[Webkit-unassigned] [Bug 205685] XMLHTTPRequest POSTs blob data to a custom WKURLSchemeHandler protocol crash

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sun Jan 5 22:11:28 PST 2020


https://bugs.webkit.org/show_bug.cgi?id=205685

--- Comment #2 from mali <ak4868 at 163.com> ---
Created attachment 386811

  --> https://bugs.webkit.org/attachment.cgi?id=386811&action=review

the crash demo

This demo can be used to reproduce this crash.
crash log:
```
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x18)
  * frame #0: 0x00000001b41a2294 WebCore`WebCore::blobRegistry() + 20
    frame #1: 0x00000001b41cd354 WebCore`WebCore::createHTTPBodyCFReadStream(WebCore::FormData&) + 32
    frame #2: 0x00000001b41cdd94 WebCore`WebCore::setHTTPBody(_CFURLRequest*, WebCore::FormData*) + 56
    frame #3: 0x00000001b316f518 WebCore`WebCore::ResourceRequest::doUpdatePlatformHTTPBody() + 120
    frame #4: 0x00000001b41c7284 WebCore`WebCore::ResourceRequestBase::updatePlatformRequest(WebCore::HTTPBodyUpdatePolicy) const + 68
    frame #5: 0x00000001b316e0a4 WebCore`WebCore::ResourceRequest::nsURLRequest(WebCore::HTTPBodyUpdatePolicy) const + 20
    frame #6: 0x00000001b29efc14 WebKit`WebKit::WebURLSchemeTask::nsRequest() const + 68
    frame #7: 0x00000001041d5370 abcd`-[TestWKURLSchemeHandler webView:startURLSchemeTask:](self=0x000000028028c160, _cmd="webView:startURLSchemeTask:", webView=0x000000012801d400, urlSchemeTask=0x00000002800120c0) at ViewController.m:24:24
    frame #8: 0x00000001b2996d10 WebKit`WebKit::WebURLSchemeHandlerCocoa::platformStartTask(WebKit::WebPageProxy&, WebKit::WebURLSchemeTask&) + 128
    frame #9: 0x00000001b29eec74 WebKit`WebKit::WebURLSchemeHandler::startTask(WebKit::WebPageProxy&, WebKit::WebProcessProxy&, unsigned long long, WebCore::ResourceRequest&&, WTF::CompletionHandler<void (WebCore::ResourceResponse const&, WebCore::ResourceError const&, WTF::Vector<char, 0ul, WTF::CrashOnOverflow, 16ul> const&)>&&) + 220
    frame #10: 0x00000001b29bfb90 WebKit`WebKit::WebPageProxy::startURLSchemeTaskShared(WTF::Ref<WebKit::WebProcessProxy, WTF::DumbPtrTraits<WebKit::WebProcessProxy> >&&, WebKit::URLSchemeTaskParameters&&) + 96
    frame #11: 0x00000001b29bfaf8 WebKit`WebKit::WebPageProxy::startURLSchemeTask(WebKit::URLSchemeTaskParameters&&) + 52
    frame #12: 0x00000001b2c0f30c WebKit`WebKit::WebPageProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&) + 22416
    frame #13: 0x00000001b279d0d4 WebKit`IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) + 104
    frame #14: 0x00000001b29eb110 WebKit`WebKit::WebProcessProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&) + 32
    frame #15: 0x00000001b2787b74 WebKit`IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) + 204
    frame #16: 0x00000001b278a9d0 WebKit`IPC::Connection::dispatchIncomingMessages() + 404
    frame #17: 0x00000001b9f0389c JavaScriptCore`WTF::RunLoop::performWork() + 276
    frame #18: 0x00000001b9f03b5c JavaScriptCore`WTF::RunLoop::performWork(void*) + 36
    frame #19: 0x00000001ab158a00 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 24
    frame #20: 0x00000001ab158958 CoreFoundation`__CFRunLoopDoSource0 + 80
    frame #21: 0x00000001ab1580f0 CoreFoundation`__CFRunLoopDoSources0 + 180
    frame #22: 0x00000001ab15323c CoreFoundation`__CFRunLoopRun + 1080
    frame #23: 0x00000001ab152adc CoreFoundation`CFRunLoopRunSpecific + 464
    frame #24: 0x00000001b50d8328 GraphicsServices`GSEventRunModal + 104
    frame #25: 0x00000001af24dae0 UIKitCore`UIApplicationMain + 1936
    frame #26: 0x00000001041d5d08 abcd`main(argc=1, argv=0x000000016bc2f8f0) at main.m:14:16
    frame #27: 0x00000001aafdc360 libdyld.dylib`start + 4
```
