Skip to site navigation (Press enter)

[webkit-changes] [248598] trunk

cdumez Tue, 13 Aug 2019 11:08:08 -0700

Title: [248598] trunk

Revision: 248598
Author: [email protected]
Date: 2019-08-13 10:12:43 -0700 (Tue, 13 Aug 2019)

Log Message

Crash under IPC::Connection::markCurrentlyDispatchedMessageAsInvalid()
https://bugs.webkit.org/show_bug.cgi?id=200674
<rdar://problem/50692748>


Reviewed by Geoff Garen.

Source/WebKit:

When the client terminates a provisional process (e.g. via the [WKWebView _killWebContentProcessAndResetState]
SPI), the WebProcessProxy would notify its associated WebPageProxy objects that it had terminated but would fail
to notify its associated ProvisionalPageProxy objects. As a result, those objects would not get destroyed and
would still think that they were in the middle of a provisional load the next time a load started. This inconsistent
state would lead to crashes such as the one in the radar.

* UIProcess/ProvisionalPageProxy.cpp:
(WebKit::ProvisionalPageProxy::cancel):
* UIProcess/WebProcessProxy.cpp:
(WebKit::WebProcessProxy::requestTermination):

Tools:

Add API test coverage.

* TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm:

Modified Paths

trunk/Source/WebKit/ChangeLog
trunk/Source/WebKit/UIProcess/ProvisionalPageProxy.cpp
trunk/Source/WebKit/UIProcess/WebProcessProxy.cpp
trunk/Tools/ChangeLog
trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm

Diff

Modified: trunk/Source/WebKit/ChangeLog (248597 => 248598)


--- trunk/Source/WebKit/ChangeLog	2019-08-13 17:08:54 UTC (rev 248597)
+++ trunk/Source/WebKit/ChangeLog	2019-08-13 17:12:43 UTC (rev 248598)
@@ -1,3 +1,22 @@
+2019-08-13  Chris Dumez  <[email protected]>
+
+        Crash under IPC::Connection::markCurrentlyDispatchedMessageAsInvalid()
+        https://bugs.webkit.org/show_bug.cgi?id=200674
+        <rdar://problem/50692748>
+
+        Reviewed by Geoff Garen.
+
+        When the client terminates a provisional process (e.g. via the [WKWebView _killWebContentProcessAndResetState]
+        SPI), the WebProcessProxy would notify its associated WebPageProxy objects that it had terminated but would fail
+        to notify its associated ProvisionalPageProxy objects. As a result, those objects would not get destroyed and
+        would still think that they were in the middle of a provisional load the next time a load started. This inconsistent
+        state would lead to crashes such as the one in the radar.
+
+        * UIProcess/ProvisionalPageProxy.cpp:
+        (WebKit::ProvisionalPageProxy::cancel):
+        * UIProcess/WebProcessProxy.cpp:
+        (WebKit::WebProcessProxy::requestTermination):
+
 2019-08-13  Youenn Fablet  <[email protected]>
 
         Blob registries should be keyed by session IDs

Modified: trunk/Source/WebKit/UIProcess/ProvisionalPageProxy.cpp (248597 => 248598)


--- trunk/Source/WebKit/UIProcess/ProvisionalPageProxy.cpp	2019-08-13 17:08:54 UTC (rev 248597)
+++ trunk/Source/WebKit/UIProcess/ProvisionalPageProxy.cpp	2019-08-13 17:12:43 UTC (rev 248598)
@@ -120,6 +120,8 @@
     // If the provisional load started, then indicate that it failed due to cancellation by calling didFailProvisionalLoadForFrame().
     if (m_provisionalLoadURL.isEmpty())
         return;
+        
+    ASSERT(m_process->state() == WebProcessProxy::State::Running);
 
     RELEASE_LOG_IF_ALLOWED(ProcessSwapping, "cancel: Simulating a didFailProvisionalLoadForFrame for pageID = %" PRIu64, m_page.pageID().toUInt64());
     ASSERT(m_mainFrame);

Modified: trunk/Source/WebKit/UIProcess/WebProcessProxy.cpp (248597 => 248598)


--- trunk/Source/WebKit/UIProcess/WebProcessProxy.cpp	2019-08-13 17:08:54 UTC (rev 248597)
+++ trunk/Source/WebKit/UIProcess/WebProcessProxy.cpp	2019-08-13 17:12:43 UTC (rev 248598)
@@ -1033,6 +1033,7 @@
     if (webConnection())
         webConnection()->didClose();
 
+    auto provisionalPages = WTF::map(m_provisionalPages, [](auto* provisionalPage) { return makeWeakPtr(provisionalPage); });
     auto pages = copyToVectorOf<RefPtr<WebPageProxy>>(m_pageMap.values());
 
     shutDown();
@@ -1039,6 +1040,11 @@
 
     for (auto& page : pages)
         page->processDidTerminate(reason);
+        
+    for (auto& provisionalPage : provisionalPages) {
+        if (provisionalPage)
+            provisionalPage->processDidTerminate();
+    }
 }
 
 bool WebProcessProxy::isReleaseLoggingAllowed() const

Modified: trunk/Tools/ChangeLog (248597 => 248598)


--- trunk/Tools/ChangeLog	2019-08-13 17:08:54 UTC (rev 248597)
+++ trunk/Tools/ChangeLog	2019-08-13 17:12:43 UTC (rev 248598)
@@ -1,3 +1,15 @@
+2019-08-13  Chris Dumez  <[email protected]>
+
+        Crash under IPC::Connection::markCurrentlyDispatchedMessageAsInvalid()
+        https://bugs.webkit.org/show_bug.cgi?id=200674
+        <rdar://problem/50692748>
+
+        Reviewed by Geoff Garen.
+
+        Add API test coverage.
+
+        * TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm:
+
 2019-08-12  Takashi Komori  <[email protected]>
 
         [WTF] Thread::removeFromThreadGroup leaks weak pointers.

Modified: trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm (248597 => 248598)


--- trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm	2019-08-13 17:08:54 UTC (rev 248597)
+++ trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm	2019-08-13 17:12:43 UTC (rev 248598)
@@ -640,6 +640,48 @@
     done = false;
 }
 
+TEST(ProcessSwap, KillProvisionalWebContentProcessThenStartNewLoad)
+{
+    auto processPoolConfiguration = psonProcessPoolConfiguration();
+    auto processPool = adoptNS([[WKProcessPool alloc] _initWithConfiguration:processPoolConfiguration.get()]);
+
+    auto webViewConfiguration = adoptNS([[WKWebViewConfiguration alloc] init]);
+    [webViewConfiguration setProcessPool:processPool.get()];
+    auto handler = adoptNS([[PSONScheme alloc] init]);
+    [webViewConfiguration setURLSchemeHandler:handler.get() forURLScheme:@"PSON"];
+
+    auto webView = adoptNS([[WKWebView alloc] initWithFrame:NSMakeRect(0, 0, 800, 600) configuration:webViewConfiguration.get()]);
+    auto navigationDelegate = adoptNS([[PSONNavigationDelegate alloc] init]);
+    [webView setNavigationDelegate:navigationDelegate.get()];
+    
+    NSURLRequest *request = [NSURLRequest requestWithURL:[NSURL URLWithString:@"pson://www.webkit.org/main.html"]];
+    [webView loadRequest:request];
+
+    TestWebKitAPI::Util::run(&done);
+    done = false;
+    
+    // When the provisional load starts in the provisional process, kill the WebView's processes.
+    navigationDelegate->didStartProvisionalNavigationHandler = ^{
+        [webView _killWebContentProcessAndResetState];
+        done = true;
+    };
+    
+    // Start a new cross-site load, which should happen in a new provisional process.
+    request = [NSURLRequest requestWithURL:[NSURL URLWithString:@"pson://www.apple.com/main.html"]];
+    [webView loadRequest:request];
+    
+    TestWebKitAPI::Util::run(&done);
+    done = false;
+    
+    navigationDelegate->didStartProvisionalNavigationHandler = nil;
+    
+    request = [NSURLRequest requestWithURL:[NSURL URLWithString:@"pson://www.apple.com/main.html"]];
+    [webView loadRequest:request];
+
+    TestWebKitAPI::Util::run(&done);
+    done = false;
+}
+
 TEST(ProcessSwap, NoSwappingForeTLDPlus2)
 {
     auto processPoolConfiguration = psonProcessPoolConfiguration();

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes