Changeset 260330 in webkit

Timestamp:

Apr 18, 2020 7:08:52 PM (4 years ago)

Author:

beidson@apple.com

Message:

Fix WebUserContentControllerProxy vs ContentWorld lifetime
​https://bugs.webkit.org/show_bug.cgi?id=210700

Reviewed by Alex Christensen.

Source/WebKit:

Covered by API test.

WebUserContentControllerProxy currently keeps all of its associated API::ContentWorlds alive via RefPtrs.

This is despite the fact that all of the associated WebScriptMessageHandlers, UserScripts, and
UserStyleSheets already keep their associated API::ContentWorlds alive.

It then decideds to tell WebProcesses to forget a content world after all of its clients are removed.

Unfortunately, content worlds are used for more than just content controller stuff. They're used for direct
JavaScript evaluation as well.

So a client could:

• Add a script message handler in a content world.
• Evaluate JavaScript in that content world, setting up some persistent state.
• Remove the script message handler.
• Find that their persistent state from the JavaScript evaluation is gone from that world, even though they still retain a usable handle to that world.

The only party who has any business managing the lifetime of an API::ContentWorld is the API::ContentWorld itself.

Making this change is:

1 - Nice cleanup
2 - Fixes the above mentioned bug

• UIProcess/API/APIContentWorld.cpp:

(API::ContentWorld::worldForIdentifier):
(API::ContentWorld::ContentWorld):
(API::ContentWorld::sharedWorldWithName):
(API::ContentWorld::~ContentWorld):
(API::ContentWorld::addAssociatedUserContentControllerProxy):
(API::ContentWorld::userContentControllerProxyDestroyed):

• UIProcess/API/APIContentWorld.h:

• UIProcess/UserContent/WebUserContentControllerProxy.cpp:

(WebKit::WebUserContentControllerProxy::parameters const):
(WebKit::WebUserContentControllerProxy::addContentWorld):
(WebKit::WebUserContentControllerProxy::contentWorldDestroyed):
(WebKit::WebUserContentControllerProxy::addUserScript):
(WebKit::WebUserContentControllerProxy::removeUserScript):
(WebKit::WebUserContentControllerProxy::removeAllUserScripts):
(WebKit::WebUserContentControllerProxy::addUserStyleSheet):
(WebKit::WebUserContentControllerProxy::removeUserStyleSheet):
(WebKit::WebUserContentControllerProxy::removeAllUserStyleSheets):
(WebKit::WebUserContentControllerProxy::addUserScriptMessageHandler):
(WebKit::WebUserContentControllerProxy::removeUserMessageHandlerForName):
(WebKit::WebUserContentControllerProxy::removeAllUserMessageHandlers):
(WebKit::WebUserContentControllerProxy::addContentWorldUse): Deleted.
(WebKit::WebUserContentControllerProxy::shouldSendRemoveContentWorldsMessage): Deleted.
(WebKit::WebUserContentControllerProxy::removeContentWorldUses): Deleted.

• UIProcess/UserContent/WebUserContentControllerProxy.h:

Tools:

• TestWebKitAPI/Tests/WebKitCocoa/WKWebViewEvaluateJavaScript.mm:

(-[DummyMessageHandler userContentController:didReceiveScriptMessage:]):
(TEST): Make sure removing a script message handler from a particular world

doesn't also destroy the other JavaScript contents of that world.

Location:

trunk

Files:

• Source/WebKit/ChangeLog (modified) (1 diff)
• Source/WebKit/UIProcess/API/APIContentWorld.cpp (modified) (3 diffs)
• Source/WebKit/UIProcess/API/APIContentWorld.h (modified) (3 diffs)
• Source/WebKit/UIProcess/UserContent/WebUserContentControllerProxy.cpp (modified) (14 diffs)
• Source/WebKit/UIProcess/UserContent/WebUserContentControllerProxy.h (modified) (5 diffs)
• Tools/ChangeLog (modified) (1 diff)
• Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebViewEvaluateJavaScript.mm (modified) (5 diffs)

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2020-04-18  Brady Eidson  <beidson@apple.com>
+
+        Fix WebUserContentControllerProxy vs ContentWorld lifetime
+        https://bugs.webkit.org/show_bug.cgi?id=210700
+
+        Reviewed by Alex Christensen.
+
+        Covered by API test.
+        
+        WebUserContentControllerProxy currently keeps all of its associated API::ContentWorlds alive via RefPtrs.
+        
+        This is despite the fact that all of the associated WebScriptMessageHandlers, UserScripts, and 
+        UserStyleSheets already keep their associated API::ContentWorlds alive.
+
+        It then decideds to tell WebProcesses to forget a content world after all of its clients are removed.
+        
+        Unfortunately, content worlds are used for more than just content controller stuff. They're used for direct
+        JavaScript evaluation as well.
+        
+        So a client could:
+          - Add a script message handler in a content world.
+          - Evaluate JavaScript in that content world, setting up some persistent state.
+          - Remove the script message handler.
+          - Find that their persistent state from the JavaScript evaluation is gone from that world, even though they
+            still retain a usable handle to that world.
+        
+        The only party who has any business managing the lifetime of an API::ContentWorld is the API::ContentWorld itself.
+        
+        Making this change is:
+          1 - Nice cleanup
+          2 - Fixes the above mentioned bug
+        
+        * UIProcess/API/APIContentWorld.cpp:
+        (API::ContentWorld::worldForIdentifier):
+        (API::ContentWorld::ContentWorld):
+        (API::ContentWorld::sharedWorldWithName):
+        (API::ContentWorld::~ContentWorld):
+        (API::ContentWorld::addAssociatedUserContentControllerProxy):
+        (API::ContentWorld::userContentControllerProxyDestroyed):
+        * UIProcess/API/APIContentWorld.h:
+
+        * UIProcess/UserContent/WebUserContentControllerProxy.cpp:
+        (WebKit::WebUserContentControllerProxy::parameters const):
+        (WebKit::WebUserContentControllerProxy::addContentWorld):
+        (WebKit::WebUserContentControllerProxy::contentWorldDestroyed):
+        (WebKit::WebUserContentControllerProxy::addUserScript):
+        (WebKit::WebUserContentControllerProxy::removeUserScript):
+        (WebKit::WebUserContentControllerProxy::removeAllUserScripts):
+        (WebKit::WebUserContentControllerProxy::addUserStyleSheet):
+        (WebKit::WebUserContentControllerProxy::removeUserStyleSheet):
+        (WebKit::WebUserContentControllerProxy::removeAllUserStyleSheets):
+        (WebKit::WebUserContentControllerProxy::addUserScriptMessageHandler):
+        (WebKit::WebUserContentControllerProxy::removeUserMessageHandlerForName):
+        (WebKit::WebUserContentControllerProxy::removeAllUserMessageHandlers):
+        (WebKit::WebUserContentControllerProxy::addContentWorldUse): Deleted.
+        (WebKit::WebUserContentControllerProxy::shouldSendRemoveContentWorldsMessage): Deleted.
+        (WebKit::WebUserContentControllerProxy::removeContentWorldUses): Deleted.
+        * UIProcess/UserContent/WebUserContentControllerProxy.h:
+
 2020-04-18  David Kilzer  <ddkilzer@apple.com>
 

trunk/Source/WebKit/UIProcess/API/APIContentWorld.cpp

@@ -28 +28 @@
 
 #include "ContentWorldShared.h"
+#include "WebUserContentControllerProxy.h"
 #include <wtf/HashMap.h>
 #include <wtf/text/StringHash.h>
 
 namespace API {
+
+static HashMap<WTF::String, ContentWorld*>& sharedWorldNameMap()
+{
+    static NeverDestroyed<HashMap<WTF::String, ContentWorld*>> sharedMap;
+    return sharedMap;
+}
+
+static HashMap<WebKit::ContentWorldIdentifier, ContentWorld*>& sharedWorldIdentifierMap()
+{
+    static NeverDestroyed<HashMap<WebKit::ContentWorldIdentifier, ContentWorld*>> sharedMap;
+    return sharedMap;
+}
+
+ContentWorld* ContentWorld::worldForIdentifier(WebKit::ContentWorldIdentifier identifer)
+{
+    return sharedWorldIdentifierMap().get(identifer);
+}
 
 ContentWorld::ContentWorld(const WTF::String& name)
@@ -45 +63 @@
 
     m_identifier = WebKit::ContentWorldIdentifier::generate();
+    auto addResult = sharedWorldIdentifierMap().add(m_identifier, this);
+    ASSERT_UNUSED(addResult, addResult.isNewEntry);
 }
 
-static HashMap<WTF::String, ContentWorld*>& sharedWorldMap()
+ContentWorld::ContentWorld(WebKit::ContentWorldIdentifier identifier)
+    : m_identifier(identifier)
 {
-    static HashMap<WTF::String, ContentWorld*>* sharedMap = new HashMap<WTF::String, ContentWorld*>;
-    return *sharedMap;
+    ASSERT(m_identifier == WebKit::pageContentWorldIdentifier());
 }
 
 Ref<ContentWorld> ContentWorld::sharedWorldWithName(const WTF::String& name)
 {
-    auto result = sharedWorldMap().add(name, nullptr);
+    auto result = sharedWorldNameMap().add(name, nullptr);
     if (result.isNewEntry) {
         result.iterator->value = new ContentWorld(name);
@@ -78 +98 @@
 ContentWorld::~ContentWorld()
 {
-    if (name().isNull())
-        return;
+    ASSERT(m_identifier != WebKit::pageContentWorldIdentifier());
 
-    auto taken = sharedWorldMap().take(name());
-    ASSERT_UNUSED(taken, taken == this);
+    auto result = sharedWorldIdentifierMap().take(m_identifier);
+    ASSERT_UNUSED(result, result == this || m_identifier == WebKit::pageContentWorldIdentifier());
+
+    if (!name().isNull()) {
+        auto taken = sharedWorldNameMap().take(name());
+        ASSERT_UNUSED(taken, taken == this);
+    }
+
+    for (auto proxy : m_associatedContentControllerProxies)
+        proxy->contentWorldDestroyed(*this);
+}
+
+void ContentWorld::addAssociatedUserContentControllerProxy(WebKit::WebUserContentControllerProxy& proxy)
+{
+    auto addResult = m_associatedContentControllerProxies.add(&proxy);
+    ASSERT_UNUSED(addResult, addResult.isNewEntry);
+}
+
+void ContentWorld::userContentControllerProxyDestroyed(WebKit::WebUserContentControllerProxy& proxy)
+{
+    bool removed = m_associatedContentControllerProxies.remove(&proxy);
+    ASSERT_UNUSED(removed, removed);
 }
 

trunk/Source/WebKit/UIProcess/API/APIContentWorld.h

@@ -28 +28 @@
 #include "APIObject.h"
 #include "ContentWorldShared.h"
+#include <wtf/HashSet.h>
 #include <wtf/text/WTFString.h>
+
+namespace WebKit {
+class WebUserContentControllerProxy;
+}
 
 namespace API {
@@ -34 +39 @@
 class ContentWorld final : public API::ObjectImpl<API::Object::Type::ContentWorld> {
 public:
+    static ContentWorld* worldForIdentifier(WebKit::ContentWorldIdentifier);
     static Ref<ContentWorld> sharedWorldWithName(const WTF::String&);
     static ContentWorld& pageContentWorld();
@@ -44 +50 @@
     std::pair<WebKit::ContentWorldIdentifier, WTF::String> worldData() const { return { m_identifier, m_name }; }
 
+    void addAssociatedUserContentControllerProxy(WebKit::WebUserContentControllerProxy&);
+    void userContentControllerProxyDestroyed(WebKit::WebUserContentControllerProxy&);
+
 private:
     explicit ContentWorld(const WTF::String&);
-    explicit ContentWorld(WebKit::ContentWorldIdentifier identifier)
-        : m_identifier(identifier) { }
+    explicit ContentWorld(WebKit::ContentWorldIdentifier);
 
     WebKit::ContentWorldIdentifier m_identifier;
     WTF::String m_name;
+    HashSet<WebKit::WebUserContentControllerProxy*> m_associatedContentControllerProxies;
 };
 

trunk/Source/WebKit/UIProcess/UserContent/WebUserContentControllerProxy.cpp

@@ -74 +74 @@
 WebUserContentControllerProxy::~WebUserContentControllerProxy()
 {
+    for (const auto& identifier : m_associatedContentWorlds) {
+        auto* world = API::ContentWorld::worldForIdentifier(identifier);
+        RELEASE_ASSERT(world);
+        world->userContentControllerProxyDestroyed(*this);
+    }
+    
     webUserContentControllerProxies().remove(m_identifier);
     for (auto& process : m_processes) {
@@ -111 +117 @@
     parameters.identifier = identifier();
     
-    for (const auto& world : m_contentWorlds)
-        parameters.userContentWorlds.append(world.key->worldData());
+    ASSERT(parameters.userContentWorlds.isEmpty());
+    for (const auto& identifier : m_associatedContentWorlds) {
+        auto* world = API::ContentWorld::worldForIdentifier(identifier);
+        RELEASE_ASSERT(world);
+        parameters.userContentWorlds.append(world->worldData());
+    }
 
     for (auto userScript : m_userScripts->elementsOfType<API::UserScript>())
@@ -150 +160 @@
 }
 
-void WebUserContentControllerProxy::addContentWorldUse(API::ContentWorld& world)
-{
-    if (&world == &API::ContentWorld::pageContentWorld())
-        return;
-
-    auto addResult = m_contentWorlds.add(&world);
-    if (addResult.isNewEntry) {
-        for (auto& process : m_processes)
-            process.send(Messages::WebUserContentController::AddContentWorlds({ world.worldData() }), identifier());
-    }
-}
-
-bool WebUserContentControllerProxy::shouldSendRemoveContentWorldsMessage(API::ContentWorld& world, unsigned numberOfUsesToRemove)
-{
-    if (&world == &API::ContentWorld::pageContentWorld())
-        return false;
-
-    auto it = m_contentWorlds.find(&world);
-    for (unsigned i = 0; i < numberOfUsesToRemove; ++i) {
-        if (m_contentWorlds.remove(it)) {
-            ASSERT(i == (numberOfUsesToRemove - 1));
-            return true;
-        }
-    }
-    
-    return false;
-}
-
-void WebUserContentControllerProxy::removeContentWorldUses(API::ContentWorld& world, unsigned numberOfUsesToRemove)
-{
-    if (shouldSendRemoveContentWorldsMessage(world, numberOfUsesToRemove)) {
-        for (auto& process : m_processes)
-            process.send(Messages::WebUserContentController::RemoveContentWorlds({ world.identifier() }), identifier());
-    }
-}
-
-void WebUserContentControllerProxy::removeContentWorldUses(HashCountedSet<RefPtr<API::ContentWorld>>& worlds)
-{
-    Vector<ContentWorldIdentifier> worldsToRemove;
-    for (auto& worldUsePair : worlds) {
-        if (shouldSendRemoveContentWorldsMessage(*worldUsePair.key.get(), worldUsePair.value))
-            worldsToRemove.append(worldUsePair.key->identifier());
-    }
-
-    for (auto& process : m_processes)
-        process.send(Messages::WebUserContentController::RemoveContentWorlds(worldsToRemove), identifier());
+void WebUserContentControllerProxy::addContentWorld(API::ContentWorld& world)
+{
+    if (world.identifier() == pageContentWorldIdentifier())
+        return;
+
+    auto addResult = m_associatedContentWorlds.add(world.identifier());
+    if (!addResult.isNewEntry)
+        return;
+
+    world.addAssociatedUserContentControllerProxy(*this);
+    for (auto& process : m_processes)
+        process.send(Messages::WebUserContentController::AddContentWorlds({ world.worldData() }), identifier());
+}
+
+void WebUserContentControllerProxy::contentWorldDestroyed(API::ContentWorld& world)
+{
+    bool result = m_associatedContentWorlds.remove(world.identifier());
+    ASSERT_UNUSED(result, result);
+
+    for (auto& process : m_processes)
+        process.send(Messages::WebUserContentController::RemoveContentWorlds({ world.identifier() }), identifier());
 }
 
@@ -202 +187 @@
     Ref<API::ContentWorld> world = userScript.contentWorld();
 
-    addContentWorldUse(world.get());
+    addContentWorld(world.get());
 
     m_userScripts->elements().append(&userScript);
@@ -218 +203 @@
 
     m_userScripts->elements().removeAll(&userScript);
-
-    removeContentWorldUses(world.get(), 1);
 }
 
@@ -227 +210 @@
         process.send(Messages::WebUserContentController::RemoveAllUserScripts({ world.identifier() }), identifier());
 
-    unsigned userScriptsRemoved = m_userScripts->removeAllOfTypeMatching<API::UserScript>([&](const auto& userScript) {
+    m_userScripts->removeAllOfTypeMatching<API::UserScript>([&](const auto& userScript) {
         return &userScript->contentWorld() == &world;
     });
-
-    removeContentWorldUses(world, userScriptsRemoved);
 }
 
@@ -249 +230 @@
 
     m_userScripts->elements().clear();
-
-    removeContentWorldUses(worlds);
 }
 
@@ -257 +236 @@
     Ref<API::ContentWorld> world = userStyleSheet.contentWorld();
 
-    addContentWorldUse(world.get());
+    addContentWorld(world.get());
 
     m_userStyleSheets->elements().append(&userStyleSheet);
@@ -273 +252 @@
 
     m_userStyleSheets->elements().removeAll(&userStyleSheet);
-
-    removeContentWorldUses(world.get(), 1);
 }
 
@@ -282 +259 @@
         process.send(Messages::WebUserContentController::RemoveAllUserStyleSheets({ world.identifier() }), identifier());
 
-    unsigned userStyleSheetsRemoved = m_userStyleSheets->removeAllOfTypeMatching<API::UserStyleSheet>([&](const auto& userStyleSheet) {
+    m_userStyleSheets->removeAllOfTypeMatching<API::UserStyleSheet>([&](const auto& userStyleSheet) {
         return &userStyleSheet->contentWorld() == &world;
     });
-
-    removeContentWorldUses(world, userStyleSheetsRemoved);
 }
 
@@ -304 +279 @@
 
     m_userStyleSheets->elements().clear();
-
-    removeContentWorldUses(worlds);
 }
 
@@ -317 +290 @@
     }
 
-    addContentWorldUse(world);
+    addContentWorld(world);
 
     m_scriptMessageHandlers.add(handler.identifier(), &handler);
@@ -336 +309 @@
             m_scriptMessageHandlers.remove(it);
 
-            removeContentWorldUses(world, 1);
             return;
         }
@@ -355 +327 @@
         return false;
     });
-
-    removeContentWorldUses(world, numberRemoved);
 }
 

trunk/Source/WebKit/UIProcess/UserContent/WebUserContentControllerProxy.h

@@ -27 +27 @@
 
 #include "APIObject.h"
+#include "ContentWorldShared.h"
 #include "MessageReceiver.h"
 #include "UserContentControllerIdentifier.h"
@@ -94 +95 @@
     void removeAllUserStyleSheets();
 
-    void removeAllUserContent(API::ContentWorld&);
-
     // Returns false if there was a name conflict.
     bool addUserScriptMessageHandler(WebScriptMessageHandler&);
@@ -114 +113 @@
     UserContentControllerIdentifier identifier() const { return m_identifier; }
 
+    void contentWorldDestroyed(API::ContentWorld&);
+
 private:
     // IPC::MessageReceiver.
@@ -120 +121 @@
     void didPostMessage(IPC::Connection&, WebPageProxyIdentifier, FrameInfoData&&, uint64_t messageHandlerID, const IPC::DataReference&);
 
-    void addContentWorldUse(API::ContentWorld&);
-    void removeContentWorldUses(API::ContentWorld&, unsigned numberOfUsesToRemove);
-    void removeContentWorldUses(HashCountedSet<RefPtr<API::ContentWorld>>&);
-    bool shouldSendRemoveContentWorldsMessage(API::ContentWorld&, unsigned numberOfUsesToRemove);
+    void addContentWorld(API::ContentWorld&);
 
     UserContentControllerIdentifier m_identifier;
@@ -130 +128 @@
     Ref<API::Array> m_userStyleSheets;
     HashMap<uint64_t, RefPtr<WebScriptMessageHandler>> m_scriptMessageHandlers;
-    HashCountedSet<RefPtr<API::ContentWorld>> m_contentWorlds;
+    HashSet<ContentWorldIdentifier> m_associatedContentWorlds;
 
 #if ENABLE(CONTENT_EXTENSIONS)

trunk/Tools/ChangeLog

@@ +1 @@
+2020-04-18  Brady Eidson  <beidson@apple.com>
+
+        Fix WebUserContentControllerProxy vs ContentWorld lifetime
+        https://bugs.webkit.org/show_bug.cgi?id=210700
+
+        Reviewed by Alex Christensen.
+
+        * TestWebKitAPI/Tests/WebKitCocoa/WKWebViewEvaluateJavaScript.mm:
+        (-[DummyMessageHandler userContentController:didReceiveScriptMessage:]):
+        (TEST): Make sure removing a script message handler from a particular world
+          doesn't also destroy the other JavaScript contents of that world.
+
 2020-04-18  Daniel Bates  <dabates@apple.com>
 

trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebViewEvaluateJavaScript.mm

@@ -35 +35 @@
 #import "TestWKWebView.h"
 #import "WKWebViewConfigurationExtras.h"
-#import <WebKit/WKWebViewConfigurationPrivate.h>
-#import <WebKit/WKContentWorld.h>
+#import <WebKit/WKContentWorldPrivate.h>
 #import <WebKit/WKErrorPrivate.h>
 #import <WebKit/WKPreferencesPrivate.h>
 #import <WebKit/WKPreferencesRef.h>
+#import <WebKit/WKUserContentControllerPrivate.h>
+#import <WebKit/WKWebViewConfigurationPrivate.h>
 #import <WebKit/WKWebViewPrivate.h>
 #import <WebKit/_WKFrameTreeNode.h>
@@ -134 +135 @@
 }
 
+@interface DummyMessageHandler : NSObject <WKScriptMessageHandler>
+@end
+
+@implementation DummyMessageHandler
+- (void)userContentController:(WKUserContentController *)userContentController didReceiveScriptMessage:(WKScriptMessage *)message
+{
+}
+@end
+
 TEST(WKWebView, EvaluateJavaScriptInWorlds)
 {
@@ -186 +196 @@
     isDone = false;
 
-    // Set a varibale value in a named world.
+    // Add a scriptMessageHandler in a named world.
     RetainPtr<WKContentWorld> namedWorld = [WKContentWorld worldWithName:@"NamedWorld"];
+    id handler = [[[DummyMessageHandler alloc] init] autorelease];
+    [webView.get().configuration.userContentController _addScriptMessageHandler:handler name:@"testHandlerName" userContentWorld:namedWorld.get()._userContentWorld];
+
+    // Set a variable value in that named world.
     [webView evaluateJavaScript:@"var bar = 'baz'" inContentWorld:namedWorld.get() completionHandler:^(id result, NSError *error) {
         EXPECT_NULL(result);
@@ -196 +210 @@
     isDone = false;
 
-    // Set a global variable value in a named world via a function call.
+    // Set a global variable value in that named world via a function call.
     [webView callAsyncJavaScript:@"window.baz = 'bat'" arguments:nil inContentWorld:namedWorld.get() completionHandler:^(id result, NSError *error) {
         EXPECT_NULL(result);
@@ -206 +220 @@
     isDone = false;
 
-    // Verify they are there in that named world.
+    // Remove the dummy message handler
+    [webView.get().configuration.userContentController _removeScriptMessageHandlerForName:@"testHandlerName" userContentWorld:namedWorld.get()._userContentWorld];
+
+    // Verify the variables we set are there in that named world.
     [webView evaluateJavaScript:@"bar" inContentWorld:namedWorld.get() completionHandler:^(id result, NSError *error) {
         EXPECT_TRUE([result isKindOfClass:[NSString class]]);