[webkit-changes] [WebKit/WebKit] 46b03a: WebPageProxy::setToolTip accesses a null PageClient

[Abrar Rahman Protyasha]

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 46b03afa5a231970ac09fdd9cbfeeaaa68dc31b0
      https://github.com/WebKit/WebKit/commit/46b03afa5a231970ac09fdd9cbfeeaaa68dc31b0
  Author: Abrar Rahman Protyasha <a_protyasha at apple.com>
  Date:   2023-06-23 (Fri, 23 Jun 2023)

  Changed paths:
    M Source/WebKit/UIProcess/WebPageProxy.cpp
    M Tools/TestWebKitAPI/Tests/WebKitCocoa/UIDelegate.mm

  Log Message:
  -----------
  WebPageProxy::setToolTip accesses a null PageClient
https://bugs.webkit.org/show_bug.cgi?id=258313
rdar://110501313

Reviewed by Chris Dumez and Wenson Hsieh.

In 264455 at main, we introduced
`WebPageProxy::dispatchMouseDidMoveOverElementAsynchronously`, which asks
to perform `WebPageProxy::mouseDidMoveOverElement` at a future time. It
turns out there's a null access on `m_pageClient` when we then call into
`WebPageProxy::setToolTip`, which happens because we hold a
`WeakPtr<PageClient>` instance to the `PageClient` object, meaning there
are no guarantees on the PageClient instance's lifetime.

To avoid this null dereference, we should only inform the web page about
a `MouseMove` event upon consulting whether the web page is closed
through `WebPageProxy::isClosed()`.

We also add an API test that crashes without this mitigation in place.

* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::dispatchMouseDidMoveOverElementAsynchronously):
* Tools/TestWebKitAPI/Tests/WebKitCocoa/UIDelegate.mm:
(+[TestEventMonitor addLocalMonitorForEventsMatchingMask:handler:]):

Canonical link: https://commits.webkit.org/265456@main