Changeset 238381 in webkit

Timestamp:

Nov 19, 2018 2:52:42 PM (5 years ago)

Author:

david_quesada@apple.com

Message:

EXC_BAD_ACCESS when invoking a DownloadProxy's destination decision handler after the download has been canceled
​https://bugs.webkit.org/show_bug.cgi?id=191762
rdar://problem/46151509

Reviewed by Dean Jackson.

Source/WebKit:

When the DownloadClient calls the decision handler with a destination path, check if
m_processPool is null before trying to access its network process. This can happen
if a download is canceled before the client decides its destination.

• UIProcess/Downloads/DownloadProxy.cpp:

(WebKit::DownloadProxy::decideDestinationWithSuggestedFilenameAsync):

Tools:

• TestWebKitAPI/Tests/WebKitCocoa/Download.mm:

Enable the Download API test on iOS, since the platform supports downloads. All the
tests pass already, except for one which was written using AppKit-specific code:

TEST(_WKDownload, RedirectedDownload):

Use a more platform-agnostic approach to starting the download in this API test.
Instead of manually triggering an NSMenu item to download a file from a link, the
test will simulate a user-initiated click on the link, and the navigation delegate
will direct the web view to start a download based on the link's navigation action.
Additionally, remove the manual creation of a new NSWindow. TestWKWebView makes its
own UI/NSWindow.

TEST(_WKDownload, DownloadCanceledWhileDecidingDestination):

Add an API test _WKDownload.DownloadCanceledWhileDecidingDestination to simulate the
conditions that would trigger this crash - handling a download's -decideDestination…
delegate call by canceling the download, waiting for the UI process to be notified
that the download has been canceled, and calling the decision handler. This should
not crash.

(-[CancelDownloadWhileDecidingDestinationDelegate _downloadDidFinish:]):
(-[CancelDownloadWhileDecidingDestinationDelegate _download:didFailWithError:]):
(-[CancelDownloadWhileDecidingDestinationDelegate _downloadDidCancel:]):
(-[CancelDownloadWhileDecidingDestinationDelegate _download:decideDestinationWithSuggestedFilename:completionHandler:]):
(-[UIDownloadAsFileTestDelegate _webView:contextMenu:forElement:]): Deleted.

• TestWebKitAPI/cocoa/TestWKWebView.h:
• TestWebKitAPI/cocoa/TestWKWebView.mm:

(-[TestWKWebView objectByEvaluatingJavaScriptWithUserGesture:]):

Add a user-initated version of -objectByEvaluatingJavaScript:. This is needed in
order to maintain the behavior of the RedirectedDownload test, which verifies the
state of the _WKDownload.wasUserInitiated property.

Location:

trunk

Files:

• Source/WebKit/ChangeLog (modified) (1 diff)
• Source/WebKit/UIProcess/Downloads/DownloadProxy.cpp (modified) (1 diff)
• Tools/ChangeLog (modified) (1 diff)
• Tools/TestWebKitAPI/Tests/WebKitCocoa/Download.mm (modified) (5 diffs)
• Tools/TestWebKitAPI/cocoa/TestWKWebView.h (modified) (1 diff)
• Tools/TestWebKitAPI/cocoa/TestWKWebView.mm (modified) (1 diff)

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2018-11-19  David Quesada  <david_quesada@apple.com>
+
+        EXC_BAD_ACCESS when invoking a DownloadProxy's destination decision handler after the download has been canceled
+        https://bugs.webkit.org/show_bug.cgi?id=191762
+        rdar://problem/46151509
+
+        Reviewed by Dean Jackson.
+
+        When the DownloadClient calls the decision handler with a destination path, check if
+        m_processPool is null before trying to access its network process. This can happen
+        if a download is canceled before the client decides its destination.
+
+        * UIProcess/Downloads/DownloadProxy.cpp:
+        (WebKit::DownloadProxy::decideDestinationWithSuggestedFilenameAsync):
+
 2018-11-19  Tomoki Imai  <Tomoki.Imai@sony.com>
 

trunk/Source/WebKit/UIProcess/Downloads/DownloadProxy.cpp

@@ -171 +171 @@
             SandboxExtension::createHandle(destination, SandboxExtension::Type::ReadWrite, sandboxExtensionHandle);
 
+        if (!m_processPool)
+            return;
+
         if (auto* networkProcess = m_processPool->networkProcess())
             networkProcess->send(Messages::NetworkProcess::ContinueDecidePendingDownloadDestination(downloadID, destination, sandboxExtensionHandle, allowOverwrite == AllowOverwrite::Yes), 0);

trunk/Tools/ChangeLog

@@ +1 @@
+2018-11-19  David Quesada  <david_quesada@apple.com>
+
+        EXC_BAD_ACCESS when invoking a DownloadProxy's destination decision handler after the download has been canceled
+        https://bugs.webkit.org/show_bug.cgi?id=191762
+        rdar://problem/46151509
+
+        Reviewed by Dean Jackson.
+
+        * TestWebKitAPI/Tests/WebKitCocoa/Download.mm:
+            Enable the Download API test on iOS, since the platform supports downloads. All the
+            tests pass already, except for one which was written using AppKit-specific code:
+        TEST(_WKDownload, RedirectedDownload):
+            Use a more platform-agnostic approach to starting the download in this API test.
+            Instead of manually triggering an NSMenu item to download a file from a link, the
+            test will simulate a user-initiated click on the link, and the navigation delegate
+            will direct the web view to start a download based on the link's navigation action.
+            Additionally, remove the manual creation of a new NSWindow. TestWKWebView makes its
+            own UI/NSWindow.
+        TEST(_WKDownload, DownloadCanceledWhileDecidingDestination):
+            Add an API test _WKDownload.DownloadCanceledWhileDecidingDestination to simulate the
+            conditions that would trigger this crash - handling a download's -decideDestination…
+            delegate call by canceling the download, waiting for the UI process to be notified
+            that the download has been canceled, and calling the decision handler. This should
+            not crash.
+        (-[CancelDownloadWhileDecidingDestinationDelegate _downloadDidFinish:]):
+        (-[CancelDownloadWhileDecidingDestinationDelegate _download:didFailWithError:]):
+        (-[CancelDownloadWhileDecidingDestinationDelegate _downloadDidCancel:]):
+        (-[CancelDownloadWhileDecidingDestinationDelegate _download:decideDestinationWithSuggestedFilename:completionHandler:]):
+        (-[UIDownloadAsFileTestDelegate _webView:contextMenu:forElement:]): Deleted.
+        * TestWebKitAPI/cocoa/TestWKWebView.h:
+        * TestWebKitAPI/cocoa/TestWKWebView.mm:
+        (-[TestWKWebView objectByEvaluatingJavaScriptWithUserGesture:]):
+            Add a user-initated version of -objectByEvaluatingJavaScript:. This is needed in
+            order to maintain the behavior of the RedirectedDownload test, which verifies the
+            state of the _WKDownload.wasUserInitiated property.
+
 2018-11-19  Wenson Hsieh  <wenson_hsieh@apple.com>
 

trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/Download.mm

@@ -28 +28 @@
 
 #if WK_API_ENABLED
-#if PLATFORM(MAC) // No downloading on iOS
+#if PLATFORM(MAC) || PLATFORM(IOS)
 
 #import "PlatformUtilities.h"
@@ -43 +43 @@
 #import <WebKit/WKWebViewConfiguration.h>
 #import <wtf/RetainPtr.h>
-#import <wtf/mac/AppKitCompatibilityDeclarations.h>
 #import <wtf/text/WTFString.h>
 
@@ -440 +439 @@
 }
 
-@interface UIDownloadAsFileTestDelegate : NSObject <WKUIDelegatePrivate>
-@end
-
-@implementation UIDownloadAsFileTestDelegate
-
-IGNORE_WARNINGS_BEGIN("deprecated-implementations")
-- (NSMenu *)_webView:(WKWebView *)webView contextMenu:(NSMenu *)menu forElement:(_WKContextMenuElementInfo *)element
-IGNORE_WARNINGS_END
-{
-    static const long downloadLinkedFileTag = 2;
-    auto index = [menu indexOfItemWithTag:downloadLinkedFileTag];
-    [menu performActionForItemAtIndex:index];
-    return nil;
-}
-
-@end
-
 @interface RedirectedDownloadDelegate : NSObject <_WKDownloadDelegate>
 @end
@@ -518 +500 @@
     isDone = false;
 
-    auto delegate = adoptNS([[UIDownloadAsFileTestDelegate alloc] init]);
     auto configuration = adoptNS([[WKWebViewConfiguration alloc] init]);
     auto webView = adoptNS([[TestWKWebView alloc] initWithFrame:CGRectMake(0, 0, 800, 600) configuration:configuration.get()]);
-    [webView setUIDelegate:delegate.get()];
     auto downloadDelegate = adoptNS([[RedirectedDownloadDelegate alloc] init]);
     [[[webView configuration] processPool] _setDownloadDelegate:downloadDelegate.get()];
 
-    auto window = adoptNS([[NSWindow alloc] initWithContentRect:[webView frame] styleMask:NSWindowStyleMaskBorderless backing:NSBackingStoreBuffered defer:YES]);
-    [[window contentView] addSubview:webView.get()];
-
     // Do 2 loads in the same view to make sure the redirect chain is properly cleared between loads.
     [webView synchronouslyLoadHTMLString:@"<div>First load</div>"];
-    [webView synchronouslyLoadHTMLString:@"<a style='display: block; height: 100%; width: 100%' href='http://redirect/?redirect/?pass'>test</a>"];
+    [webView synchronouslyLoadHTMLString:@"<a id='link' href='http://redirect/?redirect/?pass'>test</a>"];
 
     expectedOriginatingWebView = webView.get();
     expectedUserInitiatedState = true;
-    NSPoint clickPoint = NSMakePoint(100, 100);
-    [[webView hitTest:clickPoint] mouseDown:[NSEvent mouseEventWithType:NSEventTypeRightMouseDown location:clickPoint modifierFlags:0 timestamp:0 windowNumber:[window windowNumber] context:nil eventNumber:0 clickCount:1 pressure:1]];
-    [[webView hitTest:clickPoint] mouseUp:[NSEvent mouseEventWithType:NSEventTypeRightMouseUp location:clickPoint modifierFlags:0 timestamp:0 windowNumber:[window windowNumber] context:nil eventNumber:0 clickCount:1 pressure:1]];
+
+    auto navigationDelegate = adoptNS([[DownloadNavigationDelegate alloc] init]);
+    [webView setNavigationDelegate:navigationDelegate.get()];
+    [webView objectByEvaluatingJavaScriptWithUserGesture:@"document.getElementById('link').click();"];
 
     isDone = false;
@@ -591 +569 @@
 }
 
+static bool downloadHasDecidedDestination;
+
+@interface CancelDownloadWhileDecidingDestinationDelegate : NSObject <_WKDownloadDelegate>
+@end
+
+@implementation CancelDownloadWhileDecidingDestinationDelegate
+- (void)_downloadDidFinish:(_WKDownload *)download
+{
+    EXPECT_TRUE(false);
+    isDone = true;
+}
+
+- (void)_download:(_WKDownload *)download didFailWithError:(NSError *)error
+{
+    EXPECT_TRUE(false);
+    isDone = true;
+}
+
+- (void)_downloadDidCancel:(_WKDownload *)download
+{
+    isDone = true;
+}
+
+- (void)_download:(_WKDownload *)download decideDestinationWithSuggestedFilename:(NSString *)filename completionHandler:(void (^)(BOOL allowOverwrite, NSString *destination))completionHandler
+{
+    [download cancel];
+    TestWebKitAPI::Util::run(&isDone);
+    completionHandler(YES, @"/tmp/WebKitAPITest/_WKDownload");
+    downloadHasDecidedDestination = true;
+}
+@end
+
+TEST(_WKDownload, DownloadCanceledWhileDecidingDestination)
+{
+    [TestProtocol registerWithScheme:@"http"];
+
+    auto navigationDelegate = adoptNS([[DownloadNavigationDelegate alloc] init]);
+    auto downloadDelegate = adoptNS([[CancelDownloadWhileDecidingDestinationDelegate alloc] init]);
+
+    auto webView = adoptNS([[WKWebView alloc] initWithFrame:NSMakeRect(0, 0, 800, 600)]);
+    [webView setNavigationDelegate:navigationDelegate.get()];
+    [[[webView configuration] processPool] _setDownloadDelegate:downloadDelegate.get()];
+
+    isDone = false;
+    downloadHasDecidedDestination = false;
+    [webView loadRequest:[NSURLRequest requestWithURL:[NSURL URLWithString:@"http://pass"]]];
+
+    TestWebKitAPI::Util::run(&downloadHasDecidedDestination);
+
+    [TestProtocol unregister];
+}
+
 #endif
 #endif

trunk/Tools/TestWebKitAPI/cocoa/TestWKWebView.h

@@ -66 +66 @@
 - (void)synchronouslyLoadTestPageNamed:(NSString *)pageName;
 - (id)objectByEvaluatingJavaScript:(NSString *)script;
+- (id)objectByEvaluatingJavaScriptWithUserGesture:(NSString *)script;
 - (NSString *)stringByEvaluatingJavaScript:(NSString *)script;
 - (void)waitForMessage:(NSString *)message;

trunk/Tools/TestWebKitAPI/cocoa/TestWKWebView.mm

@@ -305 +305 @@
 }
 
+- (id)objectByEvaluatingJavaScriptWithUserGesture:(NSString *)script
+{
+    bool isWaitingForJavaScript = false;
+    RetainPtr<id> evalResult;
+    [self evaluateJavaScript:script completionHandler:[&] (id result, NSError *error) {
+        evalResult = result;
+        isWaitingForJavaScript = true;
+        EXPECT_TRUE(!error);
+        if (error)
+            NSLog(@"Encountered error: %@ while evaluating script: %@", error, script);
+    }];
+    TestWebKitAPI::Util::run(&isWaitingForJavaScript);
+    return evalResult.autorelease();
+}
+
 - (NSString *)stringByEvaluatingJavaScript:(NSString *)script
 {