[webkit-changes] [WebKit/WebKit] 0c2e3d: [iOS] Various editing layout tests occasionally cr...

Wenson Hsieh noreply@github.com
Mon Jul 17 10:53:29 PDT 2023


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 0c2e3d5a3e16e1883524cf902e2398d23de8197b
      https://github.com/WebKit/WebKit/commit/0c2e3d5a3e16e1883524cf902e2398d23de8197b
  Author: Wenson Hsieh <wenson_hsieh@apple.com>
  Date:   2023-07-17 (Mon, 17 Jul 2023)

  Changed paths:
    M Tools/TestRunnerShared/cocoa/LayoutTestSpellChecker.mm

  Log Message:
  -----------
  [iOS] Various editing layout tests occasionally crash under TextChecker::closeSpellDocumentWithTag
https://bugs.webkit.org/show_bug.cgi?id=259253

Reviewed by Aditya Keerthi.

After my prior change in 265869@main to enable swizzling out grammar checking results on iOS, some
layout tests crash due to an invalid `LayoutTestSpellChecker` instance. This is because
`ensureGlobalLayoutTestSpellChecker()` lazily initializes the fake spell checker for layout tests
with a retain count of 1, and continues holding on to it as a singleton; however, the logic to
swizzle out the text checker returned by `-_initWithAsynchronousLoading:` only returns the result of
`ensureGlobalLayoutTestSpellChecker()`.

WebKit code that's calling into `-_initWithAsynchronousLoading:` expects a +1 object and proceeds to
store the pointer in a `RetainPtr`, releasing (and destroying it) after the spell document is closed
(i.e. if the web view is destroyed). This means that the next time anything attempts to reset the
global spell checker, we end up accessing invalid memory.

Fix this by simply retaining the global `LayoutTestSpellChecker` before returning it in the swizzled
initializer, to make the retain counting work as intended.

* Tools/TestRunnerShared/cocoa/LayoutTestSpellChecker.mm:
(swizzledInitializeTextChecker):
(+[LayoutTestSpellChecker checker]):

Canonical link: https://commits.webkit.org/266103@main
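The ownership mismatch the commit message describes, modelled in plain C++ as an added illustration; this is not code from the commit or from WebKit. Cocoa's memory-management rule is that a method whose name begins with init returns an object the caller owns (a +1 reference), which is exactly what a RetainPtr created by adoptNS relies on when it releases later. FakeSpellChecker, AdoptedRetainPtr, ensureGlobalChecker, swizzledInitBuggy, swizzledInitFixed and openAndCloseSpellDocument are hypothetical stand-ins for LayoutTestSpellChecker, adoptNS/RetainPtr, ensureGlobalLayoutTestSpellChecker(), the swizzled -_initWithAsynchronousLoading: and the spell-document open/close path; a `destroyed` flag stands in for real deallocation so the stale access can be observed rather than crashing.

```cpp
#include <cassert>
#include <cstdio>

// Stand-in for an NSObject-style refcounted object (hypothetical, not WebKit's class).
struct FakeSpellChecker {
    int refCount = 1;       // an object fresh out of an -init… method is +1
    bool destroyed = false; // recorded instead of freeing, so the example can inspect it safely

    void retain() { ++refCount; }
    void release() {
        assert(!destroyed && "release after destruction: this is the use-after-free");
        if (--refCount == 0)
            destroyed = true;
    }
};

// Stand-in for a RetainPtr created with adoptNS(): it takes over a +1 reference without
// retaining, and releases exactly once when it goes out of scope.
class AdoptedRetainPtr {
public:
    explicit AdoptedRetainPtr(FakeSpellChecker* p) : m_ptr(p) {}
    ~AdoptedRetainPtr() { if (m_ptr) m_ptr->release(); }
    AdoptedRetainPtr(const AdoptedRetainPtr&) = delete;
    AdoptedRetainPtr& operator=(const AdoptedRetainPtr&) = delete;
private:
    FakeSpellChecker* m_ptr;
};

// Lazily created singleton, playing the role of ensureGlobalLayoutTestSpellChecker():
// it holds one reference for as long as the process runs.
static FakeSpellChecker* g_globalChecker = nullptr;

static FakeSpellChecker* ensureGlobalChecker() {
    if (!g_globalChecker)
        g_globalChecker = new FakeSpellChecker; // refCount == 1, owned by the global
    return g_globalChecker;
}

// Discards the singleton between scenarios so each one starts from a fresh +1 object.
static void resetGlobalChecker() {
    delete g_globalChecker;
    g_globalChecker = nullptr;
}

// Buggy swizzled initializer: hands back a borrowed pointer even though an -init… method
// promises the caller a +1 object.
static FakeSpellChecker* swizzledInitBuggy() {
    return ensureGlobalChecker();
}

// Fixed swizzled initializer: retain before returning, so the caller's eventual release
// balances its own reference and the global's reference survives.
static FakeSpellChecker* swizzledInitFixed() {
    FakeSpellChecker* checker = ensureGlobalChecker();
    checker->retain();
    return checker;
}

// Models the WebKit side: adopt the +1 result into a RetainPtr for the lifetime of a
// spell document, then drop it when the document is closed. Returns true if the global
// singleton is still usable afterwards.
static bool openAndCloseSpellDocument(FakeSpellChecker* (*initializer)()) {
    {
        AdoptedRetainPtr spellDocumentChecker(initializer()); // adoptNS of the init result
    }                                                         // closeSpellDocumentWithTag
    return !ensureGlobalChecker()->destroyed;
}

// Reference count the global is left with after one document has been opened and closed.
static int globalRefCountAfter(FakeSpellChecker* (*initializer)()) {
    resetGlobalChecker();
    openAndCloseSpellDocument(initializer);
    return ensureGlobalChecker()->refCount;
}

int main() {
    resetGlobalChecker();
    std::printf("buggy initializer: global still alive after close? %s\n",
                openAndCloseSpellDocument(swizzledInitBuggy) ? "yes" : "no");
    resetGlobalChecker();
    std::printf("fixed initializer: global still alive after close? %s\n",
                openAndCloseSpellDocument(swizzledInitFixed) ? "yes" : "no");
    return 0;
}
```

With the buggy initializer the global is left at a reference count of 0 once the document is closed, so the next call that touches it (the "reset the global spell checker" step in the bug report) is the invalid access; with the retain added, the count returns to 1 and the singleton outlives any number of web views.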
