Changeset 249444 in webkit


Ignore:
Timestamp:
Sep 3, 2019 4:21:38 PM (5 years ago)
Author:
timothy_horton@apple.com
Message:

Null deref under -[WKWebView _addUpdateVisibleContentRectPreCommitHandler]'s handler block
https://bugs.webkit.org/show_bug.cgi?id=201436
<rdar://problem/40640475>

Reviewed by Simon Fraser.

  • UIProcess/API/Cocoa/WKWebView.mm:

(-[WKWebView dealloc]):
(-[WKWebView _addUpdateVisibleContentRectPreCommitHandler]):
We crash sending a message to a deallocated WKWebView inside the handler block
passed to +[CATransaction addCommitHandler:]. This seems impossible, because
we carefully retain it, but it's possible that it could be the result of
the handler block being installed under -dealloc (in which case retaining
the WKWebView wouldn't actually extend its lifetime). -[WKWebView dealloc]
is fairly sizable, and it's hard to follow all paths from it, so instead
add a RELEASE_LOG_FAULT, so we'll get simulated crash logs, and bail,
so we'll stop actually crashing (if this is the cause).

This is just a speculative fix, but a hopeful one, since intentionally calling
-_addUpdateVisibleContentRectPreCommitHandler: from dealloc yields a similar-looking
crash under the handler block.

Location:
trunk/Source/WebKit
Files:
2 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/WebKit/ChangeLog

    r249436 r249444  
     12019-09-03  Tim Horton  <timothy_horton@apple.com>
     2
     3        Null deref under -[WKWebView _addUpdateVisibleContentRectPreCommitHandler]'s handler block
     4        https://bugs.webkit.org/show_bug.cgi?id=201436
     5        <rdar://problem/40640475>
     6
     7        Reviewed by Simon Fraser.
     8
     9        * UIProcess/API/Cocoa/WKWebView.mm:
     10        (-[WKWebView dealloc]):
     11        (-[WKWebView _addUpdateVisibleContentRectPreCommitHandler]):
     12        We crash sending a message to a deallocated WKWebView inside the handler block
     13        passed to +[CATransaction addCommitHandler:]. This seems impossible, because
     14        we carefully retain it, but it's possible that it could be the result of
     15        the handler block being installed under -dealloc (in which case retaining
     16        the WKWebView wouldn't actually extend its lifetime). -[WKWebView dealloc]
     17        is fairly sizable, and it's hard to follow all paths from it, so instead
     18        add a RELEASE_LOG_FAULT, so we'll get simulated crash logs, and bail,
     19        so we'll stop actually crashing (if this is the cause).
     20
     21        This is just a speculative fix, but a hopeful one, since intentionally calling
     22        -_addUpdateVisibleContentRectPreCommitHandler: from dealloc yields a similar-looking
     23        crash under the handler block.
     24
    1252019-09-03  Jiewen Tan  <jiewen_tan@apple.com>
    226

  • trunk/Source/WebKit/UIProcess/API/Cocoa/WKWebView.mm

    r249368 r249444  
    375375    NSUInteger _focusPreservationCount;
    376376    NSUInteger _activeFocusedStateRetainCount;
     377
     378    BOOL _hasEnteredDealloc;
    377379#endif
    378380#if PLATFORM(MAC)
     
    875877
    876878#if PLATFORM(IOS_FAMILY)
     879    _hasEnteredDealloc = YES;
     880
    877881    [_contentView _webViewDestroyed];
    878882
     
    30123016- (void)_addUpdateVisibleContentRectPreCommitHandler
    30133017{
     3018    if (_hasEnteredDealloc) {
     3019        RELEASE_LOG_FAULT(ViewState, "-[WKWebView %p _addUpdateVisibleContentRectPreCommitHandler]: Attempted to add pre-commit handler under -dealloc. Bailing.", self);
     3020        return;
     3021    }
     3022
    30143023    auto retainedSelf = retainPtr(self);
    30153024    [CATransaction addCommitHandler:[retainedSelf] {
Note: See TracChangeset for help on using the changeset viewer.