Bug 220400 - [CoreIPC] null-ptr in IPC::createArchiveList
Summary: [CoreIPC] null-ptr in IPC::createArchiveList
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit2
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Rob Buis
URL:
Keywords: InRadar
Depends on:
Blocks:
Reported: 2021-01-06 23:20 PST by Ryosuke Niwa
Modified: 2021-01-19 23:30 PST

See Also:

Attachments
Test (requires WTR in macOS) (674 bytes, text/html) - 2021-01-06 23:20 PST, Ryosuke Niwa
Patch (3.54 KB, patch) - 2021-01-18 03:05 PST, Rob Buis
Patch (3.77 KB, patch) - 2021-01-19 00:23 PST, Rob Buis

Description Ryosuke Niwa 2021-01-06 23:20:59 PST
Created attachment 417158 [details]
Test (requires WTR in macOS)

Using the new IPC testing code I added in https://trac.webkit.org/r268239,
we can reproduce the following crash in macOS ASAN builds:

ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fff203e9144 bp 0x7ffee7d4c6f0 sp 0x7ffee7d4c6c0 T0)

    #0 0x7fff203e9144 in CFDictionaryGetValue+0x21 (CoreFoundation:x86_64h+0x8144)
    #1 0x1133c5b8e in IPC::createArchiveList(__CFDictionary const*, void const*, long*, void const***, long*, __CFDictionary const**, __CFNumber const**, __CFString const**) WebCoreArgumentCodersMac.mm:108
    #2 0x1133c57f3 in IPC::createCFURLRequestFromSerializableRepresentation(__CFDictionary const*, void const*) WebCoreArgumentCodersMac.mm:170
    #3 0x1133b71b7 in IPC::createNSURLRequestFromSerializableRepresentation(__CFDictionary const*, void const*) WebCoreArgumentCodersMac.mm:185
    #4 0x1133b69dd in IPC::ArgumentCoder<WebCore::ResourceRequest>::decodePlatformData(IPC::Decoder&, WebCore::ResourceRequest&) WebCoreArgumentCodersMac.mm:234
    #5 0x1146ee151 in IPC::ArgumentCoder<WebCore::ResourceRequest>::decode(IPC::Decoder&, WebCore::ResourceRequest&) WebCoreArgumentCoders.cpp:1270
    #6 0x112359f8b in IPC::Decoder& IPC::Decoder::operator>><WebCore::ResourceRequest, (void*)0>(WTF::Optional<WebCore::ResourceRequest>&) Decoder.h:161
    #7 0x113497604 in WebKit::FrameInfoData::decode(IPC::Decoder&) FrameInfoData.cpp:50
    #8 0x1125d4bbd in WTF::Optional<WebKit::FrameInfoData> IPC::ArgumentCoder<WebKit::FrameInfoData>::decode<WebKit::FrameInfoData, (void*)0>(IPC::Decoder&) ArgumentCoder.h:111
    #9 0x1125d4779 in IPC::Decoder& IPC::Decoder::operator>><WebKit::FrameInfoData, (void*)0>(WTF::Optional<WebKit::FrameInfoData>&) Decoder.h:153
    #10 0x11460e156 in IPC::TupleDecoderImpl<WebKit::FrameInfoData, WTF::Vector<unsigned char, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, WebCore::PublicKeyCredentialRequestOptions, bool>::decode(IPC::Decoder&) ArgumentCoders.h:296
    #11 0x11460de2e in IPC::TupleDecoderImpl<WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, WebKit::FrameInfoData, WTF::Vector<unsigned char, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, WebCore::PublicKeyCredentialRequestOptions, bool>::decode(IPC::Decoder&) ArgumentCoders.h:300
    #12 0x11460dc7d in IPC::TupleDecoder<5ul, WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, WebKit::FrameInfoData, WTF::Vector<unsigned char, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, WebCore::PublicKeyCredentialRequestOptions, bool>::decode(IPC::Decoder&) ArgumentCoders.h:324
    #13 0x11460db9d in IPC::ArgumentCoder<std::__1::tuple<WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, WebKit::FrameInfoData, WTF::Vector<unsigned char, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, WebCore::PublicKeyCredentialRequestOptions, bool> >::decode(IPC::Decoder&) ArgumentCoders.h:344
    #14 0x11460d952 in IPC::Decoder& IPC::Decoder::operator>><std::__1::tuple<WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, WebKit::FrameInfoData, WTF::Vector<unsigned char, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, WebCore::PublicKeyCredentialRequestOptions, bool>, (void*)0>(WTF::Optional<std::__1::tuple<WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, WebKit::FrameInfoData, WTF::Vector<unsigned char, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, WebCore::PublicKeyCredentialRequestOptions, bool> >&) Decoder.h:153
    #15 0x114608ef7 in void IPC::handleMessageAsync<Messages::WebAuthenticatorCoordinatorProxy::GetAssertion, WebKit::WebAuthenticatorCoordinatorProxy, void (WebKit::WebAuthenticatorCoordinatorProxy::*)(WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, WebKit::FrameInfoData&&, WTF::Vector<unsigned char, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&&, WebCore::PublicKeyCredentialRequestOptions&&, bool, WTF::CompletionHandler<void (WebCore::AuthenticatorResponseData const&, WebCore::ExceptionData const&)>&&)>(IPC::Connection&, IPC::Decoder&, WebKit::WebAuthenticatorCoordinatorProxy*, void (WebKit::WebAuthenticatorCoordinatorProxy::*)(WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, WebKit::FrameInfoData&&, WTF::Vector<unsigned char, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&&, WebCore::PublicKeyCredentialRequestOptions&&, bool, WTF::CompletionHandler<void (WebCore::AuthenticatorResponseData const&, WebCore::ExceptionData const&)>&&)) HandleMessage.h:178
    #16 0x114608a0d in WebKit::WebAuthenticatorCoordinatorProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&) WebAuthenticatorCoordinatorProxyMessageReceiver.cpp:146
    #17 0x11284c285 in IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) MessageReceiverMap.cpp:123
    #18 0x1137757fc in WebKit::AuxiliaryProcessProxy::dispatchMessage(IPC::Connection&, IPC::Decoder&) AuxiliaryProcessProxy.cpp:216
    #19 0x113b57367 in WebKit::WebProcessProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&) WebProcessProxy.cpp:808
    #20 0x112374b93 in IPC::Connection::dispatchMessage(IPC::Decoder&) Connection.cpp:1039
    #21 0x112376507 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) Connection.cpp:1139
    #22 0x112373319 in IPC::Connection::dispatchIncomingMessages() Connection.cpp:1243
    #23 0x1123955ee in IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_8::operator()() Connection.cpp:1000
    #24 0x11239555c in WTF::Detail::CallableWrapper<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_8, void>::call() Function.h:52
    #25 0x109c695ce in WTF::Function<void ()>::operator()() const Function.h:83
    #26 0x109d02a28 in WTF::RunLoop::performWork() RunLoop.cpp:128
    #27 0x109d05d45 in WTF::RunLoop::performWork(void*) RunLoopCF.cpp:46
    #28 0x7fff20462a0b in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__+0x10 (CoreFoundation:x86_64h+0x81a0b)
    #29 0x7fff20462973 in __CFRunLoopDoSource0+0xb3 (CoreFoundation:x86_64h+0x81973)
    #30 0x7fff204626ee in __CFRunLoopDoSources0+0xf7 (CoreFoundation:x86_64h+0x816ee)
    #31 0x7fff20461120 in __CFRunLoopRun+0x379 (CoreFoundation:x86_64h+0x80120)
    #32 0x7fff204606cd in CFRunLoopRunSpecific+0x232 (CoreFoundation:x86_64h+0x7f6cd)
    #33 0x7fff211edfa0 in -[NSRunLoop(NSRunLoop) runMode:beforeDate:]+0xd3 (Foundation:x86_64+0x5ffa0)
    #34 0x107f77006 in WTR::TestController::platformRunUntil(bool&, WTF::Seconds) TestControllerCocoa.mm:225
    #35 0x107f2183a in WTR::TestController::runUntil(bool&, WTF::Seconds) TestController.cpp:1546
    #36 0x107f996cd in WTR::TestInvocation::invoke() TestInvocation.cpp:168
    #37 0x107f2e541 in WTR::TestController::runTest(char const*) TestController.cpp:1476
    #38 0x107f2269d in WTR::TestController::run() TestController.cpp:1533
    #39 0x107f21c01 in WTR::TestController::TestController(int, char const**) TestController.cpp:193
    #40 0x107f22708 in WTR::TestController::TestController(int, char const**) TestController.cpp:190
    #41 0x107ebd0aa in main main.mm:70

<rdar://problem/70476922>
Comment 1 Rob Buis 2021-01-18 03:05:29 PST
Created attachment 417824 [details]
Patch
Comment 2 youenn fablet 2021-01-18 09:34:06 PST
Comment on attachment 417824 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=417824&action=review

> Source/WebKit/Shared/mac/WebCoreArgumentCodersMac.mm:235
> +        return false;
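Review bot: the early `return false` at WebCoreArgumentCodersMac.mm:235 is the right outcome for a message whose dictionary is missing, because failing the decode stops the message before createNSURLRequestFromSerializableRepresentation (frame #3 in the report) can hand a null dictionary to createArchiveList and CFDictionaryGetValue; a one-line comment at that point saying that a null dictionary is deliberately treated as a decode failure would make the intent clear to the next reader.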

Seems fine like this.
Looking at a few places, we sometimes do check for the dictionary being null before encoding it, and we are not doing it everywhere (FontInfo::decode or SecItemRequestData::decode).
In that particular case, we would not need to encode this boolean at all, so there might be a small gain in having explicit checks.
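Added example, not WebKit's code: a small C++ model of the decode-side pattern discussed above, using a constructed wire format, a bounds-checked stand-in Decoder, and hypothetical decodeDictionary, lookupURL and decodePlatformData functions. It shows why the null check belongs in the decoder: a well-formed message can decode to a null dictionary, and the consumer (standing in for createArchiveList) dereferences unconditionally, so the decoder has to fail the message first.

```cpp
#include <cstdint>
#include <cstring>
#include <map>
#include <memory>
#include <string>
#include <vector>
using Dictionary = std::map<std::string, std::string>;
enum Tag : uint8_t { kNull = 0, kDictionary = 1 }; // constructed wire format for this example

// Stand-in for IPC::Decoder over an untrusted byte buffer: every read is bounds-checked.
struct Decoder {
    std::vector<uint8_t> bytes; size_t pos;
    explicit Decoder(std::vector<uint8_t> b) : bytes(std::move(b)), pos(0) {}
    bool read(void* dst, size_t n) {
        if (n > bytes.size() - pos) return false;
        std::memcpy(dst, bytes.data() + pos, n); pos += n; return true;
    }
    bool readString(std::string& out) { // one-byte length prefix, then the bytes
        uint8_t n = 0;
        if (!read(&n, 1) || n > bytes.size() - pos) return false;
        out.assign(reinterpret_cast<const char*>(bytes.data() + pos), n); pos += n; return true;
    }
};

// A kNull tag is well-formed but yields a null dictionary: decoding "succeeds" with nullptr.
bool decodeDictionary(Decoder& d, std::unique_ptr<Dictionary>& out) {
    uint8_t tag = 0, count = 0;
    if (!d.read(&tag, 1)) return false;
    if (tag == kNull) { out.reset(); return true; }
    if (tag != kDictionary || !d.read(&count, 1)) return false;
    std::unique_ptr<Dictionary> dict(new Dictionary);
    for (uint8_t i = 0; i < count; ++i) {
        std::string key, value;
        if (!d.readString(key) || !d.readString(value)) return false;
        (*dict)[key] = value;
    }
    out = std::move(dict);
    return true;
}

// Consumer in the role of createArchiveList: dereferences its argument unconditionally.
std::string lookupURL(const Dictionary& dict) { auto it = dict.find("url"); return it == dict.end() ? std::string() : it->second; }
// decodePlatformData after the fix: a null dictionary is a decode failure, not a crash.
bool decodePlatformData(Decoder& d, std::string& url) {
    std::unique_ptr<Dictionary> dict;
    if (!decodeDictionary(d, dict) || !dict) return false; // the added null check
    url = lookupURL(*dict);
    return true;
}
```

The three rejected inputs in the test (null tag, truncated string, unknown tag) all return false without ever touching lookupURL; only the first input reaches it.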
Comment 3 Rob Buis 2021-01-19 00:23:16 PST
Created attachment 417861 [details]
Patch
Comment 4 EWS 2021-01-19 01:07:56 PST
Committed r271597: <https://trac.webkit.org/changeset/271597>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 417861 [details].