[Webkit-unassigned] [Bug 191762] New: EXC_BAD_ACCESS when invoking a DownloadProxy's destination decision handler after the download has been canceled

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Nov 16 11:48:41 PST 2018


https://bugs.webkit.org/show_bug.cgi?id=191762

            Bug ID: 191762
           Summary: EXC_BAD_ACCESS when invoking a DownloadProxy's
                    destination decision handler after the download has
                    been canceled
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit2
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: david_quesada at apple.com

Created attachment 355089

  --> https://bugs.webkit.org/attachment.cgi?id=355089&action=review

Test case

If a DownloadProxy is invalidated while the DownloadClient is deciding the destination, then the app will crash when the decision handler is called. The troublesome line of code is in DownloadProxy::decideDestinationWithSuggestedFilenameAsync:

    if (auto* networkProcess = m_processPool->networkProcess())

m_processPool is null (due to the DownloadProxyMap invalidating the proxy when the download is canceled), so you get an invalid memory access trying to get the process pool's m_networkProcess.

So if you get unlucky and the UI process gets notified that the download has been canceled while the destination decision handler is still outstanding, you have three terrible options:
- Call the decision handler and crash.
- Don't call the decision handler, and crash due to CompletionHandlerCallChecker getting upset.
- Strategically deallocate the handler block and @try/@catch the resulting exception to stay alive.

The code in decideDestinationWithSuggestedFilenameAsync()'s handler should check that m_processPool is non-null before trying to access its network process.

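The pattern described in the report, as an added example rather than WebKit's own code or the attached test case: a proxy whose back-pointer to its process pool is cleared on invalidation while a completion handler that captures `this` is still outstanding. The class and member names mirror the ones in the report, but `NetworkProcess::continueDecision`, `DecisionOutcome`, `decideDestinationAsync`, `decideDestinationAsyncUnchecked` and the two scenario functions are assumptions made for the illustration. The unchecked handler reproduces the troublesome line; the checked one is the null test the report asks for.

```cpp
#include <functional>
#include <string>

// Hypothetical stand-in for WebKit's NetworkProcess: records what the
// UI process forwarded to it so the outcome can be inspected.
struct NetworkProcess {
    std::string lastDestination;
    int decisionsReceived = 0;
    void continueDecision(const std::string& destination) {
        lastDestination = destination;
        ++decisionsReceived;
    }
};

// Hypothetical stand-in for WebProcessPool (the m_processPool target).
struct ProcessPool {
    NetworkProcess m_networkProcess;
    NetworkProcess* networkProcess() { return &m_networkProcess; }
};

enum class DecisionOutcome { ForwardedToNetworkProcess, DroppedProxyInvalidated };

class DownloadProxy {
public:
    using DecisionHandler = std::function<DecisionOutcome(const std::string&)>;

    explicit DownloadProxy(ProcessPool* pool) : m_processPool(pool) {}

    // What DownloadProxyMap does when the download is canceled: the proxy
    // loses its pool pointer, but any handler already handed to the client
    // still captures `this` and may be invoked later.
    void invalidate() { m_processPool = nullptr; }

    // Mirrors the reported code: dereferences m_processPool unconditionally.
    // Calling this handler after invalidate() is a null-pointer dereference
    // (the EXC_BAD_ACCESS in the report), so the scenarios below never do.
    DecisionHandler decideDestinationAsyncUnchecked() {
        return [this](const std::string& destination) {
            if (auto* networkProcess = m_processPool->networkProcess())
                networkProcess->continueDecision(destination);
            return DecisionOutcome::ForwardedToNetworkProcess;
        };
    }

    // Hardened form: the handler checks m_processPool before reaching for
    // its network process, so a late decision after cancellation is dropped
    // instead of crashing, and the handler is still called exactly once.
    DecisionHandler decideDestinationAsync() {
        return [this](const std::string& destination) {
            if (!m_processPool)  // proxy was invalidated while the client was deciding
                return DecisionOutcome::DroppedProxyInvalidated;
            if (auto* networkProcess = m_processPool->networkProcess())
                networkProcess->continueDecision(destination);
            return DecisionOutcome::ForwardedToNetworkProcess;
        };
    }

private:
    ProcessPool* m_processPool;
};

// The race from the report: the cancellation reaches the UI process while
// the destination decision is still outstanding, then the client answers.
DecisionOutcome cancelThenDecide(ProcessPool& pool) {
    DownloadProxy proxy(&pool);
    auto handler = proxy.decideDestinationAsync();
    proxy.invalidate();  // download canceled; DownloadProxyMap invalidates the proxy
    return handler("/tmp/download.bin");
}

// The normal path: the proxy is still valid when the client answers.
// Both handler variants behave identically here.
DecisionOutcome decideNormally(ProcessPool& pool) {
    DownloadProxy proxy(&pool);
    auto handler = proxy.decideDestinationAsyncUnchecked();
    return handler("/tmp/download.bin");
}
```

The fix is deliberately local to the handler: the client is still required to call the handler exactly once (so a CompletionHandlerCallChecker-style invariant holds), and the only new behaviour is that a decision arriving after invalidation is discarded rather than forwarded through a dangling pool pointer.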