Branch: refs/heads/webkitglib/2.52
Home: https://github.com/WebKit/WebKit
Commit: e4dea8efd15fa98fe78fb25eeef8082fc81338df
https://github.com/WebKit/WebKit/commit/e4dea8efd15fa98fe78fb25eeef8082fc81338df
Author: Rupin Mittal <[email protected]>
Date: 2026-03-12 (Thu, 12 Mar 2026)
Changed paths:
M Source/WebKit/NetworkProcess/NetworkProcess.cpp
Log Message:
-----------
Cherry-pick 309114@main (f43860e90c4c).
https://bugs.webkit.org/show_bug.cgi?id=309695
StabilityTracer: Crash in callback of async IPC sent by WebKit::NetworkProcess::findPendingDownloadLocation
https://bugs.webkit.org/show_bug.cgi?id=309695
rdar://172248665
Reviewed by Ben Nham and Per Arne Vollan.
It looks like the crash is due to a null pointer dereference. It seems like the completion handler on this line:
return completionHandler(PolicyAction::Ignore);
in NetworkProcess::findPendingDownloadLocation is null.
This completion handler is called as part of the reply of the async IPC sent to DownloadProxy::DecideDestinationWithSuggestedFilename.
Given that NetworkProcess::findPendingDownloadLocation receives the completionHandler as an rvalue reference and then moves it into the lambda, it's likely not null to begin with. But the IPC message is sent with the IPC::Connection* returned by downloadProxyConnection(), which can be a nullptr. That would cause undefined behavior and could result in this crash.
So we speculatively fix this by early returning if the connection doesn't exist.
* Source/WebKit/NetworkProcess/NetworkProcess.cpp:
(WebKit::NetworkProcess::findPendingDownloadLocation):
Canonical link: https://commits.webkit.org/309114@main
Canonical link: https://commits.webkit.org/305877.183@webkitglib/2.52