patches have been landed. Closing bug.
Brady Eidson
Comment 7 2019-06-20 16:11:09 PDT
(In reply to Geoffrey Garen from comment #4)
> Comment on attachment 372582 [details]
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=372582&action=review
>
> r=me
>
> > Source/WebKit/WebProcess/WebPage/WebURLSchemeHandlerProxy.cpp:67
> > +    data.shrink(0);
>
> Why shrink here?

Sorry, saw the r=me in the email but missed the question. Agreed it's unnecessary. "Bad™" habit of sanitizing out parameters, gained from early CS profs.