Bug 202753 - [Cocoa] IPC::decode should gracefully handle a nil allowed class
Summary: [Cocoa] IPC::decode should gracefully handle a nil allowed class
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Andy Estes
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2019-10-09 09:32 PDT by Andy Estes
Modified: 2019-10-09 14:30 PDT (History)
5 users (show)

See Also:

Attachments
Patch (2.15 KB, patch)
2019-10-09 09:42 PDT, Andy Estes 		no flags Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Andy Estes 2019-10-09 09:32:13 PDT 
[Cocoa] IPC::decode should gracefully handle a nil allowed class
Comment 1 Andy Estes 2019-10-09 09:42:45 PDT 
Created attachment 380537 [details]
Patch
Comment 2 Geoffrey Garen 2019-10-09 10:01:14 PDT 
Comment on attachment 380537 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=380537&action=review

r=me

> Source/WebKit/ChangeLog:20
> +        rdar://problem/55839467 was resolved by fixing the build misconfiguration, but this patch
> +        improves IPC::decode so that a nil allowed class results in a message decoding failure
> +        rather than a maybe-caught NSException.
> +

What do message decoding failures do at runtime? Would this error we experienced still be obvious, or would it become more subtle?
Comment 3 Timothy Hatcher 2019-10-09 10:24:13 PDT 
Comment on attachment 380537 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=380537&action=review

>> Source/WebKit/ChangeLog:20
>> +
> 
> What do message decoding failures do at runtime? Would this error we experienced still be obvious, or would it become more subtle?

When the allowedClasses array is empty, we assert in debug builds and always return nil for the decoded object. So it would depend on the caller to handle that.
Comment 4 Andy Estes 2019-10-09 11:10:13 PDT 
(In reply to Geoffrey Garen from comment #2)
> Comment on attachment 380537 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=380537&action=review
> 
> r=me
> 
> > Source/WebKit/ChangeLog:20
> > +        rdar://problem/55839467 was resolved by fixing the build misconfiguration, but this patch
> > +        improves IPC::decode so that a nil allowed class results in a message decoding failure
> > +        rather than a maybe-caught NSException.
> > +
> 
> What do message decoding failures do at runtime? Would this error we
> experienced still be obvious, or would it become more subtle?

The new failure mode is that a call to sendSync() with an infinite timeout now returns false when decoding fails in the remote process (rather than hanging).

For cases like rdar://problem/55839467, returning false causes PaymentCoordinator to throw a JavaScript exception telling the webpage that the payment UI could not be presented. We also have a LOG_ERROR (but not a RELEASE_LOG_ERROR) for when secure coding-style decoding fails.
Comment 5 Andy Estes 2019-10-09 11:29:10 PDT 
(In reply to Andy Estes from comment #4)
> returning false causes
> PaymentCoordinator to throw a JavaScript exception telling the webpage that
> the payment UI could not be presented. We also have a LOG_ERROR (but not a
> RELEASE_LOG_ERROR) for when secure coding-style decoding fails.

... which I think is at least as obvious a symptom as a hang, in that the Apple Pay UI does not appear in response to button activation in either case.
Comment 6 WebKit Commit Bot 2019-10-09 14:29:26 PDT 
Comment on attachment 380537 [details]
Patch

Clearing flags on attachment: 380537

Committed r250934: <https://trac.webkit.org/changeset/250934>
Comment 7 WebKit Commit Bot 2019-10-09 14:29:28 PDT 
All reviewed patches have been landed.  Closing bug.
Comment 8 Radar WebKit Bug Importer 2019-10-09 14:30:16 PDT 
<rdar://problem/56130523>