Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 31b24d6be480ea184a9a4eeee52d3d7d52a3bb2f
      
https://github.com/WebKit/WebKit/commit/31b24d6be480ea184a9a4eeee52d3d7d52a3bb2f
  Author: Chris Dumez <[email protected]>
  Date:   2023-07-31 (Mon, 31 Jul 2023)

  Changed paths:
    M Source/WebKit/Shared/WebBackForwardListItem.h
    M Source/WebKit/UIProcess/WebBackForwardCache.cpp
    M Source/WebKit/UIProcess/WebBackForwardCache.h

  Log Message:
  -----------
  Crash under WebKit::WebBackForwardCache::removeEntry()
https://bugs.webkit.org/show_bug.cgi?id=258698
rdar://111524465

Reviewed by Ryosuke Niwa.

In WebBackForwardCache::removeEntry(), the call to `item.setBackForwardCacheEntry(nullptr)`
may cause the `item` to get destroyed. However, we were using `item` on the next line for
logging purposes. To fix the bug, I am moving the logging before the setBackForwardCacheEntry()
call.

For hardening purposes, I am also updating m_itemsWithCachedPage to contain WeakPtrs instead
of raw pointers.

* Source/WebKit/Shared/WebBackForwardListItem.h:
* Source/WebKit/UIProcess/WebBackForwardCache.cpp:
(WebKit::WebBackForwardCache::removeEntry):
(WebKit::WebBackForwardCache::removeEntriesMatching):
(WebKit::WebBackForwardCache::clear):
* Source/WebKit/UIProcess/WebBackForwardCache.h:

Originally-landed-as: 259548.865@safari-7615-branch (cb256ae0cae9). 
rdar://111524465
Canonical link: https://commits.webkit.org/266453@main


_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
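The bug class described in the commit message, as an added illustration that is not WebKit's code: a setter that releases the last strong reference to the object it is called on, so that nothing may touch that object after the call returns, and a container of weak references that stays safe when tracked objects die. All names here (`Item`, `CacheEntry`, `Cache`, `setCacheEntry`, `liveCount`) are stand-ins chosen for this example, and `std::shared_ptr`/`std::weak_ptr` stand in for the reference-counting and WeakPtr types the real code uses. The ownership model (the cache entry holding the only strong reference back to its item) is an assumption made so the destruction is reproducible.

```cpp
#include <iostream>
#include <memory>
#include <string>
#include <utility>
#include <vector>

struct Item;

// Stand-in for the cached page. In this model it holds the only strong reference
// back to its Item, so dropping the entry can destroy the Item (assumption for the demo).
struct CacheEntry {
    std::shared_ptr<Item> owner;
    explicit CacheEntry(std::shared_ptr<Item> o) : owner(std::move(o)) {}
};

struct Item {
    static int liveCount;                 // lets callers observe destruction
    std::string identifier;
    std::shared_ptr<CacheEntry> entry;

    explicit Item(std::string id) : identifier(std::move(id)) { ++liveCount; }
    ~Item() { --liveCount; }

    // Analogue of item.setBackForwardCacheEntry(nullptr): releasing the old entry
    // may drop the last strong reference to *this, so `this` must not be used
    // once the function returns.
    void setCacheEntry(std::shared_ptr<CacheEntry> e) {
        std::shared_ptr<CacheEntry> old = std::exchange(entry, std::move(e));
    }   // `old` is released here; that may destroy *this
};
int Item::liveCount = 0;

struct Cache {
    // Hardened container: weak references expire instead of dangling.
    std::vector<std::weak_ptr<Item>> itemsWithCachedPage;

    // Correct ordering: read everything needed for logging from `item` first,
    // then make the call that may destroy it.
    std::string removeEntry(Item& item) {
        std::string logLine = "removeEntry: " + item.identifier;
        for (auto it = itemsWithCachedPage.begin(); it != itemsWithCachedPage.end(); ++it) {
            if (it->lock().get() == &item) { itemsWithCachedPage.erase(it); break; }
        }
        item.setCacheEntry(nullptr);      // `item` may be gone after this line
        return logLine;
    }

    // Drop every cached page. Iterate a snapshot and hold a strong reference while
    // calling the setter; items that already died are skipped via expired weak_ptrs.
    size_t clear() {
        auto snapshot = std::move(itemsWithCachedPage);
        itemsWithCachedPage.clear();
        size_t released = 0;
        for (auto& weak : snapshot) {
            if (auto item = weak.lock()) {
                item->setCacheEntry(nullptr);
                ++released;
            }   // last strong reference released here, after the call completed
        }
        return released;
    }
};

struct Outcome {
    std::string logLine;
    int liveItems = 0;      // Item::liveCount after the operation
    size_t trackedItems = 0; // weak pointers still held by the cache
    size_t released = 0;     // entries dropped by clear()
};

// Scenario 1: removing the entry destroys the item inside the setter; the log
// line was captured beforehand, so nothing reads the dead object.
Outcome removeOneItem() {
    Cache cache;
    Item* raw = nullptr;
    {
        auto item = std::make_shared<Item>("item-1");
        item->setCacheEntry(std::make_shared<CacheEntry>(item)); // entry co-owns item
        cache.itemsWithCachedPage.push_back(item);
        raw = item.get();
    }   // only the cache entry keeps the item alive now
    Outcome out;
    out.logLine = cache.removeEntry(*raw);   // destroys the Item; `raw` dangles afterwards
    out.liveItems = Item::liveCount;
    out.trackedItems = cache.itemsWithCachedPage.size();
    return out;
}

// Scenario 2: one tracked item dies behind the cache's back; with raw pointers the
// container would now hold a dangling pointer, with weak pointers clear() skips it.
Outcome clearWithStaleEntry() {
    Cache cache;
    {
        auto a = std::make_shared<Item>("item-A");
        a->setCacheEntry(std::make_shared<CacheEntry>(a));
        cache.itemsWithCachedPage.push_back(a);
        auto b = std::make_shared<Item>("item-B");   // tracked, but never given an entry
        cache.itemsWithCachedPage.push_back(b);
    }   // item-B is destroyed here
    Outcome out;
    out.released = cache.clear();
    out.liveItems = Item::liveCount;
    out.trackedItems = cache.itemsWithCachedPage.size();
    return out;
}

int main() {
    Outcome r1 = removeOneItem();
    std::cout << r1.logLine << " live=" << r1.liveItems << " tracked=" << r1.trackedItems << '\n';
    Outcome r2 = clearWithStaleEntry();
    std::cout << "clear released=" << r2.released << " live=" << r2.liveItems << '\n';
    return 0;
}
```

The two defensive moves mirror the commit: `removeEntry` copies what it needs for logging before the call that can free the object, and the container of weak references lets `clear()` detect an already-destroyed item instead of dereferencing stale memory.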
