Skip to content
Permalink
Browse files
Database process crashes deleting a corrupt SQLite database file (nul…
…l deref).

https://bugs.webkit.org/show_bug.cgi?id=155506.

Reviewed by Alex Christensen.

Source/WebCore:

Covered by new API test.

* Modules/indexeddb/server/SQLiteIDBBackingStore.cpp:
(WebCore::IDBServer::SQLiteIDBBackingStore::deleteBackingStore): Null check.

Tools:

* TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
* TestWebKitAPI/Tests/WebKit2Cocoa/IDBDeleteRecovery.html: Added.
* TestWebKitAPI/Tests/WebKit2Cocoa/IDBDeleteRecovery.mm: Added.
* TestWebKitAPI/Tests/WebKit2Cocoa/IDBDeleteRecovery.sqlite3: Added.
* TestWebKitAPI/Tests/WebKit2Cocoa/IDBDeleteRecovery.sqlite3-shm: Added.
* TestWebKitAPI/Tests/WebKit2Cocoa/IDBDeleteRecovery.sqlite3-wal: Added.


Canonical link: https://commits.webkit.org/177553@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@202822 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  • Loading branch information
beidson committed Jul 5, 2016
1 parent 8b1a863 commit 15de6388e1ee7bfad8bda5771955fa347fa977f7
Showing 9 changed files with 160 additions and 9 deletions.
@@ -1,3 +1,15 @@
2016-07-05 Brady Eidson <beidson@apple.com>

Database process crashes deleting a corrupt SQLite database file (null deref).
https://bugs.webkit.org/show_bug.cgi?id=155506.

Reviewed by Alex Christensen.

Covered by new API test.

* Modules/indexeddb/server/SQLiteIDBBackingStore.cpp:
(WebCore::IDBServer::SQLiteIDBBackingStore::deleteBackingStore): Null check.

2016-07-05 Brady Eidson <beidson@apple.com>

TransactionOperations can get destroyed on the wrong thread.
@@ -2056,16 +2056,18 @@ void SQLiteIDBBackingStore::deleteBackingStore()
{
bool errored = true;

SQLiteStatement sql(*m_sqliteDB, ASCIILiteral("SELECT fileName FROM BlobFiles;"));
if (sql.prepare() == SQLITE_OK) {
int result = sql.step();
while (result == SQLITE_ROW) {
blobFiles.append(sql.getColumnText(0));
result = sql.step();
if (m_sqliteDB) {
SQLiteStatement sql(*m_sqliteDB, ASCIILiteral("SELECT fileName FROM BlobFiles;"));
if (sql.prepare() == SQLITE_OK) {
int result = sql.step();
while (result == SQLITE_ROW) {
blobFiles.append(sql.getColumnText(0));
result = sql.step();
}

if (result == SQLITE_DONE)
errored = false;
}

if (result == SQLITE_DONE)
errored = false;
}

if (errored)
@@ -1,3 +1,17 @@
2016-07-05 Brady Eidson <beidson@apple.com>

Database process crashes deleting a corrupt SQLite database file (null deref).
https://bugs.webkit.org/show_bug.cgi?id=155506.

Reviewed by Alex Christensen.

* TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
* TestWebKitAPI/Tests/WebKit2Cocoa/IDBDeleteRecovery.html: Added.
* TestWebKitAPI/Tests/WebKit2Cocoa/IDBDeleteRecovery.mm: Added.
* TestWebKitAPI/Tests/WebKit2Cocoa/IDBDeleteRecovery.sqlite3: Added.
* TestWebKitAPI/Tests/WebKit2Cocoa/IDBDeleteRecovery.sqlite3-shm: Added.
* TestWebKitAPI/Tests/WebKit2Cocoa/IDBDeleteRecovery.sqlite3-wal: Added.

2016-07-05 Alexey Proskuryakov <ap@apple.com>

run-webkit-tests should print more complete baseline search paths
@@ -64,6 +64,11 @@
37DC6791140D7D7600ABCCDB /* DOMRangeOfString.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = 37DC678F140D7D3A00ABCCDB /* DOMRangeOfString.html */; };
37E1064C1697681800B78BD0 /* DOMHTMLTableCellElementCellAbove.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = 37E1064B169767F700B78BD0 /* DOMHTMLTableCellElementCellAbove.html */; };
4BFDFFA71314776C0061F24B /* HitTestResultNodeHandle_Bundle.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4BFDFFA61314776C0061F24B /* HitTestResultNodeHandle_Bundle.cpp */; };
510477721D298DDD009747EB /* IDBDeleteRecovery.sqlite3 in Copy Resources */ = {isa = PBXBuildFile; fileRef = 5104776F1D298D85009747EB /* IDBDeleteRecovery.sqlite3 */; };
510477731D298DDD009747EB /* IDBDeleteRecovery.sqlite3-shm in Copy Resources */ = {isa = PBXBuildFile; fileRef = 510477701D298D85009747EB /* IDBDeleteRecovery.sqlite3-shm */; };
510477741D298DDD009747EB /* IDBDeleteRecovery.sqlite3-wal in Copy Resources */ = {isa = PBXBuildFile; fileRef = 510477711D298D85009747EB /* IDBDeleteRecovery.sqlite3-wal */; };
510477771D298E72009747EB /* IDBDeleteRecovery.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = 510477761D298E57009747EB /* IDBDeleteRecovery.html */; };
510477781D29923B009747EB /* IDBDeleteRecovery.mm in Sources */ = {isa = PBXBuildFile; fileRef = 510477751D298E03009747EB /* IDBDeleteRecovery.mm */; };
51393E221523952D005F39C5 /* DOMWindowExtensionBasic_Bundle.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 51393E1D1523944A005F39C5 /* DOMWindowExtensionBasic_Bundle.cpp */; };
5142B2731517C8C800C32B19 /* ContextMenuCanCopyURL.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = 5142B2721517C89100C32B19 /* ContextMenuCanCopyURL.html */; };
51714EB41CF8C78C004723C4 /* WebProcessKillIDBCleanup-1.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = 51714EB21CF8C761004723C4 /* WebProcessKillIDBCleanup-1.html */; };
@@ -473,6 +478,10 @@
dstSubfolderSpec = 7;
files = (
51A587851D2739E3004BA9AF /* IndexedDBDatabaseProcessKill-1.html in Copy Resources */,
510477771D298E72009747EB /* IDBDeleteRecovery.html in Copy Resources */,
510477721D298DDD009747EB /* IDBDeleteRecovery.sqlite3 in Copy Resources */,
510477731D298DDD009747EB /* IDBDeleteRecovery.sqlite3-shm in Copy Resources */,
510477741D298DDD009747EB /* IDBDeleteRecovery.sqlite3-wal in Copy Resources */,
51A5877D1D1B49CD004BA9AF /* IndexedDBMultiProcess-3.html in Copy Resources */,
9984FACE1CFFB090008D198C /* editable-body.html in Copy Resources */,
51714EB41CF8C78C004723C4 /* WebProcessKillIDBCleanup-1.html in Copy Resources */,
@@ -692,6 +701,11 @@
4BB4160316815F9100824238 /* ElementAtPointInWebFrame.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = ElementAtPointInWebFrame.mm; sourceTree = "<group>"; };
4BFDFFA61314776C0061F24B /* HitTestResultNodeHandle_Bundle.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = HitTestResultNodeHandle_Bundle.cpp; sourceTree = "<group>"; };
4BFDFFA8131477770061F24B /* HitTestResultNodeHandle.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = HitTestResultNodeHandle.cpp; sourceTree = "<group>"; };
5104776F1D298D85009747EB /* IDBDeleteRecovery.sqlite3 */ = {isa = PBXFileReference; lastKnownFileType = file; path = IDBDeleteRecovery.sqlite3; sourceTree = "<group>"; };
510477701D298D85009747EB /* IDBDeleteRecovery.sqlite3-shm */ = {isa = PBXFileReference; lastKnownFileType = file; path = "IDBDeleteRecovery.sqlite3-shm"; sourceTree = "<group>"; };
510477711D298D85009747EB /* IDBDeleteRecovery.sqlite3-wal */ = {isa = PBXFileReference; lastKnownFileType = file; path = "IDBDeleteRecovery.sqlite3-wal"; sourceTree = "<group>"; };
510477751D298E03009747EB /* IDBDeleteRecovery.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = IDBDeleteRecovery.mm; sourceTree = "<group>"; };
510477761D298E57009747EB /* IDBDeleteRecovery.html */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.html; path = IDBDeleteRecovery.html; sourceTree = "<group>"; };
51393E1D1523944A005F39C5 /* DOMWindowExtensionBasic_Bundle.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = DOMWindowExtensionBasic_Bundle.cpp; sourceTree = "<group>"; };
51393E1E1523944A005F39C5 /* DOMWindowExtensionBasic.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = DOMWindowExtensionBasic.cpp; sourceTree = "<group>"; };
5142B2701517C88B00C32B19 /* ContextMenuCanCopyURL.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = ContextMenuCanCopyURL.mm; sourceTree = "<group>"; };
@@ -1157,6 +1171,7 @@
2D1FE0AF1AD465C1006CD9E6 /* FixedLayoutSize.mm */,
CDE195B31CFE0ADE0053D256 /* FullscreenTopContentInset.mm */,
51A587841D272EF3004BA9AF /* IndexedDBDatabaseProcessKill.mm */,
510477751D298E03009747EB /* IDBDeleteRecovery.mm */,
51BCEE491C84F4AF0042C82E /* IndexedDBMultiProcess.mm */,
51B1EE8D1C80F5880064FB98 /* IndexedDBPersistence.mm */,
37D36ED61AF42ECD00BAF5D9 /* LoadAlternateHTMLString.mm */,
@@ -1264,6 +1279,10 @@
5714ECBC1CA8C21800051AC8 /* DownloadRequestOriginalURL2.html */,
5714ECBA1CA8BFD100051AC8 /* DownloadRequestOriginalURLFrame.html */,
51A587821D272EB5004BA9AF /* IndexedDBDatabaseProcessKill-1.html */,
510477761D298E57009747EB /* IDBDeleteRecovery.html */,
5104776F1D298D85009747EB /* IDBDeleteRecovery.sqlite3 */,
510477701D298D85009747EB /* IDBDeleteRecovery.sqlite3-shm */,
510477711D298D85009747EB /* IDBDeleteRecovery.sqlite3-wal */,
51BCEE4C1C84F52C0042C82E /* IndexedDBMultiProcess-1.html */,
51BCEE4D1C84F52C0042C82E /* IndexedDBMultiProcess-2.html */,
51A5877C1D1B3D8D004BA9AF /* IndexedDBMultiProcess-3.html */,
@@ -2004,6 +2023,7 @@
7CCE7EE41A411AE600447C4C /* AboutBlankLoad.cpp in Sources */,
7CCE7EB31A411A7E00447C4C /* AcceptsFirstMouse.mm in Sources */,
7CCE7EB41A411A7E00447C4C /* AttributedString.mm in Sources */,
510477781D29923B009747EB /* IDBDeleteRecovery.mm in Sources */,
7CCE7EB51A411A7E00447C4C /* BackForwardList.mm in Sources */,
7CCE7EDC1A411A9200447C4C /* CalculationValue.cpp in Sources */,
7C83E0BA1D0A64FB00FEBCF3 /* Coding.mm in Sources */,
@@ -0,0 +1,14 @@
<script>

var request = window.indexedDB.deleteDatabase("IDBDeleteRecovery");

request.onsuccess = function(e)
{
window.webkit.messageHandlers.testHandler.postMessage('Deleted database');
}
request.onerror = function(e)
{
// Unexpected error
window.webkit.messageHandlers.testHandler.postMessage('Error deleting database');
}
</script>
@@ -0,0 +1,89 @@
/*
* Copyright (C) 2016 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
* THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
* THE POSSIBILITY OF SUCH DAMAGE.
*/

#import "config.h"

#import "PlatformUtilities.h"
#import "Test.h"
#import <WebKit/WKProcessPoolPrivate.h>
#import <WebKit/WKUserContentControllerPrivate.h>
#import <WebKit/WKWebViewConfigurationPrivate.h>
#import <WebKit/WebKit.h>
#import <WebKit/_WKProcessPoolConfiguration.h>
#import <WebKit/_WKUserStyleSheet.h>
#import <wtf/RetainPtr.h>

#if WK_API_ENABLED

static bool receivedScriptMessage;
static RetainPtr<WKScriptMessage> lastScriptMessage;

@interface IDBDeleteRecoveryMessageHandler : NSObject <WKScriptMessageHandler>
@end

@implementation IDBDeleteRecoveryMessageHandler

- (void)userContentController:(WKUserContentController *)userContentController didReceiveScriptMessage:(WKScriptMessage *)message
{
receivedScriptMessage = true;
lastScriptMessage = message;
}

@end

TEST(IndexedDB, DeleteRecovery)
{
RetainPtr<IDBDeleteRecoveryMessageHandler> handler = adoptNS([[IDBDeleteRecoveryMessageHandler alloc] init]);
RetainPtr<WKWebViewConfiguration> configuration = adoptNS([[WKWebViewConfiguration alloc] init]);
[[configuration userContentController] addScriptMessageHandler:handler.get() name:@"testHandler"];

// Allow file URLs to load non-file resources
[configuration _setAllowUniversalAccessFromFileURLs:YES];

[configuration.get().processPool _terminateDatabaseProcess];

// Copy the inconsistent database files to the database directory
NSURL *url1 = [[NSBundle mainBundle] URLForResource:@"IDBDeleteRecovery" withExtension:@"sqlite3" subdirectory:@"TestWebKitAPI.resources"];
NSURL *url2 = [[NSBundle mainBundle] URLForResource:@"IDBDeleteRecovery" withExtension:@"sqlite3-shm" subdirectory:@"TestWebKitAPI.resources"];
NSURL *url3 = [[NSBundle mainBundle] URLForResource:@"IDBDeleteRecovery" withExtension:@"sqlite3-wal" subdirectory:@"TestWebKitAPI.resources"];

NSURL *targetURL = [NSURL fileURLWithPath:[@"~/Library/WebKit/TestWebKitAPI/WebsiteData/IndexedDB/file__0/IDBDeleteRecovery" stringByExpandingTildeInPath]];
[[NSFileManager defaultManager] createDirectoryAtURL:targetURL withIntermediateDirectories:YES attributes:nil error:nil];

[[NSFileManager defaultManager] copyItemAtURL:url1 toURL:[targetURL URLByAppendingPathComponent:@"IndexedDB.sqlite3"] error:nil];
[[NSFileManager defaultManager] copyItemAtURL:url2 toURL:[targetURL URLByAppendingPathComponent:@"IndexedDB.sqlite3-shm"] error:nil];
[[NSFileManager defaultManager] copyItemAtURL:url3 toURL:[targetURL URLByAppendingPathComponent:@"IndexedDB.sqlite3-wal"] error:nil];

RetainPtr<WKWebView> webView = adoptNS([[WKWebView alloc] initWithFrame:NSMakeRect(0, 0, 800, 600) configuration:configuration.get()]);

NSURLRequest *request = [NSURLRequest requestWithURL:[[NSBundle mainBundle] URLForResource:@"IDBDeleteRecovery" withExtension:@"html" subdirectory:@"TestWebKitAPI.resources"]];
[webView loadRequest:request];

TestWebKitAPI::Util::run(&receivedScriptMessage);

EXPECT_WK_STREQ(@"Deleted database", [lastScriptMessage body]);
}

#endif
Binary file not shown.
Binary file not shown.
Binary file not shown.

0 comments on commit 15de638

Please sign in to comment.