[webkit-changes] [WebKit/WebKit] b11448: [Writing Tools] WebContent crashes during teardown...

Aditya Keerthi noreply at github.com
Thu Aug 22 16:02:34 PDT 2024


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: b11448bd2e64189b82d1bb4665f1e4695c824362
      https://github.com/WebKit/WebKit/commit/b11448bd2e64189b82d1bb4665f1e4695c824362
  Author: Aditya Keerthi <akeerthi at apple.com>
  Date:   2024-08-22 (Thu, 22 Aug 2024)

  Changed paths:
    M Source/WebKit/UIProcess/Cocoa/WebPageProxyCocoa.mm
    M Source/WebKit/UIProcess/WebPageProxy.h
    M Source/WebKit/UIProcess/WebPageProxy.messages.in
    M Source/WebKit/WebProcess/WebPage/Cocoa/WebPageCocoa.mm
    M Source/WebKit/WebProcess/WebPage/WebPage.h

  Log Message:
  -----------
  [Writing Tools] WebContent crashes during teardown after performing animations
https://bugs.webkit.org/show_bug.cgi?id=278495
rdar://134091847

Reviewed by Wenson Hsieh.

Writing Tools animations involve communication between the UI process and
WebContent process to coordinate the showing, hiding, and replacement of
ranges of text. This communication occurs via IPC and async reply handlers.

There are two high-level types of animations: "pondering", where the text
remains unchanged and has a constant shimmering animation, and "replace",
which is a transition between two types of text.

The "pondering" animation does not involve complex coordination, and
consequently, there is no completion handler called in the UI process as a
result of its addition. For this reason, the "pondering" animation uses a "null"
completion handler in the web process. However, it uses the same IPC message
as the "replace" animations, which creates an async reply handler. As a result,
"pondering" animations accumulate async reply handlers backed by null completion
handlers. This is problematic for two reasons:

1. Memory leaks. Since "pondering" animations are not associated with a completion
   handler with the native API in the UI process, the async replies continue to
   accumulate during the lifetime of the WebContent process.

2. During teardown in `WebPageProxy::resetState`, all outstanding completion
   handlers are called. This results in the async reply handlers backed by
   null completion handlers getting called in WebContent, culminating in a crash.

Fix by using one-way IPC for the "pondering" animation.

No new tests, as the issue is not reproducible using `-[WKWebView _close]`.

* Source/WebKit/UIProcess/Cocoa/WebPageProxyCocoa.mm:
(WebKit::WebPageProxy::addTextAnimationForAnimationID):
(WebKit::WebPageProxy::addTextAnimationForAnimationIDWithCompletionHandler):
* Source/WebKit/UIProcess/WebPageProxy.h:
* Source/WebKit/UIProcess/WebPageProxy.messages.in:

Introduce another IPC message to be used by animations that don't have a
completion handler.

* Source/WebKit/WebProcess/WebPage/Cocoa/WebPageCocoa.mm:
(WebKit::WebPage::addTextAnimationForAnimationID):

Dispatch the IPC message that does not create an async reply handler when no
completion handler is present.

* Source/WebKit/WebProcess/WebPage/WebPage.h:
(WebKit::WebPage::addTextAnimationForAnimationID):

Canonical link: https://commits.webkit.org/282637@main
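The failure mode described in the commit message (a reply-carrying IPC message whose pending reply is backed by a null completion handler, which both leaks and blows up when every outstanding handler is invoked at teardown) is easy to reproduce in a reduced model. The following is an added example and not WebKit code: the two-process IPC is collapsed into two classes in one address space, the "UI process" replies only for "replace" animations (mirroring the native API never completing "pondering"), a null `std::function` stands in for the null completion handler (invoking it throws `std::bad_function_call`, standing in for the crash), and every name here is hypothetical. The `useFix` flag switches the web side between always sending the reply-carrying message and sending a one-way message when no completion handler is present.

```cpp
#include <cstddef>
#include <cstdint>
#include <functional>
#include <map>
#include <stdexcept>

// Hypothetical reduced model of async-reply IPC; not WebKit's implementation.
using CompletionHandler = std::function<void()>;

// Table of async replies the "web" side is still waiting for.
struct PendingReplyTable {
    std::map<uint64_t, CompletionHandler> handlers;
    uint64_t nextID = 1;

    uint64_t add(CompletionHandler h) {
        uint64_t id = nextID++;
        handlers.emplace(id, std::move(h));   // a null handler is stored as-is
        return id;
    }
};

// Modeled "UI process": only "replace" animations ever produce a reply,
// "pondering" animations are handled without completing anything.
class UIProcess {
public:
    std::function<void(uint64_t)> sendReply;  // wired up to the web side
    int ponderingReceived = 0;

    void receiveWithReply(bool isReplace, uint64_t replyID) {
        if (isReplace)
            sendReply(replyID);
        else
            ++ponderingReceived;              // reply never sent: handler stays pending
    }
    void receiveOneWay() { ++ponderingReceived; }
};

// Modeled "WebContent process".
class WebProcess {
public:
    WebProcess(UIProcess& ui, bool useFix) : m_ui(ui), m_useFix(useFix) {}

    void addTextAnimation(bool isReplace, CompletionHandler handler) {
        if (m_useFix && !handler) {
            m_ui.receiveOneWay();             // fix: no async reply handler created
            return;
        }
        uint64_t id = m_pending.add(std::move(handler));  // bug: null handler registered
        m_ui.receiveWithReply(isReplace, id);
    }

    void handleReply(uint64_t id) {
        auto it = m_pending.handlers.find(id);
        if (it == m_pending.handlers.end())
            return;
        CompletionHandler h = std::move(it->second);
        m_pending.handlers.erase(it);
        if (h)
            h();
    }

    std::size_t outstandingReplies() const { return m_pending.handlers.size(); }

    // Teardown analogue of "call all outstanding completion handlers":
    // a null std::function throws std::bad_function_call here.
    void teardown() {
        for (auto& entry : m_pending.handlers)
            entry.second();
        m_pending.handlers.clear();
    }

private:
    UIProcess& m_ui;
    bool m_useFix;
    PendingReplyTable m_pending;
};

struct Outcome {
    std::size_t outstandingBeforeTeardown;
    bool teardownCrashed;
    int replacesCompleted;
};

// Runs N "pondering" animations followed by one "replace" animation, then tears down.
Outcome runScenario(bool useFix, int ponderingCount) {
    UIProcess ui;
    WebProcess web(ui, useFix);
    ui.sendReply = [&web](uint64_t id) { web.handleReply(id); };

    Outcome out{0, false, 0};
    for (int i = 0; i < ponderingCount; ++i)
        web.addTextAnimation(false, nullptr);          // "pondering": null completion handler
    web.addTextAnimation(true, [&out] { ++out.replacesCompleted; });

    out.outstandingBeforeTeardown = web.outstandingReplies();
    try {
        web.teardown();
    } catch (const std::bad_function_call&) {
        out.teardownCrashed = true;                    // stands in for the WebContent crash
    }
    return out;
}
```

With `useFix == false`, `outstandingBeforeTeardown` grows by one per "pondering" animation for the life of the object (the leak) and `teardown()` trips on the first null handler; with `useFix == true`, nothing is ever registered for "pondering" animations, so the table stays empty and teardown is a no-op. The "replace" path behaves identically in both modes, which is the property the one-way message preserves.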


