Changeset 86945 in webkit


Ignore:
Timestamp:
May 20, 2011 6:24:29 AM (13 years ago)
Author:
Adam Roben
Message:

Don't try to process DownloadProxy messages twice (and robustify code that runs if we do)

Fixes <http://webkit.org/b/61142> <rdar://problem/9471680> REGRESSION (r86812): Crash
(preceded by assertion) in fastMalloc when downloading a file

Reviewed by Darin Adler.

Source/WebKit2:

  • Platform/CoreIPC/ArgumentDecoder.cpp:

(CoreIPC::alignedBufferIsLargeEnoughToContain): Added. This helper function checks that the
given buffer is large enough to hold |size| bytes (and correctly handles the case where
we're already at the end or beyond the end of the buffer).

(CoreIPC::ArgumentDecoder::alignBufferPosition):
(CoreIPC::ArgumentDecoder::bufferIsLargeEnoughToContain):
Replaced old code that was vulnerable to underflow with the new helper function.

  • UIProcess/WebProcessProxy.cpp:

(WebKit::WebProcessProxy::didReceiveSyncMessage): Added back an early return that was
mistakenly removed in r86812 so that we don't mistakenly pass DownloadProxy messages on to
a WebPageProxy after we've already handled them.

Tools:

Test that the WebKit2 UI process doesn't crash when starting a download

  • TestWebKitAPI/Tests/WebKit2/18-characters.html: Added.
  • TestWebKitAPI/Tests/WebKit2/DownloadDecideDestinationCrash.cpp: Added.

(TestWebKitAPI::decidePolicyForNavigationAction): Start a download.
(TestWebKitAPI::decideDestinationWithSuggestedFilename): Record that the download was
started, cancel the download, and return a bogus string.

(TestWebKitAPI::setContextDownloadClient):
(TestWebKitAPI::setPagePolicyClient):
Simple helper functions.

(TestWebKitAPI::TEST): Load 18-characters.html, which should trigger a download thanks to
our policy client, and run until we know that the download was started. If we haven't
crashed, we win!

  • TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
  • TestWebKitAPI/win/TestWebKitAPI.vcproj:
  • TestWebKitAPI/win/copy-resources.cmd:

Added new files.

Location:
trunk
Files:
2 added
7 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/WebKit2/ChangeLog

    r86924 r86945  
     12011-05-19  Adam Roben  <aroben@apple.com>
     2
     3        Don't try to process DownloadProxy messages twice (and robustify code that runs if we do)
     4
     5        Fixes <http://webkit.org/b/61142> <rdar://problem/9471680> REGRESSION (r86812): Crash
     6        (preceded by assertion) in fastMalloc when downloading a file
     7
     8        Reviewed by Darin Adler.
     9
     10        * Platform/CoreIPC/ArgumentDecoder.cpp:
     11        (CoreIPC::alignedBufferIsLargeEnoughToContain): Added. This helper function checks that the
     12        given buffer is large enough to hold |size| bytes (and correctly handles the case where
     13        we're already at the end or beyond the end of the buffer).
     14
     15        (CoreIPC::ArgumentDecoder::alignBufferPosition):
     16        (CoreIPC::ArgumentDecoder::bufferIsLargeEnoughToContain):
     17        Replaced old code that was vulnerable to underflow with the new helper function.
     18
     19        * UIProcess/WebProcessProxy.cpp:
     20        (WebKit::WebProcessProxy::didReceiveSyncMessage): Added back an early return that was
     21        mistakenly removed in r86812 so that we don't mistakenly pass DownloadProxy messages on to
     22        a WebPageProxy after we've already handled them.
     23
    1242011-05-19  Jer Noble  <jer.noble@apple.com>
    225

  • trunk/Source/WebKit2/Platform/CoreIPC/ArgumentDecoder.cpp

    r86574 r86945  
    8080}
    8181
     82static inline bool alignedBufferIsLargeEnoughToContain(const uint8_t* alignedPosition, const uint8_t* bufferEnd, size_t size)
     83{
     84    return bufferEnd >= alignedPosition && static_cast<size_t>(bufferEnd - alignedPosition) >= size;
     85}
     86
    8287bool ArgumentDecoder::alignBufferPosition(unsigned alignment, size_t size)
    8388{
    84     uint8_t* buffer = roundUpToAlignment(m_bufferPos, alignment);
    85     if (static_cast<size_t>(m_bufferEnd - buffer) < size) {
     89    uint8_t* alignedPosition = roundUpToAlignment(m_bufferPos, alignment);
     90    if (!alignedBufferIsLargeEnoughToContain(alignedPosition, m_bufferEnd, size)) {
    8691        // We've walked off the end of this buffer.
    8792        markInvalid();
     
    8994    }
    9095   
    91     m_bufferPos = buffer;
     96    m_bufferPos = alignedPosition;
    9297    return true;
    9398}
     
    95100bool ArgumentDecoder::bufferIsLargeEnoughToContain(unsigned alignment, size_t size) const
    96101{
    97     return static_cast<size_t>(m_bufferEnd - roundUpToAlignment(m_bufferPos, alignment)) >= size;
     102    return alignedBufferIsLargeEnoughToContain(roundUpToAlignment(m_bufferPos, alignment), m_bufferEnd, size);
    98103}
    99104

  • trunk/Source/WebKit2/UIProcess/WebProcessProxy.cpp

    r86895 r86945  
    271271        || messageID.is<CoreIPC::MessageClassDownloadProxy>() || messageID.is<CoreIPC::MessageClassWebIconDatabase>()) {
    272272        m_context->didReceiveSyncMessage(connection, messageID, arguments, reply);
     273        return;
    273274    }
    274275

  • trunk/Tools/ChangeLog

    r86930 r86945  
     12011-05-19  Adam Roben  <aroben@apple.com>
     2
     3        Test that the WebKit2 UI process doesn't crash when starting a download
     4
     5        Test for <http://webkit.org/b/61142> <rdar://problem/9471680> REGRESSION (r86812): Crash
     6        (preceded by assertion) in fastMalloc when downloading a file
     7
     8        Reviewed by Darin Adler.
     9
     10        * TestWebKitAPI/Tests/WebKit2/18-characters.html: Added.
     11
     12        * TestWebKitAPI/Tests/WebKit2/DownloadDecideDestinationCrash.cpp: Added.
     13        (TestWebKitAPI::decidePolicyForNavigationAction): Start a download.
     14        (TestWebKitAPI::decideDestinationWithSuggestedFilename): Record that the download was
     15        started, cancel the download, and return a bogus string.
     16
     17        (TestWebKitAPI::setContextDownloadClient):
     18        (TestWebKitAPI::setPagePolicyClient):
     19        Simple helper functions.
     20
     21        (TestWebKitAPI::TEST): Load 18-characters.html, which should trigger a download thanks to
     22        our policy client, and run until we know that the download was started. If we haven't
     23        crashed, we win!
     24
     25        * TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
     26        * TestWebKitAPI/win/TestWebKitAPI.vcproj:
     27        * TestWebKitAPI/win/copy-resources.cmd:
     28        Added new files.
     29
    1302011-05-20  Kent Tamura  <tkent@chromium.org>
    231

  • trunk/Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj

    r86624 r86945  
    5656                C02B77F2126612140026BF0F /* SpacebarScrolling.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C02B77F1126612140026BF0F /* SpacebarScrolling.cpp */; };
    5757                C02B7854126613AE0026BF0F /* Carbon.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = C02B7853126613AE0026BF0F /* Carbon.framework */; };
     58                C045F9451385C2EA00C0F3CD /* DownloadDecideDestinationCrash.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C045F9441385C2E900C0F3CD /* DownloadDecideDestinationCrash.cpp */; };
    5859                C0ADBE7C12FCA4D000D2C129 /* JavaScriptTest.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C0ADBE7A12FCA4D000D2C129 /* JavaScriptTest.cpp */; };
    5960                C0ADBE8312FCA6AA00D2C129 /* RestoreSessionStateContainingFormData.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C0ADBE8212FCA6AA00D2C129 /* RestoreSessionStateContainingFormData.cpp */; };
     
    164165                C02B7853126613AE0026BF0F /* Carbon.framework */ = {isa = PBXFileReference; explicitFileType = wrapper.framework; name = Carbon.framework; sourceTree = SDKROOT; };
    165166                C02B7882126615410026BF0F /* spacebar-scrolling.html */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.html; path = "spacebar-scrolling.html"; sourceTree = "<group>"; };
     167                C045F9441385C2E900C0F3CD /* DownloadDecideDestinationCrash.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = DownloadDecideDestinationCrash.cpp; sourceTree = "<group>"; };
     168                C045F9461385C2F800C0F3CD /* 18-characters.html */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.html; path = "18-characters.html"; sourceTree = "<group>"; };
    166169                C0ADBE7A12FCA4D000D2C129 /* JavaScriptTest.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JavaScriptTest.cpp; sourceTree = "<group>"; };
    167170                C0ADBE7B12FCA4D000D2C129 /* JavaScriptTest.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JavaScriptTest.h; sourceTree = "<group>"; };
     
    285288                                BCB6803F126FBFE100642A61 /* DocumentStartUserScriptAlertCrash.cpp */,
    286289                                BCB68041126FBFF100642A61 /* DocumentStartUserScriptAlertCrash_Bundle.cpp */,
     290                                C045F9441385C2E900C0F3CD /* DownloadDecideDestinationCrash.cpp */,
    287291                                1A5FEFDC1270E2A3000E2921 /* EvaluateJavaScript.cpp */,
    288292                                BCC8B95A12611F4700DE46A4 /* FailedLoad.cpp */,
     
    322326                        isa = PBXGroup;
    323327                        children = (
     328                                C045F9461385C2F800C0F3CD /* 18-characters.html */,
    324329                                BC2D004A12A9FEB300E732A3 /* file-with-anchor.html */,
    325330                                1A02C84B125D4A5E00E3F4BD /* find.html */,
     
    462467                                F6F3F29113342FEB00A6BF19 /* CookieManager.cpp in Sources */,
    463468                                33BE5AF5137B5A6C00705813 /* MouseMoveAfterCrash.cpp in Sources */,
     469                                C045F9451385C2EA00C0F3CD /* DownloadDecideDestinationCrash.cpp in Sources */,
    464470                        );
    465471                        runOnlyForDeploymentPostprocessing = 0;

  • trunk/Tools/TestWebKitAPI/win/TestWebKitAPI.vcproj

    r86354 r86945  
    413413                                >
    414414                                <File
     415                                        RelativePath="..\Tests\WebKit2\18-characters.html"
     416                                        >
     417                                </File>
     418                                <File
    415419                                        RelativePath="..\Tests\WebKit2\AboutBlankLoad.cpp"
    416420                                        >
     
    426430                                <File
    427431                                        RelativePath="..\Tests\WebKit2\DocumentStartUserScriptAlertCrash.cpp"
     432                                        >
     433                                </File>
     434                                <File
     435                                        RelativePath="..\Tests\WebKit2\DownloadDecideDestinationCrash.cpp"
    428436                                        >
    429437                                </File>

  • trunk/Tools/TestWebKitAPI/win/copy-resources.cmd

    r86354 r86945  
    99mkdir 2>NUL "%ResourcesDirectory%"
    1010for %%f in (
     11    ..\Tests\WebKit2\18-characters.html
    1112    ..\Tests\WebKit2\file-with-anchor.html
    1213    ..\Tests\WebKit2\find.html
Note: See TracChangeset for help on using the changeset viewer.