Title: [269260] branches/safari-610-branch
Revision: 269260
Author: [email protected]
Date: 2020-11-02 11:20:27 -0800 (Mon, 02 Nov 2020)

Log Message

Cherry-pick r268199. rdar://problem/70952726

    Crash under WebKit::WebProcessCache::clear()
    https://bugs.webkit.org/show_bug.cgi?id=217480

    Reviewed by Geoffrey Garen.

    Source/WebKit:

    Protect |process| in the responsiveness check lambda in WebProcessCache::addProcessIfPossible().
    If we fail to do so and WebProcessCache::clear() gets called while the responsiveness check is
    pending, the WebProcessProxy destructor may get called while clear() clears m_pendingAddRequests,
    which would resolve the responsiveness check with responsive=false, and cause the lambda to
    try and remove the entry from m_pendingAddRequests (while clear() is clearing it).

    * UIProcess/WebProcessCache.cpp:
    (WebKit::WebProcessCache::addProcessIfPossible):

    Tools:

    Add API test coverage.

    * TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm:

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@268199 268f45cc-cd09-0410-ab3c-d52691b4dbfc
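The lifetime bug the log message describes, reduced to a self-contained C++ model. This is an added example, not WebKit code: `Process`, `Ref`, `Cache` and `runScenario` are constructed stand-ins for WebProcessProxy, WTF::Ref, WebProcessCache and the API test, and the request identifiers and counters are invented for the model. It keeps the shape of the real code: a pending-add map that owns the process, an asynchronous responsiveness check whose callback captures `this` and the request identifier, and a proxy destructor that resolves a pending check with responsive=false. The one deliberate departure is that a callback arriving while `clear()` is running is counted instead of performing the `take()` that crashes in the real HashMap, so the original and the fixed capture lists can be run side by side.

```cpp
#include <cstdint>
#include <functional>
#include <map>
#include <memory>
#include <utility>

// Stand-in for WebProcessProxy (constructed): ref-counted, with at most one pending responsiveness check; a pong resolves it with true, destruction with false.
class Process {
public:
    using Callback = std::function<void(bool)>;
    Process() { ++s_liveCount; }
    ~Process() { --s_liveCount; resolve(false); } // mirrors the behaviour the log describes
    void ref() { ++m_refCount; }
    void deref() { if (!--m_refCount) delete this; }
    void isResponsive(Callback callback) { m_pendingCallback = std::move(callback); }
    void didReceivePong() { resolve(true); }
    static int liveCount() { return s_liveCount; }
private:
    void resolve(bool isResponsive)
    {
        if (!m_pendingCallback) return;
        auto callback = std::move(m_pendingCallback); // anything it captured dies with it, after the call
        m_pendingCallback = nullptr;
        callback(isResponsive);
    }
    unsigned m_refCount { 0 };
    Callback m_pendingCallback;
    static int s_liveCount;
};
int Process::s_liveCount = 0;

// Stand-in for WTF::Ref<T>: a non-null owning reference (copy = ref(), destroy = deref()).
template<typename T> class Ref {
public:
    explicit Ref(T& object) : m_ptr(&object) { m_ptr->ref(); }
    Ref(const Ref& other) : m_ptr(other.m_ptr) { m_ptr->ref(); }
    Ref(Ref&& other) noexcept : m_ptr(other.m_ptr) { other.m_ptr = nullptr; }
    ~Ref() { if (m_ptr) m_ptr->deref(); }
    T* operator->() const { return m_ptr; }
    T& get() const { return *m_ptr; }
    Ref copyRef() const { return Ref(*m_ptr); }
private:
    T* m_ptr;
};

// Model of WebProcessCache. `captureProcess` selects the original capture list (false) or the fixed one (true).
class Cache {
public:
    explicit Cache(bool captureProcess) : m_captureProcess(captureProcess) {}
    void addProcessIfPossible(Ref<Process> process)
    {
        uint64_t requestIdentifier = ++m_lastRequestIdentifier;
        m_pendingAddRequests.emplace(requestIdentifier, std::make_unique<Ref<Process>>(process.copyRef()));
        if (m_captureProcess) // fix: the lambda owns a Ref, so the proxy outlives the pending check
            process->isResponsive([this, process, requestIdentifier](bool isResponsive) { didFinishResponsivenessCheck(requestIdentifier, isResponsive); });
        else // original: the pending entry is the proxy's only owner
            process->isResponsive([this, requestIdentifier](bool isResponsive) { didFinishResponsivenessCheck(requestIdentifier, isResponsive); });
    }
    void clear() { m_clearing = true; m_pendingAddRequests.clear(); m_clearing = false; } // may run ~Process synchronously
    int reentrantTakes() const { return m_reentrantTakes; }
    int lateCallbacksIgnored() const { return m_lateCallbacksIgnored; }
    int cachedCount() const { return m_cachedCount; }
private:
    void didFinishResponsivenessCheck(uint64_t requestIdentifier, bool isResponsive)
    {
        if (m_clearing) { ++m_reentrantTakes; return; } // real code: take() on a HashMap that clear() is still clearing
        auto it = m_pendingAddRequests.find(requestIdentifier);
        if (it == m_pendingAddRequests.end()) { ++m_lateCallbacksIgnored; return; } // clear() already removed it
        m_pendingAddRequests.erase(it);
        if (isResponsive)
            ++m_cachedCount; // the entry would move into the cache proper here
    }
    bool m_captureProcess, m_clearing { false };
    uint64_t m_lastRequestIdentifier { 0 };
    int m_reentrantTakes { 0 }, m_lateCallbacksIgnored { 0 }, m_cachedCount { 0 };
    std::map<uint64_t, std::unique_ptr<Ref<Process>>> m_pendingAddRequests;
};

struct Outcome { int reentrantTakes; int liveAfterClear; int lateCallbacksIgnored; int liveAtEnd; };

// Add one process, clear() while its check is pending, then deliver the pong if the process survived.
Outcome runScenario(bool captureProcess)
{
    Cache cache(captureProcess);
    Process* rawProcess = nullptr;
    {
        Ref<Process> process(*new Process);
        rawProcess = &process.get();
        cache.addProcessIfPossible(process.copyRef());
    } // only the cache entry (and, with the fix, the lambda) own the process now
    cache.clear();
    Outcome outcome {};
    outcome.reentrantTakes = cache.reentrantTakes();
    outcome.liveAfterClear = Process::liveCount();
    if (Process::liveCount() == 1) // otherwise rawProcess already dangles
        rawProcess->didReceivePong();
    outcome.lateCallbacksIgnored = cache.lateCallbacksIgnored();
    outcome.liveAtEnd = Process::liveCount();
    return outcome;
}
```

`runScenario(false)` reports one re-entrant take (the crash path) and no live process once `clear()` returns: destroying the map entry dropped the last reference, and the destructor's callback came back into the map mid-clear. `runScenario(true)` reports no re-entrant take, the process still alive when `clear()` returns because the lambda holds it, the late callback finding no entry and returning, and the process released only once the check resolves. That last figure is the caveat that travels with the fix: the captured Ref sits inside a callback the proxy itself holds, so the process cannot go away until the responsiveness check completes.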

Modified Paths

Diff

Modified: branches/safari-610-branch/Source/WebKit/ChangeLog (269259 => 269260)


--- branches/safari-610-branch/Source/WebKit/ChangeLog	2020-11-02 19:20:24 UTC (rev 269259)
+++ branches/safari-610-branch/Source/WebKit/ChangeLog	2020-11-02 19:20:27 UTC (rev 269260)
@@ -1,3 +1,48 @@
+2020-11-02  Russell Epstein  <[email protected]>
+
+        Cherry-pick r268199. rdar://problem/70952726
+
+    Crash under WebKit::WebProcessCache::clear()
+    https://bugs.webkit.org/show_bug.cgi?id=217480
+    
+    Reviewed by Geoffrey Garen.
+    
+    Source/WebKit:
+    
+    Protect |process| in the responsiveness check lambda in WebProcessCache::addProcessIfPossible().
+    If we fail to do so and WebProcessCache::clear() gets called while the responsiveness check is
+    pending, the WebProcessProxy destructor may get called while clear() clears m_pendingAddRequests,
+    which would resolve the responsiveness check with responsive=false, and cause the lambda to
+    try and remove the entry from m_pendingAddRequests (while clear() is clearing it).
+    
+    * UIProcess/WebProcessCache.cpp:
+    (WebKit::WebProcessCache::addProcessIfPossible):
+    
+    Tools:
+    
+    Add API test coverage.
+    
+    * TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm:
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@268199 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2020-10-08  Chris Dumez  <[email protected]>
+
+            Crash under WebKit::WebProcessCache::clear()
+            https://bugs.webkit.org/show_bug.cgi?id=217480
+
+            Reviewed by Geoffrey Garen.
+
+            Protect |process| in the responsiveness check lambda in WebProcessCache::addProcessIfPossible().
+            If we fail to do so and WebProcessCache::clear() gets called while the responsiveness check is
+            pending, the WebProcessProxy destructor may get called while clear() clears m_pendingAddRequests,
+            which would resolve the responsiveness check with responsive=false, and cause the lambda to
+            try and remove the entry from m_pendingAddRequests (while clear() is clearing it).
+
+            * UIProcess/WebProcessCache.cpp:
+            (WebKit::WebProcessCache::addProcessIfPossible):
+
 2020-10-29  Russell Epstein  <[email protected]>
 
         Cherry-pick r269118. rdar://problem/70795320
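Review bot: several of the blank lines added inside the cherry-picked body (the ones after the bug URL, "Reviewed by", "Source/WebKit:", "Tools:" and the test file entry) carry trailing whitespace (`+    `), and that body is indented four spaces where the surrounding entries use eight; the nested 2020-10-08 entry is then indented a further four. Worth normalising the whitespace so the entry matches the rest of the file, since the style checker flags trailing whitespace in ChangeLogs.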

Modified: branches/safari-610-branch/Source/WebKit/UIProcess/WebProcessCache.cpp (269259 => 269260)


--- branches/safari-610-branch/Source/WebKit/UIProcess/WebProcessCache.cpp	2020-11-02 19:20:24 UTC (rev 269259)
+++ branches/safari-610-branch/Source/WebKit/UIProcess/WebProcessCache.cpp	2020-11-02 19:20:27 UTC (rev 269260)
@@ -93,7 +93,7 @@
     m_pendingAddRequests.add(requestIdentifier, makeUnique<CachedProcess>(process.copyRef()));
 
     WEBPROCESSCACHE_RELEASE_LOG("addProcessIfPossible: Checking if process is responsive before caching it", process->processIdentifier());
-    process->isResponsive([this, processPool = makeRef(process->processPool()), requestIdentifier](bool isResponsive) {
+    process->isResponsive([this, processPool = makeRef(process->processPool()), process, requestIdentifier](bool isResponsive) {
         auto cachedProcess = m_pendingAddRequests.take(requestIdentifier);
         if (!cachedProcess)
             return;
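Review bot: capturing `process` by value makes the lambda a co-owner of the WebProcessProxy (it is a Ref, given the `process.copyRef()` a few lines above), so clear() destroying the m_pendingAddRequests entry can no longer drop the last reference and re-enter take() from the destructor; the existing `if (!cachedProcess) return;` then handles a callback that arrives after clear(). Two consequences deserve a comment at the capture: because the callback is handed to the proxy itself, the capture is a reference cycle that only resolves when isResponsive() completes (response or timeout), so that completion must be guaranteed on every path including process termination; and `this` remains a raw capture whose safety rests on the captured processPool Ref keeping the owning pool, and with it this cache, alive.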

Modified: branches/safari-610-branch/Tools/ChangeLog (269259 => 269260)


--- branches/safari-610-branch/Tools/ChangeLog	2020-11-02 19:20:24 UTC (rev 269259)
+++ branches/safari-610-branch/Tools/ChangeLog	2020-11-02 19:20:27 UTC (rev 269260)
@@ -1,3 +1,43 @@
+2020-11-02  Russell Epstein  <[email protected]>
+
+        Cherry-pick r268199. rdar://problem/70952726
+
+    Crash under WebKit::WebProcessCache::clear()
+    https://bugs.webkit.org/show_bug.cgi?id=217480
+    
+    Reviewed by Geoffrey Garen.
+    
+    Source/WebKit:
+    
+    Protect |process| in the responsiveness check lambda in WebProcessCache::addProcessIfPossible().
+    If we fail to do so and WebProcessCache::clear() gets called while the responsiveness check is
+    pending, the WebProcessProxy destructor may get called while clear() clears m_pendingAddRequests,
+    which would resolve the responsiveness check with responsive=false, and cause the lambda to
+    try and remove the entry from m_pendingAddRequests (while clear() is clearing it).
+    
+    * UIProcess/WebProcessCache.cpp:
+    (WebKit::WebProcessCache::addProcessIfPossible):
+    
+    Tools:
+    
+    Add API test coverage.
+    
+    * TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm:
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@268199 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2020-10-08  Chris Dumez  <[email protected]>
+
+            Crash under WebKit::WebProcessCache::clear()
+            https://bugs.webkit.org/show_bug.cgi?id=217480
+
+            Reviewed by Geoffrey Garen.
+
+            Add API test coverage.
+
+            * TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm:
+
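Review bot: the nested 2020-10-08 entry lists `* TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm:` with nothing under it; WebKit ChangeLog convention names the functions added, so `(TEST(WebProcessCache, ClearWhenEnteringCache)):` belongs on the following line. The same trailing-whitespace and indentation points as in the Source/WebKit ChangeLog apply here.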
 2020-10-28  Russell Epstein  <[email protected]>
 
         Cherry-pick r269094. rdar://problem/70795299

Modified: branches/safari-610-branch/Tools/TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm (269259 => 269260)


--- branches/safari-610-branch/Tools/TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm	2020-11-02 19:20:24 UTC (rev 269259)
+++ branches/safari-610-branch/Tools/TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm	2020-11-02 19:20:27 UTC (rev 269260)
@@ -6831,3 +6831,49 @@
         TestWebKitAPI::Util::run(&finishedRunningScript);
     }];
 }
+
+TEST(WebProcessCache, ClearWhenEnteringCache)
+{
+    auto processPoolConfiguration = adoptNS([[_WKProcessPoolConfiguration alloc] init]);
+    processPoolConfiguration.get().usesWebProcessCache = YES;
+    auto processPool = adoptNS([[WKProcessPool alloc] _initWithConfiguration:processPoolConfiguration.get()]);
+
+    auto webViewConfiguration = adoptNS([[WKWebViewConfiguration alloc] init]);
+    [webViewConfiguration setProcessPool:processPool.get()];
+    auto handler = adoptNS([[PSONScheme alloc] init]);
+    [webViewConfiguration setURLSchemeHandler:handler.get() forURLScheme:@"PSON"];
+
+    @autoreleasepool {
+        auto webView1 = adoptNS([[WKWebView alloc] initWithFrame:CGRectMake(0, 0, 800, 800) configuration:webViewConfiguration.get()]);
+        auto webView2 = adoptNS([[WKWebView alloc] initWithFrame:CGRectMake(0, 0, 800, 800) configuration:webViewConfiguration.get()]);
+        auto webView3 = adoptNS([[WKWebView alloc] initWithFrame:CGRectMake(0, 0, 800, 800) configuration:webViewConfiguration.get()]);
+
+        auto delegate = adoptNS([[PSONNavigationDelegate alloc] init]);
+        [webView1 setNavigationDelegate:delegate.get()];
+        [webView2 setNavigationDelegate:delegate.get()];
+        [webView3 setNavigationDelegate:delegate.get()];
+
+        NSURLRequest *request = [NSURLRequest requestWithURL:[NSURL URLWithString:@"pson://www.webkit.org/main.html"]];
+        [webView1 loadRequest:request];
+
+        TestWebKitAPI::Util::run(&done);
+        done = false;
+
+        request = [NSURLRequest requestWithURL:[NSURL URLWithString:@"pson://www.apple.com/main.html"]];
+        [webView2 loadRequest:request];
+
+        TestWebKitAPI::Util::run(&done);
+        done = false;
+
+        request = [NSURLRequest requestWithURL:[NSURL URLWithString:@"pson://www.google.com/main.html"]];
+        [webView3 loadRequest:request];
+
+        TestWebKitAPI::Util::run(&done);
+        done = false;
+    }
+
+    TestWebKitAPI::Util::spinRunLoop();
+
+    // Clear the WebProcess cache while the processes are being checked for responsiveness.
+    [processPool _clearWebProcessCache];
+}
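Review bot: nothing is asserted after `[processPool _clearWebProcessCache]`, so the test passes purely by not crashing, and whether the three processes are actually mid-responsiveness-check at that moment rests on the single `spinRunLoop()` having advanced just far enough after the `@autoreleasepool` block released the views. A comment on the TEST saying that it is a crash regression test for bug 217480, and why three views and one run-loop spin put the processes into the pending-add state, would keep a future change to `spinRunLoop()` or to cache timing from silently turning this into a test that no longer exercises the path. The existing comment on the clear line is a good start; it just needs to say what "being checked" depends on.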
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes