Changeset 210822 in webkit

Timestamp:

Jan 17, 2017 11:24:23 AM (7 years ago)

Author:

Joseph Pecoraro

Message:

Crash when closing tab with debugger paused
​https://bugs.webkit.org/show_bug.cgi?id=161746
<rdar://problem/15607819>

Reviewed by Brian Burg and Brent Fulgham.

Source/WebCore:

• page/Page.h:

(WebCore::Page::incrementNestedRunLoopCount):
(WebCore::Page::decrementNestedRunLoopCount):
(WebCore::Page::insideNestedRunLoop):
Keep track of whether or not this Page is inside of a nested run loop.
Currently the only nested run loop we know about is EventLoop used
by Web Inspector when debugging JavaScript.

(WebCore::Page::whenUnnested):
Callback that can be called when we are no longer inside of a nested
run loop.

(WebCore::Page::~Page):
Ensure we are not in a known nested run loop when destructing, since
that could be unsafe.

• inspector/PageScriptDebugServer.cpp:

(WebCore::PageScriptDebugServer::runEventLoopWhilePausedInternal):
Increment and decrement as we go into or leave the nested runloop.

• inspector/InspectorController.cpp:

(WebCore::InspectorController::inspectedPageDestroyed):
(WebCore::InspectorController::disconnectAllFrontends):
Rework destruction to allow disconnectAllFrontends to happen earlier
if necessary. WebKit clients may use this to disconnect remote
frontends when closing a Page.

Source/WebKit/mac:

• WebView/WebView.mm:

(WebKit::DeferredPageDestructor::createDeferredPageDestructor):
(WebKit::DeferredPageDestructor::DeferredPageDestructor):
(WebKit::DeferredPageDestructor::tryDestruction):
(-[WebView _close]):
Defer destruction of the Page if we are in a nested runloop.

Source/WebKit2:

• WebProcess/WebPage/WebPage.cpp:

(WebKit::DeferredPageDestructor::createDeferredPageDestructor):
(WebKit::DeferredPageDestructor::DeferredPageDestructor):
(WebKit::DeferredPageDestructor::tryDestruction):
(WebKit::WebPage::close):
Defer destruction of the Page and WebPage if we are in a nested runloop.
Also, proactively close all inspector frontends, including remote frontends.

• WebProcess/WebPage/ios/WebPageIOS.mm:

(WebKit::WebPage::handleSyntheticClick):
(WebKit::WebPage::completeSyntheticClick):
Return early in some cases where a nested run loop may have closed
the WebPage on us while handling JavaScript events.

Location:

trunk/Source

Files:

• WebCore/ChangeLog (modified) (1 diff)
• WebCore/inspector/InspectorController.cpp (modified) (3 diffs)
• WebCore/inspector/PageScriptDebugServer.cpp (modified) (1 diff)
• WebCore/page/Page.cpp (modified) (3 diffs)
• WebCore/page/Page.h (modified) (2 diffs)
• WebKit/mac/ChangeLog (modified) (1 diff)
• WebKit/mac/WebView/WebView.mm (modified) (2 diffs)
• WebKit2/ChangeLog (modified) (1 diff)
• WebKit2/WebProcess/WebPage/WebPage.cpp (modified) (5 diffs)
• WebKit2/WebProcess/WebPage/ios/WebPageIOS.mm (modified) (3 diffs)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2017-01-17  Joseph Pecoraro  <pecoraro@apple.com>
+
+        Crash when closing tab with debugger paused
+        https://bugs.webkit.org/show_bug.cgi?id=161746
+        <rdar://problem/15607819>
+
+        Reviewed by Brian Burg and Brent Fulgham.
+
+        * page/Page.h:
+        (WebCore::Page::incrementNestedRunLoopCount):
+        (WebCore::Page::decrementNestedRunLoopCount):
+        (WebCore::Page::insideNestedRunLoop):
+        Keep track of whether or not this Page is inside of a nested run loop.
+        Currently the only nested run loop we know about is EventLoop used
+        by Web Inspector when debugging JavaScript.
+
+        (WebCore::Page::whenUnnested):
+        Callback that can be called when we are no longer inside of a nested
+        run loop.
+
+        (WebCore::Page::~Page):
+        Ensure we are not in a known nested run loop when destructing, since
+        that could be unsafe.
+
+        * inspector/PageScriptDebugServer.cpp:
+        (WebCore::PageScriptDebugServer::runEventLoopWhilePausedInternal):
+        Increment and decrement as we go into or leave the nested runloop.
+
+        * inspector/InspectorController.cpp:
+        (WebCore::InspectorController::inspectedPageDestroyed):
+        (WebCore::InspectorController::disconnectAllFrontends):
+        Rework destruction to allow disconnectAllFrontends to happen earlier
+        if necessary. WebKit clients may use this to disconnect remote
+        frontends when closing a Page.
+
 2017-01-16  Filip Pizlo  <fpizlo@apple.com>
 

trunk/Source/WebCore/inspector/InspectorController.cpp

@@ -204 +204 @@
     m_injectedScriptManager->disconnect();
 
-    // If the local frontend page was destroyed, close the window.
-    if (m_inspectorFrontendClient)
-        m_inspectorFrontendClient->closeWindow();
-
-    // The frontend should call setInspectorFrontendClient(nullptr) under closeWindow().
-    ASSERT(!m_inspectorFrontendClient);
-
     // Clean up resources and disconnect local and remote frontends.
     disconnectAllFrontends();
+
+    // Disconnect the client.
+    m_inspectorClient->inspectedPageDestroyed();
+    m_inspectorClient = nullptr;
 
     m_agents.discardValues();
@@ -301 +298 @@
 void InspectorController::disconnectAllFrontends()
 {
-    // The local frontend client should be disconnected already.
+    // If the local frontend page was destroyed, close the window.
+    if (m_inspectorFrontendClient)
+        m_inspectorFrontendClient->closeWindow();
+
+    // The frontend should call setInspectorFrontendClient(nullptr) under closeWindow().
     ASSERT(!m_inspectorFrontendClient);
+
+    if (!m_frontendRouter->hasFrontends())
+        return;
 
     for (unsigned i = 0; i < m_frontendRouter->frontendCount(); ++i)
@@ -315 +319 @@
     // Destroy the inspector overlay's page.
     m_overlay->freePage();
-
-    // Disconnect local WK2 frontend and destroy the client.
-    m_inspectorClient->inspectedPageDestroyed();
-    m_inspectorClient = nullptr;
 
     // Disconnect any remaining remote frontends.

trunk/Source/WebCore/inspector/PageScriptDebugServer.cpp

@@ -115 +115 @@
     TimerBase::fireTimersInNestedEventLoop();
 
+    m_page.incrementNestedRunLoopCount();
+
     EventLoop loop;
     while (!m_doneProcessingDebuggerEvents && !loop.ended())
         loop.cycle();
+
+    m_page.decrementNestedRunLoopCount();
 }
 

trunk/Source/WebCore/page/Page.cpp

@@ -201 +201 @@
     , m_diagnosticLoggingClient(WTFMove(pageConfiguration.diagnosticLoggingClient))
     , m_webGLStateTracker(WTFMove(pageConfiguration.webGLStateTracker))
-    , m_subframeCount(0)
     , m_openedByDOM(false)
     , m_tabKeyCyclesThroughElements(true)
@@ -289 +288 @@
 Page::~Page()
 {
+    ASSERT(!m_nestedRunLoopCount);
+    ASSERT(!m_unnestCallback);
+
     m_validationMessageClient = nullptr;
     m_diagnosticLoggingClient = nullptr;
@@ -1685 +1687 @@
 #endif
 
+void Page::incrementNestedRunLoopCount()
+{
+    m_nestedRunLoopCount++;
+}
+
+void Page::decrementNestedRunLoopCount()
+{
+    ASSERT(m_nestedRunLoopCount);
+    if (m_nestedRunLoopCount <= 0)
+        return;
+
+    m_nestedRunLoopCount--;
+
+    if (!m_nestedRunLoopCount && m_unnestCallback) {
+        callOnMainThread([this] {
+            if (insideNestedRunLoop())
+                return;
+
+            // This callback may destruct the Page.
+            if (m_unnestCallback) {
+                auto callback = m_unnestCallback;
+                m_unnestCallback = nullptr;
+                callback();
+            }
+        });
+    }
+}
+
+void Page::whenUnnested(std::function<void()> callback)
+{
+    ASSERT(!m_unnestCallback);
+
+    m_unnestCallback = callback;
+}
+
 #if ENABLE(REMOTE_INSPECTOR)
 bool Page::remoteInspectionAllowed() const

trunk/Source/WebCore/page/Page.h

@@ -193 +193 @@
     int subframeCount() const { checkSubframeCountConsistency(); return m_subframeCount; }
 
+    void incrementNestedRunLoopCount();
+    void decrementNestedRunLoopCount();
+    bool insideNestedRunLoop() const { return m_nestedRunLoopCount > 0; }
+    WEBCORE_EXPORT void whenUnnested(std::function<void()>);
+
 #if ENABLE(REMOTE_INSPECTOR)
     WEBCORE_EXPORT bool remoteInspectionAllowed() const;
@@ -623 +628 @@
     std::unique_ptr<WebGLStateTracker> m_webGLStateTracker;
 
-    int m_subframeCount;
+    int m_nestedRunLoopCount { 0 };
+    std::function<void()> m_unnestCallback;
+
+    int m_subframeCount { 0 };
     String m_groupName;
     bool m_openedByDOM;

trunk/Source/WebKit/mac/ChangeLog

@@ +1 @@
+2017-01-17  Joseph Pecoraro  <pecoraro@apple.com>
+
+        Crash when closing tab with debugger paused
+        https://bugs.webkit.org/show_bug.cgi?id=161746
+        <rdar://problem/15607819>
+
+        Reviewed by Brian Burg and Brent Fulgham.
+
+        * WebView/WebView.mm:
+        (WebKit::DeferredPageDestructor::createDeferredPageDestructor):
+        (WebKit::DeferredPageDestructor::DeferredPageDestructor):
+        (WebKit::DeferredPageDestructor::tryDestruction):
+        (-[WebView _close]):
+        Defer destruction of the Page if we are in a nested runloop.
+
 2017-01-16  Joseph Pecoraro  <pecoraro@apple.com>
 

trunk/Source/WebKit/mac/WebView/WebView.mm

@@ -583 +583 @@
 }
 
+namespace WebKit {
+
+class DeferredPageDestructor {
+public:
+    static void createDeferredPageDestructor(std::unique_ptr<Page> page)
+    {
+        new DeferredPageDestructor(WTFMove(page));
+    }
+
+private:
+    DeferredPageDestructor(std::unique_ptr<Page> page)
+        : m_page(WTFMove(page))
+    {
+        tryDestruction();
+    }
+
+    void tryDestruction()
+    {
+        if (m_page->insideNestedRunLoop()) {
+            m_page->whenUnnested([this] { tryDestruction(); });
+            return;
+        }
+
+        m_page = nullptr;
+        delete this;
+    }
+
+    std::unique_ptr<Page> m_page;
+};
+
+} // namespace WebKit
+
 @interface WebView (WebFileInternal)
 #if !PLATFORM(IOS)
@@ -2149 +2181 @@
     // See comment in HistoryItem::releaseAllPendingPageCaches() for more information.
     Page* page = _private->page;
-    _private->page = 0;
-    delete page;
+    _private->page = nullptr;
+    WebKit::DeferredPageDestructor::createDeferredPageDestructor(std::unique_ptr<Page>(page));
 
 #if !PLATFORM(IOS)

trunk/Source/WebKit2/ChangeLog

@@ +1 @@
+2017-01-17  Joseph Pecoraro  <pecoraro@apple.com>
+
+        Crash when closing tab with debugger paused
+        https://bugs.webkit.org/show_bug.cgi?id=161746
+        <rdar://problem/15607819>
+
+        Reviewed by Brian Burg and Brent Fulgham.
+
+        * WebProcess/WebPage/WebPage.cpp:
+        (WebKit::DeferredPageDestructor::createDeferredPageDestructor):
+        (WebKit::DeferredPageDestructor::DeferredPageDestructor):
+        (WebKit::DeferredPageDestructor::tryDestruction):
+        (WebKit::WebPage::close):
+        Defer destruction of the Page and WebPage if we are in a nested runloop.
+        Also, proactively close all inspector frontends, including remote frontends.
+
+        * WebProcess/WebPage/ios/WebPageIOS.mm:
+        (WebKit::WebPage::handleSyntheticClick):
+        (WebKit::WebPage::completeSyntheticClick):
+        Return early in some cases where a nested run loop may have closed
+        the WebPage on us while handling JavaScript events.
+
 2017-01-16  Joseph Pecoraro  <pecoraro@apple.com>
 

trunk/Source/WebKit2/WebProcess/WebPage/WebPage.cpp

@@ -145 +145 @@
 #include <WebCore/HistoryItem.h>
 #include <WebCore/HitTestResult.h>
+#include <WebCore/InspectorController.h>
 #include <WebCore/JSDOMWindow.h>
 #include <WebCore/KeyboardEvent.h>
@@ -280 +281 @@
 };
 
+class DeferredPageDestructor {
+public:
+    static void createDeferredPageDestructor(std::unique_ptr<Page> page, WebPage* webPage)
+    {
+        new DeferredPageDestructor(WTFMove(page), webPage);
+    }
+
+private:
+    DeferredPageDestructor(std::unique_ptr<Page> page, WebPage* webPage)
+        : m_page(WTFMove(page))
+        , m_webPage(webPage)
+    {
+        tryDestruction();
+    }
+
+    void tryDestruction()
+    {
+        if (m_page->insideNestedRunLoop()) {
+            m_page->whenUnnested([this] { tryDestruction(); });
+            return;
+        }
+
+        m_page = nullptr;
+        m_webPage = nullptr;
+        delete this;
+    }
+
+    std::unique_ptr<Page> m_page;
+    RefPtr<WebPage> m_webPage;
+};
+
 DEFINE_DEBUG_ONLY_GLOBAL(WTF::RefCountedLeakCounter, webPageCounter, ("WebPage"));
 
@@ -1028 +1060 @@
     }
 
+    m_page->inspectorController().disconnectAllFrontends();
+
 #if ENABLE(FULLSCREEN_API)
     m_fullScreenManager = nullptr;
@@ -1085 +1119 @@
     m_printContext = nullptr;
     m_mainFrame->coreFrame()->loader().detachFromParent();
-    m_page = nullptr;
     m_drawingArea = nullptr;
+
+    DeferredPageDestructor::createDeferredPageDestructor(WTFMove(m_page), this);
 
     bool isRunningModal = m_isRunningModal;
@@ -2399 +2434 @@
     send(Messages::WebPageProxy::DidReceiveEvent(static_cast<uint32_t>(gestureEvent.type()), handled));
 }
-
 #endif
 

trunk/Source/WebKit2/WebProcess/WebPage/ios/WebPageIOS.mm

@@ -536 +536 @@
     m_pendingSyntheticClickLocation = FloatPoint();
 
+    if (m_isClosed)
+        return;
+
     switch (WKObservedContentChange()) {
     case WKContentVisibilityChange:
@@ -571 +574 @@
     RefPtr<Frame> oldFocusedFrame = m_page->focusController().focusedFrame();
     RefPtr<Element> oldFocusedElement = oldFocusedFrame ? oldFocusedFrame->document()->focusedElement() : nullptr;
-    m_userIsInteracting = true;
+
+    SetForScope<bool> userIsInteractingChange { m_userIsInteracting, true };
 
     bool tapWasHandled = false;
     m_lastInteractionLocation = roundedAdjustedPoint;
+
     tapWasHandled |= mainframe.eventHandler().handleMousePressEvent(PlatformMouseEvent(roundedAdjustedPoint, roundedAdjustedPoint, LeftButton, PlatformEvent::MousePressed, 1, false, false, false, false, currentTime(), WebCore::ForceAtClick, syntheticClickType));
+    if (m_isClosed)
+        return;
+
     tapWasHandled |= mainframe.eventHandler().handleMouseReleaseEvent(PlatformMouseEvent(roundedAdjustedPoint, roundedAdjustedPoint, LeftButton, PlatformEvent::MouseReleased, 1, false, false, false, false, currentTime(), WebCore::ForceAtClick, syntheticClickType));
+    if (m_isClosed)
+        return;
 
     RefPtr<Frame> newFocusedFrame = m_page->focusController().focusedFrame();
@@ -587 +597 @@
     if (newFocusedElement && newFocusedElement == oldFocusedElement)
         elementDidFocus(newFocusedElement.get());
-
-    m_userIsInteracting = false;
 
     if (!tapWasHandled || !nodeRespondingToClick || !nodeRespondingToClick->isElementNode())