[webkit-changes] [WebKit/WebKit] 1eba2c: Explicitly destroy the render tree in WebPage::close

Alex Christensen noreply at github.com
Tue Dec 3 21:23:25 PST 2024 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 1eba2ca13db0a4949ad07a1053cb29a5152bbbb0
      https://github.com/WebKit/WebKit/commit/1eba2ca13db0a4949ad07a1053cb29a5152bbbb0
  Author: Alex Christensen <achristensen at apple.com>
  Date:   2024-12-03 (Tue, 03 Dec 2024)

  Changed paths:
    M Source/WebCore/history/BackForwardCache.cpp
    M Source/WebCore/page/Page.cpp
    M Source/WebCore/page/Page.h
    M Source/WebKit/WebProcess/WebPage/WebPage.cpp

  Log Message:
  -----------
  Explicitly destroy the render tree in WebPage::close
https://bugs.webkit.org/show_bug.cgi?id=283992
rdar://140868579

Reviewed by Simon Fraser.

This should fix some crashes I'm seeing with site isolation enabled,
particularly after https://github.com/WebKit/WebKit/pull/37381 introduces
more uses of WebPage::close in normal browsing.  The crash was a null
dereference with this stack trace:

WebCore::Page::WeakValueType* WTF::WeakPtrImplBase<WTF::DefaultWeakPtrImpl>::get<WebCore::Page>() + 0 (WeakPtrImpl.h:48) [inlined]
WTF::WeakPtr<WebCore::Page, WTF::DefaultWeakPtrImpl, WTF::RawPtrTraits<WTF::DefaultWeakPtrImpl>>::get() const + 4 (WeakPtr.h:95) [inlined]
WebCore::Frame::page() const + 4 (Page.h:1686) [inlined]
WebCore::RenderObject::page() const + 28 (RenderObject.h:1356) [inlined]
WebCore::RenderLayerCompositor::page() const + 32 (RenderLayerCompositor.cpp:5934) [inlined]
WebCore::RenderLayerCompositor::scheduleRenderingUpdate() + 32 (RenderLayerCompositor.cpp:780) [inlined]
WebCore::RenderLayerCompositor::notifyFlushRequired(WebCore::GraphicsLayer const*) + 32 (RenderLayerCompositor.cpp:773)
WebCore::ThreadTimers::sharedTimerFiredInternal() + 264 (ThreadTimers.cpp:128)
WebCore::timerFired(__CFRunLoopTimer*, void*) + 32 (MainThreadSharedTimerCF.cpp:85)
__CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 32

* Source/WebCore/history/BackForwardCache.cpp:
(WebCore::BackForwardCache::trySuspendPage):
(WebCore::destroyRenderTree): Deleted.
* Source/WebCore/page/Page.cpp:
(WebCore::Page::destroyRenderTrees):
* Source/WebCore/page/Page.h:
* Source/WebKit/WebProcess/WebPage/WebPage.cpp:
(WebKit::WebPage::close):

Canonical link: https://commits.webkit.org/287329@main



To unsubscribe from these emails, change your notification settings at https://github.com/WebKit/WebKit/settings/notifications

More information about the webkit-changes mailing list