208029 2020-02-20 13:17:05 -0800 REGRESSION (r255533) Null Deref of _sessionWrapper under [WKNetworkSessionDelegate URLSession:task:didReceiveChallenge:completionHandler:] 2020-02-21 13:19:21 -0800 1 1 1 Unclassified WebKit WebKit2 WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 206984 1 cdumez cdumez achristensen beidson commit-queue david_quesada ggaren thorton webkit-bug-importer youennf oldest_to_newest 1621394 0 cdumez 2020-02-20 13:17:05 -0800 Null Derek of _sessionWrapper under [WKNetworkSessionDelegate URLSession:task:didReceiveChallenge:completionHandler:]: Thread[0] EXC_BAD_ACCESS (SIGSEGV) (KERN_INVALID_ADDRESS at 0x0000000000000030) [ 0] 0x00007fff465ce9a0 WebKit`-[WKNetworkSessionDelegate URLSession:task:didReceiveChallenge:completionHandler:] [inlined] WTF::HashMap<unsigned long long, WebKit::DownloadID, WTF::IntHash<unsigned long long>, WTF::HashTraits<unsigned long long>, WTF::HashTraits<WebKit::DownloadID> >::get(unsigned long long const&) const at HashMap.h:436:12 0x00007fff465ce98e: xorl %ebx, %ebx 0x00007fff465ce990: movq 0x651289(%rip), %rsi ; "" 0x00007fff465ce997: movq %r14, %rdi 0x00007fff465ce99a: callq *0x5f90d0(%rip) ; (void *)0x0000000000000000 -> 0x00007fff465ce9a0: movq 0x30(%rbx), %rdi 0x00007fff465ce9a4: movl 0x3c(%rbx), %esi 0x00007fff465ce9a7: movq %rax, %rdx 0x00007fff465ce9aa: callq 0x10f622 ; WTF::HashMap<unsigned long long, WebKit::DownloadID, WTF::IntHash<unsigned long long>, WTF::HashTraits<unsigned long long>, WTF::HashTraits<WebKit::DownloadID> >::get<WTF::IdentityHashTranslator<WTF::HashMap<unsigned long long, WebKit::DownloadID, WTF::IntHash<unsigned long long>, WTF::HashTraits<unsigned long long>, WTF::HashTraits<WebKit::DownloadID> >::KeyValuePairTraits, WTF::IntHash<unsigned long long> >, unsigned long long> at HashMap.h:320 0x00007fff465ce9af: testq %rax, %rax [ 0] 0x00007fff465ce9a0 WebKit`-[WKNetworkSessionDelegate URLSession:task:didReceiveChallenge:completionHandler:] + 109 at NetworkSessionCocoa.mm:617 613 auto* networkDataTask = [self existingTask:task]; 614 auto* sessionCocoa = networkDataTask ? static_cast<NetworkSessionCocoa*>(networkDataTask->networkSession()) : nullptr; 615 if (!networkDataTask) { 616 ASSERT(!sessionCocoa); -> 617 auto downloadID = _sessionWrapper->downloadMap.get(task.taskIdentifier); 618 auto download = downloadID.downloadID() ? _session->networkProcess().downloadManager().download(downloadID) : nil; 619 sessionCocoa = download ? static_cast<NetworkSessionCocoa*>(_session->networkProcess().networkSession(download->sessionID())) : nil; 620 } 621 if (!sessionCocoa || [task state] == NSURLSessionTaskStateCanceling) { [ 1] 0x00007fff339ce5c4 CFNetwork`__68-[NSURLSession delegate_task:didReceiveChallenge:completionHandler:]_block_invoke + 138 at Session.mm:598:3 594 { 595 id<NSURLSessionTaskDelegate> d = (id<NSURLSessionTaskDelegate>) _delegate_ivar; 596 [self addDelegateBlock:^{ 597 [task._metrics delegateBegin:@selector(URLSession:task:didReceiveChallenge:completionHandler:)]; -> 598 [d URLSession:self task:task didReceiveChallenge:challenge completionHandler:^(NSURLSessionAuthChallengeDisposition disposition, NSURLCredential *credential) { 599 [task._metrics delegateEnd:@selector(URLSession:task:didReceiveChallenge:completionHandler:)]; 600 completionHandler(disposition, credential); 601 }]; 602 }]; [ 2] 0x00007fff3787cc54 Foundation`__NSBLOCKOPERATION_IS_CALLING_OUT_TO_A_BLOCK__ + 6 at NSOperation.m:1541:5 1537 } 1538 1539 static void __NSBLOCKOPERATION_IS_CALLING_OUT_TO_A_BLOCK__(void (^block)(void)) __attribute__((noinline)); 1540 static void __NSBLOCKOPERATION_IS_CALLING_OUT_TO_A_BLOCK__(void (^block)(void)) { -> 1541 block(); 1542 __asm __volatile__(""); // thwart tail-call optimization 1543 } 1544 1545 - (void)main { 1621395 1 cdumez 2020-02-20 13:17:21 -0800 <rdar://problem/59404381> 1621399 2 391329 cdumez 2020-02-20 13:19:49 -0800 Created attachment 391329 Patch 1621403 3 391329 david_quesada 2020-02-20 13:36:48 -0800 Comment on attachment 391329 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=391329&action=review Makes sense to me. (But I'm not a reviewer) Thanks for fixing this! > Source/WebKit/ChangeLog:3 > + REGRESSION (r255533) Null Derek of _sessionWrapper under [WKNetworkSessionDelegate URLSession:task:didReceiveChallenge:completionHandler:] "Null Derek" should be "Null deref" > Source/WebKit/ChangeLog:9 > + r255533 started deferencing _sessionWrapper without null check in didReceiveChallenge. All other delegates in this file null check "deferencing" should be "dereferencing" 1621404 4 391330 cdumez 2020-02-20 13:38:48 -0800 Created attachment 391330 Patch 1621766 5 391330 cdumez 2020-02-21 13:19:18 -0800 Comment on attachment 391330 Patch Clearing flags on attachment: 391330 Committed r257158: <https://trac.webkit.org/changeset/257158> 1621767 6 cdumez 2020-02-21 13:19:21 -0800 All reviewed patches have been landed. Closing bug. 391329 2020-02-20 13:19:49 -0800 2020-02-20 13:38:46 -0800 Patch bug-208029-20200220131948.patch text/plain 2055 cdumez U3VidmVyc2lvbiBSZXZpc2lvbjogMjU3MDYyCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViS2l0L0No YW5nZUxvZyBiL1NvdXJjZS9XZWJLaXQvQ2hhbmdlTG9nCmluZGV4IDc5NjdjMGNiMTQ4NzRjZjAw NTk3ZGUyMDczZWViNDQ4YTY0MDkxZjQuLmE1MmJlMjQ1MThmMTg1YTM2ZGM4N2RiZmI5Mjc0NWYw NGNlNTIzZTggMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJLaXQvQ2hhbmdlTG9nCisrKyBiL1NvdXJj ZS9XZWJLaXQvQ2hhbmdlTG9nCkBAIC0xLDMgKzEsMTcgQEAKKzIwMjAtMDItMjAgIENocmlzIER1 bWV6ICA8Y2R1bWV6QGFwcGxlLmNvbT4KKworICAgICAgICBSRUdSRVNTSU9OIChyMjU1NTMzKSBO dWxsIERlcmVrIG9mIF9zZXNzaW9uV3JhcHBlciB1bmRlciBbV0tOZXR3b3JrU2Vzc2lvbkRlbGVn YXRlIFVSTFNlc3Npb246dGFzazpkaWRSZWNlaXZlQ2hhbGxlbmdlOmNvbXBsZXRpb25IYW5kbGVy Ol0KKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTIwODAy OQorICAgICAgICA8cmRhcjovL3Byb2JsZW0vNTk0MDQzODE+CisKKyAgICAgICAgUmV2aWV3ZWQg YnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgcjI1NTUzMyBzdGFydGVkIGRlZmVyZW5jaW5n IF9zZXNzaW9uV3JhcHBlciB3aXRob3V0IG51bGwgY2hlY2sgaW4gZGlkUmVjZWl2ZUNoYWxsZW5n ZS4gQWxsIG90aGVyIGRlbGVnYXRlcyBpbiB0aGlzIGZpbGUgbnVsbCBjaGVjaworICAgICAgICBf c2Vzc2lvbldyYXBwZXIgYmVmb3JlIHVzaW5nIGl0IGJlY2F1c2UgaXQgaXMgYSB3ZWFrIHBvaW50 ZXIuIEFkZCBhIG51bGwgY2hlY2sgdG8gYXZvaWQgY3Jhc2hpbmcuCisKKyAgICAgICAgKiBOZXR3 b3JrUHJvY2Vzcy9jb2NvYS9OZXR3b3JrU2Vzc2lvbkNvY29hLm1tOgorICAgICAgICAoLVtXS05l dHdvcmtTZXNzaW9uRGVsZWdhdGUgc2Vzc2lvbkZyb21UYXNrOl0pOgorCiAyMDIwLTAyLTIwICBD aHJpcyBEdW1leiAgPGNkdW1lekBhcHBsZS5jb20+CiAKICAgICAgICAgUkVHUkVTU0lPTiAocjI1 NTY3Nyk6IFJlbG9hZGluZyB0YWIgd2l0aCBiZWZvcmV1bmxvYWQgcHJvbXB0IGNsb3NlcyB0YWIg d2hlbiBhc2tpbmcgdG8gc3RheSBvbiBwYWdlCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViS2l0L05l dHdvcmtQcm9jZXNzL2NvY29hL05ldHdvcmtTZXNzaW9uQ29jb2EubW0gYi9Tb3VyY2UvV2ViS2l0 L05ldHdvcmtQcm9jZXNzL2NvY29hL05ldHdvcmtTZXNzaW9uQ29jb2EubW0KaW5kZXggZGU1OWRj NmE0MTgxODlkMjAwZmIzOTMwNTg3NjBmZWZkY2IxMjA0ZS4uNmViNDllNTkyMTc3MDM4MDFjMDgx ZTgyZmRmODVkODk3ZDM0NzNhMyAxMDA2NDQKLS0tIGEvU291cmNlL1dlYktpdC9OZXR3b3JrUHJv Y2Vzcy9jb2NvYS9OZXR3b3JrU2Vzc2lvbkNvY29hLm1tCisrKyBiL1NvdXJjZS9XZWJLaXQvTmV0 d29ya1Byb2Nlc3MvY29jb2EvTmV0d29ya1Nlc3Npb25Db2NvYS5tbQpAQCAtNjEzLDYgKzYxMyw5 IEBAIC0gKE5ldHdvcmtTZXNzaW9uQ29jb2EqKXNlc3Npb25Gcm9tVGFzazooTlNVUkxTZXNzaW9u VGFzayAqKXRhc2sgewogICAgIGlmIChhdXRvKiBuZXR3b3JrRGF0YVRhc2sgPSBbc2VsZiBleGlz dGluZ1Rhc2s6dGFza10pCiAgICAgICAgIHJldHVybiBzdGF0aWNfY2FzdDxOZXR3b3JrU2Vzc2lv bkNvY29hKj4obmV0d29ya0RhdGFUYXNrLT5uZXR3b3JrU2Vzc2lvbigpKTsKIAorICAgIGlmICgh X3Nlc3Npb25XcmFwcGVyKQorICAgICAgICByZXR1cm4gbnVsbHB0cjsKKwogICAgIGlmIChhdXRv IGRvd25sb2FkSUQgPSBfc2Vzc2lvbldyYXBwZXItPmRvd25sb2FkTWFwLmdldCh0YXNrLnRhc2tJ ZGVudGlmaWVyKSkgewogICAgICAgICBpZiAoYXV0byBkb3dubG9hZCA9IF9zZXNzaW9uLT5uZXR3 b3JrUHJvY2VzcygpLmRvd25sb2FkTWFuYWdlcigpLmRvd25sb2FkKGRvd25sb2FkSUQpKQogICAg ICAgICAgICAgcmV0dXJuIHN0YXRpY19jYXN0PE5ldHdvcmtTZXNzaW9uQ29jb2EqPihfc2Vzc2lv bi0+bmV0d29ya1Byb2Nlc3MoKS5uZXR3b3JrU2Vzc2lvbihkb3dubG9hZC0+c2Vzc2lvbklEKCkp KTsK 391330 2020-02-20 13:38:48 -0800 2020-02-21 13:19:18 -0800 Patch bug-208029-20200220133847.patch text/plain 2057 cdumez U3VidmVyc2lvbiBSZXZpc2lvbjogMjU3MDYyCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViS2l0L0No YW5nZUxvZyBiL1NvdXJjZS9XZWJLaXQvQ2hhbmdlTG9nCmluZGV4IDc5NjdjMGNiMTQ4NzRjZjAw NTk3ZGUyMDczZWViNDQ4YTY0MDkxZjQuLjcxMmE0Mjk0YzM1NGQ4NWI1ZWRiZTUzYTAwY2UwYmI3 NGU5NzQ0ZWEgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJLaXQvQ2hhbmdlTG9nCisrKyBiL1NvdXJj ZS9XZWJLaXQvQ2hhbmdlTG9nCkBAIC0xLDMgKzEsMTcgQEAKKzIwMjAtMDItMjAgIENocmlzIER1 bWV6ICA8Y2R1bWV6QGFwcGxlLmNvbT4KKworICAgICAgICBSRUdSRVNTSU9OIChyMjU1NTMzKSBO dWxsIERlcmVmIG9mIF9zZXNzaW9uV3JhcHBlciB1bmRlciBbV0tOZXR3b3JrU2Vzc2lvbkRlbGVn YXRlIFVSTFNlc3Npb246dGFzazpkaWRSZWNlaXZlQ2hhbGxlbmdlOmNvbXBsZXRpb25IYW5kbGVy Ol0KKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTIwODAy OQorICAgICAgICA8cmRhcjovL3Byb2JsZW0vNTk0MDQzODE+CisKKyAgICAgICAgUmV2aWV3ZWQg YnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgcjI1NTUzMyBzdGFydGVkIGRlcmVmZXJlbmNp bmcgX3Nlc3Npb25XcmFwcGVyIHdpdGhvdXQgbnVsbCBjaGVjayBpbiBkaWRSZWNlaXZlQ2hhbGxl bmdlLiBBbGwgb3RoZXIgZGVsZWdhdGVzIGluIHRoaXMgZmlsZSBudWxsIGNoZWNrCisgICAgICAg IF9zZXNzaW9uV3JhcHBlciBiZWZvcmUgdXNpbmcgaXQgYmVjYXVzZSBpdCBpcyBhIHdlYWsgcG9p bnRlci4gQWRkIGEgbnVsbCBjaGVjayB0byBhdm9pZCBjcmFzaGluZy4KKworICAgICAgICAqIE5l dHdvcmtQcm9jZXNzL2NvY29hL05ldHdvcmtTZXNzaW9uQ29jb2EubW06CisgICAgICAgICgtW1dL TmV0d29ya1Nlc3Npb25EZWxlZ2F0ZSBzZXNzaW9uRnJvbVRhc2s6XSk6CisKIDIwMjAtMDItMjAg IENocmlzIER1bWV6ICA8Y2R1bWV6QGFwcGxlLmNvbT4KIAogICAgICAgICBSRUdSRVNTSU9OIChy MjU1Njc3KTogUmVsb2FkaW5nIHRhYiB3aXRoIGJlZm9yZXVubG9hZCBwcm9tcHQgY2xvc2VzIHRh YiB3aGVuIGFza2luZyB0byBzdGF5IG9uIHBhZ2UKZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJLaXQv TmV0d29ya1Byb2Nlc3MvY29jb2EvTmV0d29ya1Nlc3Npb25Db2NvYS5tbSBiL1NvdXJjZS9XZWJL aXQvTmV0d29ya1Byb2Nlc3MvY29jb2EvTmV0d29ya1Nlc3Npb25Db2NvYS5tbQppbmRleCBkZTU5 ZGM2YTQxODE4OWQyMDBmYjM5MzA1ODc2MGZlZmRjYjEyMDRlLi42ZWI0OWU1OTIxNzcwMzgwMWMw ODFlODJmZGY4NWQ4OTdkMzQ3M2EzIDEwMDY0NAotLS0gYS9Tb3VyY2UvV2ViS2l0L05ldHdvcmtQ cm9jZXNzL2NvY29hL05ldHdvcmtTZXNzaW9uQ29jb2EubW0KKysrIGIvU291cmNlL1dlYktpdC9O ZXR3b3JrUHJvY2Vzcy9jb2NvYS9OZXR3b3JrU2Vzc2lvbkNvY29hLm1tCkBAIC02MTMsNiArNjEz LDkgQEAgLSAoTmV0d29ya1Nlc3Npb25Db2NvYSopc2Vzc2lvbkZyb21UYXNrOihOU1VSTFNlc3Np b25UYXNrICopdGFzayB7CiAgICAgaWYgKGF1dG8qIG5ldHdvcmtEYXRhVGFzayA9IFtzZWxmIGV4 aXN0aW5nVGFzazp0YXNrXSkKICAgICAgICAgcmV0dXJuIHN0YXRpY19jYXN0PE5ldHdvcmtTZXNz aW9uQ29jb2EqPihuZXR3b3JrRGF0YVRhc2stPm5ldHdvcmtTZXNzaW9uKCkpOwogCisgICAgaWYg KCFfc2Vzc2lvbldyYXBwZXIpCisgICAgICAgIHJldHVybiBudWxscHRyOworCiAgICAgaWYgKGF1 dG8gZG93bmxvYWRJRCA9IF9zZXNzaW9uV3JhcHBlci0+ZG93bmxvYWRNYXAuZ2V0KHRhc2sudGFz a0lkZW50aWZpZXIpKSB7CiAgICAgICAgIGlmIChhdXRvIGRvd25sb2FkID0gX3Nlc3Npb24tPm5l dHdvcmtQcm9jZXNzKCkuZG93bmxvYWRNYW5hZ2VyKCkuZG93bmxvYWQoZG93bmxvYWRJRCkpCiAg ICAgICAgICAgICByZXR1cm4gc3RhdGljX2Nhc3Q8TmV0d29ya1Nlc3Npb25Db2NvYSo+KF9zZXNz aW9uLT5uZXR3b3JrUHJvY2VzcygpLm5ldHdvcmtTZXNzaW9uKGRvd25sb2FkLT5zZXNzaW9uSUQo KSkpOwo=