Changeset 193830 in webkit

Timestamp:

Dec 9, 2015 6:52:46 AM (8 years ago)

Author:

mario@webkit.org

Message:

[GTK] Crash in WebProcess when loading large content with custom URI schemes
​https://bugs.webkit.org/show_bug.cgi?id=144262

Reviewed by Carlos Garcia Campos.

Source/WebKit2:

Properly handle scenarios where errors happen after reading the first
chunk of data coming from the GInputStream provided by the application.

• UIProcess/API/gtk/WebKitWebContextPrivate.h:
• UIProcess/API/gtk/WebKitWebContext.cpp:

(webkitWebContextIsLoadingCustomProtocol): New, checks whether a load
is still in progress, after the startLoading method has been called.

• UIProcess/API/gtk/WebKitURISchemeRequest.cpp:

(webkitURISchemeRequestReadCallback): Early return if the stream has been
cancelled on finish_error, so that we make sure we don't keep on reading
the GInputStream after that point.
(webkit_uri_scheme_request_finish_error): Don't send a didFailWithError
message to the Network process if the load is not longer in progress.

• Shared/Network/CustomProtocols/soup/CustomProtocolManagerImpl.cpp:

(WebKit::CustomProtocolManagerImpl::didFailWithError): Handle the case where
an error is notified from the UI process after the first chunk has been read.
(WebKit::CustomProtocolManagerImpl::didReceiveResponse): Handle the case where
data might no longer be available if an error happened even before this point.

• WebProcess/soup/WebKitSoupRequestInputStream.h:
• WebProcess/soup/WebKitSoupRequestInputStream.cpp:

(webkitSoupRequestInputStreamDidFailWithError): Notify the custom GInputStream
that we no longer want to keep reading data in chunks due to a specific error.
(webkitSoupRequestInputStreamReadAsync): Early finish the GTask with a specific
error whenever webkitSoupRequestInputStreamDidFailWithError() has been called.

Tools:

Added new unit test to check the additional scenarios we now
handle for custom URI schemes.

• TestWebKitAPI/Tests/WebKit2Gtk/TestWebKitWebContext.cpp:

(generateHTMLContent): New helper function to generate big enough content.
(testWebContextURIScheme): New unit test.

Location:

trunk

Files:

• Source/WebKit2/ChangeLog (modified) (1 diff)
• Source/WebKit2/Shared/Network/CustomProtocols/soup/CustomProtocolManagerImpl.cpp (modified) (2 diffs)
• Source/WebKit2/UIProcess/API/gtk/WebKitURISchemeRequest.cpp (modified) (2 diffs)
• Source/WebKit2/UIProcess/API/gtk/WebKitWebContext.cpp (modified) (1 diff)
• Source/WebKit2/UIProcess/API/gtk/WebKitWebContextPrivate.h (modified) (1 diff)
• Source/WebKit2/WebProcess/soup/WebKitSoupRequestInputStream.cpp (modified) (4 diffs)
• Source/WebKit2/WebProcess/soup/WebKitSoupRequestInputStream.h (modified) (2 diffs)
• Tools/ChangeLog (modified) (1 diff)
• Tools/TestWebKitAPI/Tests/WebKit2Gtk/TestWebKitWebContext.cpp (modified) (6 diffs)

trunk/Source/WebKit2/ChangeLog

@@ +1 @@
+2015-12-09  Mario Sanchez Prada  <mario@endlessm.com>
+
+        [GTK] Crash in WebProcess when loading large content with custom URI schemes
+        https://bugs.webkit.org/show_bug.cgi?id=144262
+
+        Reviewed by Carlos Garcia Campos.
+
+        Properly handle scenarios where errors happen after reading the first
+        chunk of data coming from the GInputStream provided by the application.
+
+        * UIProcess/API/gtk/WebKitWebContextPrivate.h:
+        * UIProcess/API/gtk/WebKitWebContext.cpp:
+        (webkitWebContextIsLoadingCustomProtocol): New, checks whether a load
+        is still in progress, after the startLoading method has been called.
+        * UIProcess/API/gtk/WebKitURISchemeRequest.cpp:
+        (webkitURISchemeRequestReadCallback): Early return if the stream has been
+        cancelled on finish_error, so that we make sure we don't keep on reading
+        the GInputStream after that point.
+        (webkit_uri_scheme_request_finish_error): Don't send a didFailWithError
+        message to the Network process if the load is not longer in progress.
+        * Shared/Network/CustomProtocols/soup/CustomProtocolManagerImpl.cpp:
+        (WebKit::CustomProtocolManagerImpl::didFailWithError): Handle the case where
+        an error is notified from the UI process after the first chunk has been read.
+        (WebKit::CustomProtocolManagerImpl::didReceiveResponse): Handle the case where
+        data might no longer be available if an error happened even before this point.
+        * WebProcess/soup/WebKitSoupRequestInputStream.h:
+        * WebProcess/soup/WebKitSoupRequestInputStream.cpp:
+        (webkitSoupRequestInputStreamDidFailWithError): Notify the custom GInputStream
+        that we no longer want to keep reading data in chunks due to a specific error.
+        (webkitSoupRequestInputStreamReadAsync): Early finish the GTask with a specific
+        error whenever webkitSoupRequestInputStreamDidFailWithError() has been called.
+
 2015-12-09  Ryuan Choi  <ryuan.choi@navercorp.com>
 

trunk/Source/WebKit2/Shared/Network/CustomProtocols/soup/CustomProtocolManagerImpl.cpp

@@ -117 +117 @@
     ASSERT(data);
 
-    GRefPtr<GTask> task = data->releaseTask();
-    ASSERT(task.get());
-    g_task_return_new_error(task.get(), g_quark_from_string(error.domain().utf8().data()),
-        error.errorCode(), "%s", error.localizedDescription().utf8().data());
+    // Either we haven't started reading the stream yet, in which case we need to complete the
+    // task first, or we failed reading it and the task was already completed by didLoadData().
+    ASSERT(!data->stream || !data->task);
+
+    if (!data->stream) {
+        GRefPtr<GTask> task = data->releaseTask();
+        ASSERT(task.get());
+        g_task_return_new_error(task.get(), g_quark_from_string(error.domain().utf8().data()),
+            error.errorCode(), "%s", error.localizedDescription().utf8().data());
+    } else
+        webkitSoupRequestInputStreamDidFailWithError(WEBKIT_SOUP_REQUEST_INPUT_STREAM(data->stream.get()), error);
 
     m_customProtocolMap.remove(customProtocolID);
@@ -171 +178 @@
 {
     WebSoupRequestAsyncData* data = m_customProtocolMap.get(customProtocolID);
-    ASSERT(data);
+    // The data might have been removed from the request map if an error happened even before this point.
+    if (!data)
+        return;
+
     ASSERT(data->task);
 

trunk/Source/WebKit2/UIProcess/API/gtk/WebKitURISchemeRequest.cpp

@@ -166 +166 @@
         return;
     }
+
+    // Need to check the stream before proceeding as it can be cancelled if finish_error
+    // was previously call, which won't be detected by g_input_stream_read_finish().
+    if (!request->priv->stream)
+        return;
 
     WebKitURISchemeRequestPrivate* priv = request->priv;
@@ -231 +236 @@
 
     WebKitURISchemeRequestPrivate* priv = request->priv;
-
+    if (!webkitWebContextIsLoadingCustomProtocol(priv->webContext, priv->requestID))
+        return;
+
+    priv->stream = nullptr;
     WebCore::ResourceError resourceError(g_quark_to_string(error->domain), toWebCoreError(error->code), priv->uri.data(), String::fromUTF8(error->message));
     priv->webRequestManager->didFailWithError(priv->requestID, resourceError);

trunk/Source/WebKit2/UIProcess/API/gtk/WebKitWebContext.cpp

@@ -1295 +1295 @@
 }
 
+bool webkitWebContextIsLoadingCustomProtocol(WebKitWebContext* context, uint64_t customProtocolID)
+{
+    return context->priv->uriSchemeRequests.get(customProtocolID);
+}
+
 void webkitWebContextCreatePageForWebView(WebKitWebContext* context, WebKitWebView* webView, WebKitUserContentManager* userContentManager, WebKitWebView* relatedView)
 {

trunk/Source/WebKit2/UIProcess/API/gtk/WebKitWebContextPrivate.h

@@ -43 +43 @@
 void webkitWebContextStopLoadingCustomProtocol(WebKitWebContext*, uint64_t customProtocolID);
 void webkitWebContextDidFinishLoadingCustomProtocol(WebKitWebContext*, uint64_t customProtocolID);
+bool webkitWebContextIsLoadingCustomProtocol(WebKitWebContext*, uint64_t customProtocolID);
 void webkitWebContextCreatePageForWebView(WebKitWebContext*, WebKitWebView*, WebKitUserContentManager*, WebKitWebView*);
 void webkitWebContextWebViewDestroyed(WebKitWebContext*, WebKitWebView*);

trunk/Source/WebKit2/WebProcess/soup/WebKitSoupRequestInputStream.cpp

@@ -24 +24 @@
 #include <wtf/Threading.h>
 #include <wtf/glib/GRefPtr.h>
+#include <wtf/glib/GUniquePtr.h>
 
 struct AsyncReadData {
@@ -42 +43 @@
     uint64_t bytesReceived;
     uint64_t bytesRead;
+
+    GUniquePtr<GError> error;
 
     Lock readLock;
@@ -90 +93 @@
     if (!webkitSoupRequestInputStreamHasDataToRead(stream) && !webkitSoupRequestInputStreamIsWaitingForData(stream)) {
         g_task_return_int(task.get(), 0);
+        return;
+    }
+
+    if (stream->priv->error.get()) {
+        g_task_return_error(task.get(), stream->priv->error.release());
         return;
     }
@@ -164 +172 @@
 }
 
+void webkitSoupRequestInputStreamDidFailWithError(WebKitSoupRequestInputStream* stream, const WebCore::ResourceError& resourceError)
+{
+    GUniquePtr<GError> error(g_error_new(g_quark_from_string(resourceError.domain().utf8().data()), resourceError.errorCode(), "%s", resourceError.localizedDescription().utf8().data()));
+    if (stream->priv->pendingAsyncRead) {
+        AsyncReadData* data = stream->priv->pendingAsyncRead.get();
+        g_task_return_error(data->task.get(), error.release());
+    } else {
+        stream->priv->contentLength = stream->priv->bytesReceived;
+        stream->priv->error = WTF::move(error);
+    }
+}
+
 bool webkitSoupRequestInputStreamFinished(WebKitSoupRequestInputStream* stream)
 {

trunk/Source/WebKit2/WebProcess/soup/WebKitSoupRequestInputStream.h

@@ -21 +21 @@
 #define WebKitSoupRequestInputStream_h
 
+#include <WebCore/ResourceError.h>
 #include <gio/gio.h>
 
@@ -49 +50 @@
 GInputStream* webkitSoupRequestInputStreamNew(uint64_t contentLength);
 void webkitSoupRequestInputStreamAddData(WebKitSoupRequestInputStream*, const void* data, size_t dataLength);
+void webkitSoupRequestInputStreamDidFailWithError(WebKitSoupRequestInputStream*, const WebCore::ResourceError&);
 bool webkitSoupRequestInputStreamFinished(WebKitSoupRequestInputStream*);
 

trunk/Tools/ChangeLog

@@ +1 @@
+2015-12-09  Mario Sanchez Prada  <mario@endlessm.com>
+
+        [GTK] Crash in WebProcess when loading large content with custom URI schemes
+        https://bugs.webkit.org/show_bug.cgi?id=144262
+
+        Reviewed by Carlos Garcia Campos.
+
+        Added new unit test to check the additional scenarios we now
+        handle for custom URI schemes.
+
+        * TestWebKitAPI/Tests/WebKit2Gtk/TestWebKitWebContext.cpp:
+        (generateHTMLContent): New helper function to generate big enough content.
+        (testWebContextURIScheme): New unit test.
+
 2015-12-09  Ryuan Choi  <ryuan.choi@navercorp.com>
 

trunk/Tools/TestWebKitAPI/Tests/WebKit2Gtk/TestWebKitWebContext.cpp

@@ -27 +27 @@
 #include <wtf/glib/GRefPtr.h>
 #include <wtf/glib/GUniquePtr.h>
+#include <wtf/text/StringBuilder.h>
 #include <wtf/text/StringHash.h>
 
@@ -198 +199 @@
 static const char* errorDomain = "test";
 static const int errorCode = 10;
-static const char* errorMessage = "Error message.";
+
+static const char* genericErrorMessage = "Error message.";
+static const char* beforeReceiveResponseErrorMessage = "Error before didReceiveResponse.";
+static const char* afterInitialChunkErrorMessage = "Error after reading the initial chunk.";
 
 class URISchemeTest: public LoadTrackingTest {
@@ -230 +234 @@
         g_assert(webkit_uri_scheme_request_get_web_view(request) == test->m_webView);
 
-        GRefPtr<GInputStream> inputStream = adoptGRef(g_memory_input_stream_new());
-        test->assertObjectIsDeletedWhenTestFinishes(G_OBJECT(inputStream.get()));
-
         const char* scheme = webkit_uri_scheme_request_get_scheme(request);
         g_assert(scheme);
         g_assert(test->m_handlersMap.contains(String::fromUTF8(scheme)));
 
+        const URISchemeHandler& handler = test->m_handlersMap.get(String::fromUTF8(scheme));
+
+        GRefPtr<GInputStream> inputStream = adoptGRef(g_memory_input_stream_new());
+        test->assertObjectIsDeletedWhenTestFinishes(G_OBJECT(inputStream.get()));
+
+        const gchar* requestPath = webkit_uri_scheme_request_get_path(request);
+
         if (!g_strcmp0(scheme, "error")) {
-            GUniquePtr<GError> error(g_error_new_literal(g_quark_from_string(errorDomain), errorCode, errorMessage));
-            webkit_uri_scheme_request_finish_error(request, error.get());
+            if (!g_strcmp0(requestPath, "before-response")) {
+                GUniquePtr<GError> error(g_error_new_literal(g_quark_from_string(errorDomain), errorCode, beforeReceiveResponseErrorMessage));
+                // We call finish() and then finish_error() to make sure that not even
+                // the didReceiveResponse message is processed at the time of failing.
+                webkit_uri_scheme_request_finish(request, G_INPUT_STREAM(inputStream.get()), handler.replyLength, handler.mimeType.data());
+                webkit_uri_scheme_request_finish_error(request, error.get());
+            } else if (!g_strcmp0(requestPath, "after-first-chunk")) {
+                g_memory_input_stream_add_data(G_MEMORY_INPUT_STREAM(inputStream.get()), handler.reply.data(), handler.reply.length(), 0);
+                webkit_uri_scheme_request_finish(request, inputStream.get(), handler.replyLength, handler.mimeType.data());
+                // We need to wait until we reach the load-committed state before calling webkit_uri_scheme_request_finish_error(),
+                // so we rely on the test using finishOnCommittedAndWaitUntilLoadFinished() to actually call it from loadCommitted().
+            } else {
+                GUniquePtr<GError> error(g_error_new_literal(g_quark_from_string(errorDomain), errorCode, genericErrorMessage));
+                webkit_uri_scheme_request_finish_error(request, error.get());
+            }
             return;
         }
 
-        const URISchemeHandler& handler = test->m_handlersMap.get(String::fromUTF8(scheme));
-
         if (!g_strcmp0(scheme, "echo")) {
-            char* replyHTML = g_strdup_printf(handler.reply.data(), webkit_uri_scheme_request_get_path(request));
+            char* replyHTML = g_strdup_printf(handler.reply.data(), requestPath);
             g_memory_input_stream_add_data(G_MEMORY_INPUT_STREAM(inputStream.get()), replyHTML, strlen(replyHTML), g_free);
         } else if (!g_strcmp0(scheme, "closed"))
@@ -262 +281 @@
     }
 
+    virtual void loadCommitted() override
+    {
+        if (m_finishOnCommitted) {
+            GUniquePtr<GError> error(g_error_new_literal(g_quark_from_string(errorDomain), errorCode, afterInitialChunkErrorMessage));
+            webkit_uri_scheme_request_finish_error(m_uriSchemeRequest.get(), error.get());
+        }
+
+        LoadTrackingTest::loadCommitted();
+    }
+
+    void finishOnCommittedAndWaitUntilLoadFinished()
+    {
+        m_finishOnCommitted = true;
+        waitUntilLoadFinished();
+        m_finishOnCommitted = false;
+    }
+
     GRefPtr<WebKitURISchemeRequest> m_uriSchemeRequest;
     HashMap<String, URISchemeHandler> m_handlersMap;
+    bool m_finishOnCommitted { false };
 };
+
+String generateHTMLContent(unsigned contentLength)
+{
+    String baseString("abcdefghijklmnopqrstuvwxyz0123457890");
+    unsigned baseLength = baseString.length();
+
+    StringBuilder builder;
+    builder.append("<html><body>");
+
+    if (contentLength <= baseLength)
+        builder.append(baseString, 0, contentLength);
+    else {
+        unsigned currentLength = 0;
+        while (currentLength < contentLength) {
+            if ((currentLength + baseLength) <= contentLength)
+                builder.append(baseString);
+            else
+                builder.append(baseString, 0, contentLength - currentLength);
+
+            // Account for the 12 characters of the '<html><body>' prefix.
+            currentLength = builder.length() - 12;
+        }
+    }
+    builder.append("</body></html>");
+
+    return builder.toString();
+}
 
 static void testWebContextURIScheme(URISchemeTest* test, gconstpointer)
@@ -308 +372 @@
     g_assert(!test->m_loadEvents.contains(LoadTrackingTest::LoadFailed));
 
-    test->registerURISchemeHandler("error", 0, 0, 0);
+    // Anything over 8192 bytes will get multiple calls to g_input_stream_read_async in
+    // WebKitURISchemeRequest when reading data, but we still need way more than that to
+    // ensure that we reach the load-committed state before failing, so we use an 8MB HTML.
+    String longHTMLContent = generateHTMLContent(8 * 1024 * 1024);
+    test->registerURISchemeHandler("error", longHTMLContent.utf8().data(), -1, "text/html");
     test->m_loadEvents.clear();
     test->loadURI("error:error");
@@ -315 +383 @@
     g_assert(test->m_loadFailed);
     g_assert_error(test->m_error.get(), g_quark_from_string(errorDomain), errorCode);
-    g_assert_cmpstr(test->m_error->message, ==, errorMessage);
+    g_assert_cmpstr(test->m_error->message, ==, genericErrorMessage);
+
+    test->m_loadEvents.clear();
+    test->loadURI("error:before-response");
+    test->waitUntilLoadFinished();
+    g_assert(test->m_loadEvents.contains(LoadTrackingTest::ProvisionalLoadFailed));
+    g_assert(test->m_loadFailed);
+    g_assert_error(test->m_error.get(), g_quark_from_string(errorDomain), errorCode);
+    g_assert_cmpstr(test->m_error->message, ==, beforeReceiveResponseErrorMessage);
+
+    test->m_loadEvents.clear();
+    test->loadURI("error:after-first-chunk");
+    test->finishOnCommittedAndWaitUntilLoadFinished();
+    g_assert(!test->m_loadEvents.contains(LoadTrackingTest::ProvisionalLoadFailed));
+    g_assert(test->m_loadEvents.contains(LoadTrackingTest::LoadFailed));
+    g_assert(test->m_loadFailed);
+    g_assert_error(test->m_error.get(), g_quark_from_string(errorDomain), errorCode);
+    g_assert_cmpstr(test->m_error->message, ==, afterInitialChunkErrorMessage);
 
     test->registerURISchemeHandler("closed", 0, 0, 0);