Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 942298caa18b5dafb99e0843216868bfe4992071
https://github.com/WebKit/WebKit/commit/942298caa18b5dafb99e0843216868bfe4992071
Author: Alex Christensen <[email protected]>
Date: 2025-10-03 (Fri, 03 Oct 2025)
Changed paths:
M Source/WebCore/page/WebKitJSHandle.cpp
M Source/WebCore/page/WebKitJSHandle.h
M Source/WebCore/page/WebKitNamespace.cpp
M Source/WebCore/page/WebKitNamespace.h
M Source/WebCore/page/WebKitNamespace.idl
M Source/WebKit/Shared/JSHandleInfo.cpp
M Source/WebKit/Shared/JSHandleInfo.h
M Source/WebKit/Shared/JavaScriptEvaluationResult.cpp
M Source/WebKit/Shared/JavaScriptEvaluationResult.mm
M Source/WebKit/UIProcess/API/APIJSHandle.cpp
M Source/WebKit/UIProcess/API/APIJSHandle.h
M Source/WebKit/UIProcess/API/Cocoa/WKWebView.mm
M Source/WebKit/UIProcess/API/Cocoa/_WKContentWorldConfiguration.h
M Source/WebKit/UIProcess/API/Cocoa/_WKJSHandle.h
M Source/WebKit/UIProcess/API/Cocoa/_WKJSHandle.mm
M Source/WebKit/WebProcess/WebPage/WebPage.cpp
M Tools/TestWebKitAPI/Tests/WebKitCocoa/JSHandle.mm
M Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebViewSnapshot.mm
M Tools/WebKitTestRunner/TestController.cpp
Log Message:
-----------
Fix race condition between _WKJSHandle and WebKitJSHandle destruction
https://bugs.webkit.org/show_bug.cgi?id=300073
rdar://161868858
Reviewed by Timothy Hatcher.
In 299859@main I introduced a lifetime model of _WKJSHandle that allowed them to be put into arrays and dictionaries with later messages from JS able to remove the same object representation from the containers. This worked well, except it introduced a race condition if you are rapidly creating and destroying _WKJSHandles: If a _WKJSHandle is destroyed near the same time when the web process is sending a message to the UI process with the same handle, the web process would receive a message saying the handle was destroyed near the same time as when the UI process receives a message with the _WKJSHandle, which would then fail when used because the JSC::Strong had already been removed from the map, so lookup with the identifier would fail. This caused assertions when running TestWebKitAPI.SiteIsolation.HitTesting:

ASSERTION FAILED: objectMap().contains(strong.get())
.../Source/WebCore/page/WebKitJSHandle.cpp(71) : static void WebCore::WebKitJSHandle::jsHandleDestroyed(JSHandleIdentifier)

I fix this issue by removing the unneeded === equality in JS and pointer equality in ObjC while maintaining the isEqual equality in ObjC, which is what really mattered. I make a ref counting system that allows multiple handles to point to the same object and be destroyed whenever they are destroyed. I also rename the JS entry point from jsHandle back to createJSHandle because we are creating new handles each time again.
Tests: Tools/TestWebKitAPI/Tests/WebKitCocoa/JSHandle.mm
Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebViewSnapshot.mm
Tools/TestWebKitAPI/Tests/WebKitCocoa/WebTransport.mm
* Source/WebCore/page/WebKitJSHandle.cpp:
(WebCore::WebKitJSHandle::create):
(WebCore::WebKitJSHandle::jsHandleDestroyed):
(WebCore::WebKitJSHandle::WebKitJSHandle):
(WebCore::objectMap): Deleted.
(WebCore::WebKitJSHandle::getOrCreate): Deleted.
* Source/WebCore/page/WebKitJSHandle.h:
* Source/WebCore/page/WebKitNamespace.cpp:
(WebCore::WebKitNamespace::createJSHandle):
(WebCore::WebKitNamespace::jsHandle): Deleted.
* Source/WebCore/page/WebKitNamespace.h:
* Source/WebCore/page/WebKitNamespace.idl:
* Source/WebKit/Shared/JSHandleInfo.cpp:
(WebKit::JSHandleInfo::operator== const):
* Source/WebKit/Shared/JSHandleInfo.h:
* Source/WebKit/Shared/JavaScriptEvaluationResult.cpp:
(WebKit::JavaScriptEvaluationResult::APIInserter::toAPI):
* Source/WebKit/Shared/JavaScriptEvaluationResult.mm:
(WebKit::JavaScriptEvaluationResult::ObjCInserter::toID):
* Source/WebKit/UIProcess/API/APIJSHandle.cpp:
(API::JSHandle::create):
(API::JSHandle::JSHandle):
(API::JSHandle::~JSHandle):
(API::handleMap): Deleted.
(API::JSHandle::getOrCreate): Deleted.
* Source/WebKit/UIProcess/API/APIJSHandle.h:
* Source/WebKit/UIProcess/API/Cocoa/WKWebView.mm:
(-[WKWebView _hitTestAtPoint:inFrameCoordinateSpace:completionHandler:]):
* Source/WebKit/UIProcess/API/Cocoa/_WKContentWorldConfiguration.h:
* Source/WebKit/UIProcess/API/Cocoa/_WKJSHandle.h:
* Source/WebKit/UIProcess/API/Cocoa/_WKJSHandle.mm:
(-[_WKJSHandle isEqual:]):
(-[_WKJSHandle hash]):
(-[_WKJSHandle copyWithZone:]):
* Source/WebKit/WebProcess/WebPage/WebPage.cpp:
(WebKit::WebPage::hitTestAtPoint):
* Tools/TestWebKitAPI/Tests/WebKitCocoa/JSHandle.mm:
(TestWebKitAPI::TEST(JSHandle, Basic)):
(TestWebKitAPI::TEST(JSHandle, Equality)):
(TestWebKitAPI::TEST(JSHandle, WebpagePreferences)):
* Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebViewSnapshot.mm:
(TestWebKitAPI::TEST(WKWebView, SnapshotNodeByJSHandle)):
* Tools/TestWebKitAPI/Tests/WebKitCocoa/WebTransport.mm:
(TestWebKitAPI::TEST(WebTransport, CreateStreamsBeforeReady)):
* Tools/WebKitTestRunner/TestController.cpp:
Canonical link: https://commits.webkit.org/300950@main
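The interleaving the commit message describes, replayed against both handle designs as an added example. This is illustrative code written for this page, not WebKit's: the JSObject stand-in, the two table classes, the use of std::shared_ptr in place of JSC::Strong and the message ordering are all assumptions of the example, chosen so that the "one identifier per object" design and the "fresh identifier per createJSHandle() call" design can be run side by side.

```cpp
#include <cstdint>
#include <cstdio>
#include <memory>
#include <unordered_map>

// Stand-in for the JS object a handle wraps (constructed for this example).
struct JSObject {
    int tag;
};

// Model of the earlier design: one identifier per JS object, handed out by a
// getOrCreate() over a single global map, so two messages about the same
// object carry the same identifier. Linear search stands in for the reverse map.
class SharedHandleTable {
public:
    uint64_t acquire(const std::shared_ptr<JSObject>& object)
    {
        for (const auto& entry : m_map) {
            if (entry.second == object)
                return entry.first;
        }
        uint64_t id = ++m_nextId;
        m_map.emplace(id, object);
        return id;
    }
    // Returns whether an entry existed, i.e. the condition the assertion in
    // jsHandleDestroyed checked before the entry was erased.
    bool jsHandleDestroyed(uint64_t id) { return m_map.erase(id) == 1; }
    bool contains(uint64_t id) const { return m_map.count(id) == 1; }

private:
    uint64_t m_nextId { 0 };
    std::unordered_map<uint64_t, std::shared_ptr<JSObject>> m_map;
};

// Model of the fixed design: every acquire() (createJSHandle) mints a fresh
// identifier, several identifiers may reference one object, and the object
// stays alive (here through shared_ptr's count) until the last one is destroyed.
class RefCountedHandleTable {
public:
    uint64_t acquire(const std::shared_ptr<JSObject>& object)
    {
        uint64_t id = ++m_nextId;
        m_map.emplace(id, object);
        return id;
    }
    bool jsHandleDestroyed(uint64_t id) { return m_map.erase(id) == 1; }
    bool contains(uint64_t id) const { return m_map.count(id) == 1; }

private:
    uint64_t m_nextId { 0 };
    std::unordered_map<uint64_t, std::shared_ptr<JSObject>> m_map;
};

struct RaceOutcome {
    bool inFlightHandleResolves;  // can the handle in the late message still be looked up?
    bool secondDestroyFoundEntry; // would the assertion in jsHandleDestroyed hold?
    long referencesWhileOneLive;  // shared_ptr use count: the local owner plus live table entries
};

// Replays the interleaving from the commit message against one table design:
// a handle for O reaches the UI process, a second message carrying a handle for
// O is built, the first handle is destroyed before that message is consumed,
// and then the late handle is used and finally destroyed itself.
template<typename Table>
RaceOutcome replayRace(Table& table)
{
    auto object = std::make_shared<JSObject>(JSObject { 42 });
    RaceOutcome outcome {};
    uint64_t firstHandle = table.acquire(object);    // message 1 delivered
    uint64_t inFlightHandle = table.acquire(object); // message 2 still in transit
    table.jsHandleDestroyed(firstHandle);            // "first handle destroyed" processed first
    outcome.inFlightHandleResolves = table.contains(inFlightHandle); // message 2 consumed
    outcome.referencesWhileOneLive = object.use_count();
    outcome.secondDestroyFoundEntry = table.jsHandleDestroyed(inFlightHandle);
    return outcome;
}

RaceOutcome raceWithSharedHandles()
{
    SharedHandleTable table;
    return replayRace(table);
}

RaceOutcome raceWithRefCountedHandles()
{
    RefCountedHandleTable table;
    return replayRace(table);
}

int main()
{
    RaceOutcome before = raceWithSharedHandles();
    RaceOutcome after = raceWithRefCountedHandles();
    std::printf("shared ids:   resolves=%d destroy-found=%d refs=%ld\n",
        before.inFlightHandleResolves, before.secondDestroyFoundEntry, before.referencesWhileOneLive);
    std::printf("per-call ids: resolves=%d destroy-found=%d refs=%ld\n",
        after.inFlightHandleResolves, after.secondDestroyFoundEntry, after.referencesWhileOneLive);
    return 0;
}
```

With a shared identifier, the "destroyed" notification for the earlier handle also removes the entry the in-flight message refers to, so the late handle cannot be resolved, and its own destruction later finds no entry, which is the double erase the assertion caught. With a fresh identifier per call, each handle's lifetime is independent and the object is kept alive for as long as any table entry still references it.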
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes