Changeset 219852 in webkit


Timestamp:
Jul 24, 2017 6:17:51 PM (7 years ago)
Author:
Simon Fraser
Message:

[iOS WK2] Crash under PageOverlayController::uninstallPageOverlay when doing multiple finds
https://bugs.webkit.org/show_bug.cgi?id=174806
rdar://problem/33501664

Reviewed by Tim Horton.

Calling TextIndicator::createWithSelectionInFrame can trigger layout via VisibleSelection code,
which can re-enter FindController::updateFindIndicator which has by now removed m_findIndicatorOverlay
from pageOverlayController's map, but not deleted it. The second call to uninstallPageOverlay()
thus crashes at m_overlayGraphicsLayers.take(&overlay)->removeFromParent().

Fix by nulling out m_findIndicatorOverlay as soon as we uninstall it.

  • WebProcess/WebPage/ios/FindControllerIOS.mm:

(WebKit::FindController::updateFindIndicator):
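The sequence described in the message, as an added C++ model that is neither the changeset's code nor WebKit's: OverlayController, FindController, Overlay ids and simulateDoubleFind are assumed stand-ins for the real classes, and layout is modelled as one re-entrant call to updateFindIndicator.

```cpp
// Added example (not WebKit code): model of the re-entrancy in the changeset.
// A second uninstall of the same overlay finds no layer in the map and would
// dereference null in m_overlayGraphicsLayers.take(&overlay)->removeFromParent().
#include <map>
#include <memory>
struct Overlay { int id; };
struct OverlayController {
    std::map<int, std::unique_ptr<int>> layers; // stand-in for m_overlayGraphicsLayers
    int nullDerefs = 0;                         // each one is a crash in the real code
    void install(const Overlay& o) { layers[o.id] = std::make_unique<int>(0); }
    void uninstall(const Overlay& o) {
        auto it = layers.find(o.id);
        if (it == layers.end()) { ++nullDerefs; return; } // take() gave back nothing
        layers.erase(it);                                 // ->removeFromParent()
    }
};
struct FindController {
    OverlayController& pc;
    std::unique_ptr<Overlay> overlay; // m_findIndicatorOverlay
    bool nullBeforeLayout;            // true models the changeset's fix
    bool reenterOnce = false;         // "layout" re-enters updateFindIndicator once
    int nextId = 1;
    void updateFindIndicator() {
        if (overlay) {
            pc.uninstall(*overlay);
            if (nullBeforeLayout)
                overlay = nullptr; // the fix: drop the stale pointer before layout
        }
        // createWithSelectionInFrame may run layout, which can call
        // updateFindIndicator again; modelled here as a single re-entry.
        if (reenterOnce) {
            reenterOnce = false;
            updateFindIndicator();
        }
        overlay = std::make_unique<Overlay>(Overlay{nextId++});
        pc.install(*overlay);
    }
};
// Hypothetical driver: two finds, the second re-entered from layout. Returns
// how many uninstall calls would have dereferenced null (0 with the fix).
int simulateDoubleFind(bool withFix) {
    OverlayController pc;
    FindController fc{pc, nullptr, withFix};
    fc.updateFindIndicator(); // first find installs overlay 1
    fc.reenterOnce = true;
    fc.updateFindIndicator(); // second find: uninstall, layout, re-entry
    return pc.nullDerefs;
}
```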

Location:
trunk/Source/WebKit
Files:
2 edited

  • trunk/Source/WebKit/ChangeLog

    r219845 r219852  
     12017-07-24  Simon Fraser  <simon.fraser@apple.com>
     2
     3        [iOS WK2] Crash under PageOverlayController::uninstallPageOverlay when doing multiple finds
     4        https://bugs.webkit.org/show_bug.cgi?id=174806
     5        rdar://problem/33501664
     6
     7        Reviewed by Tim Horton.
     8       
     9        Calling TextIndicator::createWithSelectionInFrame can trigger layout via VisibleSelection code,
     10        which can re-enter FindController::updateFindIndicator which has by now removed m_findIndicatorOverlay
     11        from pageOverlayController's map, but not deleted it. The second call to uninstallPageOverlay()
     12        thus crashes at m_overlayGraphicsLayers.take(&overlay)->removeFromParent().
     13       
     14        Fix by nulling out m_findIndicatorOverlay as soon as we uninstall it.
     15
     16        * WebProcess/WebPage/ios/FindControllerIOS.mm:
     17        (WebKit::FindController::updateFindIndicator):
     18
    1192017-07-24  Chris Dumez  <cdumez@apple.com>
    220
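Review bot: The ChangeLog entry has no test statement; WebKit entries normally say whether a test was added or why not, and since the changeset touches only the ChangeLog and FindControllerIOS.mm, a line such as "No new tests, the crash needs layout to re-enter updateFindIndicator." after the "Fix by nulling out..." paragraph would document that gap.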
  • trunk/Source/WebKit/WebProcess/WebPage/ios/FindControllerIOS.mm

    r218068 r219852  
    9090bool FindController::updateFindIndicator(Frame& selectedFrame, bool isShowingOverlay, bool shouldAnimate)
    9191{
    92     if (m_findIndicatorOverlay)
     92    if (m_findIndicatorOverlay) {
    9393        m_webPage->mainFrame()->pageOverlayController().uninstallPageOverlay(*m_findIndicatorOverlay, PageOverlay::FadeMode::DoNotFade);
     94        m_findIndicatorOverlay = nullptr;
     95        m_isShowingFindIndicator = false;
     96    }
    9497
    9598    RefPtr<TextIndicator> textIndicator = TextIndicator::createWithSelectionInFrame(selectedFrame, findTextIndicatorOptions, TextIndicatorPresentationTransition::None, FloatSize(totalHorizontalMargin, totalVerticalMargin));
    96     if (!textIndicator) {
    97         m_findIndicatorOverlay = nullptr;
    98         m_isShowingFindIndicator = false;
     99    if (!textIndicator)
    99100        return false;
    100     }
    101101
    102102    m_findIndicatorOverlayClient = std::make_unique<FindIndicatorOverlayClientIOS>(selectedFrame, textIndicator.get());
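Review bot: Clearing m_findIndicatorOverlay before createWithSelectionInFrame removes the double uninstallPageOverlay, but the re-entrant updateFindIndicator still runs to completion: the nested call takes the same path and goes on to create its own m_findIndicatorOverlayClient, and when the outer call resumes at "m_findIndicatorOverlayClient = std::make_unique<FindIndicatorOverlayClientIOS>(...)" it replaces that client and whatever overlay the nested call set up. Consider a re-entrancy guard (return early when an update is already in progress) or re-checking m_findIndicatorOverlay after createWithSelectionInFrame returns, so the outer call does not install a second indicator over the nested one.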