Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: f204a8b967f7a64657e51c1db88c1e08b3450334
      
https://github.com/WebKit/WebKit/commit/f204a8b967f7a64657e51c1db88c1e08b3450334
  Author: Chris Dumez <[email protected]>
  Date:   2026-06-04 (Thu, 04 Jun 2026)

  Changed paths:
    M Source/WebKit/Platform/IPC/cocoa/DaemonConnectionCocoa.mm

  Log Message:
  -----------
  Crash in WebPushD::Connection::connectionReceivedEvent() from XPC reestablishment after webpushd interruption
https://bugs.webkit.org/show_bug.cgi?id=316362
rdar://178675392

Reviewed by Brady Eidson.

When webpushd is interrupted, libxpc fires our event handler block with
XPC_ERROR_CONNECTION_INTERRUPTED. The handler clears m_connection, which
can drop the last strong reference to the xpc_connection_t and trigger
its teardown — including release of the very event-handler block we are
currently executing inside. Releasing the block frees the heap-allocated
captures (the `weakThis` WeakPtr), so the trailing
`weakThis->connectionReceivedEvent(event)` call reads garbage from freed
block memory and dispatches a virtual call through a corrupt vtable,
which faults with a PAC failure on arm64e.

This was observed as repeated NetworkProcess crashes during Safari
automation runs, with stacks of the form:
```
      WebKit:        WebPushD::Connection::connectionReceivedEvent + 0
      libxpc.dylib:  _xpc_connection_call_event_handler
      libxpc.dylib:  _xpc_connection_reestablish
      libxpc.dylib:  do_mach_notify_port_destroyed
      ...
```
  and accompanied in the log by:
```
      libxpc: Re-initialization successful; calling out to event handler
              with XPC_ERROR_CONNECTION_INTERRUPTED
      WebKit: Connection to mach service com.apple.webkit.webpushd.service
              is interrupted
      libxpc: invalidated after the last release of the connection object
```

Promote `weakThis` to a stack-local RefPtr at the top of the lambda and
use it for the rest of the body. The strong reference lives on the
lambda's stack rather than in the block's captures, so it keeps the
Daemon::Connection alive across `m_connection = nullptr` even when
that release tears down the block underneath us. The fix also covers
the PrivateClickMeasurement connection, which shares this lambda.

* Source/WebKit/Platform/IPC/cocoa/DaemonConnectionCocoa.mm:
(WebKit::Daemon::ConnectionToMachService<Traits>::initializeConnectionIfNeeded const):

Canonical link: https://commits.webkit.org/314611@main
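The lifetime sequence the commit message describes, as an added example that is not WebKit's code and does not reproduce the patched file: libxpc, the Objective-C block, WTF::WeakPtr and RefPtr are replaced by small stand-ins (`XpcConnection`, `BlockCaptures`, `std::weak_ptr`/`std::shared_ptr`), and the freed capture area is poisoned rather than really freed so the dangling read is reported deterministically instead of being undefined behaviour. Everything here (the type names, `deliver`, `runScenario`, the event strings) is invented for the illustration; the real-world counterpart of the reported `UseAfterFree` is the PAC fault in the stack trace above.

```cpp
// Added example, not WebKit source. Models the handler-block use-after-free
// from the commit message and the "stack-local strong reference" fix.
#include <cstdio>
#include <memory>
#include <stdexcept>
#include <string>
#include <vector>

enum class Outcome { Ok, UseAfterFree };

struct Connection;  // stands in for WebKit::Daemon::ConnectionToMachService

// Stand-in for the heap-allocated capture area of an Objective-C block.
// release() poisons it instead of freeing it, so a later read is reported
// (thrown) rather than being undefined behaviour we could not observe.
struct BlockCaptures {
    std::weak_ptr<Connection> weakThis;
    bool freed = false;

    std::weak_ptr<Connection> readWeakThis() const {
        if (freed)
            throw std::runtime_error("read of freed block captures");
        return weakThis;
    }
    void release() { freed = true; weakThis.reset(); }
};

// Stand-in for xpc_connection_t: its event handler and the handler's captures
// die with it when the last strong reference is dropped.
struct XpcConnection {
    using Handler = void (*)(BlockCaptures&, const std::string&);
    Handler handler = nullptr;
    std::shared_ptr<BlockCaptures> captures = std::make_shared<BlockCaptures>();
    ~XpcConnection() { captures->release(); }
};

struct Connection : std::enable_shared_from_this<Connection> {
    std::shared_ptr<XpcConnection> m_connection;  // the only strong reference
    std::vector<std::string> received;             // what connectionReceivedEvent saw

    void connectionReceivedEvent(const std::string& event) { received.push_back(event); }

    // Vulnerable shape: weakThis is re-read from block memory after the
    // interruption path may have torn the block down.
    void installVulnerableHandler() {
        m_connection = std::make_shared<XpcConnection>();
        m_connection->captures->weakThis = weak_from_this();
        m_connection->handler = [](BlockCaptures& captures, const std::string& event) {
            if (auto strongThis = captures.readWeakThis().lock()) {
                if (event == "XPC_ERROR_CONNECTION_INTERRUPTED")
                    strongThis->m_connection = nullptr;  // last release: block and captures gone
            }
            // Bug: reads the captures again after they may have been freed.
            if (auto strongThis = captures.readWeakThis().lock())
                strongThis->connectionReceivedEvent(event);
        };
    }

    // Fixed shape: one strong reference taken onto the stack at the top;
    // nothing below touches the block's captures again.
    void installFixedHandler() {
        m_connection = std::make_shared<XpcConnection>();
        m_connection->captures->weakThis = weak_from_this();
        m_connection->handler = [](BlockCaptures& captures, const std::string& event) {
            std::shared_ptr<Connection> protectedThis = captures.readWeakThis().lock();
            if (!protectedThis)
                return;
            if (event == "XPC_ERROR_CONNECTION_INTERRUPTED")
                protectedThis->m_connection = nullptr;  // block torn down; we no longer need it
            protectedThis->connectionReceivedEvent(event);
        };
    }
};

// Stand-in for libxpc calling the event handler. The handler pointer is copied
// out first; the connection object itself is NOT retained for the call, which
// is what lets `m_connection = nullptr` inside the handler free the block.
static Outcome deliver(Connection& connection, const std::string& event) {
    if (!connection.m_connection)
        return Outcome::Ok;
    XpcConnection::Handler handler = connection.m_connection->handler;
    std::shared_ptr<BlockCaptures> captures = connection.m_connection->captures;
    try {
        handler(*captures, event);
        return Outcome::Ok;
    } catch (const std::runtime_error&) {
        return Outcome::UseAfterFree;
    }
}

struct ScenarioResult { Outcome outcome; size_t eventsDelivered; bool connectionCleared; };

// Deliver one ordinary message, then the interruption libxpc reports on
// reestablishment, using either the vulnerable or the fixed handler.
static ScenarioResult runScenario(bool fixed) {
    auto connection = std::make_shared<Connection>();
    fixed ? connection->installFixedHandler() : connection->installVulnerableHandler();
    Outcome outcome = deliver(*connection, "message");
    if (outcome == Outcome::Ok)
        outcome = deliver(*connection, "XPC_ERROR_CONNECTION_INTERRUPTED");
    return { outcome, connection->received.size(), connection->m_connection == nullptr };
}

int main() {
    for (bool fixed : { false, true }) {
        ScenarioResult r = runScenario(fixed);
        std::printf("%s handler: %s, %zu events delivered\n", fixed ? "fixed" : "vulnerable",
                    r.outcome == Outcome::Ok ? "ok" : "use-after-free", r.eventsDelivered);
    }
    return 0;
}
```

The fixed handler still clears `m_connection` inside the event callback; what changes is only where the strong reference lives. Because `protectedThis` is a stack local, it is unaffected by the block's capture area being released, and it also keeps the `Connection` alive for the trailing `connectionReceivedEvent` call.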


