RESOLVED FIXED Bug 202077
Safari 13 may launch leftover 32-bit plug-in process from Safari 12’s WebKit, which crashes 
https://bugs.webkit.org/show_bug.cgi?id=202077
Summary Safari 13 may launch leftover 32-bit plug-in process from Safari 12’s WebKit,...
mitz
Reported 2019-09-21 14:16:39 PDT
rdar://problem/55547063 On macOS High Sierra, if Safari 13 was installed after Safari 12 had been installed, Safari may end up launching the 32-bit plug-in service left behind in the staged WebKit framework, and the service will crash immediately (because as of Safari 13, its dependencies don’t have a 32-bit slice). This can happen, for example, if there is still a 32-bit plug-in in /Library/Internet Plug-Ins, and the user chooses to manage website data. This is because even though the 32-bit plug-in service has been removed from WebKit, the code paths that launch it haven’t been removed. Patch forthcoming.
Attachments
Remove 32-bit plug-in code paths (3.60 KB, patch)
2019-09-21 14:32 PDT, mitz 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
mitz
Comment 1 2019-09-21 14:32:06 PDT
Created attachment 379323 [details] Remove 32-bit plug-in code paths
Sam Weinig
Comment 2 2019-09-21 14:42:46 PDT
Comment on attachment 379323 [details] Remove 32-bit plug-in code paths View in context: https://bugs.webkit.org/attachment.cgi?id=379323&action=review > Source/WebKit/UIProcess/Launcher/mac/ProcessLauncherMac.mm:60 > case ProcessLauncher::ProcessType::Plugin32: What is the reason for keeping this enum case at all?
mitz
Comment 3 2019-09-21 14:48:37 PDT
(In reply to Sam Weinig from comment #2) > Comment on attachment 379323 [details] > Remove 32-bit plug-in code paths > > View in context: > https://bugs.webkit.org/attachment.cgi?id=379323&action=review > > > Source/WebKit/UIProcess/Launcher/mac/ProcessLauncherMac.mm:60 > > case ProcessLauncher::ProcessType::Plugin32: > > What is the reason for keeping this enum case at all? ProcessType is a cross-platform type, and I didn’t want to expand the scope of this patch beyond Mac code.
Sam Weinig
Comment 4 2019-09-21 14:58:14 PDT
Gotcha.
WebKit Commit Bot
Comment 5 2019-09-21 15:57:53 PDT
Comment on attachment 379323 [details] Remove 32-bit plug-in code paths Clearing flags on attachment: 379323 Committed r250186: <https://trac.webkit.org/changeset/250186>
WebKit Commit Bot
Comment 6 2019-09-21 15:57:54 PDT
All reviewed patches have been landed. Closing bug.
Chris Dumez
Comment 7 2019-09-21 23:05:48 PDT
This is causing a lot of crashes on the bots (They exit early): https://build.webkit.org/results/Apple%20Mojave%20Debug%20WK2%20(Tests)/r250186%20(4826)/results.html
Chris Dumez
Comment 8 2019-09-21 23:06:53 PDT
Comment on attachment 379323 [details] Remove 32-bit plug-in code paths View in context: https://bugs.webkit.org/attachment.cgi?id=379323&action=review > Source/WebKit/UIProcess/Plugins/mac/PluginProcessProxyMac.mm:63 > + ASSERT(pluginProcessAttributes.moduleInfo.pluginArchitecture == CPU_TYPE_X86); Looks like this assertion is hitting.
mitz
Comment 9 2019-09-21 23:07:27 PDT
(In reply to Chris Dumez from comment #8) > Comment on attachment 379323 [details] > Remove 32-bit plug-in code paths > > View in context: > https://bugs.webkit.org/attachment.cgi?id=379323&action=review > > > Source/WebKit/UIProcess/Plugins/mac/PluginProcessProxyMac.mm:63 > > + ASSERT(pluginProcessAttributes.moduleInfo.pluginArchitecture == CPU_TYPE_X86); > > Looks like this assertion is hitting. I’ll see if I can reproduce this locally.
mitz
Comment 10 2019-09-21 23:10:33 PDT
(In reply to mitz from comment #9) > (In reply to Chris Dumez from comment #8) > > Comment on attachment 379323 [details] > > Remove 32-bit plug-in code paths > > > > View in context: > > https://bugs.webkit.org/attachment.cgi?id=379323&action=review > > > > > Source/WebKit/UIProcess/Plugins/mac/PluginProcessProxyMac.mm:63 > > > + ASSERT(pluginProcessAttributes.moduleInfo.pluginArchitecture == CPU_TYPE_X86); Silly mistake, this should say CPU_TYPE_X86_64. I’ll fix it right away. Thanks for noticing this!
Chris Dumez
Comment 11 2019-09-21 23:11:14 PDT
Comment on attachment 379323 [details] Remove 32-bit plug-in code paths View in context: https://bugs.webkit.org/attachment.cgi?id=379323&action=review >>> Source/WebKit/UIProcess/Plugins/mac/PluginProcessProxyMac.mm:63 >>> + ASSERT(pluginProcessAttributes.moduleInfo.pluginArchitecture == CPU_TYPE_X86); >> >> Looks like this assertion is hitting. > > I’ll see if I can reproduce this locally. Shouldn’t this be != instead of == ?
Chris Dumez
Comment 12 2019-09-21 23:13:19 PDT
(In reply to mitz from comment #10) > (In reply to mitz from comment #9) > > (In reply to Chris Dumez from comment #8) > > > Comment on attachment 379323 [details] > > > Remove 32-bit plug-in code paths > > > > > > View in context: > > > https://bugs.webkit.org/attachment.cgi?id=379323&action=review > > > > > > > Source/WebKit/UIProcess/Plugins/mac/PluginProcessProxyMac.mm:63 > > > > + ASSERT(pluginProcessAttributes.moduleInfo.pluginArchitecture == CPU_TYPE_X86); > > Silly mistake, this should say CPU_TYPE_X86_64. I’ll fix it right away. > Thanks for noticing this! Oh just saw your comment, glad this is an easy fix.
mitz
Comment 13 2019-09-21 23:13:29 PDT
Corrected the assertion in r250197.
Note You need to log in before you can comment on or make changes to this bug.