Changeset 107356 in webkit
Timestamp: Feb 9, 2012 9:45:10 PM
Author: ap@apple.com
Message:

ASSERTION FAILED: checkURLReceivedFromWebProcess(originalURL) loading a local file, if the WebProcess crashed
https://bugs.webkit.org/show_bug.cgi?id=70845
<rdar://problem/10269985>

Reviewed by Anders Carlsson.

This also fixes some cases where WebProcess did not get a sandbox extension after a crash.

  • UIProcess/WebPageProxy.cpp:

(WebKit::WebPageProxy::reattachToWebProcessWithItem): We no longer need to pass a sandbox
extension here, we're now passing it at b/f navigation bottleneck.
(WebKit::WebPageProxy::reload): Pass a sandbox extension - reload may mean reloading an error
page after a crash, so WebProcess may no longer have the extension.
(WebKit::WebPageProxy::goForward): We no longer need to pass a sandbox extension here,
we're now passing it at b/f navigation bottleneck. Also, fixed a bug where we first null checked
a WebBackForwardListItem pointer, and then used it anyway.
(WebKit::WebPageProxy::goBack): Ditto.
(WebKit::WebPageProxy::goToBackForwardItem): Ditto.
(WebKit::WebPageProxy::backForwardGoToItem): This is the bottleneck. We get here both for UI
actions like pressing the Back button, and for window.history.go() navigations. JS navigations
previously didn't open up the sandbox. URLs in UI process b/f list are trusted, so it's
always OK to grant a sandbox extension if one of them is a file: one.

  • UIProcess/WebPageProxy.h: backForwardGoToItem() now returns a sandbox extension handle.
  • UIProcess/WebPageProxy.messages.in: Ditto.
  • UIProcess/WebProcessProxy.cpp:

(WebKit::WebProcessProxy::checkURLReceivedFromWebProcess): If a URL is in UI process b/f
list, then it has been already vetted as something the Web process knows about. No need to
crash if it actually attempts going there.
(WebKit::WebProcessProxy::didReceiveInvalidMessage): Removed a useless comment (we have tons
of fprintfs besides this one). Fixed log message syntax.

  • UIProcess/cf/WebPageProxyCF.cpp: (WebKit::WebPageProxy::restoreFromSessionStateData):

We no longer need to pass a sandbox extension here, we're now passing it at b/f navigation
bottleneck.

  • WebProcess/WebPage/WebBackForwardListProxy.cpp: (WebKit::WebBackForwardListProxy::goToItem):

We now get an extension here, when telling UI process that we're navigating to a b/f list item.

  • WebProcess/WebPage/WebPage.cpp:

(WebKit::WebPage::reload): Use the extension we're getting.
(WebKit::WebPage::goForward): Don't use one we're not getting.
(WebKit::WebPage::goBack): Ditto.
(WebKit::WebPage::goToBackForwardItem): Ditto.
(WebKit::WebPage::restoreSessionAndNavigateToCurrentItem): Ditto.

  • WebProcess/WebPage/WebPage.h: Adjusted signatures accordingly.
  • WebProcess/WebPage/WebPage.messages.in: Ditto.
Location: trunk/Source/WebKit2
Files: 10 edited

  • trunk/Source/WebKit2/ChangeLog

    r107307 r107356  
     12012-02-09  Alexey Proskuryakov  <ap@apple.com>
     2
     3        ASSERTION FAILED: checkURLReceivedFromWebProcess(originalURL) loading a local file, if the WebProcess crashed
     4        https://bugs.webkit.org/show_bug.cgi?id=70845
     5        <rdar://problem/10269985>
     6
     7        Reviewed by Anders Carlsson.
     8
     9        This also fixes some case where WebProcess did not get a sandbox extension after a crash.
     10
     11        * UIProcess/WebPageProxy.cpp:
     12        (WebKit::WebPageProxy::reattachToWebProcessWithItem): We no longer need to pass a sandbox
     13        extension here, we're now passing it at b/f navigation bottleneck.
     14        (WebKit::WebPageProxy::reload): Pass a sandbox extension - reload may mean reloading an error
     15        page after a crash, so WebProcess may no longer have the extension.
     16        (WebKit::WebPageProxy::goForward): We no longer need to pass a sandbox extension here,
     17        we're now passing it at b/f navigation bottleneck. Also, fixed a bug where we first null checked
     18        a WebBackForwardListItem pointer, and then used it anyway.
     19        (WebKit::WebPageProxy::goBack): Ditto.
     20        (WebKit::WebPageProxy::goToBackForwardItem): Ditto.
     21        (WebKit::WebPageProxy::backForwardGoToItem): This is the bottleneck. We get here both for UI
     22        actions like pressing the Back button, and for window.history.go() navigations. JS navigations
     23        previously didn't open up the sandbox. URLs in UI process b/f list are trusted, so it's
     24        always OK to grant a sandbox extension if one of them is a file: one.
     25
     26        * UIProcess/WebPageProxy.h: backForwardGoToItem() now returns a sandbox extension handle.
     27
     28        * UIProcess/WebPageProxy.messages.in: Ditto.
     29
     30        * UIProcess/WebProcessProxy.cpp:
     31        (WebKit::WebProcessProxy::checkURLReceivedFromWebProcess): If a URL is in UI process b/f
     32        list, then it has been already vetted as something the Web process knows about. No need to
     33        crash if it actually attempts going there.
     34        (WebKit::WebProcessProxy::didReceiveInvalidMessage): Removed a useless comment (we have tons
     35        of fprintfs besides this one). Fixed log message syntax.
     36
     37        * UIProcess/cf/WebPageProxyCF.cpp: (WebKit::WebPageProxy::restoreFromSessionStateData):
     38        We no longer need to pass a sandbox extension here, we're now passing it at b/f navigation
     39        bottleneck.
     40
     41        * WebProcess/WebPage/WebBackForwardListProxy.cpp: (WebKit::WebBackForwardListProxy::goToItem):
     42        We now get an extension here, when telling UI process that we're navigating to a b/f list item.
     43
     44        * WebProcess/WebPage/WebPage.cpp:
     45        (WebKit::WebPage::reload): Use the extension we're getting.
     46        (WebKit::WebPage::goForward): Don't use one we're not getting.
     47        (WebKit::WebPage::goBack): Ditto.
     48        (WebKit::WebPage::goToBackForwardItem): Ditto.
     49        (WebKit::WebPage::restoreSessionAndNavigateToCurrentItem): Ditto.
     50
     51        * WebProcess/WebPage/WebPage.h: Adjusted signatures accordingly.
     52
     53        * WebProcess/WebPage/WebPage.messages.in: Ditto.
     54
    1552012-02-09  Matthew Delaney  <mdelaney@apple.com>
    256
  • trunk/Source/WebKit2/UIProcess/WebPageProxy.cpp

    r107168 r107356  
    318318        return;
    319319
    320     SandboxExtension::Handle sandboxExtensionHandle;
    321     bool createdExtension = maybeInitializeSandboxExtensionHandle(KURL(KURL(), item->url()), sandboxExtensionHandle);
    322     if (createdExtension)
    323         process()->willAcquireUniversalFileReadSandboxExtension();
    324     process()->send(Messages::WebPage::GoToBackForwardItem(item->itemID(), sandboxExtensionHandle), m_pageID);
     320    process()->send(Messages::WebPage::GoToBackForwardItem(item->itemID()), m_pageID);
    325321    process()->responsivenessTimer()->start();
    326322}
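Review bot: with the extension creation removed ahead of the GoToBackForwardItem send at 320, a freshly reattached process only receives a file: extension if the web-process side routes this navigation through the synchronous BackForwardGoToItem round trip (the WebBackForwardListProxy::goToItem hunk in this changeset). A one-line comment at 320 saying that the extension is now granted in backForwardGoToItem() would stop a future reader from re-adding it here and would document the assumption that a relaunched process reaches that bottleneck before it touches the file.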
     
    510506void WebPageProxy::reload(bool reloadFromOrigin)
    511507{
    512     if (m_backForwardList->currentItem())
    513         setPendingAPIRequestURL(m_backForwardList->currentItem()->url());
     508    SandboxExtension::Handle sandboxExtensionHandle;
     509
     510    if (m_backForwardList->currentItem()) {
     511        String url = m_backForwardList->currentItem()->url();
     512        setPendingAPIRequestURL(url);
     513
     514        // We may not have an extension yet if back/forward list was reinstated after a WebProcess crash or a browser relaunch
     515        bool createdExtension = maybeInitializeSandboxExtensionHandle(KURL(KURL(), url), sandboxExtensionHandle);
     516        if (createdExtension)
     517            process()->willAcquireUniversalFileReadSandboxExtension();
     518    }
    514519
    515520    if (!isValid()) {
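Review bot: at 514-517 the handle is created and process()->willAcquireUniversalFileReadSandboxExtension() is recorded before the `if (!isValid())` check at 520, so when the process is invalid that bookkeeping has already been applied to a process that will never receive the Reload message. Consider moving the maybeInitializeSandboxExtensionHandle() block below the validity check, next to the send, as the pre-change goForward()/goBack() code in this file did. Also, WebKit style wants the comment at 514 to end with a period.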
     
    518523    }
    519524
    520     process()->send(Messages::WebPage::Reload(reloadFromOrigin), m_pageID);
     525    process()->send(Messages::WebPage::Reload(reloadFromOrigin, sandboxExtensionHandle), m_pageID);
    521526    process()->responsivenessTimer()->start();
    522527}
     
    528533
    529534    WebBackForwardListItem* forwardItem = m_backForwardList->forwardItem();
    530     if (forwardItem)
    531         setPendingAPIRequestURL(forwardItem->url());
     535    if (!forwardItem)
     536        return;
     537
     538    setPendingAPIRequestURL(forwardItem->url());
    532539
    533540    if (!isValid()) {
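Review bot: the early `return` at 535-536 corrects the old null-check-then-dereference of forwardItem (the old code checked it at 530 and then used forwardItem->url() and forwardItem->itemID() unconditionally). One consequence worth a glance: a null forwardItem now also skips the `if (!isValid())` block at 540, so a forward request on a crashed process with nothing to go forward to no longer enters that block; that looks right, since there is no item to reattach with, but it is a behaviour change beyond the null-check fix the ChangeLog describes.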
     
    536543    }
    537544
    538     SandboxExtension::Handle sandboxExtensionHandle;
    539     bool createdExtension = maybeInitializeSandboxExtensionHandle(KURL(KURL(), forwardItem->url()), sandboxExtensionHandle);
    540     if (createdExtension)
    541         process()->willAcquireUniversalFileReadSandboxExtension();
    542     process()->send(Messages::WebPage::GoForward(forwardItem->itemID(), sandboxExtensionHandle), m_pageID);
     545    process()->send(Messages::WebPage::GoForward(forwardItem->itemID()), m_pageID);
    543546    process()->responsivenessTimer()->start();
    544547}
     
    555558
    556559    WebBackForwardListItem* backItem = m_backForwardList->backItem();
    557     if (backItem)
    558         setPendingAPIRequestURL(backItem->url());
     560    if (!backItem)
     561        return;
     562
     563    setPendingAPIRequestURL(backItem->url());
    559564
    560565    if (!isValid()) {
     
    563568    }
    564569
    565     SandboxExtension::Handle sandboxExtensionHandle;
    566     bool createdExtension = maybeInitializeSandboxExtensionHandle(KURL(KURL(), backItem->url()), sandboxExtensionHandle);
    567     if (createdExtension)
    568         process()->willAcquireUniversalFileReadSandboxExtension();
    569     process()->send(Messages::WebPage::GoBack(backItem->itemID(), sandboxExtensionHandle), m_pageID);
     570    process()->send(Messages::WebPage::GoBack(backItem->itemID()), m_pageID);
    570571    process()->responsivenessTimer()->start();
    571572}
     
    585586    setPendingAPIRequestURL(item->url());
    586587
    587     SandboxExtension::Handle sandboxExtensionHandle;
    588     bool createdExtension = maybeInitializeSandboxExtensionHandle(KURL(KURL(), item->url()), sandboxExtensionHandle);
    589     if (createdExtension)
    590         process()->willAcquireUniversalFileReadSandboxExtension();
    591     process()->send(Messages::WebPage::GoToBackForwardItem(item->itemID(), sandboxExtensionHandle), m_pageID);
     588    process()->send(Messages::WebPage::GoToBackForwardItem(item->itemID()), m_pageID);
    592589    process()->responsivenessTimer()->start();
    593590}
     
    24492446}
    24502447
    2451 void WebPageProxy::backForwardGoToItem(uint64_t itemID)
    2452 {
    2453     m_backForwardList->goToItem(process()->webBackForwardItem(itemID));
     2448void WebPageProxy::backForwardGoToItem(uint64_t itemID, SandboxExtension::Handle& sandboxExtensionHandle)
     2449{
     2450    WebBackForwardListItem* item = process()->webBackForwardItem(itemID);
     2451    if (!item)
     2452        return;
     2453
     2454    bool createdExtension = maybeInitializeSandboxExtensionHandle(KURL(KURL(), item->url()), sandboxExtensionHandle);
     2455    if (createdExtension)
     2456        process()->willAcquireUniversalFileReadSandboxExtension();
     2457    m_backForwardList->goToItem(item);
    24542458}
    24552459
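Review bot: the trust argument that makes this grant safe is only implicit at 2450: itemID arrives from the web process, but the extension is created solely for an item found via process()->webBackForwardItem(), i.e. one the UI process itself placed in the list, and a failed lookup replies with a default (empty) handle via the return at 2451-2452. Since this path is now reachable from window.history.go() per the ChangeLog, please state that invariant in a comment here so a later change does not start minting extensions from a web-process-supplied URL rather than from the UI-side item.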
  • trunk/Source/WebKit2/UIProcess/WebPageProxy.h

    r107168 r107356  
    744744    // Back/Forward list management
    745745    void backForwardAddItem(uint64_t itemID);
    746     void backForwardGoToItem(uint64_t itemID);
     746    void backForwardGoToItem(uint64_t itemID, SandboxExtension::Handle&);
    747747    void backForwardItemAtIndex(int32_t index, uint64_t& itemID);
    748748    void backForwardBackListCount(int32_t& count);
  • trunk/Source/WebKit2/UIProcess/WebPageProxy.messages.in

    r107168 r107356  
    157157    # BackForward messages
    158158    BackForwardAddItem(uint64_t itemID)
    159     BackForwardGoToItem(uint64_t itemID)
     159    BackForwardGoToItem(uint64_t itemID) -> (WebKit::SandboxExtension::Handle sandboxExtensionHandle)
    160160    BackForwardItemAtIndex(int32_t itemIndex) -> (uint64_t itemID)
    161161    BackForwardBackListCount() -> (int32_t count)
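Review bot: turning BackForwardGoToItem from a one-way message into a synchronous one with a WebKit::SandboxExtension::Handle reply at 159 means every back/forward navigation initiated in the web process, including window.history.go(), now blocks on a UI-process round trip. That is needed so the extension is in hand before the load starts, but the ChangeLog entry for this file only says "Ditto"; a sentence explaining why the message had to become sync would help whoever later investigates responsiveness here.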
  • trunk/Source/WebKit2/UIProcess/WebProcessProxy.cpp

    r105364 r107356  
    246246    }
    247247
     248    // Items in back/forward list have been already checked.
     249    // One case where we don't have sandbox extensions for file URLs in b/f list is if the list has been reinstated after a crash or a browser restart.
     250    for (WebBackForwardListItemMap::iterator iter = m_backForwardListItemMap.begin(), end = m_backForwardListItemMap.end(); iter != end; ++iter) {
     251        if (KURL(KURL(), iter->second->url()).fileSystemPath() == path)
     252            return true;
     253        if (KURL(KURL(), iter->second->originalURL()).fileSystemPath() == path)
     254            return true;
     255    }
     256
    248257    // A Web process that was never asked to load a file URL should not ever ask us to do anything with a file URL.
     258    fprintf(stderr, "Received an unexpected URL from the web process: '%s'\n", url.string().utf8().data());
    249259    return false;
    250260}
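Review bot: the loop at 250-255 calls fileSystemPath() on every item's URL regardless of scheme, and fileSystemPath() on a non-file URL yields an empty string; if `path` (computed above this hunk) can itself be empty for a malformed file: URL, the comparison at 251 or 253 would succeed against any non-file item and the function would return true. Guarding with `!path.isEmpty()` before the loop, or skipping items whose URL is not a file URL, closes that. Two smaller points: the comparison is an exact path match, so it only covers the item's own file and nothing referenced relative to it (the conservative choice, and worth saying in the comment), and the comment at 249 should be wrapped to WebKit line length.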
     
    369379void WebProcessProxy::didReceiveInvalidMessage(CoreIPC::Connection*, CoreIPC::MessageID messageID)
    370380{
    371     // This fprintf is intentionally left because this function should
    372     // only be hit in the case of a misbehaving web process.
    373     fprintf(stderr, "Receive an invalid message from the web process with message ID %x\n", messageID.toInt());
     381    fprintf(stderr, "Received an invalid message from the web process with message ID %x\n", messageID.toInt());
    374382
    375383    // Terminate the WebProcesses.
  • trunk/Source/WebKit2/UIProcess/cf/WebPageProxyCF.cpp

    r105339 r107356  
    165165                    process()->send(Messages::WebPage::RestoreSession(state), m_pageID);
    166166                else {
    167                     SandboxExtension::Handle sandboxExtensionHandle;
    168                     if (WebBackForwardListItem* item = m_backForwardList->currentItem()) {
    169                         bool createdExtension = maybeInitializeSandboxExtensionHandle(KURL(KURL(), item->url()), sandboxExtensionHandle);
    170                         if (createdExtension)
    171                             process()->willAcquireUniversalFileReadSandboxExtension();
     167                    if (WebBackForwardListItem* item = m_backForwardList->currentItem())
    172168                        setPendingAPIRequestURL(item->url());
    173                     }
    174 
    175                     process()->send(Messages::WebPage::RestoreSessionAndNavigateToCurrentItem(state, sandboxExtensionHandle), m_pageID);
     169
     170                    process()->send(Messages::WebPage::RestoreSessionAndNavigateToCurrentItem(state), m_pageID);
    176171                }
    177172            }
  • trunk/Source/WebKit2/WebProcess/WebPage/WebBackForwardListProxy.cpp

    r95901 r107356  
    164164        return;
    165165
    166     m_page->send(Messages::WebPageProxy::BackForwardGoToItem(historyItemToIDMap().get(item)));
     166    SandboxExtension::Handle sandboxExtensionHandle;
     167    m_page->sendSync(Messages::WebPageProxy::BackForwardGoToItem(historyItemToIDMap().get(item)), Messages::WebPageProxy::BackForwardGoToItem::Reply(sandboxExtensionHandle));
     168    m_page->sandboxExtensionTracker().beginLoad(m_page->mainWebFrame(), sandboxExtensionHandle);
    167169}
    168170
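Review bot: the return value of sendSync() at 167 is discarded, so if the synchronous BackForwardGoToItem round trip fails (UI process gone, or the reply never arrives), sandboxExtensionHandle stays default-constructed and beginLoad() at 168 is called with an empty handle. If that is the intended degraded behaviour (the file load then simply fails under the sandbox), say so in a comment; otherwise check the return value and skip beginLoad(). Also, 167 is a very long line; putting the Reply argument on its own line would match the surrounding code.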
  • trunk/Source/WebKit2/WebProcess/WebPage/WebPage.cpp

    r107168 r107356  
    714714}
    715715
    716 void WebPage::reload(bool reloadFromOrigin)
     716void WebPage::reload(bool reloadFromOrigin, const SandboxExtension::Handle& sandboxExtensionHandle)
    717717{
    718718    SendStopResponsivenessTimer stopper(this);
    719719
     720    m_sandboxExtensionTracker.beginLoad(m_mainFrame.get(), sandboxExtensionHandle);
    720721    m_mainFrame->coreFrame()->loader()->reload(reloadFromOrigin);
    721722}
    722723
    723 void WebPage::goForward(uint64_t backForwardItemID, const SandboxExtension::Handle& sandboxExtensionHandle)
     724void WebPage::goForward(uint64_t backForwardItemID)
    724725{
    725726    SendStopResponsivenessTimer stopper(this);
     
    730731        return;
    731732
    732     m_sandboxExtensionTracker.beginLoad(m_mainFrame.get(), sandboxExtensionHandle);
    733733    m_page->goToItem(item, FrameLoadTypeForward);
    734734}
    735735
    736 void WebPage::goBack(uint64_t backForwardItemID, const SandboxExtension::Handle& sandboxExtensionHandle)
     736void WebPage::goBack(uint64_t backForwardItemID)
    737737{
    738738    SendStopResponsivenessTimer stopper(this);
     
    743743        return;
    744744
    745     m_sandboxExtensionTracker.beginLoad(m_mainFrame.get(), sandboxExtensionHandle);
    746745    m_page->goToItem(item, FrameLoadTypeBack);
    747746}
    748747
    749 void WebPage::goToBackForwardItem(uint64_t backForwardItemID, const SandboxExtension::Handle& sandboxExtensionHandle)
     748void WebPage::goToBackForwardItem(uint64_t backForwardItemID)
    750749{
    751750    SendStopResponsivenessTimer stopper(this);
     
    756755        return;
    757756
    758     m_sandboxExtensionTracker.beginLoad(m_mainFrame.get(), sandboxExtensionHandle);
    759757    m_page->goToItem(item, FrameLoadTypeIndexedBackForward);
    760758}
     
    14401438}
    14411439
    1442 void WebPage::restoreSessionAndNavigateToCurrentItem(const SessionState& sessionState, const SandboxExtension::Handle& sandboxExtensionHandle)
     1440void WebPage::restoreSessionAndNavigateToCurrentItem(const SessionState& sessionState)
    14431441{
    14441442    if (uint64_t currentItemID = restoreSession(sessionState))
    1445         goToBackForwardItem(currentItemID, sandboxExtensionHandle);
     1443        goToBackForwardItem(currentItemID);
    14461444}
    14471445
  • trunk/Source/WebKit2/WebProcess/WebPage/WebPage.h

    r107168 r107356  
    537537    void loadPlainTextString(const String&);
    538538    void linkClicked(const String& url, const WebMouseEvent&);
    539     void reload(bool reloadFromOrigin);
    540     void goForward(uint64_t, const SandboxExtension::Handle&);
    541     void goBack(uint64_t, const SandboxExtension::Handle&);
    542     void goToBackForwardItem(uint64_t, const SandboxExtension::Handle&);
     539    void reload(bool reloadFromOrigin, const SandboxExtension::Handle&);
     540    void goForward(uint64_t);
     541    void goBack(uint64_t);
     542    void goToBackForwardItem(uint64_t);
    543543    void tryRestoreScrollPosition();
    544544    void setActive(bool);
     
    568568
    569569    uint64_t restoreSession(const SessionState&);
    570     void restoreSessionAndNavigateToCurrentItem(const SessionState&, const SandboxExtension::Handle&);
     570    void restoreSessionAndNavigateToCurrentItem(const SessionState&);
    571571
    572572    void didRemoveBackForwardItem(uint64_t);
  • trunk/Source/WebKit2/WebProcess/WebPage/WebPage.messages.in

    r106511 r107356  
    5151    CenterSelectionInVisibleArea()
    5252
    53     GoBack(uint64_t backForwardItemID, WebKit::SandboxExtension::Handle sandboxExtensionHandle)
    54     GoForward(uint64_t backForwardItemID, WebKit::SandboxExtension::Handle sandboxExtensionHandle)
    55     GoToBackForwardItem(uint64_t backForwardItemID, WebKit::SandboxExtension::Handle sandboxExtensionHandle)
     53    GoBack(uint64_t backForwardItemID)
     54    GoForward(uint64_t backForwardItemID)
     55    GoToBackForwardItem(uint64_t backForwardItemID)
    5656    TryRestoreScrollPosition()
    5757    LoadHTMLString(WTF::String htmlString, WTF::String baseURL)
     
    6161    LoadURLRequest(WebCore::ResourceRequest request, WebKit::SandboxExtension::Handle sandboxExtensionHandle)
    6262    LinkClicked(WTF::String url, WebKit::WebMouseEvent event)
    63     Reload(bool reloadFromOrigin)
     63    Reload(bool reloadFromOrigin, WebKit::SandboxExtension::Handle sandboxExtensionHandle)
    6464    StopLoading()
    6565
     
    7272   
    7373    RestoreSession(WebKit::SessionState state)
    74     RestoreSessionAndNavigateToCurrentItem(WebKit::SessionState state, WebKit::SandboxExtension::Handle sandboxExtensionHandle)
     74    RestoreSessionAndNavigateToCurrentItem(WebKit::SessionState state)
    7575
    7676    DidRemoveBackForwardItem(uint64_t backForwardItemID)