Branch: refs/heads/webkitglib/2.48
Home: https://github.com/WebKit/WebKit
Commit: 39cd9255bd41c1850e52df6cfdc72058a007ffc7
https://github.com/WebKit/WebKit/commit/39cd9255bd41c1850e52df6cfdc72058a007ffc7
Author: Nathan Solomon <[email protected]>
Date: 2025-03-13 (Thu, 13 Mar 2025)
Changed paths:
M Source/WebCore/page/MemoryRelease.cpp
Log Message:
-----------
Cherry-pick 291644@main (20c26a93818c).
https://bugs.webkit.org/show_bug.cgi?id=289117
Fix invalid WeakRef dereference crash in WebCore's Memory Pressure Handler
https://bugs.webkit.org/show_bug.cgi?id=289117
rdar://144487022
Reviewed by Ryan Reno, Cameron McCormack, and Matthieu Dubet.
We received crash reports of an invalid access to the document
WeakRef while iterating through the allDocuments() map in
releaseNoncriticalMemory.
It is not clear what is causing the document to be deleted, perhaps
related to clearing the async node deletion list. This should not be
possible, though, due to excluding iframes from being added to the deletion
queue and disallowing Documents and DocumentFragments from having their
immediate children be async deleted.
A fix to this specific crash is to create a list of Ref<Document> from the
allDocuments() map, and iterate through this list.
Change the WeakRef<Document> used to call member functions on the
document into a Ref<Document>, and ensure that the DocumentsMap is not being
modified while clearing the various data structures that the Document holds.
Now, no documents in the map can be deleted while in this function.
* Source/WebCore/page/MemoryRelease.cpp:
(WebCore::releaseNoncriticalMemory):
Canonical link: https://commits.webkit.org/291644@main
Canonical link: https://commits.webkit.org/290945.60@webkitglib/2.48
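The hazard and the fix described in the commit message, as an added example that is not WebKit's code: std::weak_ptr and std::shared_ptr stand in for WebKit's WeakRef and Ref, and the registry, the documents and the clearCaches side effect are constructed for illustration.

```cpp
#include <cstddef>
#include <map>
#include <memory>
#include <vector>
// Stand-in for WebCore::Document; shared_ptr/weak_ptr model WebKit's Ref/WeakRef.
struct Document { int id; bool cleared = false; };
struct Registry {
    std::map<int, std::weak_ptr<Document>> allDocuments;  // like allDocuments()
    std::map<int, std::shared_ptr<Document>> owners;      // strong owners elsewhere
};

// Constructed side effect: releasing document 1's caches drops the last strong
// reference to document 2, the mid-iteration deletion the commit describes.
void clearCaches(Registry& r, Document& doc) {
    doc.cleared = true;
    if (doc.id == 1)
        r.owners.erase(2);
}

// Pre-fix shape: walk the weak map and dereference each entry in turn.
// Returns how many entries went dangling; WebKit's WeakRef deref crashes there.
std::size_t countDanglingDuringIteration(Registry& r) {
    std::size_t dangling = 0;
    for (auto& entry : r.allDocuments) {
        auto doc = entry.second.lock();
        if (!doc) { ++dangling; continue; }
        clearCaches(r, *doc);
    }
    return dangling;
}

// Post-fix shape: take strong references first, then work on that snapshot,
// so nothing the loop touches can be destroyed while it runs.
std::size_t releaseNoncriticalMemorySafe(Registry& r) {
    std::vector<std::shared_ptr<Document>> documents;
    for (auto& entry : r.allDocuments)
        if (auto doc = entry.second.lock())
            documents.push_back(std::move(doc));
    for (auto& doc : documents)
        clearCaches(r, *doc);
    return documents.size();
}

// Builds n documents, each strongly owned and registered weakly (constructed input).
Registry makeRegistry(int n) {
    Registry r;
    for (int i = 1; i <= n; ++i)
        r.allDocuments[i] = r.owners[i] = std::make_shared<Document>(Document{i});
    return r;
}
```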
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes