Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: f8c1b2ca2c261898b09e248a03856678ea7947a3
      
https://github.com/WebKit/WebKit/commit/f8c1b2ca2c261898b09e248a03856678ea7947a3
  Author: Aditya Keerthi <[email protected]>
  Date:   2025-09-05 (Fri, 05 Sep 2025)

  Changed paths:
    M Tools/TestRunnerShared/UIScriptContext/UIScriptContext.cpp

  Log Message:
  -----------
  [iOS] fast/forms/ios/remove-view-after-focus.html is a constant crash
https://bugs.webkit.org/show_bug.cgi?id=298454
rdar://158973297

Reviewed by Richard Robinson.

fast/forms/ios/remove-view-after-focus.html is flakily crashing on iOS 18.4 and
constantly crashing on iOS 26. However, the crash is due to an issue with the
test runner and is not a bug in WebKit.

Specifically, `UIScriptContext` is not robust against callbacks that
synchronously invoke other callbacks. `UIScriptContext::fireCallback` sets
`m_currentScriptCallbackID`, invokes the callback, and then resets
`m_currentScriptCallbackID` to 0. This is problematic, since if the invoked
callback fires another callback, `m_currentScriptCallbackID` will be zeroed out
before the outer callback finishes processing. That is,
`tryToCompleteUIScriptForCurrentParentCallback` will be called when
`m_currentScriptCallbackID` is 0. This results in accessing the `HashMap`
`m_uiScriptResultsPendingCompletion` with a key of 0, which is disallowed for
`unsigned` traits, causing a crash.

For fast/forms/ios/remove-view-after-focus.html, UIKit changes have made it
so that keyboard show/hide notifications can be synchronously dispatched under
view addition/removal. This means that `didShowKeyboardCallback` gets invoked
under `willCreateNewPageCallback`, resulting in the issue described above.

Fix by restoring the current script callback ID after a callback is invoked.
An inner callback should not affect the processing of an outer callback.

* Tools/TestRunnerShared/UIScriptContext/UIScriptContext.cpp:
(UIScriptContext::fireCallback):

Canonical link: https://commits.webkit.org/299654@main
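
The reentrancy failure described in the log message, as an added example that is not WebKit's code. `CallbackContext`, `fire`, `completeForCurrent` and `runNested` are hypothetical names, and this model records the reserved key 0 instead of crashing on it.

```cpp
#include <cstdio>
#include <functional>
#include <unordered_map>
#include <utility>
#include <vector>

// Hypothetical model of a callback dispatcher; not WebKit's UIScriptContext.
class CallbackContext {
public:
    explicit CallbackContext(bool restorePrevious) : m_restorePrevious(restorePrevious) {}
    void on(unsigned id, std::function<void()> body) { m_callbacks[id] = std::move(body); }
    void fire(unsigned id) {
        auto it = m_callbacks.find(id);
        if (it == m_callbacks.end())
            return;
        unsigned previous = m_currentID;   // 0 when no callback is running
        m_currentID = id;
        it->second();                      // may call fire() again, synchronously
        // Before: unconditional reset to 0. After: restore the enclosing callback's ID.
        m_currentID = m_restorePrevious ? previous : 0;
    }

    // Stand-in for completion work keyed on the current ID; key 0 is reserved.
    bool completeForCurrent() {
        m_keysUsed.push_back(m_currentID);
        return m_currentID != 0;
    }
    const std::vector<unsigned>& keysUsed() const { return m_keysUsed; }

private:
    bool m_restorePrevious;
    unsigned m_currentID { 0 };
    std::unordered_map<unsigned, std::function<void()>> m_callbacks;
    std::vector<unsigned> m_keysUsed;
};

// Constructed scenario: callback 1 fires callback 2, then completes itself.
std::vector<unsigned> runNested(bool restorePrevious) {
    CallbackContext ctx(restorePrevious);
    ctx.on(2, [&ctx] { ctx.completeForCurrent(); });
    ctx.on(1, [&ctx] { ctx.fire(2); ctx.completeForCurrent(); });
    ctx.fire(1);
    return ctx.keysUsed();
}

int main() {
    for (bool restore : { false, true })
        std::printf("restore=%d outer completes with key %u\n", restore, runNested(restore).back());
}
```

With the unconditional reset the outer callback completes under key 0; with save and restore it completes under its own ID.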
