Title: [185673] trunk/Source/WebKit2
Revision: 185673
Author: [email protected]
Date: 2015-06-17 15:47:56 -0700 (Wed, 17 Jun 2015)

Log Message

Repro crash when swiping back from a NY Times article @ WebPageProxy::navigationGestureDidEnd
https://bugs.webkit.org/show_bug.cgi?id=146083
<rdar://problem/20974232>

Reviewed by Darin Adler.

* UIProcess/ios/ViewGestureControllerIOS.mm:
(WebKit::ViewGestureController::didSameDocumentNavigationForMainFrame):
(WebKit::ViewGestureController::activeLoadMonitoringTimerFired):
It is possible to get didSameDocumentNavigationForMainFrame *before*
endSwipeGesture, while the user is still interactively swiping. We
cannot remove the snapshot in this case, nor should we start the active
load monitoring timer; all of these things should happen only after the
swipe is completed and we've performed the navigation.

This was particularly bad (a crash instead of just a disappearing snapshot)
because removing the snapshot also causes m_webPageProxyForBackForwardListForCurrentSwipe
to be nulled out, but then it is dereferenced during endSwipeGesture.

Make sure that we never call removeSwipeSnapshotIfReady unless we were actually
waiting to remove the swipe snapshot (because the gesture had completed).
Most callers already did ensure this, but these two did not.

Modified Paths

Diff

Modified: trunk/Source/WebKit2/ChangeLog (185672 => 185673)


--- trunk/Source/WebKit2/ChangeLog	2015-06-17 21:38:24 UTC (rev 185672)
+++ trunk/Source/WebKit2/ChangeLog	2015-06-17 22:47:56 UTC (rev 185673)
@@ -1,3 +1,28 @@
+2015-06-17  Tim Horton  <[email protected]>
+
+        Repro crash when swiping back from a NY Times article @ WebPageProxy::navigationGestureDidEnd
+        https://bugs.webkit.org/show_bug.cgi?id=146083
+        <rdar://problem/20974232>
+
+        Reviewed by Darin Adler.
+
+        * UIProcess/ios/ViewGestureControllerIOS.mm:
+        (WebKit::ViewGestureController::didSameDocumentNavigationForMainFrame):
+        (WebKit::ViewGestureController::activeLoadMonitoringTimerFired):
+        It is possible to get didSameDocumentNavigationForMainFrame *before*
+        endSwipeGesture, while the user is still interactively swiping. We
+        cannot remove the snapshot in this case, nor should we start the active
+        load monitoring timer; all of these things should happen only after the
+        swipe is completed and we've performed the navigation.
+
+        This was particularly bad (a crash instead of just a disappearing snapshot)
+        because removing the snapshot also causes m_webPageProxyForBackForwardListForCurrentSwipe
+        to be nulled out, but then it is dereferenced during endSwipeGesture.
+
+        Make sure that we never call removeSwipeSnapshotIfReady unless we were actually
+        waiting to remove the swipe snapshot (because the gesture had completed).
+        Most callers already did ensure this, but these two did not.
+
 2015-06-17  Joseph Pecoraro  <[email protected]>
 
         Web Inspector: Improve Full Screen support for Web Inspector windows

Modified: trunk/Source/WebKit2/UIProcess/ios/ViewGestureControllerIOS.mm (185672 => 185673)


--- trunk/Source/WebKit2/UIProcess/ios/ViewGestureControllerIOS.mm	2015-06-17 21:38:24 UTC (rev 185672)
+++ trunk/Source/WebKit2/UIProcess/ios/ViewGestureControllerIOS.mm	2015-06-17 22:47:56 UTC (rev 185673)
@@ -391,6 +391,9 @@
         return;
 
     // This is nearly equivalent to didFinishLoad in the same document navigation case.
+    if (!m_swipeWaitingForDidFinishLoad)
+        return;
+
     m_swipeWaitingForDidFinishLoad = false;
 
     if (type != SameDocumentNavigationSessionStateReplace && type != SameDocumentNavigationSessionStatePop)
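Review bot: the new early return on `if (!m_swipeWaitingForDidFinishLoad)` is inserted between the comment `// This is nearly equivalent to didFinishLoad in the same document navigation case.` and the `m_swipeWaitingForDidFinishLoad = false;` it originally described, so the comment now reads as if it explains the bail-out. Move the guard above the comment (or give it its own one-line comment stating that the same-document navigation arrived while the swipe is still interactive and that endSwipeGesture is responsible for the navigation, as the ChangeLog explains), so the next reader does not mistake the silent return for the "didFinishLoad" handling and does not "fix" it by removing the check that prevents the null dereference of m_webPageProxyForBackForwardListForCurrentSwipe.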
@@ -404,6 +407,9 @@
     if (m_webPageProxy.pageLoadState().isLoading())
         return;
 
+    if (!m_swipeWaitingForSubresourceLoads)
+        return;
+
     m_swipeWaitingForSubresourceLoads = false;
     removeSwipeSnapshotIfReady();
 }
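Review bot: in activeLoadMonitoringTimerFired the new `if (!m_swipeWaitingForSubresourceLoads) return;` sits after the `m_webPageProxy.pageLoadState().isLoading()` query, so a timer firing when no snapshot removal is pending still consults page load state before discovering there is nothing to do. Make the flag check the first statement of the function: it is the cheaper test, it mirrors the guard added to didSameDocumentNavigationForMainFrame above, and it makes the invariant ("only removeSwipeSnapshotIfReady when we were actually waiting") visible at the top. A short comment on the guard, stating that the gesture has not completed yet, would also help, since without it the early return looks like a no-op flag check rather than the fix for the dereference described in the ChangeLog.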
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes