[webkit-changes] [WebKit/WebKit] d55e64: Crash under ProvisionalPageProxy::initializeWebPage()
Chris Dumez
noreply at github.com
Sat Mar 11 21:11:49 PST 2023
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: d55e642abe031c64cc1efbcf4a076253572ecfc9
https://github.com/WebKit/WebKit/commit/d55e642abe031c64cc1efbcf4a076253572ecfc9
Author: Chris Dumez <cdumez at apple.com>
Date: 2023-03-11 (Sat, 11 Mar 2023)
Changed paths:
M Source/WebKit/UIProcess/WebPageProxy.cpp
Log Message:
-----------
Crash under ProvisionalPageProxy::initializeWebPage()
https://bugs.webkit.org/show_bug.cgi?id=253767
rdar://106597341
Reviewed by David Kilzer.
receivedNavigationPolicyDecision() calls continueNavigationInNewProcess(), which
creates a new ProvisionalPageProxy. The ProvisionalPageProxy constructor calls
ProvisionalPageProxy::initializeWebPage(), which accesses m_page.pageClient()
and crashes with a null dereference.
receivedNavigationPolicyDecision() early returns if Page::isClosed() is true,
which should indicate that the pageClient couldn't have been null initially.
This means the pageClient must have been nulled out in between the isClosed()
check and the ProvisionalPageProxy::initializeWebPage() call. To protect
against this, I am adding a PageClientProtector to this code path, right after
the isClosed() check.
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::receivedNavigationPolicyDecision):
Canonical link: https://commits.webkit.org/261547@main
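The hazard the commit message describes (a closed-page check passing, a re-entrant call nulling the client out, then a dereference of that client) and the scoped-protector fix are illustrated below in a small, constructed C++ model. This is an added example, not WebKit's code: Page, PageClient, PageClientProtector, onPolicyDecision and the navigate*() functions are simplified stand-ins, and the "protector" here is just a copied std::shared_ptr, which is assumed to be enough to model the point that a strong reference taken right after the isClosed() check keeps the client alive across the re-entrant call.

```cpp
#include <cstdio>
#include <functional>
#include <memory>
#include <string>
#include <utility>

// Constructed model, not WebKit code: the object a page needs while starting a navigation.
struct PageClient {
    std::string name;
    explicit PageClient(std::string n) : name(std::move(n)) {}
};

class Page {
public:
    explicit Page(std::shared_ptr<PageClient> client) : m_client(std::move(client)) {}

    bool isClosed() const { return m_closed; }
    PageClient* pageClient() const { return m_client.get(); }

    // Closing the page drops its client; the Page object itself stays alive.
    void close() {
        m_closed = true;
        m_client.reset();
    }

    // Hypothetical re-entrancy hook: stands in for whatever code runs between the
    // isClosed() check and the client dereference (a delegate callback, for instance).
    std::function<void(Page&)> onPolicyDecision;

    // Unprotected path, modelled on the pre-fix ordering: isClosed() check, re-entrant
    // work, then a dereference of the client. If the hook closed the page, the client
    // is null here. A real implementation would crash; this model returns false instead.
    bool navigateUnprotected() {
        if (isClosed())
            return false;
        if (onPolicyDecision)
            onPolicyDecision(*this);
        PageClient* client = pageClient();
        if (!client)
            return false; // the null-dereference point in the unguarded code
        return initializeWithClient(*client);
    }

    // Protected path: a scoped protector, taken right after the isClosed() check,
    // holds a strong reference to the client so it outlives the re-entrant call.
    bool navigateProtected() {
        if (isClosed())
            return false;
        PageClientProtector protector(*this);
        if (onPolicyDecision)
            onPolicyDecision(*this);
        return initializeWithClient(protector.client());
    }

private:
    // RAII guard: copies the shared_ptr, so the client cannot be destroyed while the
    // guard is in scope even if Page::close() resets the page's own pointer.
    class PageClientProtector {
    public:
        explicit PageClientProtector(Page& page) : m_client(page.m_client) {}
        PageClient& client() const { return *m_client; }
    private:
        std::shared_ptr<PageClient> m_client;
    };

    bool initializeWithClient(PageClient& client) { return !client.name.empty(); }

    std::shared_ptr<PageClient> m_client;
    bool m_closed = false;
};

// Scenario: the hook closes the page mid-navigation (the race the commit describes).
bool raceWithoutProtector() {
    Page page(std::make_shared<PageClient>("ui-client"));
    page.onPolicyDecision = [](Page& p) { p.close(); };
    return page.navigateUnprotected(); // false: client was null at the dereference
}

bool raceWithProtector() {
    Page page(std::make_shared<PageClient>("ui-client"));
    page.onPolicyDecision = [](Page& p) { p.close(); };
    return page.navigateProtected(); // true: protector kept the client alive
}

// Control: with no re-entrancy, both paths succeed.
bool noReentrancy() {
    Page page(std::make_shared<PageClient>("ui-client"));
    return page.navigateUnprotected() && page.navigateProtected();
}

// Control: an already-closed page is rejected by the isClosed() check on both paths.
bool alreadyClosed() {
    Page page(std::make_shared<PageClient>("ui-client"));
    page.close();
    return page.navigateUnprotected() || page.navigateProtected();
}

int main() {
    std::printf("unprotected race: %s\n", raceWithoutProtector() ? "ok" : "null client");
    std::printf("protected race:   %s\n", raceWithProtector() ? "ok" : "null client");
    return 0;
}
```

The point of the model is the ordering: an isClosed() check is only as good as the code that runs after it, and any call that can re-enter and tear the page down invalidates the check. Taking the protector immediately after the check, before any re-entrant work, is what turns the check into an actual guarantee for the rest of the function.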