Title: [236157] trunk/Source/WebKit
- Revision: 236157
- Author: [email protected]
- Date: 2018-09-18 15:05:51 -0700 (Tue, 18 Sep 2018)
Log Message
[iOS] Crash under WebPageProxy::navigationGestureSnapshotWasRemoved()
https://bugs.webkit.org/show_bug.cgi?id=189714
<rdar://problem/32839498>
Reviewed by Tim Horton.
The ViewGestureController::removeSwipeSnapshot() implementation for iOS calls
navigationGestureSnapshotWasRemoved() on m_webPageProxyForBackForwardListForCurrentSwipe.
m_webPageProxyForBackForwardListForCurrentSwipe can differ from m_webPageProxy, and
is a RefPtr<>. This means that this WebPageProxy's WKWebView might have been deallocated,
in which case we'll crash when trying to use the pageClient in
WebPageProxy::navigationGestureSnapshotWasRemoved(). To address the issue, we now return
early in WebPageProxy::navigationGestureSnapshotWasRemoved() if m_isClosed is true,
after resetting m_isShowingNavigationGestureSnapshot to false but *before* trying to use
the pageClient. When a WKWebView is deallocated, it calls WebPageProxy::close(), which
sets m_isClosed to true.
* UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::navigationGestureSnapshotWasRemoved):
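The lifetime pattern the log describes, as an added example that is not WebKit's code: a stand-in proxy that its view closes on deallocation, while a separately held reference (standing in for m_webPageProxyForBackForwardListForCurrentSwipe) outlives the view. PageProxy, PageClient, View and the two helper functions are hypothetical names chosen for this illustration.

```cpp
#include <memory>
// Stand-in for the UI-side page client; owned by the view, not by the proxy.
struct PageClient {
    int snapshotsRemoved = 0;
    void didRemoveNavigationGestureSnapshot() { ++snapshotsRemoved; }
};
// Minimal model of WebPageProxy (hypothetical, not WebKit's class).
class PageProxy {
public:
    explicit PageProxy(PageClient* client) : m_pageClient(client) {}
    void close() { m_isClosed = true; m_pageClient = nullptr; } // the view calls this on dealloc
    void showNavigationGestureSnapshot() { m_isShowingNavigationGestureSnapshot = true; }
    bool isShowingNavigationGestureSnapshot() const { return m_isShowingNavigationGestureSnapshot; }
    // Returns true if the client was notified, false if the page was already closed.
    bool navigationGestureSnapshotWasRemoved() {
        m_isShowingNavigationGestureSnapshot = false; // reset state first, as the fix does
        if (m_isClosed)
            return false; // the fix: m_pageClient is no longer valid below this point
        m_pageClient->didRemoveNavigationGestureSnapshot();
        return true;
    }
private:
    bool m_isClosed = false;
    bool m_isShowingNavigationGestureSnapshot = false;
    PageClient* m_pageClient;
};
// Stand-in for WKWebView: owns the client and closes the proxy when it is destroyed.
struct View {
    PageClient client;
    std::shared_ptr<PageProxy> proxy = std::make_shared<PageProxy>(&client);
    ~View() { proxy->close(); }
};
// Normal path: the view is alive, so the client is notified exactly once.
bool removeSnapshotWithLiveView() {
    View view;
    view.proxy->showNavigationGestureSnapshot();
    return view.proxy->navigationGestureSnapshotWasRemoved() && view.client.snapshotsRemoved == 1;
}
// Crash scenario from the log: a held reference (the swipe's back/forward proxy) outlives
// the view; without the m_isClosed check the call would dereference a dead client.
bool removeSnapshotAfterViewGone() {
    std::shared_ptr<PageProxy> held;
    {
        View view;
        view.proxy->showNavigationGestureSnapshot();
        held = view.proxy;
    } // view and its client are gone; held keeps the proxy object alive
    return !held->navigationGestureSnapshotWasRemoved() && !held->isShowingNavigationGestureSnapshot();
}
```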
Modified Paths
- trunk/Source/WebKit/ChangeLog
- trunk/Source/WebKit/UIProcess/WebPageProxy.cpp
Diff
Modified: trunk/Source/WebKit/ChangeLog (236156 => 236157)
--- trunk/Source/WebKit/ChangeLog 2018-09-18 21:52:10 UTC (rev 236156)
+++ trunk/Source/WebKit/ChangeLog 2018-09-18 22:05:51 UTC (rev 236157)
@@ -1,3 +1,25 @@
+2018-09-18 Chris Dumez <[email protected]>
+
+ [iOS] Crash under WebPageProxy::navigationGestureSnapshotWasRemoved()
+ https://bugs.webkit.org/show_bug.cgi?id=189714
+ <rdar://problem/32839498>
+
+ Reviewed by Tim Horton.
+
+ The ViewGestureController::removeSwipeSnapshot() implementation for iOS calls
+ navigationGestureSnapshotWasRemoved() on m_webPageProxyForBackForwardListForCurrentSwipe.
+ m_webPageProxyForBackForwardListForCurrentSwipe can differ from m_webPageProxy, and
+ is a RefPtr<>. This means that this WebPageProxy's WKWebView might have been deallocated,
+ in which case we'll crash when trying to use the pageClient in
+ WebPageProxy::navigationGestureSnapshotWasRemoved(). To address the issue, we now return
+ early in WebPageProxy::navigationGestureSnapshotWasRemoved() if m_isClosed is true,
+ after resetting m_isShowingNavigationGestureSnapshot to false but *before* trying to use
+ the pageClient. When a WKWebView is deallocated, it calls WebPageProxy::close(), which
+ sets m_isClosed to true.
+
+ * UIProcess/WebPageProxy.cpp:
+ (WebKit::WebPageProxy::navigationGestureSnapshotWasRemoved):
+
2018-09-18 Basuke Suzuki <[email protected]>
[Curl] Limit capturing extra metrics for Web Inspector when not required.
Modified: trunk/Source/WebKit/UIProcess/WebPageProxy.cpp (236156 => 236157)
--- trunk/Source/WebKit/UIProcess/WebPageProxy.cpp 2018-09-18 21:52:10 UTC (rev 236156)
+++ trunk/Source/WebKit/UIProcess/WebPageProxy.cpp 2018-09-18 22:05:51 UTC (rev 236157)
@@ -7105,6 +7105,11 @@
{
m_isShowingNavigationGestureSnapshot = false;
+ // The ViewGestureController may call this method on a WebPageProxy whose view has been destroyed. In such case,
+ // we need to return early as the pageClient will not be valid below.
+ if (m_isClosed)
+ return;
+
pageClient().didRemoveNavigationGestureSnapshot();
m_navigationClient->didRemoveNavigationGestureSnapshot(*this);
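Review bot: the early return at `if (m_isClosed) return;` also skips the `m_navigationClient->didRemoveNavigationGestureSnapshot(*this);` call on the line after `pageClient().didRemoveNavigationGestureSnapshot();`, while the new comment and the ChangeLog only justify skipping the pageClient use. If the navigation client should still be told that the snapshot went away for a closed page, move the check between the two calls; otherwise extend the comment to say the navigation client callback is intentionally skipped as well. Minor wording in the added comment: "In such case" reads better as "In such a case".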