Title: [240772] trunk/Source/WebKit
- Revision: 240772
- Author: rn...@webkit.org
- Date: 2019-01-31 00:40:58 -0800 (Thu, 31 Jan 2019)
Log Message
iOS: Crash in InteractiveUpdateHandler set by ViewGestureController::beginSwipeGesture
https://bugs.webkit.org/show_bug.cgi?id=194083
Reviewed by Tim Horton.
We think this crash is a regression from r236966. Prior to r236966, we could only call
removeSwipeSnapshot() when m_provisionalOrSameDocumentLoadCallback was set, but now
we can call it either when m_snapshotRemovalTracker::start was called, or it had been reset.
This can result in m_webPageProxyForBackForwardListForCurrentSwipe getting cleared before
InteractiveUpdateHandler is called by UIGestureRecognizer, resulting in the crash.
This patch tries to restore the behavior prior to r236966 by only invoking removeSwipeSnapshot()
when SnapshotRemovalTracker has a valid removal callback set.
Unfortunately, there are no new tests since there is no reproducible test case, and neither API tests
nor layout tests seem to have the capability to trigger swipe gestures via UIGestureRecognizer,
which is required for this crash to occur. Notably, the back-forward swipe tests I enabled in
r240765 bypass UIKit and emulate the action instead.
* UIProcess/Cocoa/ViewGestureController.cpp:
(WebKit::ViewGestureController::didReachMainFrameLoadTerminalState):
* UIProcess/Cocoa/ViewGestureController.h:
(WebKit::ViewGestureController::SnapshotRemovalTracker::hasRemovalCallback const):
Diff
Modified: trunk/Source/WebKit/ChangeLog (240771 => 240772)
--- trunk/Source/WebKit/ChangeLog 2019-01-31 08:10:36 UTC (rev 240771)
+++ trunk/Source/WebKit/ChangeLog 2019-01-31 08:40:58 UTC (rev 240772)
@@ -1,3 +1,29 @@
+2019-01-31 Ryosuke Niwa <rn...@webkit.org>
+
+ iOS: Crash in InteractiveUpdateHandler set by ViewGestureController::beginSwipeGesture
+ https://bugs.webkit.org/show_bug.cgi?id=194083
+
+ Reviewed by Tim Horton.
+
+ We think this crash is a regression from r236966. Prior to r236966, we could only called
+ removeSwipeSnapshot() only when m_provisionalOrSameDocumentLoadCallback was set but now
+ we can call it either when m_snapshotRemovalTracker::start was called, or it had been reset.
+ This can result in m_webPageProxyForBackForwardListForCurrentSwipe getting cleared before
+ InteractiveUpdateHandler is called by UIGestureRecognizer, resulting in the crash.
+
+ This patch tries to restore the behavior prior to r236966 by only invoking removeSwipeSnapshot()
+ when SnapshotRemovalTracker has a valid removal callback set.
+
+ Unfortunately no new tests since there is no reproducible test case, and neither API tests
+ nor layout tests seem to have the capability to trigger swipe gestures via UIGestureRecognizer,
+ which is required for this crash to occur. Notably, back-forward swipe tests I enabled in
+ r240765 bypass UIKit and emulates the action instead.
+
+ * UIProcess/Cocoa/ViewGestureController.cpp:
+ (WebKit::ViewGestureController::didReachMainFrameLoadTerminalState):
+ * UIProcess/Cocoa/ViewGestureController.h:
+ (WebKit::ViewGestureController::SnapshotRemovalTracker::hasRemovalCallback const):
+
2019-01-30 Benjamin Poulain <benja...@webkit.org>
<rdar://problem/47570443> Responsiveness timers are too expensive for frequent events
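Review bot: the ChangeLog entry is the only written explanation of why the new hasRemovalCallback() guard exists (the entry itself says no test can cover it), so its wording slips are worth fixing before landing: "we could only called removeSwipeSnapshot() only when" has a stray "only" and the wrong verb form, "bypass UIKit and emulates" should read "emulate", and `m_snapshotRemovalTracker::start` uses scope-resolution syntax for what is a call on a member, i.e. `m_snapshotRemovalTracker.start()`. A reader of the blame in a year will otherwise have to guess whether "start" refers to a static function or to the tracker instance.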
Modified: trunk/Source/WebKit/UIProcess/Cocoa/ViewGestureController.cpp (240771 => 240772)
--- trunk/Source/WebKit/UIProcess/Cocoa/ViewGestureController.cpp 2019-01-31 08:10:36 UTC (rev 240771)
+++ trunk/Source/WebKit/UIProcess/Cocoa/ViewGestureController.cpp 2019-01-31 08:40:58 UTC (rev 240772)
@@ -188,7 +188,7 @@
void ViewGestureController::didReachMainFrameLoadTerminalState()
{
- if (m_snapshotRemovalTracker.isPaused()) {
+ if (m_snapshotRemovalTracker.isPaused() && m_snapshotRemovalTracker.hasRemovalCallback()) {
removeSwipeSnapshot();
return;
}
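Review bot: with the added `&& m_snapshotRemovalTracker.hasRemovalCallback()`, a paused tracker that has no removal callback no longer takes the early `return` and instead falls through to the rest of didReachMainFrameLoadTerminalState(), which this hunk does not show; please confirm that the fall-through path is the intended pre-r236966 behaviour for the "tracker had been reset" case the ChangeLog describes, rather than a second place where the snapshot could be torn down. It would also help to add a one-line comment at the condition stating that removal is skipped when no callback is armed because m_webPageProxyForBackForwardListForCurrentSwipe would otherwise be cleared while the gesture recognizer's InteractiveUpdateHandler can still fire; without it the extra predicate reads as arbitrary, and since nothing exercises it in tests, the comment is the only thing stopping a later cleanup from simplifying it away.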
Modified: trunk/Source/WebKit/UIProcess/Cocoa/ViewGestureController.h (240771 => 240772)
--- trunk/Source/WebKit/UIProcess/Cocoa/ViewGestureController.h 2019-01-31 08:10:36 UTC (rev 240771)
+++ trunk/Source/WebKit/UIProcess/Cocoa/ViewGestureController.h 2019-01-31 08:40:58 UTC (rev 240772)
@@ -179,6 +179,7 @@
void pause() { m_paused = true; }
void resume();
bool isPaused() const { return m_paused; }
+ bool hasRemovalCallback() const { return !!m_removalCallback; }
bool eventOccurred(Events);
bool cancelOutstandingEvent(Events);
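Review bot: `hasRemovalCallback()` exposes the tracker's internal callback state so that the caller can AND it with `isPaused()`; consider instead giving SnapshotRemovalTracker a single predicate that answers the question didReachMainFrameLoadTerminalState() is actually asking (paused and armed with a removal callback), so the invariant lives in one place next to `pause()`/`resume()` rather than being reassembled at each call site. Minor: `!!m_removalCallback` is consistent with the surrounding one-line accessors, but if any other call site ends up checking the callback directly, the two spellings of the same test tend to drift apart.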
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes