[webkit-changes] [WebKit/WebKit] 4473b1: [iOS] Crash when closing and removing a WKWebView ...

Aditya Keerthi noreply at github.com
Fri Sep 15 18:33:05 PDT 2023 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 4473b145e8373e09ae26f6550f2d5acbf745b9d9
      https://github.com/WebKit/WebKit/commit/4473b145e8373e09ae26f6550f2d5acbf745b9d9
  Author: Aditya Keerthi <akeerthi at apple.com>
  Date:   2023-09-15 (Fri, 15 Sep 2023)

  Changed paths:
    M Source/WebKit/UIProcess/API/ios/WKWebViewIOS.mm
    M Tools/TestWebKitAPI/Tests/WebKitCocoa/FindInPage.mm

  Log Message:
  -----------
  [iOS] Crash when closing and removing a WKWebView with an active find interaction
https://bugs.webkit.org/show_bug.cgi?id=261623
rdar://115543506

Reviewed by Wenson Hsieh.

In 267443 at main, `WKWebView` began driving find overlay display logic from the
UI process, rather than the Web process. Specifically, the `CALayer` representing
the overlay is directly manipulated from `WKWebView`, rather than `PageOverlay`.

`-[WKWebView _layerForFindOverlay]` can be used to retrieve the current find
overlay layer, using the `DrawingAreaProxy` and a layer identifier.

The crashing scenario is as follows:
1. Begin a find interaction. This creates a find overlay layer, referenced as `_perProcessState.committedFindLayerID`.
2. Close the `WKWebView` using `-[WKWebView _close]`. This results in the `DrawingAreaProxy` being nulled out.
3. Remove the `WKWebView` from the view hierarchy. This triggers the end of the find interaction.
4. Since the find interaction is ending, the web view attempts to hide the overlay layer.
5. Null dereference of `_page->drawingArea()` as current layer is retrieved prior to hiding.

The underlying assumption that was incorrect here was that `_perProcessState`
gets reset when the `WKWebView` is closed. That would fix the crash, since
`committedFindLayerID` would be unavailable. However, this state is not reset,
presumably since the overall web view state no longer has useful meaning.

To fix, simply null-check the `DrawingAreaProxy` as is done in other parts of
the code. `committedFindLayerID` does not need to be reset, as a new search
cannot be initiated with a closed web view.

* Source/WebKit/UIProcess/API/ios/WKWebViewIOS.mm:
(-[WKWebView _layerForFindOverlay]):
* Tools/TestWebKitAPI/Tests/WebKitCocoa/FindInPage.mm:
(TEST):

Canonical link: https://commits.webkit.org/268044@main

More information about the webkit-changes mailing list