Bug 222587
RESOLVED FIXED
Validate documentState of FrameState when setting and getting it
https://bugs.webkit.org/show_bug.cgi?id=222587
Summary Validate documentState of FrameState when setting and getting it
Sihui Liu
Reported 2021-03-01 22:35:53 PST
...
Attachments
Patch (8.88 KB, patch)
2021-03-01 22:49 PST, Sihui Liu
no flags
Patch (10.88 KB, patch)
2021-03-02 09:03 PST, Sihui Liu
no flags
Patch (11.16 KB, patch)
2021-03-02 13:21 PST, Sihui Liu
no flags
Patch (11.17 KB, patch)
2021-03-02 15:17 PST, Sihui Liu
no flags
Patch (11.13 KB, patch)
2021-03-04 12:52 PST, Sihui Liu
no flags
Patch for landing (13.09 KB, patch)
2021-03-04 15:08 PST, Sihui Liu
ews-feeder: commit-queue-
Patch for landing (13.31 KB, patch)
2021-03-04 15:23 PST, Sihui Liu
no flags
Sihui Liu
Comment 1 2021-03-01 22:49:23 PST
Sihui Liu
Comment 2 2021-03-02 09:03:10 PST
EWS Watchlist
Comment 3 2021-03-02 09:03:58 PST
Thanks for the patch. If this patch contains new public API please make sure it follows the guidelines for new WebKit2 GTK+ API. See https://trac.webkit.org/wiki/WebKitGTK/AddingNewWebKit2API
Chris Dumez
Comment 4 2021-03-02 09:24:42 PST
Comment on attachment 421945 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=421945&action=review

> Source/WebKit/Shared/SessionState.cpp:282
> + StringView(stateString).upconvertedCharacters();

Maybe a comment to explain why this is validating? It is not clear to me at least.

> Source/WebKit/Shared/SessionState.h:90
> + Vector<String> documentState() const { return m_documentState; }

should return a `const Vector<String>&`

> Source/WebKit/UIProcess/API/glib/WebKitWebViewSessionState.cpp:310
> frameState.documentState.reserveInitialCapacity(documentStateLength);

Looks like this line should be dropped?

> Source/WebKit/UIProcess/mac/LegacySessionStateCoding.cpp:907
> + frameState.setDocumentState(documentState, FrameState::ShouldValidate::Yes);

Decoding failed here. So what's the point of this?
Sihui Liu
Comment 5 2021-03-02 13:21:18 PST
Sihui Liu
Comment 6 2021-03-02 13:24:00 PST
Comment on attachment 421945 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=421945&action=review

>> Source/WebKit/Shared/SessionState.cpp:282
>> + StringView(stateString).upconvertedCharacters();
>
> Maybe a comment to explain why this is validating? It is not clear to me at least.

I just added the crashed function here, it seems it failed when traversing the characters. Will add a comment.

>> Source/WebKit/Shared/SessionState.h:90
>> + Vector<String> documentState() const { return m_documentState; }
>
> should return a `const Vector<String>&`

Okay.

>> Source/WebKit/UIProcess/API/glib/WebKitWebViewSessionState.cpp:310
>> frameState.documentState.reserveInitialCapacity(documentStateLength);
>
> Looks like this line should be dropped?

Right, good catch, will remove.

>> Source/WebKit/UIProcess/mac/LegacySessionStateCoding.cpp:907
>> + frameState.setDocumentState(documentState, FrameState::ShouldValidate::Yes);
>
> Decoding failed here. So what's the point of this?

The old behavior is updating documentState even if it fails, so I just followed that.
Geoffrey Garen
Comment 7 2021-03-02 14:43:00 PST
Comment on attachment 421984 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=421984&action=review

> Source/WebKit/Shared/SessionState.cpp:289
> + auto character = characters8[i];
> + UNUSED_PARAM(character);

I believe the compiler is smart enough to notice that 'character' is unused, and skip the load from characters8 altogether. That will turn this validation into a no-op.

You should be able to force a load by doing "volatile LChar character = characters8[i]".

But perhaps a better idea would be to RELEASE_ASSERT(isLatin1(character)). (LChar is a 7-bit Latin1 encoding.) That's slightly more validation, and honestly every time I've tried to use the 'volatile' keyword I've done it wrong.
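Added example, written for this page and not taken from WebKit or from the patch under review, of the point raised in the comment above: a loop that loads each character into an unused local gives the optimizer nothing to keep, while a walk that folds every code unit into a value the caller receives cannot be dropped. The names MockString, ValidationSummary, validateDocumentState, roundTripSummary and the FrameState sketch are assumptions for illustration; LChar, UChar and isLatin1 are modelled on WTF's definitions but declared locally so the file compiles on its own. One caveat the example accounts for: with isLatin1 defined as "fits in one byte", the predicate is always true for an 8-bit code unit, so the example relies on the running sum, not on the predicate, to force the loads, and reports non-Latin-1 code units only for 16-bit buffers.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <utility>
#include <vector>

// Assumed stand-ins for WTF::LChar (8-bit) and WTF::UChar (16-bit); not WebKit headers.
using LChar = uint8_t;
using UChar = char16_t;

// Same shape as WTF's isLatin1(): any code unit that fits in one byte.
inline bool isLatin1(UChar c) { return c <= 0xFF; }

// Minimal model of a WTF::String: the buffer is either 8-bit or 16-bit.
struct MockString {
    bool is8Bit;
    std::vector<LChar> characters8;  // used when is8Bit
    std::vector<UChar> characters16; // used when !is8Bit
};

// The elidable form discussed in the review: the loaded value is never used,
// so an optimizing compiler may remove the load and the loop with it.
// Kept here only to show the shape that does not work.
inline void touchCharactersNoOp(const MockString& s)
{
    for (size_t i = 0; i < s.characters8.size(); ++i) {
        auto character = s.characters8[i];
        (void)character;
    }
}

struct ValidationSummary {
    size_t codeUnits = 0; // every code unit dereferenced
    uint32_t sum = 0;     // fold over all code units; this is what forces the loads
    size_t nonLatin1 = 0; // 16-bit code units above 0xFF (8-bit ones are Latin-1 by construction)
};

// Non-elidable form: each code unit feeds the returned value, so the walk over
// both 8-bit and 16-bit buffers has to happen. Bad memory is hit here, at the
// point where the state is set or read, rather than somewhere later.
inline ValidationSummary validateDocumentState(const std::vector<MockString>& state)
{
    ValidationSummary summary;
    for (const MockString& s : state) {
        if (s.is8Bit) {
            for (LChar c : s.characters8) {
                ++summary.codeUnits;
                summary.sum += c;
            }
        } else {
            for (UChar c : s.characters16) {
                ++summary.codeUnits;
                summary.sum += c;
                if (!isLatin1(c))
                    ++summary.nonLatin1;
            }
        }
    }
    return summary;
}

// Sketch of the accessor pair from the patch: validate when the state is set
// (if asked to) and again when it is read.
class FrameState {
public:
    enum class ShouldValidate : bool { No, Yes };

    void setDocumentState(std::vector<MockString> state, ShouldValidate shouldValidate)
    {
        if (shouldValidate == ShouldValidate::Yes)
            m_lastSummary = validateDocumentState(state);
        m_documentState = std::move(state);
    }

    const std::vector<MockString>& documentState() const
    {
        // The result is not returned, so park it in a volatile to keep the walk alive.
        volatile uint32_t sink = validateDocumentState(m_documentState).sum;
        (void)sink;
        return m_documentState;
    }

    const ValidationSummary& lastSummary() const { return m_lastSummary; }

private:
    std::vector<MockString> m_documentState;
    ValidationSummary m_lastSummary;
};

// Constructed sample: the 8-bit string "ab" and a 16-bit string holding
// U+00E9 (Latin-1) and U+4E2D (not Latin-1).
inline std::vector<MockString> sampleDocumentState()
{
    return {
        { true, { 0x61, 0x62 }, {} },
        { false, {}, { u'\u00e9', u'\u4e2d' } },
    };
}

// Set the sample through FrameState with validation on, then read it back.
inline ValidationSummary roundTripSummary()
{
    FrameState frameState;
    frameState.setDocumentState(sampleDocumentState(), FrameState::ShouldValidate::Yes);
    (void)frameState.documentState();
    return frameState.lastSummary();
}

int main()
{
    ValidationSummary s = roundTripSummary();
    std::printf("code units=%zu sum=%u nonLatin1=%zu\n", s.codeUnits, s.sum, s.nonLatin1);
    return 0;
}
```

The volatile in the getter is a store to a volatile object, which the compiler must perform, so the computation feeding it survives; that is a narrower use than making the loop variable itself volatile. In the setter the summary is stored in a member, which serves the same purpose without volatile.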
Sihui Liu
Comment 8 2021-03-02 15:17:00 PST
Sihui Liu
Comment 9 2021-03-04 12:52:34 PST
Geoffrey Garen
Comment 10 2021-03-04 13:22:36 PST
Comment on attachment 422274 [details]
Patch

r=me

Based on the analysis of other crash logs, maybe we should add a main thread RELEASE_ASSERT too.
Sihui Liu
Comment 11 2021-03-04 15:08:27 PST
Created attachment 422293 [details] Patch for landing
Sihui Liu
Comment 12 2021-03-04 15:23:21 PST
Created attachment 422297 [details] Patch for landing
EWS
Comment 13 2021-03-04 15:54:27 PST
Patch 422293 does not build
EWS
Comment 14 2021-03-04 16:12:46 PST
Committed r273929: <https://commits.webkit.org/r273929>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 422297 [details].
Radar WebKit Bug Importer
Comment 15 2021-03-04 16:13:20 PST