WKURLSchemeHandler crashes when sent errors

Originator: robnapier
Number: rdar://42974387
Date Originated: 2018-08-06
Status:
Resolved:
Product:
Product Version: iOS 12
Classification:
Reproducible:

Area:
WebKit

Summary:

Calling urlSchemeTask.didFailWithError() before any data has been sent to the task crashes.

See example Playground attachment.

Expected Results:

The WKWebView should receive an error for the load.

Actual Results:

Crash at urlSchemeTask.didFailWithError(error):

error: Execution was interrupted, reason: EXC_BAD_INSTRUCTION (code=EXC_I386_INVOP, subcode=0x0).
The process has been left at the point where it was interrupted, use "thread return -x" to return to the state before expression evaluation.

* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_INSTRUCTION (code=EXC_I386_INVOP, subcode=0x0)
  * frame #0: 0x00000001223e5431 libswiftCore.dylib`function signature specialization <Arg[2] = Dead, Arg[3] = Dead> of Swift._fatalErrorMessage(_: Swift.StaticString, _: Swift.StaticString, file: Swift.StaticString, line: Swift.UInt, flags: Swift.UInt32) -> Swift.Never + 113
    frame #1: 0x000000012221ad63 libswiftCore.dylib`Swift._fatalErrorMessage(_: Swift.StaticString, _: Swift.StaticString, file: Swift.StaticString, line: Swift.UInt, flags: Swift.UInt32) -> Swift.Never + 19
    frame #2: 0x000000012679acfe $__lldb_expr18`main at Untitled Page.xcplaygroundpage:49
    frame #3: 0x000000010c89a600 MyPlayground`linkResources + 304
    frame #4: 0x000000010e03b76c CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_BLOCK__ + 12
    frame #5: 0x000000010e03af20 CoreFoundation`__CFRunLoopDoBlocks + 336
    frame #6: 0x000000010e035784 CoreFoundation`__CFRunLoopRun + 1284
    frame #7: 0x000000010e034f41 CoreFoundation`CFRunLoopRunSpecific + 625
    frame #8: 0x000000011560e1b5 GraphicsServices`GSEventRunModal + 62
    frame #9: 0x0000000111d23df4 UIKitCore`UIApplicationMain + 140
    frame #10: 0x000000010c89a6cd MyPlayground`main + 205
    frame #11: 0x000000010fa4b9ed libdyld.dylib`start + 1

Version/Build:

iOS 12, Xcode 10b5

Notes:

Crash appears to be due to WebURLSchemeTask::didComplete, specifically this line (https://github.com/WebKit/webkit/blob/master/Source/WebKit/UIProcess/WebURLSchemeTask.cpp#L136):

m_syncCompletionHandler(m_syncResponse, error, IPC::DataReference { (const uint8_t*)m_syncData->data(), m_syncData->size() });

If didReceiveData has not been called yet, m_syncData is still nullptr, and dereferencing it here crashes.

didComplete explicitly permits completing a task on which no response has been sent, as long as there is an error (note that the docs for Cocoa's didReceiveResponse are misleading about this; however, sending a response does not address the issue either, since the crash depends on data having been sent):

    if (!m_responseSent && error.isNull())
        return ExceptionType::NoResponseSent;
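
The sequence described above, written out as a minimal WKURLSchemeHandler. This is an added illustration, not the Playground attachment from the report: the handler class name, the custom scheme "repro", the NSError used, and the optional empty-data workaround are all assumptions made here. The workaround is inferred from the WebKit line quoted above (hand the task a zero-length chunk so m_syncData is non-null before failing it) and is not something the report verifies.

```swift
import WebKit

// Added example, not the report's attachment. Reproduces the reported
// sequence: a WKURLSchemeHandler that fails the task without ever having
// called didReceive(_ data:).
final class FailingSchemeHandler: NSObject, WKURLSchemeHandler {
    // Assumption: sending an empty chunk first avoids the nullptr m_syncData
    // dereference in WebURLSchemeTask::didComplete. Inferred from the quoted
    // WebKit source; not verified by the report.
    let sendEmptyDataFirst: Bool

    init(sendEmptyDataFirst: Bool) {
        self.sendEmptyDataFirst = sendEmptyDataFirst
    }

    func webView(_ webView: WKWebView, start urlSchemeTask: WKURLSchemeTask) {
        // Arbitrary load failure to hand back to WebKit (constructed for the example).
        let error = NSError(domain: NSURLErrorDomain,
                            code: NSURLErrorResourceUnavailable,
                            userInfo: [NSLocalizedDescriptionKey: "resource unavailable"])

        if sendEmptyDataFirst {
            // didComplete allows "no response sent" when an error is present,
            // but the IPC::DataReference is built from m_syncData regardless,
            // so give the task a response and a zero-length chunk first.
            let response = URLResponse(url: urlSchemeTask.request.url!,
                                       mimeType: "text/plain",
                                       expectedContentLength: 0,
                                       textEncodingName: nil)
            urlSchemeTask.didReceive(response)
            urlSchemeTask.didReceive(Data())
        }

        // Reported crash point when no didReceive(_ data:) call preceded it.
        urlSchemeTask.didFailWithError(error)
    }

    func webView(_ webView: WKWebView, stop urlSchemeTask: WKURLSchemeTask) {
        // Nothing to cancel: the task was completed synchronously in start.
    }
}

// Register the handler for the custom scheme and trigger a load.
// Flip sendEmptyDataFirst to true to try the assumed workaround.
let configuration = WKWebViewConfiguration()
configuration.setURLSchemeHandler(FailingSchemeHandler(sendEmptyDataFirst: false),
                                  forURLScheme: "repro")
let webView = WKWebView(frame: CGRect(x: 0, y: 0, width: 320, height: 480),
                        configuration: configuration)
webView.load(URLRequest(url: URL(string: "repro://host/resource")!))
```

Run it in a Playground or app on the affected build with `sendEmptyDataFirst: false` to hit the reported path; the handler is registered before the WKWebView is created because setURLSchemeHandler must be called on the configuration ahead of view creation.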
