RESOLVED FIXED 202753
[Cocoa] IPC::decode should gracefully handle a nil allowed class 
https://bugs.webkit.org/show_bug.cgi?id=202753
Summary [Cocoa] IPC::decode should gracefully handle a nil allowed class
Andy Estes
Reported 2019-10-09 09:32:13 PDT
[Cocoa] IPC::decode should gracefully handle a nil allowed class
Attachments
Patch (2.15 KB, patch)
2019-10-09 09:42 PDT, Andy Estes 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Andy Estes
Comment 1 2019-10-09 09:42:45 PDT
Created attachment 380537 [details] Patch
Geoffrey Garen
Comment 2 2019-10-09 10:01:14 PDT
Comment on attachment 380537 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=380537&action=review r=me > Source/WebKit/ChangeLog:20 > + rdar://problem/55839467 was resolved by fixing the build misconfiguration, but this patch > + improves IPC::decode so that a nil allowed class results in a message decoding failure > + rather than a maybe-caught NSException. > + What do message decoding failures do at runtime? Would this error we experienced still be obvious, or would it become more subtle?
Timothy Hatcher
Comment 3 2019-10-09 10:24:13 PDT
Comment on attachment 380537 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=380537&action=review >> Source/WebKit/ChangeLog:20 >> + > > What do message decoding failures do at runtime? Would this error we experienced still be obvious, or would it become more subtle? When the allowedClasses array is empty, we assert in debug builds and always return nil for the decoded object. So it would depend on the caller to handle that.
Andy Estes
Comment 4 2019-10-09 11:10:13 PDT
(In reply to Geoffrey Garen from comment #2) > Comment on attachment 380537 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=380537&action=review > > r=me > > > Source/WebKit/ChangeLog:20 > > + rdar://problem/55839467 was resolved by fixing the build misconfiguration, but this patch > > + improves IPC::decode so that a nil allowed class results in a message decoding failure > > + rather than a maybe-caught NSException. > > + > > What do message decoding failures do at runtime? Would this error we > experienced still be obvious, or would it become more subtle? The new failure mode is that a call to sendSync() with an infinite timeout now returns false when decoding fails in the remote process (rather than hanging). For cases like rdar://problem/55839467, returning false causes PaymentCoordinator to throw a JavaScript exception telling the webpage that the payment UI could not be presented. We also have a LOG_ERROR (but not a RELEASE_LOG_ERROR) for when secure coding-style decoding fails.
Andy Estes
Comment 5 2019-10-09 11:29:10 PDT
(In reply to Andy Estes from comment #4) > returning false causes > PaymentCoordinator to throw a JavaScript exception telling the webpage that > the payment UI could not be presented. We also have a LOG_ERROR (but not a > RELEASE_LOG_ERROR) for when secure coding-style decoding fails. ... which I think is at least as obvious a symptom as a hang, in that the Apple Pay UI does not appear in response to button activation in either case.
WebKit Commit Bot
Comment 6 2019-10-09 14:29:26 PDT
Comment on attachment 380537 [details] Patch Clearing flags on attachment: 380537 Committed r250934: <https://trac.webkit.org/changeset/250934>
WebKit Commit Bot
Comment 7 2019-10-09 14:29:28 PDT
All reviewed patches have been landed. Closing bug.
Radar WebKit Bug Importer
Comment 8 2019-10-09 14:30:16 PDT
<rdar://problem/56130523>
Note You need to log in before you can comment on or make changes to this bug.