Modified: trunk/Source/WebKit/ChangeLog (263995 => 263996)
--- trunk/Source/WebKit/ChangeLog 2020-07-06 23:27:56 UTC (rev 263995)
+++ trunk/Source/WebKit/ChangeLog 2020-07-06 23:30:05 UTC (rev 263996)
@@ -1,3 +1,25 @@
+2020-07-06 Chris Dumez <[email protected]>
+
+ Regression(r249303) Crash under NetworkLoad::NetworkLoad()
+ https://bugs.webkit.org/show_bug.cgi?id=214008
+ <rdar://problem/64853936>
+
+ Reviewed by Alex Christensen.
+
+ * NetworkProcess/cache/NetworkCacheSpeculativeLoad.cpp:
+ (WebKit::NetworkCache::SpeculativeLoad::SpeculativeLoad):
+ Do some hardening and fail the SpeculativeLoad if the network session is null, instead of dereferencing
+ the network session unconditionally. The NetworkCache owns the NetworkCacheSpeculativeLoadManager and
+ the NetworkCache is RefCounted so it may outlive its NetworkSession in theory and schedule speculative
+ loads for a session that was just destroyed.
+
+ * NetworkProcess/cache/NetworkCacheSpeculativeLoadManager.cpp:
+ (WebKit::NetworkCache::SpeculativeLoadManager::registerLoad):
+ (WebKit::NetworkCache::SpeculativeLoadManager::preloadEntry):
+ * NetworkProcess/cache/NetworkCacheSpeculativeLoadManager.h:
+ Capture weakThis in a few lambda and check it when the lambda gets called. It looked unsafe so I
+ decided to do some hardening.
+
2020-07-06 Peng Liu <[email protected]>
REGRESSION (r261001): ASSERTION FAILED: m_clientCounts.contains(contextId) in WebKit::VideoFullscreenManagerProxy::removeClientForContext
Modified: trunk/Source/WebKit/NetworkProcess/cache/NetworkCacheSpeculativeLoad.cpp (263995 => 263996)
--- trunk/Source/WebKit/NetworkProcess/cache/NetworkCacheSpeculativeLoad.cpp 2020-07-06 23:27:56 UTC (rev 263995)
+++ trunk/Source/WebKit/NetworkProcess/cache/NetworkCacheSpeculativeLoad.cpp 2020-07-06 23:30:05 UTC (rev 263996)
@@ -51,6 +51,14 @@
{
ASSERT(!m_cacheEntry || m_cacheEntry->needsValidation());
+ auto* networkSession = m_cache->networkProcess().networkSession(m_cache->sessionID());
+ if (!networkSession) {
+ RunLoop::main().dispatch([completionHandler = WTFMove(m_completionHandler)]() mutable {
+ completionHandler(nullptr);
+ });
+ return;
+ }
+
NetworkLoadParameters parameters;
parameters.webPageProxyID = globalFrameID.webPageProxyID;
parameters.webPageID = globalFrameID.webPageID;
@@ -60,7 +68,7 @@
parameters.contentEncodingSniffingPolicy = ContentEncodingSniffingPolicy::Sniff;
parameters.request = m_originalRequest;
parameters.isNavigatingToAppBoundDomain = isNavigatingToAppBoundDomain;
- m_networkLoad = makeUnique<NetworkLoad>(*this, nullptr, WTFMove(parameters), *cache.networkProcess().networkSession(cache.sessionID()));
+ m_networkLoad = makeUnique<NetworkLoad>(*this, nullptr, WTFMove(parameters), *networkSession);
}
SpeculativeLoad::~SpeculativeLoad()
Modified: trunk/Source/WebKit/NetworkProcess/cache/NetworkCacheSpeculativeLoadManager.cpp (263995 => 263996)
--- trunk/Source/WebKit/NetworkProcess/cache/NetworkCacheSpeculativeLoadManager.cpp 2020-07-06 23:27:56 UTC (rev 263995)
+++ trunk/Source/WebKit/NetworkProcess/cache/NetworkCacheSpeculativeLoadManager.cpp 2020-07-06 23:30:05 UTC (rev 263996)
@@ -367,7 +367,10 @@
m_pendingFrameLoads.add(frameID, pendingFrameLoad.copyRef());
// Retrieve the subresources entry if it exists to start speculative revalidation and to update it.
- retrieveSubresourcesEntry(resourceKey, [this, frameID, pendingFrameLoad = WTFMove(pendingFrameLoad), isNavigatingToAppBoundDomain](std::unique_ptr<SubresourcesEntry> entry) {
+ retrieveSubresourcesEntry(resourceKey, [this, weakThis = makeWeakPtr(*this), frameID, pendingFrameLoad = WTFMove(pendingFrameLoad), isNavigatingToAppBoundDomain](std::unique_ptr<SubresourcesEntry> entry) {
+ if (!weakThis)
+ return;
+
if (entry)
startSpeculativeRevalidation(frameID, *entry, isNavigatingToAppBoundDomain);
@@ -559,7 +562,10 @@
return;
m_pendingPreloads.add(key, nullptr);
- retrieveEntryFromStorage(subresourceInfo, [this, key, subresourceInfo, frameID, isNavigatingToAppBoundDomain](std::unique_ptr<Entry> entry) {
+ retrieveEntryFromStorage(subresourceInfo, [this, weakThis = makeWeakPtr(*this), key, subresourceInfo, frameID, isNavigatingToAppBoundDomain](std::unique_ptr<Entry> entry) {
+ if (!weakThis)
+ return;
+
ASSERT(!m_pendingPreloads.get(key));
bool removed = m_pendingPreloads.remove(key);
ASSERT_UNUSED(removed, removed);
Modified: trunk/Source/WebKit/NetworkProcess/cache/NetworkCacheSpeculativeLoadManager.h (263995 => 263996)
--- trunk/Source/WebKit/NetworkProcess/cache/NetworkCacheSpeculativeLoadManager.h 2020-07-06 23:27:56 UTC (rev 263995)
+++ trunk/Source/WebKit/NetworkProcess/cache/NetworkCacheSpeculativeLoadManager.h 2020-07-06 23:30:05 UTC (rev 263996)
@@ -33,6 +33,7 @@
#include <WebCore/ResourceRequest.h>
#include <wtf/HashMap.h>
#include <wtf/Vector.h>
+#include <wtf/WeakPtr.h>
namespace WebKit {
@@ -43,7 +44,7 @@
class SubresourceInfo;
class SubresourcesEntry;
-class SpeculativeLoadManager {
+class SpeculativeLoadManager : public CanMakeWeakPtr<SpeculativeLoadManager> {
WTF_MAKE_FAST_ALLOCATED;
public:
explicit SpeculativeLoadManager(Cache&, Storage&);
