[webkit-changes] [WebKit/WebKit] 703a5b: REGRESSION (iOS 17.2): Infinite recursion in -[WKC...

Wenson Hsieh noreply at github.com
Fri Jun 7 18:15:10 PDT 2024 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 703a5b6bfcf1ff18afc3c0b46042d9ccee39371f
      https://github.com/WebKit/WebKit/commit/703a5b6bfcf1ff18afc3c0b46042d9ccee39371f
  Author: Wenson Hsieh <wenson_hsieh at apple.com>
  Date:   2024-06-07 (Fri, 07 Jun 2024)

  Changed paths:
    M Source/WebKit/UIProcess/ios/WKContentViewInteraction.h
    M Source/WebKit/UIProcess/ios/WKContentViewInteraction.mm

  Log Message:
  -----------
  REGRESSION (iOS 17.2): Infinite recursion in -[WKContentView(WKInteraction) inputViewForWebView]
https://bugs.webkit.org/show_bug.cgi?id=275171
rdar://127722998

Reviewed by Richard Robinson.

The changes in rdar://116751305&104994662 seem to have made it possible for `-inputViewForWebView`
to trigger infinite recursion, due to a new `-[UITextInputAssistantItem leadingBarButtonGroups]`
KVO listener in UIKit. Underneath this new KVO logic, UIKit calls into some internal methods which
ultimately call back into `-[WKContentView inputViewForWebView]`. In order of stack depth (growing
downwards), the reentrant calls to update the input accessory view look like this:

```
-[WKContentView(WKInteraction) _updateAccessory]
-[WKContentView(WKInteraction) formAccessoryView]
-[WKFormAccessoryView _initForUniversalControlBar:] // <--- Setting up WKFormAccessoryView

  … (KVO triggered by setting leading/trailing bar button groups)

-[UISystemInputAssistantViewController observeValueForKeyPath:ofObject:change:context:]
-[TUISystemInputAssistantView setInputAssistantItem:force:]

  … (UIKit internals)

-[UIKeyboardSceneDelegate expectedInputViewSetIsCustom]
-[WKContentView(WKInteraction) inputViewForWebView]
-[WKContentView(WKInteraction) _updateAccessory]
-[WKContentView(WKInteraction) formAccessoryView]
-[WKFormAccessoryView _initForUniversalControlBar:] // <--- Setting up WKFormAccessoryView (reentrancy!)
```

While I wasn't able to reproduce the crash at all, we can at least harden against this scenario by
making `-_updateAccessory` robust against reentrancy. Achieve this by adding a new ivar that's only
set during the scope of `-_updateAccessory`, and return early if it's set.

* Source/WebKit/UIProcess/ios/WKContentViewInteraction.h:
* Source/WebKit/UIProcess/ios/WKContentViewInteraction.mm:
(-[WKContentView setUpInteraction]):
(-[WKContentView _updateAccessory]):

Canonical link: https://commits.webkit.org/279845@main



To unsubscribe from these emails, change your notification settings at https://github.com/WebKit/WebKit/settings/notifications

More information about the webkit-changes mailing list