[webkit-changes] [WebKit/WebKit] 31b24d: Crash under WebKit::WebBackForwardCache::removeEnt...

Chris Dumez noreply at github.com
Mon Jul 31 11:51:19 PDT 2023


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 31b24d6be480ea184a9a4eeee52d3d7d52a3bb2f
      https://github.com/WebKit/WebKit/commit/31b24d6be480ea184a9a4eeee52d3d7d52a3bb2f
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-07-31 (Mon, 31 Jul 2023)

  Changed paths:
    M Source/WebKit/Shared/WebBackForwardListItem.h
    M Source/WebKit/UIProcess/WebBackForwardCache.cpp
    M Source/WebKit/UIProcess/WebBackForwardCache.h

  Log Message:
  -----------
  Crash under WebKit::WebBackForwardCache::removeEntry()
https://bugs.webkit.org/show_bug.cgi?id=258698
rdar://111524465

Reviewed by Ryosuke Niwa.

In WebBackForwardCache::removeEntry(), the call to `item.setBackForwardCacheEntry(nullptr)`
may cause the `item` to get destroyed. However, we were using `item` on the next line for
logging purposes. To fix the bug, I am moving the logging before the setBackForwardCacheEntry()
call.

For hardening purposes, I am also updating m_itemsWithCachedPage to contain WeakPtrs instead
of raw pointers.

* Source/WebKit/Shared/WebBackForwardListItem.h:
* Source/WebKit/UIProcess/WebBackForwardCache.cpp:
(WebKit::WebBackForwardCache::removeEntry):
(WebKit::WebBackForwardCache::removeEntriesMatching):
(WebKit::WebBackForwardCache::clear):
* Source/WebKit/UIProcess/WebBackForwardCache.h:

Originally-landed-as: 259548.865 at safari-7615-branch (cb256ae0cae9). rdar://111524465
Canonical link: https://commits.webkit.org/266453@main
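The two defensive moves in the commit message, logging before the call that may destroy the object and holding non-owning handles in the cache, are shown below in a self-contained toy model. This is an added example, not WebKit's code: `std::weak_ptr` stands in for WTF::WeakPtr, the `Item`, `HistoryList` and `BackForwardCache` types are hypothetical stand-ins for the WebKit classes named in the log, and the eviction policy in `HistoryList::itemLostCachedPage` is an assumption chosen so that clearing the cache entry really does release the last strong reference, just as the commit describes.

```cpp
#include <algorithm>
#include <memory>
#include <string>
#include <vector>

// Added example (not WebKit code). Models the pattern from the commit: the cache
// must not touch an item after the call that may destroy it, and it keeps
// non-owning handles so that a stale entry is skipped rather than dereferenced.
struct Item;

struct HistoryList {
    std::vector<std::shared_ptr<Item>> items;   // the only strong owner of items
    void itemLostCachedPage(Item* item);        // assumed policy: evict the item
};

struct Item {
    static int destroyedCount;                  // lets the scenario observe destruction
    int id;
    HistoryList* owner;
    bool hasCacheEntry = true;

    Item(int id, HistoryList* owner) : id(id), owner(owner) {}
    ~Item() { ++destroyedCount; }

    // Stand-in for setBackForwardCacheEntry(nullptr): notifying the owner may
    // release the last strong reference, so nothing after that touches *this.
    void clearCacheEntry() {
        hasCacheEntry = false;
        if (owner)
            owner->itemLostCachedPage(this);
    }
};
int Item::destroyedCount = 0;

void HistoryList::itemLostCachedPage(Item* item) {
    items.erase(std::remove_if(items.begin(), items.end(),
                    [item](const std::shared_ptr<Item>& p) { return p.get() == item; }),
                items.end());
}

class BackForwardCache {
public:
    std::vector<std::string> log;

    void addEntry(const std::shared_ptr<Item>& item) { m_itemsWithCachedPage.push_back(item); }

    // Fixed ordering: log first, drop our handle, and only then make the call
    // that may destroy the item. `item` is never read after that call.
    void removeEntry(Item& item) {
        log.push_back("removeEntry: item " + std::to_string(item.id));
        m_itemsWithCachedPage.erase(
            std::remove_if(m_itemsWithCachedPage.begin(), m_itemsWithCachedPage.end(),
                [&item](const std::weak_ptr<Item>& w) { return w.lock().get() == &item; }),
            m_itemsWithCachedPage.end());
        item.clearCacheEntry();
    }

    // Expired handles are skipped, never dereferenced. Returns how many live
    // entries were actually cleared.
    size_t clear() {
        std::vector<std::shared_ptr<Item>> live;
        for (const auto& w : m_itemsWithCachedPage)
            if (auto p = w.lock())
                live.push_back(p);
        for (const auto& p : live)
            removeEntry(*p);
        m_itemsWithCachedPage.clear();
        return live.size();
    }

    size_t liveEntryCount() const {
        return std::count_if(m_itemsWithCachedPage.begin(), m_itemsWithCachedPage.end(),
                             [](const std::weak_ptr<Item>& w) { return !w.expired(); });
    }

private:
    std::vector<std::weak_ptr<Item>> m_itemsWithCachedPage;   // WeakPtr, not raw pointers
};

struct ScenarioResult {
    int destroyedAfterRemove;            // item 1 is destroyed inside removeEntry
    std::string firstLogLine;            // written before the destroying call
    size_t liveAfterRemove;              // item 2 still cached
    size_t clearedAfterOwnerDroppedAll;  // 0: stale handle skipped
    int destroyedAtEnd;
};

// Constructed scenario: two items with cached pages, owned solely by the list.
ScenarioResult runScenario() {
    Item::destroyedCount = 0;
    HistoryList list;
    BackForwardCache cache;
    for (int id = 1; id <= 2; ++id) {
        list.items.push_back(std::make_shared<Item>(id, &list));
        cache.addEntry(list.items.back());
    }
    Item* first = list.items.front().get();

    ScenarioResult r{};
    cache.removeEntry(*first);                       // destroys item 1 mid-call
    r.destroyedAfterRemove = Item::destroyedCount;
    r.firstLogLine = cache.log.front();
    r.liveAfterRemove = cache.liveEntryCount();

    list.items.clear();                              // owner drops item 2 behind the cache's back
    r.clearedAfterOwnerDroppedAll = cache.clear();   // expired weak handle is ignored
    r.destroyedAtEnd = Item::destroyedCount;
    return r;
}
```

With raw pointers in `m_itemsWithCachedPage`, the second half of the scenario (the owner destroying item 2 without going through the cache) would leave a dangling pointer for `clear()` to dereference; the weak handle turns that into a skipped entry. The first half shows why the log line has to precede `clearCacheEntry()`: once that call returns, `item` may already be gone.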
