Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 7b904b118790e7f76366e63a97abe024e1a57a44
https://github.com/WebKit/WebKit/commit/7b904b118790e7f76366e63a97abe024e1a57a44
Author: David Kilzer <[email protected]>
Date: 2026-05-28 (Thu, 28 May 2026)
Changed paths:
M Source/WebKit/UIProcess/ios/forms/WKDateTimeInputControl.mm
M Source/WebKit/UIProcess/ios/forms/WKFormPeripheralBase.mm
Log Message:
-----------
Crash in -[WKDateTimePicker removeDatePickerPresentation] via SetForScope destructor writing to self
<https://bugs.webkit.org/show_bug.cgi?id=310591>
<rdar://173194730>
Reviewed by Geoffrey Garen.
Protect callers of `-[WKDateTimePicker removeDatePickerPresentation]`
and `-handleDatePickerPresentationDismissal` against deallocation of
the `WKDateTimePicker` object during the call.
When a `DidCommitLoadForFrame` IPC message triggers date picker
dismissal during navigation, `-removeDatePickerPresentation` calls
`-[UIViewController dismissViewControllerAnimated:NO completion:nil]`
on `_datePickerController`. During this call, the `WKDateTimePicker`
object is freed by an unknown mechanism, and the `SetForScope<bool>`
destructor then writes `_isDismissingDatePicker = NO` to freed
memory.
Also protect the `__weak _delegate` in `WKDatePickerPopoverController`
and the `_datePickerController` member in `WKDateTimePicker` before
calling non-trivial methods through them.
No test since the conditions to reproduce the crash are not known.
Verified locally by reproducing with an arbitrary method swizzled.
* Source/WebKit/UIProcess/ios/forms/WKDatePickerPopoverController.mm:
(-[WKDatePickerPopoverController resetDatePicker]):
- Drive-by fix: protect `__weak _delegate` before calling through it.
(-[WKDatePickerPopoverController _dispatchPopoverControllerDidDismissIfNeeded]):
- Drive-by fix: protect `__weak _delegate` before calling through it.
* Source/WebKit/UIProcess/ios/forms/WKDateTimeInputControl.mm:
(-[WKDateTimePicker removeDatePickerPresentation]):
- Drive-by fix: protect `_datePickerController` before calling
`dismissViewControllerAnimated:completion:`.
* Source/WebKit/UIProcess/ios/forms/WKFormPeripheralBase.mm:
(-[WKFormPeripheralBase beginEditing]):
- Drive-by fix: protect `_control` before calling
`controlBeginEditing`.
(-[WKFormPeripheralBase endEditing]):
- Crash fix: protect `_control` before calling `controlEndEditing`.
Originally-landed-as: 305413.576@rapid/safari-7624.2.5.110-branch
(a3ee68e14af5). rdar://176061926
Canonical link: https://commits.webkit.org/314043@main
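The lifetime hazard and the fix pattern described in the commit message, as an added C++ illustration that is not WebKit's code: a strong local reference taken before the RAII guard, so the guard's restoring store lands on a live object. `SetForScope` and `Picker` are simplified stand-ins for WTF::SetForScope and WKDateTimePicker, and the "parking" deleter is a harness device that makes the late write observable instead of undefined behaviour.

```cpp
#include <functional>
#include <memory>
#include <utility>

// Simplified stand-in for WTF::SetForScope (an assumption, not WebKit's
// class): set a variable for the enclosing scope, restore it on exit.
// The restoring store in the destructor is the write that hit freed memory.
template<typename T>
class SetForScope {
public:
    SetForScope(T& variable, T value) : m_variable(variable), m_saved(variable) { m_variable = std::move(value); }
    ~SetForScope() { m_variable = std::move(m_saved); }
private:
    T& m_variable;
    T m_saved;
};

// Stand-in for WKDateTimePicker. onDismiss models the reentrant work done by
// -dismissViewControllerAnimated:completion:, which may drop the last owner.
struct Picker : std::enable_shared_from_this<Picker> {
    bool isDismissing = false;
    std::function<void()> onDismiss;

    void removePresentation(bool protectSelf) {
        // The fix: a strong reference declared *before* the guard, so the
        // guard is destroyed (and writes isDismissing) while *this is alive.
        auto protectedThis = protectSelf ? shared_from_this() : std::shared_ptr<Picker>();
        SetForScope<bool> guard(isDismissing, true);
        if (auto dismiss = std::exchange(onDismiss, nullptr))
            dismiss(); // may release the owner's reference to *this
    }
};

// Harness: the deleter parks the object instead of freeing it, so the guard's
// late write is observable rather than undefined behaviour. Returns true if
// the object was released while the guard was still active, i.e. the restore
// of isDismissing landed on an already-dead object.
bool guardWroteToDeadObject(bool protectSelf) {
    std::unique_ptr<Picker> graveyard;
    bool dismissingAtDestruction = false;
    std::shared_ptr<Picker> owner(new Picker, [&](Picker* p) {
        dismissingAtDestruction = p->isDismissing; // true => guard still open
        graveyard.reset(p);
    });
    Picker* raw = owner.get();
    raw->onDismiss = [&] { owner.reset(); }; // the "unknown mechanism"
    raw->removePresentation(protectSelf);
    return dismissingAtDestruction;
}
```

Without the protection the owner's release happens inside the call and the guard then restores `isDismissing` on a dead object; with it, the release is deferred until after the guard has run.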