Bug 246858

Summary: [SOUP] http/tests/security/cookies/cookie-theft-with-javascript-doc.html crashing
Product: WebKit Reporter: Claudio Saavedra <csaavedra>
Component: WebKitGTKAssignee: Claudio Saavedra <csaavedra>
Status: RESOLVED FIXED    
Severity: Normal CC: achristensen, bugs-noreply, Hironori.Fujii, mcatanzaro
Priority: P2    
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=247658

Description Claudio Saavedra 2022-10-21 08:09:37 PDT 
Since https://github.com/WebKit/WebKit/commit/361f64fcdd4b6aa17aaafcc55ebc88ab89acfc89 landed, http/tests/security/cookies/cookie-theft-with-javascript-doc.html has been crashing pretty consistently. 

ASSERTION FAILED: result
/app/webkit/Source/WebKit/NetworkProcess/NetworkProcess.cpp(434) : bool WebKit::NetworkProcess::allowsFirstPartyForCookies(WebCore::ProcessIdentifier, const WTF::URL&)
1   0x7fe547a47b63 WTFCrash

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/app/webkit/WebKitBuild/Debug/bin/WebKitNetworkProcess 10 9'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  WTFCrash () at /app/webkit/Source/WTF/wtf/Assertions.cpp:327
327	    *(int *)(uintptr_t)0xbbadbeef = 0;
[Current thread is 1 (Thread 0x7fe53e8be540 (LWP 44))]

Thread 1 (Thread 0x7fe53e8be540 (LWP 44)):
#0  WTFCrash() () at /app/webkit/Source/WTF/wtf/Assertions.cpp:327
#1  0x00007fe5512070f5 in WTFCrashWithInfo(int, char const*, char const*, int) () at /app/webkit/WebKitBuild/Debug/WTF/Headers/wtf/Assertions.h:754
#2  0x00007fe551a6886b in WebKit::NetworkProcess::allowsFirstPartyForCookies(WTF::ObjectIdentifier<WebCore::ProcessIdentifierType>, WTF::URL const&) (this=0x7fe535034240, processIdentifier=..., firstParty=...) at /app/webkit/Source/WebKit/NetworkProcess/NetworkProcess.cpp:434
#3  0x00007fe551a08f14 in WebKit::NetworkConnectionToWebProcess::cookiesForDOM(WTF::URL const&, WebCore::SameSiteInfo const&, WTF::URL const&, WebCore::ProcessQualified<WTF::ObjectIdentifier<WebCore::FrameIdentifierType> >, WTF::ObjectIdentifier<WebCore::PageIdentifierType>, WebCore::IncludeSecureCookies, WebCore::ShouldAskITP, WebCore::ShouldRelaxThirdPartyCookieBlocking, WTF::CompletionHandler<void (WTF::String, bool)>&&) (this=0x7fe535094340, firstParty=..., sameSiteInfo=..., url=..., frameID=..., pageID=..., includeSecureCookies=WebCore::IncludeSecureCookies::No, shouldAskITP=WebCore::ShouldAskITP::No, shouldRelaxThirdPartyCookieBlocking=WebCore::ShouldRelaxThirdPartyCookieBlocking::No, completionHandler=...) at /app/webkit/Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp:773
Comment 1 Claudio Saavedra 2022-10-21 08:20:11 PDT 
There are two web processes (due to the iframe in the test), one with identifier 7 and the other 12. One of them is adding 'nullOrigin' to the "allowedFirstPartyForCookies" list, not the other. When the other receives a call to get the cookies for the DOM, the check of whether 'nullOrigin' is an allowed first party for cookies fails, and the assertion with it:

NetworkProcess::addAllowedFirstPartyForCookies(identifier: 7, firstPartyForCookies: nullOrigin)

NetworkProcess::addAllowedFirstPartyForCookies(identifier: 12, firstPartyForCookies: 127.0.0.1)

NetworkProcess::allowsFirstPartyForCookies(identifier: 12, firstPartyForCookies: 127.0.0.1)

NetworkProcess::allowsFirstPartyForCookies(identifier: 12, firstPartyForCookies: 127.0.0.1)

NetworkProcess::allowsFirstPartyForCookies(identifier: 12, firstPartyForCookies: nullOrigin)
  --> ASSERTION FAILED: result


The crash doesn't happen always for me, so this might be a timing issue.
Comment 2 Fujii Hironori 2022-11-08 23:54:07 PST 
See also bug#247658. I'm proposing a patch there.
Comment 3 Claudio Saavedra 2022-11-09 13:06:29 PST 
This seems to have been fixed already with https://commits.webkit.org/256065@main
Comment 4 Claudio Saavedra 2022-11-09 13:13:14 PST 
Pull request: https://github.com/WebKit/WebKit/pull/6317
Comment 5 EWS 2022-11-09 13:16:27 PST 
Committed 256498@main (4cd9a03152f0): <https://commits.webkit.org/256498@main>

Reviewed commits have been landed. Closing PR #6317 and removing active labels.