Changeset 239167 in webkit

Timestamp:

Dec 13, 2018 8:59:15 AM (5 years ago)

Author:

youenn@apple.com

Message:

On page close, WebPage::m_userMediaPermissionRequestManager is nullified too early
​https://bugs.webkit.org/show_bug.cgi?id=192657

Reviewed by Eric Carlson.

Source/WebKit:

Instead of nullifying the manager, make it a UniqueRef and clear it on closing the page.
This ensures we revoke the sandbox extensions as early as possible and keep the manager lifetime simple.

• WebProcess/MediaStream/UserMediaPermissionRequestManager.cpp:

(WebKit::UserMediaPermissionRequestManager::~UserMediaPermissionRequestManager):
(WebKit::UserMediaPermissionRequestManager::clear):

• WebProcess/MediaStream/UserMediaPermissionRequestManager.h:
• WebProcess/WebPage/WebPage.cpp:

(WebKit::WebPage::close):

• WebProcess/WebPage/WebPage.h:

(WebKit::WebPage::userMediaPermissionRequestManager):

Tools:

Add a test that loads a page registering ondevicechange,
load another page in the same process, closes the first page.
Ensure that the process does not crash in that case.

• TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
• TestWebKitAPI/Tests/WebKit/UserMedia.cpp:

(TestWebKitAPI::TEST):
(TestWebKitAPI::didCrashCallback):

• TestWebKitAPI/Tests/WebKit/ondevicechange.html: Added.

Location:

trunk

Files:

• Source/WebKit/ChangeLog (modified) (1 diff)
• Source/WebKit/WebProcess/MediaStream/UserMediaPermissionRequestManager.cpp (modified) (1 diff)
• Source/WebKit/WebProcess/MediaStream/UserMediaPermissionRequestManager.h (modified) (1 diff)
• Source/WebKit/WebProcess/WebPage/WebPage.cpp (modified) (2 diffs)
• Source/WebKit/WebProcess/WebPage/WebPage.h (modified) (2 diffs)
• Tools/ChangeLog (modified) (1 diff)
• Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj (modified) (7 diffs)
• Tools/TestWebKitAPI/Tests/WebKit/UserMedia.cpp (modified) (2 diffs)
• Tools/TestWebKitAPI/Tests/WebKit/ondevicechange.html (added)

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2018-12-13  Youenn Fablet  <youenn@apple.com>
+
+        On page close, WebPage::m_userMediaPermissionRequestManager is nullified too early
+        https://bugs.webkit.org/show_bug.cgi?id=192657
+
+        Reviewed by Eric Carlson.
+
+        Instead of nullifying the manager, make it a UniqueRef and clear it on closing the page.
+        This ensures we revoke the sandbox extensions as early as possible and keep the manager lifetime simple.
+
+        * WebProcess/MediaStream/UserMediaPermissionRequestManager.cpp:
+        (WebKit::UserMediaPermissionRequestManager::~UserMediaPermissionRequestManager):
+        (WebKit::UserMediaPermissionRequestManager::clear):
+        * WebProcess/MediaStream/UserMediaPermissionRequestManager.h:
+        * WebProcess/WebPage/WebPage.cpp:
+        (WebKit::WebPage::close):
+        * WebProcess/WebPage/WebPage.h:
+        (WebKit::WebPage::userMediaPermissionRequestManager):
+
 2018-12-13  Chris Fleizach  <cfleizach@apple.com>
 

trunk/Source/WebKit/WebProcess/MediaStream/UserMediaPermissionRequestManager.cpp

@@ -54 +54 @@
 UserMediaPermissionRequestManager::~UserMediaPermissionRequestManager()
 {
+    clear();
+}
+
+void UserMediaPermissionRequestManager::clear()
+{
     for (auto& sandboxExtension : m_userMediaDeviceSandboxExtensions)
         sandboxExtension.value->revoke();

trunk/Source/WebKit/WebProcess/MediaStream/UserMediaPermissionRequestManager.h

@@ -58 +58 @@
 
     void captureDevicesChanged();
+    void clear();
 
 private:

trunk/Source/WebKit/WebProcess/WebPage/WebPage.cpp

@@ -380 +380 @@
 #endif
 #if ENABLE(MEDIA_STREAM)
-    , m_userMediaPermissionRequestManager { std::make_unique<UserMediaPermissionRequestManager>(*this) }
+    , m_userMediaPermissionRequestManager { makeUniqueRef<UserMediaPermissionRequestManager>(*this) }
 #endif
     , m_pageScrolledHysteresis([this](PAL::HysteresisState state) { if (state == PAL::HysteresisState::Stopped) pageStoppedScrolling(); }, pageScrollHysteresisDuration)
@@ -1222 +1222 @@
 
 #if ENABLE(MEDIA_STREAM)
-    m_userMediaPermissionRequestManager = nullptr;
+    m_userMediaPermissionRequestManager->clear();
 #endif
 

trunk/Source/WebKit/WebProcess/WebPage/WebPage.h

@@ -577 +577 @@
 
 #if ENABLE(MEDIA_STREAM)
-    UserMediaPermissionRequestManager& userMediaPermissionRequestManager() { return *m_userMediaPermissionRequestManager; }
+    UserMediaPermissionRequestManager& userMediaPermissionRequestManager() { return m_userMediaPermissionRequestManager; }
     void prepareToSendUserMediaPermissionRequest();
     void captureDevicesChanged();
@@ -1627 +1627 @@
 
 #if ENABLE(MEDIA_STREAM)
-    std::unique_ptr<UserMediaPermissionRequestManager> m_userMediaPermissionRequestManager;
+    UniqueRef<UserMediaPermissionRequestManager> m_userMediaPermissionRequestManager;
 #endif
 

trunk/Tools/ChangeLog

@@ +1 @@
+2018-12-13  Youenn Fablet  <youenn@apple.com>
+
+        On page close, WebPage::m_userMediaPermissionRequestManager is nullified too early
+        https://bugs.webkit.org/show_bug.cgi?id=192657
+
+        Reviewed by Eric Carlson.
+
+        Add a test that loads a page registering ondevicechange,
+        load another page in the same process, closes the first page.
+        Ensure that the process does not crash in that case.
+
+        * TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
+        * TestWebKitAPI/Tests/WebKit/UserMedia.cpp:
+        (TestWebKitAPI::TEST):
+        (TestWebKitAPI::didCrashCallback):
+        * TestWebKitAPI/Tests/WebKit/ondevicechange.html: Added.
+
 2018-12-13  Carlos Eduardo Ramalho  <cadubentzen@gmail.com>
 

trunk/Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj

@@ -27 +27 @@
                 07492B3C1DF8B86600633DE1 /* enumerateMediaDevices.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = 07492B391DF8ADA400633DE1 /* enumerateMediaDevices.html */; };
                 074994421EA5034B000DA44E /* getUserMedia.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = 4A410F4D19AF7BEF002EBAB5 /* getUserMedia.html */; };
+                074994421EA5034B000DA44F /* ondevicechange.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = 4A410F4D19AF7BEF002EBAB6 /* ondevicechange.html */; };
                 076E507F1F4513D6006E9F5A /* Logging.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 076E507E1F45031E006E9F5A /* Logging.cpp */; };
                 0799C3491EBA2D7B003B7532 /* UserMediaDisabled.mm in Sources */ = {isa = PBXBuildFile; fileRef = 07EDEFAC1EB9400C00D43292 /* UserMediaDisabled.mm */; };
@@ -1179 +1180 @@
                                 CDB5DFFF213610FA00D3E189 /* now-playing.html in Copy Resources */,
                                 93E2D2761ED7D53200FA76F6 /* offscreen-iframe-of-media-document.html in Copy Resources */,
+                                074994421EA5034B000DA44F /* ondevicechange.html in Copy Resources */,
                                 CEA6CF2819CCF69D0064F5A7 /* open-and-close-window.html in Copy Resources */,
                                 7CCB99231D3B4A46003922F6 /* open-multiple-external-url.html in Copy Resources */,
@@ -1510 +1512 @@
                 4A410F4B19AF7BD6002EBAB5 /* UserMedia.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = UserMedia.cpp; sourceTree = "<group>"; };
                 4A410F4D19AF7BEF002EBAB5 /* getUserMedia.html */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.html; path = getUserMedia.html; sourceTree = "<group>"; };
+                4A410F4D19AF7BEF002EBAB6 /* ondevicechange.html */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.html; path = ondevicechange.html; sourceTree = "<group>"; };
                 4BB4160116815B2600824238 /* JSWrapperForNodeInWebFrame.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = JSWrapperForNodeInWebFrame.mm; sourceTree = "<group>"; };
                 4BB4160316815F9100824238 /* ElementAtPointInWebFrame.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = ElementAtPointInWebFrame.mm; sourceTree = "<group>"; };
@@ -3266 +3269 @@
                                 5797FE321EB15A8900B2F4A0 /* navigation-client-default-crypto.html */,
                                 C99B675E1E39735C00FC6C80 /* no-autoplay-with-controls.html */,
+                                4A410F4D19AF7BEF002EBAB6 /* ondevicechange.html */,
                                 CEA6CF2719CCF69D0064F5A7 /* open-and-close-window.html */,
                                 83148B08202AC76800BADE99 /* override-builtins-test.html */,
@@ -3922 +3926 @@
                                 7CCE7EBE1A411A7E00447C4C /* DynamicDeviceScaleFactor.mm in Sources */,
                                 5C0BF8921DD599B600B00328 /* EarlyKVOCrash.mm in Sources */,
-                                52D5D6C021B9F1B30046ABA6 /* RenderingProgress.mm in Sources */,
                                 F44D064A1F3962F2001A0E29 /* EditingTestHarness.mm in Sources */,
                                 7CCE7EE01A411A9A00447C4C /* EditorCommands.mm in Sources */,
@@ -4100 +4103 @@
                                 7CCE7ECA1A411A7E00447C4C /* RenderedImageFromDOMRange.mm in Sources */,
                                 A12DDBFB1E836F0700CF6CAE /* RenderedImageWithOptions.mm in Sources */,
+                                52D5D6C021B9F1B30046ABA6 /* RenderingProgress.mm in Sources */,
                                 F464AF9220BB66EA007F9B18 /* RenderingProgressTests.mm in Sources */,
                                 7C83E0C41D0A654200FEBCF3 /* RequiresUserActionForPlayback.mm in Sources */,
@@ -4292 +4296 @@
                                 79C5D431209D768300F1E7CA /* InjectedBundleNodeHandleIsTextField.mm in Sources */,
                                 F44C7A0020F9EEBF0014478C /* ParserYieldTokenPlugIn.mm in Sources */,
-                                5245178721B9F57B0082CB34 /* RenderingProgressPlugIn.mm in Sources */,
                                 A13EBBAB1B87434600097110 /* PlatformUtilitiesCocoa.mm in Sources */,
                                 1A4F81CF1BDFFD53004E672E /* RemoteObjectRegistryPlugIn.mm in Sources */,
                                 A12DDC021E837C2400CF6CAE /* RenderedImageWithOptionsPlugIn.mm in Sources */,
+                                5245178721B9F57B0082CB34 /* RenderingProgressPlugIn.mm in Sources */,
                                 7C882E091C80C630006BF731 /* UserContentWorldPlugIn.mm in Sources */,
                                 7C83E03D1D0A60D600FEBCF3 /* UtilitiesCocoa.mm in Sources */,

trunk/Tools/TestWebKitAPI/Tests/WebKit/UserMedia.cpp

@@ -36 +36 @@
 namespace TestWebKitAPI {
 
+static bool didCrash;
 static bool wasPrompted;
 
@@ -96 +97 @@
 }
 
+static void didCrashCallback(WKPageRef, const void*)
+{
+    didCrash = true;
+    // Set wasPrompted to true to speed things up, we know the test failed.
+    wasPrompted = true;
+}
+
+TEST(WebKit, OnDeviceChangeCrash)
+{
+    auto context = adoptWK(WKContextCreate());
+
+    WKRetainPtr<WKPageGroupRef> pageGroup(AdoptWK, WKPageGroupCreateWithIdentifier(Util::toWK("GetUserMedia").get()));
+    WKPreferencesRef preferences = WKPageGroupGetPreferences(pageGroup.get());
+    WKPreferencesSetMediaDevicesEnabled(preferences, true);
+    WKPreferencesSetFileAccessFromFileURLsAllowed(preferences, true);
+    WKPreferencesSetMediaCaptureRequiresSecureConnection(preferences, false);
+    WKPreferencesSetMockCaptureDevicesEnabled(preferences, true);
+
+    WKPageUIClientV6 uiClient;
+    memset(&uiClient, 0, sizeof(uiClient));
+    uiClient.base.version = 6;
+    uiClient.decidePolicyForUserMediaPermissionRequest = decidePolicyForUserMediaPermissionRequestCallBack;
+    uiClient.checkUserMediaPermissionForOrigin = checkUserMediaPermissionCallback;
+
+    PlatformWebView webView(context.get(), pageGroup.get());
+    WKPageSetPageUIClient(webView.page(), &uiClient.base);
+
+    // Load a page registering ondevicechange handler.
+    auto url = adoptWK(Util::createURLForResource("ondevicechange", "html"));
+    ASSERT(url.get());
+
+    WKPageLoadURL(webView.page(), url.get());
+
+    // Load a second page in same process.
+    PlatformWebView webView2(context.get(), pageGroup.get());
+    WKPageSetPageUIClient(webView2.page(), &uiClient.base);
+    WKPageLoaderClientV0 loaderClient;
+    memset(&loaderClient, 0, sizeof(loaderClient));
+    loaderClient.base.version = 0;
+    loaderClient.processDidCrash = didCrashCallback;
+    WKPageSetPageLoaderClient(webView2.page(), &loaderClient.base);
+
+    wasPrompted = false;
+    url = adoptWK(Util::createURLForResource("getUserMedia", "html"));
+    WKPageLoadURL(webView2.page(), url.get());
+    Util::run(&wasPrompted);
+    EXPECT_EQ(WKPageGetProcessIdentifier(webView.page()), WKPageGetProcessIdentifier(webView2.page()));
+
+    didCrash = false;
+
+    // Close first page.
+    WKPageClose(webView.page());
+
+    wasPrompted = false;
+    url = adoptWK(Util::createURLForResource("getUserMedia", "html"));
+    WKPageLoadURL(webView2.page(), url.get());
+    Util::run(&wasPrompted);
+    // Verify pages process did not crash.
+    EXPECT_TRUE(!didCrash);
+}
+
 } // namespace TestWebKitAPI