Network process crashes in WebKit::StorageManagerSet::deleteSessionSt…

…orageForOrigins https://bugs.webkit.org/show_bug.cgi?id=214050 Patch by Sihui Liu <sihui_liu@appe.com> on 2020-07-07 Reviewed by Chris Dumez. In NetworkProcess::deleteAndRestrictWebsiteDataForRegistrableDomains, deleteSessionStorageForOrigins is called in a callback without checking if session still exists. * NetworkProcess/NetworkProcess.cpp: (WebKit::NetworkProcess::deleteAndRestrictWebsiteDataForRegistrableDomains): Canonical link: https://commits.webkit.org/226849@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@264036 268f45cc-cd09-0410-ab3c-d52691b4dbfc
WebKit · Jul 7, 2020 · f1786f7 · f1786f7
1 parent f43b0de
commit f1786f7
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 0 deletions.
diff --git a/Source/WebKit/ChangeLog b/Source/WebKit/ChangeLog
@@ -1,3 +1,16 @@
+2020-07-07  Sihui Liu  <sihui_liu@appe.com>
+
+        Network process crashes in WebKit::StorageManagerSet::deleteSessionStorageForOrigins
+        https://bugs.webkit.org/show_bug.cgi?id=214050
+
+        Reviewed by Chris Dumez.
+
+        In NetworkProcess::deleteAndRestrictWebsiteDataForRegistrableDomains, deleteSessionStorageForOrigins is called 
+        in a callback without checking if session still exists.
+
+        * NetworkProcess/NetworkProcess.cpp:
+        (WebKit::NetworkProcess::deleteAndRestrictWebsiteDataForRegistrableDomains):
+
 2020-07-07  Chris Dumez  <cdumez@apple.com>
 
         WebContent process sometimes kills itself because it is receiving too much IPC from the UIProcess

diff --git a/Source/WebKit/NetworkProcess/NetworkProcess.cpp b/Source/WebKit/NetworkProcess/NetworkProcess.cpp
@@ -1925,13 +1925,19 @@ void NetworkProcess::deleteAndRestrictWebsiteDataForRegistrableDomains(PAL::Sess
     if (m_storageManagerSet->contains(sessionID)) {
         if (websiteDataTypes.contains(WebsiteDataType::SessionStorage)) {
             m_storageManagerSet->getSessionStorageOrigins(sessionID, [protectedThis = makeRef(*this), this, sessionID, callbackAggregator, domainsToDeleteAllNonCookieWebsiteDataFor](auto&& origins) {
+                if (!m_storageManagerSet->contains(sessionID))
+                    return;
+
                 auto originsToDelete = filterForRegistrableDomains(origins, domainsToDeleteAllNonCookieWebsiteDataFor, callbackAggregator->m_domains);
                 m_storageManagerSet->deleteSessionStorageForOrigins(sessionID, originsToDelete, [callbackAggregator] { });
             });
         }
 
         if (websiteDataTypes.contains(WebsiteDataType::LocalStorage)) {
             m_storageManagerSet->getLocalStorageOrigins(sessionID, [protectedThis = makeRef(*this), this, sessionID, callbackAggregator, domainsToDeleteAllNonCookieWebsiteDataFor](auto&& origins) {
+                if (!m_storageManagerSet->contains(sessionID))
+                    return;
+
                 auto originsToDelete = filterForRegistrableDomains(origins, domainsToDeleteAllNonCookieWebsiteDataFor, callbackAggregator->m_domains);
                 m_storageManagerSet->deleteLocalStorageForOrigins(sessionID, originsToDelete, [callbackAggregator] { });
             });