Title: [204146] branches/safari-602-branch/Source/WebKit2
- Revision
- 204146
- Author
- bshaf...@apple.com
- Date
- 2016-08-04 15:11:00 -0700 (Thu, 04 Aug 2016)
Log Message
Merge r204135. rdar://problem/19814215
Modified Paths
Diff
Modified: branches/safari-602-branch/Source/WebKit2/ChangeLog (204145 => 204146)
--- branches/safari-602-branch/Source/WebKit2/ChangeLog 2016-08-04 22:05:00 UTC (rev 204145)
+++ branches/safari-602-branch/Source/WebKit2/ChangeLog 2016-08-04 22:11:00 UTC (rev 204146)
@@ -1,3 +1,35 @@
+2016-08-04 Babak Shafiei <bshaf...@apple.com>
+
+ Merge r204135. rdar://problem/19814215
+
+ 2016-08-04 Chris Dumez <cdu...@apple.com>
+
+ Crash under NavigationState::NavigationClient::processDidCrash()
+ https://bugs.webkit.org/show_bug.cgi?id=160563
+ <rdar://problem/19814215>
+
+ Reviewed by Sam Weinig.
+
+ When WebPageProxy::close() gets called, make sure we destroy the page's
+ navigationClient. If we don't then the navigationClient can outlive the
+ navigationState, causing crashes when navigationClient tries to use its
+ stale navigationState member reference later on. This happens when the
+ WebPageProxy outlives its WKWebView because:
+ 1. WebPageProxy owns the navigationClient
+ 2. WKWebView owns the navigationState
+ 3. navigationClient has a reference to the navigationState as member.
+
+ WebPageProxy can outlive the WKWebView because it is refCounted. It
+ can happen for example when the client application uses the
+ RelatedPage API as this extend the lifetime of the related WebPage's
+ proxy but the application may not keep the related WKWebView alive.
+
+ * UIProcess/WebPageProxy.cpp:
+ (WebKit::WebPageProxy::close):
+ Note that it is safe to null out m_navigationClient here instead of
+ creating a fresh one because there is a null check before every use
+ of m_navigationClient in WebPageProxy.
+
2016-08-02 Babak Shafiei <bshaf...@apple.com>
Merge r204057. rdar://problem/27534205
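Review bot: The statement in the new ChangeLog entry that "there is a null check before every use of m_navigationClient in WebPageProxy" is the invariant the whole fix depends on, so it should also appear as a comment beside the assignment in WebPageProxy::close(), where the next person adding a call site will actually see it; a ChangeLog paragraph alone will not stop an unchecked use from being introduced later. Minor wording in the same entry: "as this extend the lifetime of the related WebPage's proxy" should read "as this extends the lifetime".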
Modified: branches/safari-602-branch/Source/WebKit2/UIProcess/WebPageProxy.cpp (204145 => 204146)
--- branches/safari-602-branch/Source/WebKit2/UIProcess/WebPageProxy.cpp 2016-08-04 22:05:00 UTC (rev 204145)
+++ branches/safari-602-branch/Source/WebKit2/UIProcess/WebPageProxy.cpp 2016-08-04 22:11:00 UTC (rev 204146)
@@ -851,6 +851,7 @@
resetState(ResetStateReason::PageInvalidated);
m_loaderClient = std::make_unique<API::LoaderClient>();
+ m_navigationClient = nullptr;
m_policyClient = std::make_unique<API::PolicyClient>();
m_formClient = std::make_unique<API::FormClient>();
m_uiClient = std::make_unique<API::UIClient>();
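Review bot: Assigning nullptr to m_navigationClient is inconsistent with the surrounding lines, which reset m_loaderClient, m_policyClient, m_formClient and m_uiClient to fresh default-constructed clients; the ChangeLog says every existing use is null-checked, but a null member plus one future unchecked use is a null dereference, whereas a default client would be safe by construction, so either add a one-line comment here stating that invariant or explain why a default API::NavigationClient is not an option. Also worth confirming that resetState(ResetStateReason::PageInvalidated), which runs two lines above this assignment, cannot call into the navigation client, since at that point the client still holds the stale navigationState reference described in the ChangeLog and the crash being fixed could still be reached before the reset.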
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes