Title: [201202] trunk/Source/WebKit2
- Revision: 201202
- Author: [email protected]
- Date: 2016-05-19 17:20:36 -0700 (Thu, 19 May 2016)
Log Message
Mail crashes under TiledCoreAnimationDrawingAreaProxy::createFenceForGeometryUpdate() when the Web process crashes
https://bugs.webkit.org/show_bug.cgi?id=157927
<rdar://problem/24793374>
Reviewed by Dean Jackson.
* UIProcess/mac/TiledCoreAnimationDrawingAreaProxy.mm:
(WebKit::TiledCoreAnimationDrawingAreaProxy::createFence):
With just the right combination of layout mechanisms and Web Content process
crash timing, it is possible to get a frame change underneath WebPageProxy::processDidCrash,
before the DrawingArea has been nulled out but after the Connection has.
This can lead to a null dereference. I had a lot of trouble writing an API
test for this, though I'm certain it's possible.
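The ordering problem the commit message describes, modelled as an added example (constructed here, not WebKit's code): a page proxy whose crash handler clears the Connection before the DrawingArea, a re-entrant frame change that lands in that window, and a fence-creation routine shaped like the patched createFence() so the window yields a null fence instead of a null dereference. Class names, the Fence stand-in for MachSendRight, and the `reentrant` callback are assumptions made for the model.

```cpp
#include <cstdint>
#include <functional>
#include <memory>

// Constructed stand-ins for the objects named in the commit message.
struct Connection {
    bool incomingSyncMessage = false;
    bool hasIncomingSyncMessage() const { return incomingSyncMessage; }
};

struct WebProcessProxy {
    std::unique_ptr<Connection> m_connection = std::make_unique<Connection>();
    Connection* connection() const { return m_connection.get(); }
};

// Stand-in for MachSendRight: port 0 means "no fence", like a default-constructed right.
struct Fence {
    uint32_t port = 0;
    explicit operator bool() const { return port != 0; }
};

class DrawingAreaProxy {
public:
    explicit DrawingAreaProxy(WebProcessProxy& process) : m_process(process) {}

    // Shaped like the patched createFence(): every bail-out returns a null fence.
    Fence createFence() {
        // Assumption: cache the pointer once so the null check and the later use
        // cannot refer to different results (the real patch calls connection() twice).
        Connection* connection = m_process.connection();
        if (!connection)                          // Web process gone or not yet launched
            return Fence{};
        if (connection->hasIncomingSyncMessage()) // reply could be blocked until the fence times out
            return Fence{};
        return Fence{ ++m_nextPort };
    }

private:
    WebProcessProxy& m_process;
    uint32_t m_nextPort = 0;
};

class WebPageProxy {
public:
    WebPageProxy() : m_drawingArea(std::make_unique<DrawingAreaProxy>(m_process)) {}

    // A frame change from the UI layer needs a fence only while a drawing area exists.
    Fence frameDidChange() {
        return m_drawingArea ? m_drawingArea->createFence() : Fence{};
    }

    // Teardown in the order the commit message describes: the Connection is nulled
    // first, a re-entrant frame change can arrive, and only then is the DrawingArea
    // nulled. `reentrant` stands in for whatever layout callback fires in between.
    Fence processDidCrash(const std::function<Fence()>& reentrant) {
        m_process.m_connection.reset();        // Connection nulled...
        Fence fenceDuringCrash = reentrant();  // ...frame change lands here...
        m_drawingArea.reset();                 // ...DrawingArea nulled last
        return fenceDuringCrash;
    }

    WebProcessProxy m_process;
    std::unique_ptr<DrawingAreaProxy> m_drawingArea;
};

// Walks the states worth checking: healthy, sync message pending, the mid-crash
// window, and after teardown. Returns true when every state behaves as expected.
bool runScenario() {
    WebPageProxy page;
    if (!page.frameDidChange())                // healthy: a fence is created
        return false;
    page.m_process.connection()->incomingSyncMessage = true;
    if (page.frameDidChange())                 // sync message pending: no fence
        return false;
    page.m_process.connection()->incomingSyncMessage = false;
    Fence f = page.processDidCrash([&] { return page.frameDidChange(); });
    if (f)                                     // crash window: no fence, and no dereference
        return false;
    return !page.frameDidChange();             // after teardown: still safe
}
```

The model keeps the same two early returns as the real function; the point it adds is that a guard on state another teardown path may clear is only as good as its proximity to the use, which is why the pointer is fetched once and reused.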
Modified Paths
Diff
Modified: trunk/Source/WebKit2/ChangeLog (201201 => 201202)
--- trunk/Source/WebKit2/ChangeLog 2016-05-19 23:54:32 UTC (rev 201201)
+++ trunk/Source/WebKit2/ChangeLog 2016-05-20 00:20:36 UTC (rev 201202)
@@ -1,3 +1,19 @@
+2016-05-19 Tim Horton <[email protected]>
+
+ Mail crashes under TiledCoreAnimationDrawingAreaProxy::createFenceForGeometryUpdate() when the Web process crashes
+ https://bugs.webkit.org/show_bug.cgi?id=157927
+ <rdar://problem/24793374>
+
+ Reviewed by Dean Jackson.
+
+ * UIProcess/mac/TiledCoreAnimationDrawingAreaProxy.mm:
+ (WebKit::TiledCoreAnimationDrawingAreaProxy::createFence):
+ With just the right combination of layout mechanisms and Web Content process
+ crash timing, it is possible to get a frame change underneath WebPageProxy::processDidCrash,
+ before the DrawingArea has been nulled out but after the Connection has.
+ This can lead to a null dereference. I had a lot of trouble writing a API
+ test for this, though I'm certain it's possible.
+
2016-05-16 Enrica Casucci <[email protected]>
No candidate punctuation when typing punctuation in WK2 text field.
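Review bot: the rationale names the ordering (Connection nulled before the DrawingArea) but not which path re-enters during WebPageProxy::processDidCrash; since the entry also records that no API test could be written, a sentence naming the re-entrant layout path, or stating plainly that the new check is a defensive guard against an ordering processDidCrash does not itself guarantee, would give a future reader what the missing test cannot. Minor: "a API test" should read "an API test".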
Modified: trunk/Source/WebKit2/UIProcess/mac/TiledCoreAnimationDrawingAreaProxy.mm (201201 => 201202)
--- trunk/Source/WebKit2/UIProcess/mac/TiledCoreAnimationDrawingAreaProxy.mm 2016-05-19 23:54:32 UTC (rev 201201)
+++ trunk/Source/WebKit2/UIProcess/mac/TiledCoreAnimationDrawingAreaProxy.mm 2016-05-20 00:20:36 UTC (rev 201202)
@@ -160,6 +160,13 @@
if (!rootLayerContext)
return MachSendRight();
+ // Don't fence if we don't have a connection, because the message
+ // will likely get dropped on the floor (if the Web process is terminated)
+ // or queued up until process launch completes, and there's nothing useful
+ // to synchronize in these cases.
+ if (!m_webPageProxy.process().connection())
+ return MachSendRight();
+
// Don't fence if we have incoming synchronous messages, because we may not
// be able to reply to the message until the fence times out.
if (m_webPageProxy.process().connection()->hasIncomingSyncMessage())
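Review bot: the null check at `if (!m_webPageProxy.process().connection())` is correct, but the guarded dereference three lines later re-evaluates `m_webPageProxy.process().connection()`; caching it in a local, e.g. `auto* connection = m_webPageProxy.process().connection();`, and using that local for both the check and `connection->hasIncomingSyncMessage()` ties the check to the pointer actually used and keeps the two from drifting apart under later edits. The new comment's second case (message queued until launch completes) also suggests noting whether a non-null rootLayerContext is possible before launch, since otherwise the earlier `if (!rootLayerContext)` return already covers that path.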
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes