WebKit Bugzilla
RESOLVED FIXED
246858
[SOUP] http/tests/security/cookies/cookie-theft-with-javascript-doc.html crashing
https://bugs.webkit.org/show_bug.cgi?id=246858
Claudio Saavedra
Reported
2022-10-21 08:09:37 PDT
Since https://github.com/WebKit/WebKit/commit/361f64fcdd4b6aa17aaafcc55ebc88ab89acfc89 landed, http/tests/security/cookies/cookie-theft-with-javascript-doc.html has been crashing pretty consistently.

ASSERTION FAILED: result
/app/webkit/Source/WebKit/NetworkProcess/NetworkProcess.cpp(434) : bool WebKit::NetworkProcess::allowsFirstPartyForCookies(WebCore::ProcessIdentifier, const WTF::URL&)
1 0x7fe547a47b63 WTFCrash

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/app/webkit/WebKitBuild/Debug/bin/WebKitNetworkProcess 10 9'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 WTFCrash () at /app/webkit/Source/WTF/wtf/Assertions.cpp:327
327 *(int *)(uintptr_t)0xbbadbeef = 0;
[Current thread is 1 (Thread 0x7fe53e8be540 (LWP 44))]

Thread 1 (Thread 0x7fe53e8be540 (LWP 44)):
#0 WTFCrash() () at /app/webkit/Source/WTF/wtf/Assertions.cpp:327
#1 0x00007fe5512070f5 in WTFCrashWithInfo(int, char const*, char const*, int) () at /app/webkit/WebKitBuild/Debug/WTF/Headers/wtf/Assertions.h:754
#2 0x00007fe551a6886b in WebKit::NetworkProcess::allowsFirstPartyForCookies(WTF::ObjectIdentifier<WebCore::ProcessIdentifierType>, WTF::URL const&) (this=0x7fe535034240, processIdentifier=..., firstParty=...) at /app/webkit/Source/WebKit/NetworkProcess/NetworkProcess.cpp:434
#3 0x00007fe551a08f14 in WebKit::NetworkConnectionToWebProcess::cookiesForDOM(WTF::URL const&, WebCore::SameSiteInfo const&, WTF::URL const&, WebCore::ProcessQualified<WTF::ObjectIdentifier<WebCore::FrameIdentifierType> >, WTF::ObjectIdentifier<WebCore::PageIdentifierType>, WebCore::IncludeSecureCookies, WebCore::ShouldAskITP, WebCore::ShouldRelaxThirdPartyCookieBlocking, WTF::CompletionHandler<void (WTF::String, bool)>&&) (this=0x7fe535094340, firstParty=..., sameSiteInfo=..., url=..., frameID=..., pageID=..., includeSecureCookies=WebCore::IncludeSecureCookies::No, shouldAskITP=WebCore::ShouldAskITP::No, shouldRelaxThirdPartyCookieBlocking=WebCore::ShouldRelaxThirdPartyCookieBlocking::No, completionHandler=...) at /app/webkit/Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp:773
Claudio Saavedra
Comment 1
2022-10-21 08:20:11 PDT
There are two web processes (due to the iframe in the test), one with identifier 7 and the other 12. One of them is adding 'nullOrigin' to the "allowedFirstPartyForCookies" list, not the other. When the other receives a call to get the cookies for the DOM, the check of whether 'nullOrigin' is an allowed first party for cookies fails, and the assertion with it:

NetworkProcess::addAllowedFirstPartyForCookies(identifier: 7, firstPartyForCookies: nullOrigin)
NetworkProcess::addAllowedFirstPartyForCookies(identifier: 12, firstPartyForCookies: 127.0.0.1)
NetworkProcess::allowsFirstPartyForCookies(identifier: 12, firstPartyForCookies: 127.0.0.1)
NetworkProcess::allowsFirstPartyForCookies(identifier: 12, firstPartyForCookies: 127.0.0.1)
NetworkProcess::allowsFirstPartyForCookies(identifier: 12, firstPartyForCookies: nullOrigin)
--> ASSERTION FAILED: result

The crash doesn't happen always for me, so this might be a timing issue.
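The trace in Comment 1, replayed as an added example that is not part of the bug thread or of WebKit's code: it flags every check that has no earlier registration under the same process identifier and reports which other identifiers did register that first party. The one-set-per-identifier model and the names `replay`, `TRACE` and `LINE_RE` are assumptions made for illustration; the line format is the one shown in Comment 1.

```python
import re
from collections import defaultdict

# Trace lines copied from Comment 1 of this bug.
TRACE = """\
NetworkProcess::addAllowedFirstPartyForCookies(identifier: 7, firstPartyForCookies: nullOrigin)
NetworkProcess::addAllowedFirstPartyForCookies(identifier: 12, firstPartyForCookies: 127.0.0.1)
NetworkProcess::allowsFirstPartyForCookies(identifier: 12, firstPartyForCookies: 127.0.0.1)
NetworkProcess::allowsFirstPartyForCookies(identifier: 12, firstPartyForCookies: 127.0.0.1)
NetworkProcess::allowsFirstPartyForCookies(identifier: 12, firstPartyForCookies: nullOrigin)
"""

LINE_RE = re.compile(
    r"NetworkProcess::(addAllowedFirstPartyForCookies|allowsFirstPartyForCookies)"
    r"\(identifier: (\d+), firstPartyForCookies: ([^)\s]+)\)"
)

def replay(trace):
    """Return one finding per check that has no earlier registration
    for the same (process identifier, first party) pair."""
    # Assumed model: one set of registered first parties per process identifier.
    allowed = defaultdict(set)
    findings = []
    for lineno, line in enumerate(trace.splitlines(), 1):
        m = LINE_RE.search(line)
        if not m:
            continue  # skip unrelated output lines
        call, pid, first_party = m.group(1), int(m.group(2)), m.group(3)
        if call == "addAllowedFirstPartyForCookies":
            allowed[pid].add(first_party)
        elif first_party not in allowed[pid]:
            # Identifiers that did register this first party: a non-empty list
            # means the entry exists, but under a different process.
            others = sorted(p for p, s in allowed.items()
                            if p != pid and first_party in s)
            findings.append({"line": lineno, "identifier": pid,
                             "first_party": first_party,
                             "registered_by": others})
    return findings

if __name__ == "__main__":
    for finding in replay(TRACE):
        print(finding)
```
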
Fujii Hironori
Comment 2
2022-11-08 23:54:07 PST
See also bug#247658. I'm proposing a patch there.
Claudio Saavedra
Comment 3
2022-11-09 13:06:29 PST
This seems to have been fixed already with https://commits.webkit.org/256065@main
Claudio Saavedra
Comment 4
2022-11-09 13:13:14 PST
Pull request: https://github.com/WebKit/WebKit/pull/6317
EWS
Comment 5
2022-11-09 13:16:27 PST
Committed 256498@main (4cd9a03152f0): <https://commits.webkit.org/256498@main>

Reviewed commits have been landed. Closing PR #6317 and removing active labels.