Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 703a5b6bfcf1ff18afc3c0b46042d9ccee39371f
      
https://github.com/WebKit/WebKit/commit/703a5b6bfcf1ff18afc3c0b46042d9ccee39371f
  Author: Wenson Hsieh <[email protected]>
  Date:   2024-06-07 (Fri, 07 Jun 2024)

  Changed paths:
    M Source/WebKit/UIProcess/ios/WKContentViewInteraction.h
    M Source/WebKit/UIProcess/ios/WKContentViewInteraction.mm

  Log Message:
  -----------
REGRESSION (iOS 17.2): Infinite recursion in -[WKContentView(WKInteraction) inputViewForWebView]
https://bugs.webkit.org/show_bug.cgi?id=275171
rdar://127722998

Reviewed by Richard Robinson.

The changes in rdar://116751305&104994662 seem to have made it possible for `-inputViewForWebView` to trigger infinite recursion, due to a new `-[UITextInputAssistantItem leadingBarButtonGroups]` KVO listener in UIKit. Underneath this new KVO logic, UIKit calls into some internal methods which ultimately call back into `-[WKContentView inputViewForWebView]`. In order of stack depth (growing downwards), the reentrant calls to update the input accessory view look like this:

```
-[WKContentView(WKInteraction) _updateAccessory]
-[WKContentView(WKInteraction) formAccessoryView]
-[WKFormAccessoryView _initForUniversalControlBar:] // <--- Setting up WKFormAccessoryView

  … (KVO triggered by setting leading/trailing bar button groups)

-[UISystemInputAssistantViewController observeValueForKeyPath:ofObject:change:context:]
-[TUISystemInputAssistantView setInputAssistantItem:force:]

  … (UIKit internals)

-[UIKeyboardSceneDelegate expectedInputViewSetIsCustom]
-[WKContentView(WKInteraction) inputViewForWebView]
-[WKContentView(WKInteraction) _updateAccessory]
-[WKContentView(WKInteraction) formAccessoryView]
-[WKFormAccessoryView _initForUniversalControlBar:] // <--- Setting up WKFormAccessoryView (reentrancy!)
```

While I wasn't able to reproduce the crash at all, we can at least harden against this scenario by making `-_updateAccessory` robust against reentrancy. Achieve this by adding a new ivar that's only set during the scope of `-_updateAccessory`, and return early if it's set.

* Source/WebKit/UIProcess/ios/WKContentViewInteraction.h:
* Source/WebKit/UIProcess/ios/WKContentViewInteraction.mm:
(-[WKContentView setUpInteraction]):
(-[WKContentView _updateAccessory]):

Canonical link: https://commits.webkit.org/279845@main
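The guard the commit message describes (a flag that is set only for the duration of the update and causes an early return when it is already set) is a general reentrancy-breaking pattern. The following is an added illustration of that pattern, not code from WebKit or from this commit: the names `AccessoryHost`, `updateAccessory`, `createFormAccessoryView`, `ScopedFlag` and `runScenario` are hypothetical, and the observer callback stands in for the UIKit KVO listener that re-enters the update. The simulated observer stops after a fixed number of nested calls so that the unguarded variant terminates instead of overflowing the stack; the real bug has no such limit.

```cpp
#include <algorithm>
#include <cstdio>
#include <functional>

// Added illustration, not WebKit code. All names here are hypothetical.

// RAII helper: sets the flag on construction and clears it on destruction,
// so the guard is released on every exit path (normal return or exception)
// and can never be left stuck "true" after an early return.
class ScopedFlag {
public:
    explicit ScopedFlag(bool& flag) : m_flag(flag) { m_flag = true; }
    ~ScopedFlag() { m_flag = false; }
    ScopedFlag(const ScopedFlag&) = delete;
    ScopedFlag& operator=(const ScopedFlag&) = delete;
private:
    bool& m_flag;
};

// Stand-in for the object whose update routine can be re-entered.
struct AccessoryHost {
    bool guarded;                                  // use the reentrancy guard?
    std::function<void()> onAccessoryViewCreated;  // stands in for the KVO listener
    bool isUpdatingAccessory = false;              // the guard flag ("ivar")
    int accessoryViewsCreated = 0;
    int reentrantCallsSkipped = 0;

    void updateAccessory() {
        // Early return while an update is already on the stack.
        if (guarded && isUpdatingAccessory) {
            ++reentrantCallsSkipped;
            return;
        }
        ScopedFlag scope(isUpdatingAccessory);     // set only for this scope
        createFormAccessoryView();                 // may call back into us
    }

    void createFormAccessoryView() {
        ++accessoryViewsCreated;
        if (onAccessoryViewCreated)
            onAccessoryViewCreated();              // observer fires here
    }
};

struct ScenarioResult {
    int viewsCreated;   // how many accessory views were set up
    int skipped;        // how many re-entrant calls the guard rejected
    int maxDepth;       // deepest nesting of the observer callback
};

// Runs one update with an observer that re-enters updateAccessory().
// `reentryLimit` bounds the simulated recursion so the unguarded case
// terminates; in the real scenario there is no bound.
ScenarioResult runScenario(bool guarded, int reentryLimit) {
    AccessoryHost host{guarded};
    int depth = 0;
    int maxDepth = 0;
    host.onAccessoryViewCreated = [&]() {
        ++depth;
        maxDepth = std::max(maxDepth, depth);
        if (depth < reentryLimit)
            host.updateAccessory();                // the re-entrant call
        --depth;
    };
    host.updateAccessory();
    return { host.accessoryViewsCreated, host.reentrantCallsSkipped, maxDepth };
}

int main() {
    ScenarioResult unguarded = runScenario(false, 5);
    ScenarioResult guarded = runScenario(true, 5);
    std::printf("unguarded: views=%d skipped=%d depth=%d\n",
                unguarded.viewsCreated, unguarded.skipped, unguarded.maxDepth);
    std::printf("guarded:   views=%d skipped=%d depth=%d\n",
                guarded.viewsCreated, guarded.skipped, guarded.maxDepth);
    return 0;
}
```

Two practical points follow from the pattern. First, the flag must be cleared on every exit path, which is why a scoped helper is preferable to setting and clearing it by hand (WTF in WebKit provides a SetForScope helper for this purpose; whether this commit uses it is not shown on the page). Second, the guard breaks the cycle by dropping the nested update rather than deferring it, so any state the nested call would have picked up is left for the next non-reentrant update to handle; that is the accepted trade-off when the alternative is unbounded recursion.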



_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes