Changeset 211569 in webkit

Timestamp:

Feb 2, 2017 10:31:54 AM (7 years ago)

Author:

Chris Dumez

Message:

[Crash] com.apple.WebKit.WebContent at WebKit: WebKit::WebPage::fromCorePage()
​https://bugs.webkit.org/show_bug.cgi?id=167738
<rdar://problem/30229990>

Reviewed by Andreas Kling.

Source/WebCore:

Upon destruction of a Page, we destroy the BackForwardClient, which is supposed
to keep track of HistoryItems associated to this particular page and remove them
from the PageCache. Given the crash trace, the issue seems to be that some
HistoryItems associated with the Page sometimes linger in the PageCache *after*
the Page has been destroyed, which leads to crashes later on when pruning the
PageCache.

In order to make the process more robust, this patch refactors the code so that
the Page is now in charge of removing all its associated HistoryItems from the
PageCache instead of relying on the BackForwardClient. Also, instead of having
the Page keep track of which HistoryItems are associated with it (which is
error prone), we now scan all PageCache entries instead to find which ones are
associated with the Page. While this is in theory slower, this is much safer
and in practice not an issue because the PageCache usually has 3-5 entries.

No new tests, could not reproduce.

• history/CachedPage.cpp:

(WebCore::CachedPage::CachedPage):

• history/CachedPage.h:

(WebCore::CachedPage::page):

• history/PageCache.cpp:

(WebCore::PageCache::removeAllItemsForPage):

• history/PageCache.h:
• page/Page.cpp:

(WebCore::Page::~Page):

Source/WebKit/mac:

The BackForwardClient no longer needs to worry about removing HistoryItems
from the PageCache now that WebCore takes care of it.

• History/BackForwardList.mm:

(BackForwardList::close):

Source/WebKit/win:

The BackForwardClient no longer needs to worry about removing HistoryItems
from the PageCache now that WebCore takes care of it.

• BackForwardList.cpp:

(BackForwardList::close):

Source/WebKit2:

The BackForwardClient no longer needs to worry about removing HistoryItems
from the PageCache now that WebCore takes care of it.

• WebProcess/WebPage/WebBackForwardListProxy.cpp:

(WebKit::WebBackForwardListProxy::addItemFromUIProcess):
(WebKit::WebBackForwardListProxy::addItem):
(WebKit::WebBackForwardListProxy::close):

• WebProcess/WebPage/WebBackForwardListProxy.h:

Location:

trunk/Source

Files:

• WebCore/ChangeLog (modified) (1 diff)
• WebCore/history/CachedPage.cpp (modified) (1 diff)
• WebCore/history/CachedPage.h (modified) (2 diffs)
• WebCore/history/PageCache.cpp (modified) (1 diff)
• WebCore/history/PageCache.h (modified) (1 diff)
• WebCore/page/Page.cpp (modified) (1 diff)
• WebKit/mac/ChangeLog (modified) (1 diff)
• WebKit/mac/History/BackForwardList.mm (modified) (1 diff)
• WebKit/win/BackForwardList.cpp (modified) (1 diff)
• WebKit/win/ChangeLog (modified) (1 diff)
• WebKit2/ChangeLog (modified) (1 diff)
• WebKit2/WebProcess/WebPage/WebBackForwardListProxy.cpp (modified) (3 diffs)
• WebKit2/WebProcess/WebPage/WebBackForwardListProxy.h (modified) (1 diff)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2017-02-02  Chris Dumez  <cdumez@apple.com>
+
+        [Crash] com.apple.WebKit.WebContent at WebKit: WebKit::WebPage::fromCorePage()
+        https://bugs.webkit.org/show_bug.cgi?id=167738
+        <rdar://problem/30229990>
+
+        Reviewed by Andreas Kling.
+
+        Upon destruction of a Page, we destroy the BackForwardClient, which is supposed
+        to keep track of HistoryItems associated to this particular page and remove them
+        from the PageCache. Given the crash trace, the issue seems to be that some
+        HistoryItems associated with the Page sometimes linger in the PageCache *after*
+        the Page has been destroyed, which leads to crashes later on when pruning the
+        PageCache.
+
+        In order to make the process more robust, this patch refactors the code so that
+        the Page is now in charge of removing all its associated HistoryItems from the
+        PageCache instead of relying on the BackForwardClient. Also, instead of having
+        the Page keep track of which HistoryItems are associated with it (which is
+        error prone), we now scan all PageCache entries instead to find which ones are
+        associated with the Page. While this is in theory slower, this is much safer
+        and in practice not an issue because the PageCache usually has 3-5 entries.
+
+        No new tests, could not reproduce.
+
+        * history/CachedPage.cpp:
+        (WebCore::CachedPage::CachedPage):
+        * history/CachedPage.h:
+        (WebCore::CachedPage::page):
+        * history/PageCache.cpp:
+        (WebCore::PageCache::removeAllItemsForPage):
+        * history/PageCache.h:
+        * page/Page.cpp:
+        (WebCore::Page::~Page):
+
 2017-02-02  Antti Koivisto  <antti@apple.com>
 

trunk/Source/WebCore/history/CachedPage.cpp

@@ -51 +51 @@
 
 CachedPage::CachedPage(Page& page)
-    : m_expirationTime(monotonicallyIncreasingTime() + page.settings().backForwardCacheExpirationInterval())
+    : m_page(page)
+    , m_expirationTime(monotonicallyIncreasingTime() + page.settings().backForwardCacheExpirationInterval())
     , m_cachedMainFrame(std::make_unique<CachedFrame>(page.mainFrame()))
 {

trunk/Source/WebCore/history/CachedPage.h

@@ -43 +43 @@
     void clear();
 
+    Page& page() const { return m_page; }
     Document* document() const { return m_cachedMainFrame->document(); }
     DocumentLoader* documentLoader() const { return m_cachedMainFrame->documentLoader(); }
@@ -59 +60 @@
 
 private:
+    Page& m_page;
     double m_expirationTime;
     std::unique_ptr<CachedFrame> m_cachedMainFrame;

trunk/Source/WebCore/history/PageCache.cpp

@@ -467 +467 @@
 }
 
+void PageCache::removeAllItemsForPage(Page& page)
+{
+    for (auto it = m_items.begin(); it != m_items.end();) {
+        // Increment iterator first so it stays invalid after the removal.
+        auto current = it;
+        ++it;
+        if (&(*current)->m_cachedPage->page() == &page) {
+            (*current)->m_cachedPage = nullptr;
+            m_items.remove(current);
+        }
+    }
+}
+
 CachedPage* PageCache::get(HistoryItem& item, Page* page)
 {

trunk/Source/WebCore/history/PageCache.h

@@ -58 +58 @@
     std::unique_ptr<CachedPage> take(HistoryItem&, Page*);
 
+    void removeAllItemsForPage(Page&);
+
     unsigned pageCount() const { return m_items.size(); }
     WEBCORE_EXPORT unsigned frameCount() const;

trunk/Source/WebCore/page/Page.cpp

@@ -326 +326 @@
 
     backForward().close();
+    PageCache::singleton().removeAllItemsForPage(*this);
 
 #ifndef NDEBUG

trunk/Source/WebKit/mac/ChangeLog

@@ +1 @@
+2017-02-02  Chris Dumez  <cdumez@apple.com>
+
+        [Crash] com.apple.WebKit.WebContent at WebKit: WebKit::WebPage::fromCorePage()
+        https://bugs.webkit.org/show_bug.cgi?id=167738
+        <rdar://problem/30229990>
+
+        Reviewed by Andreas Kling.
+
+        The BackForwardClient no longer needs to worry about removing HistoryItems
+        from the PageCache now that WebCore takes care of it.
+
+        * History/BackForwardList.mm:
+        (BackForwardList::close):
+
 2017-02-02  Yongjun Zhang  <yongjun_zhang@apple.com>
 

trunk/Source/WebKit/mac/History/BackForwardList.mm

@@ -226 +226 @@
 void BackForwardList::close()
 {
-    for (auto& item : m_entries)
-        PageCache::singleton().remove(item);
     m_entries.clear();
     m_entryHash.clear();

trunk/Source/WebKit/win/BackForwardList.cpp

@@ -226 +226 @@
 void BackForwardList::close()
 {
-    for (auto& item : m_entries)
-        PageCache::singleton().remove(item);
     m_entries.clear();
     m_entryHash.clear();

trunk/Source/WebKit/win/ChangeLog

@@ +1 @@
+2017-02-02  Chris Dumez  <cdumez@apple.com>
+
+        [Crash] com.apple.WebKit.WebContent at WebKit: WebKit::WebPage::fromCorePage()
+        https://bugs.webkit.org/show_bug.cgi?id=167738
+        <rdar://problem/30229990>
+
+        Reviewed by Andreas Kling.
+
+        The BackForwardClient no longer needs to worry about removing HistoryItems
+        from the PageCache now that WebCore takes care of it.
+
+        * BackForwardList.cpp:
+        (BackForwardList::close):
+
 2017-01-28  Yoav Weiss  <yoav@yoav.ws>
 

trunk/Source/WebKit2/ChangeLog

@@ +1 @@
+2017-02-02  Chris Dumez  <cdumez@apple.com>
+
+        [Crash] com.apple.WebKit.WebContent at WebKit: WebKit::WebPage::fromCorePage()
+        https://bugs.webkit.org/show_bug.cgi?id=167738
+        <rdar://problem/30229990>
+
+        Reviewed by Andreas Kling.
+
+        The BackForwardClient no longer needs to worry about removing HistoryItems
+        from the PageCache now that WebCore takes care of it.
+
+        * WebProcess/WebPage/WebBackForwardListProxy.cpp:
+        (WebKit::WebBackForwardListProxy::addItemFromUIProcess):
+        (WebKit::WebBackForwardListProxy::addItem):
+        (WebKit::WebBackForwardListProxy::close):
+        * WebProcess/WebPage/WebBackForwardListProxy.h:
+
 2017-02-02  Anders Carlsson  <andersca@apple.com>
 

trunk/Source/WebKit2/WebProcess/WebPage/WebBackForwardListProxy.cpp

@@ -101 +101 @@
     ASSERT(!idToHistoryItemMap().contains(itemID));
 
-    m_associatedItemIDs.add(itemID);
-
     historyItemToIDMap().set<ItemAndPageID>(item.ptr(), { .itemID = itemID, .pageID = pageID });
     idToHistoryItemMap().set(itemID, item.ptr());
@@ -155 +153 @@
     ASSERT(!idToHistoryItemMap().contains(itemID));
 
-    m_associatedItemIDs.add(itemID);
-
     historyItemToIDMap().set<ItemAndPageID>(item.ptr(), { .itemID = itemID, .pageID = m_page->pageID() });
     idToHistoryItemMap().set(itemID, item.ptr());
@@ -215 +211 @@
 void WebBackForwardListProxy::close()
 {
-    for (auto& itemID : m_associatedItemIDs) {
-        if (HistoryItem* item = itemForID(itemID))
-            WebCore::PageCache::singleton().remove(*item);
-    }
-
-    m_associatedItemIDs.clear();
     m_page = nullptr;
 }

trunk/Source/WebKit2/WebProcess/WebPage/WebBackForwardListProxy.h

@@ -61 +61 @@
 
     WebPage* m_page;
-    HashSet<uint64_t> m_associatedItemIDs;
 };