<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[238356] trunk</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/238356">238356</a></dd>
<dt>Author</dt> <dd>cdumez@apple.com</dd>
<dt>Date</dt> <dd>2018-11-17 16:25:20 -0800 (Sat, 17 Nov 2018)</dd>
</dl>

<h3>Log Message</h3>
<pre>ASSERTION FAILED: m_messageReceivers.contains(...) under ViewGestureController removeMessageReceiver
https://bugs.webkit.org/show_bug.cgi?id=191734
<rdar://problem/46151497>

Reviewed by Ryosuke Niwa.

Source/WebKit:

When a WebProcess crashes, we destroy the ViewGestureController and reconstruct it later
after we've relaunched a new WebProcess. The ViewGestureController controller takes care
of adding itself as an IPC message receiver to the WebProcessProxy, and the destructor
takes care of removing itself as an IPC message receiver.

However, when process-swapping on navigation, we do not destroy the ViewGestureController
because doing so would take down the swipe gesture snapshot on cross-site swipe navigation.
This led to hitting this assertion later on because the ViewGestureController is still
registered as an IPC message receiver with the old process after process swapping.

To address the issue, we now make sure the ViewGestureController unregisters itself from
the old process and registers itself with the new process on process-swap.

* UIProcess/Cocoa/ViewGestureController.cpp:
(WebKit::ViewGestureController::ViewGestureController):
(WebKit::ViewGestureController::~ViewGestureController):
(WebKit::ViewGestureController::disconnectFromProcess):
(WebKit::ViewGestureController::connectToProcess):
* UIProcess/Cocoa/ViewGestureController.h:
* UIProcess/Cocoa/WebViewImpl.mm:
(WebKit::WebViewImpl::processWillSwap):
(WebKit::WebViewImpl::didRelaunchProcess):

Tools:

Add API test coverage.

* TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm:</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceWebKitChangeLog">trunk/Source/WebKit/ChangeLog</a></li>
<li><a href="#trunkSourceWebKitUIProcessCocoaViewGestureControllercpp">trunk/Source/WebKit/UIProcess/Cocoa/ViewGestureController.cpp</a></li>
<li><a href="#trunkSourceWebKitUIProcessCocoaViewGestureControllerh">trunk/Source/WebKit/UIProcess/Cocoa/ViewGestureController.h</a></li>
<li><a href="#trunkSourceWebKitUIProcessCocoaWebViewImplmm">trunk/Source/WebKit/UIProcess/Cocoa/WebViewImpl.mm</a></li>
<li><a href="#trunkToolsChangeLog">trunk/Tools/ChangeLog</a></li>
<li><a href="#trunkToolsTestWebKitAPITestsWebKitCocoaProcessSwapOnNavigationmm">trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceWebKitChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit/ChangeLog (238355 => 238356)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit/ChangeLog    2018-11-17 23:27:24 UTC (rev 238355)
+++ trunk/Source/WebKit/ChangeLog       2018-11-18 00:25:20 UTC (rev 238356)
</span><span class="lines">@@ -1,5 +1,36 @@
</span><span class="cx"> 2018-11-17  Chris Dumez  <cdumez@apple.com>
</span><span class="cx"> 
</span><ins>+        ASSERTION FAILED: m_messageReceivers.contains(...) under ViewGestureController removeMessageReceiver
+        https://bugs.webkit.org/show_bug.cgi?id=191734
+        <rdar://problem/46151497>
+
+        Reviewed by Ryosuke Niwa.
+
+        When a WebProcess crashes, we destroy the ViewGestureController and reconstruct it later
+        after we've relaunched a new WebProcess. The ViewGestureController controller takes care
+        of adding itself as an IPC message receiver to the WebProcessProxy, and the destructor
+        takes care of removing itself as an IPC message receiver.
+
+        However, when process-swapping on navigation, we do not destroy the ViewGestureController
+        because doing so would take down the swipe gesture snapshot on cross-site swipe navigation.
+        This led to hitting this assertion later on because the ViewGestureController is still
+        registered as an IPC message receiver with the old process after process swapping.
+
+        To address the issue, we now make sure the ViewGestureController unregisters itself from
+        the old process and registers itself with the new process on process-swap.
+
+        * UIProcess/Cocoa/ViewGestureController.cpp:
+        (WebKit::ViewGestureController::ViewGestureController):
+        (WebKit::ViewGestureController::~ViewGestureController):
+        (WebKit::ViewGestureController::disconnectFromProcess):
+        (WebKit::ViewGestureController::connectToProcess):
+        * UIProcess/Cocoa/ViewGestureController.h:
+        * UIProcess/Cocoa/WebViewImpl.mm:
+        (WebKit::WebViewImpl::processWillSwap):
+        (WebKit::WebViewImpl::didRelaunchProcess):
+
+2018-11-17  Chris Dumez  <cdumez@apple.com>
+
</ins><span class="cx">         [PSON] ASSERTION FAILED: m_uncommittedState.state == State::Committed
</span><span class="cx">         https://bugs.webkit.org/show_bug.cgi?id=191781
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceWebKitUIProcessCocoaViewGestureControllercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit/UIProcess/Cocoa/ViewGestureController.cpp (238355 => 238356)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit/UIProcess/Cocoa/ViewGestureController.cpp    2018-11-17 23:27:24 UTC (rev 238355)
+++ trunk/Source/WebKit/UIProcess/Cocoa/ViewGestureController.cpp       2018-11-18 00:25:20 UTC (rev 238356)
</span><span class="lines">@@ -63,7 +63,7 @@
</span><span class="cx">     , m_pendingSwipeTracker(webPageProxy, *this)
</span><span class="cx"> #endif
</span><span class="cx"> {
</span><del>-    m_webPageProxy.process().addMessageReceiver(Messages::ViewGestureController::messageReceiverName(), m_webPageProxy.pageID(), *this);
</del><ins>+    connectToProcess();
</ins><span class="cx"> 
</span><span class="cx">     viewGestureControllersForAllPages().add(webPageProxy.pageID(), this);
</span><span class="cx"> }
</span><span class="lines">@@ -74,9 +74,27 @@
</span><span class="cx"> 
</span><span class="cx">     viewGestureControllersForAllPages().remove(m_webPageProxy.pageID());
</span><span class="cx"> 
</span><ins>+    disconnectFromProcess();
+}
+
+void ViewGestureController::disconnectFromProcess()
+{
+    if (!m_isConnectedToProcess)
+        return;
+
</ins><span class="cx">     m_webPageProxy.process().removeMessageReceiver(Messages::ViewGestureController::messageReceiverName(), m_webPageProxy.pageID());
</span><ins>+    m_isConnectedToProcess = false;
</ins><span class="cx"> }
</span><span class="cx"> 
</span><ins>+void ViewGestureController::connectToProcess()
+{
+    if (m_isConnectedToProcess)
+        return;
+
+    m_webPageProxy.process().addMessageReceiver(Messages::ViewGestureController::messageReceiverName(), m_webPageProxy.pageID(), *this);
+    m_isConnectedToProcess = true;
+}
+
</ins><span class="cx"> ViewGestureController* ViewGestureController::controllerForGesture(uint64_t pageID, ViewGestureController::GestureID gestureID)
</span><span class="cx"> {
</span><span class="cx">     auto gestureControllerIter = viewGestureControllersForAllPages().find(pageID);
</span></span></pre></div>
<a id="trunkSourceWebKitUIProcessCocoaViewGestureControllerh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit/UIProcess/Cocoa/ViewGestureController.h (238355 => 238356)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit/UIProcess/Cocoa/ViewGestureController.h      2018-11-17 23:27:24 UTC (rev 238355)
+++ trunk/Source/WebKit/UIProcess/Cocoa/ViewGestureController.h 2018-11-18 00:25:20 UTC (rev 238356)
</span><span class="lines">@@ -68,6 +68,9 @@
</span><span class="cx">     ViewGestureController(WebPageProxy&);
</span><span class="cx">     ~ViewGestureController();
</span><span class="cx">     void platformTeardown();
</span><ins>+
+    void disconnectFromProcess();
+    void connectToProcess();
</ins><span class="cx">     
</span><span class="cx">     enum class ViewGestureType {
</span><span class="cx">         None,
</span><span class="lines">@@ -306,6 +309,7 @@
</span><span class="cx">     RetainPtr<_UIViewControllerOneToOneTransitionContext> m_swipeTransitionContext;
</span><span class="cx">     uint64_t m_snapshotRemovalTargetRenderTreeSize { 0 };
</span><span class="cx"> #endif
</span><ins>+    bool m_isConnectedToProcess { false };
</ins><span class="cx"> 
</span><span class="cx">     SnapshotRemovalTracker m_snapshotRemovalTracker;
</span><span class="cx"> };
</span></span></pre></div>
<a id="trunkSourceWebKitUIProcessCocoaWebViewImplmm"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit/UIProcess/Cocoa/WebViewImpl.mm (238355 => 238356)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit/UIProcess/Cocoa/WebViewImpl.mm       2018-11-17 23:27:24 UTC (rev 238355)
+++ trunk/Source/WebKit/UIProcess/Cocoa/WebViewImpl.mm  2018-11-18 00:25:20 UTC (rev 238356)
</span><span class="lines">@@ -1477,6 +1477,8 @@
</span><span class="cx"> void WebViewImpl::processWillSwap()
</span><span class="cx"> {
</span><span class="cx">     handleProcessSwapOrExit();
</span><ins>+    if (m_gestureController)
+        m_gestureController->disconnectFromProcess();
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void WebViewImpl::processDidExit()
</span><span class="lines">@@ -1492,6 +1494,9 @@
</span><span class="cx"> 
</span><span class="cx"> void WebViewImpl::didRelaunchProcess()
</span><span class="cx"> {
</span><ins>+    if (m_gestureController)
+        m_gestureController->connectToProcess();
+
</ins><span class="cx">     accessibilityRegisterUIProcessTokens();
</span><span class="cx"> }
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkToolsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Tools/ChangeLog (238355 => 238356)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Tools/ChangeLog    2018-11-17 23:27:24 UTC (rev 238355)
+++ trunk/Tools/ChangeLog       2018-11-18 00:25:20 UTC (rev 238356)
</span><span class="lines">@@ -1,3 +1,15 @@
</span><ins>+2018-11-17  Chris Dumez  <cdumez@apple.com>
+
+        ASSERTION FAILED: m_messageReceivers.contains(...) under ViewGestureController removeMessageReceiver
+        https://bugs.webkit.org/show_bug.cgi?id=191734
+        <rdar://problem/46151497>
+
+        Reviewed by Ryosuke Niwa.
+
+        Add API test coverage.
+
+        * TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm:
+
</ins><span class="cx"> 2018-11-17  Zalan Bujtas  <zalan@apple.com>
</span><span class="cx"> 
</span><span class="cx">         [LFC][IFC] InlineFormattingState::addDetachingRule should accumulate rules.
</span></span></pre></div>
<a id="trunkToolsTestWebKitAPITestsWebKitCocoaProcessSwapOnNavigationmm"></a>
<div class="modfile"><h4>Modified: trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm (238355 => 238356)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm   2018-11-17 23:27:24 UTC (rev 238355)
+++ trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm      2018-11-18 00:25:20 UTC (rev 238356)
</span><span class="lines">@@ -27,6 +27,7 @@
</span><span class="cx"> 
</span><span class="cx"> #import "PlatformUtilities.h"
</span><span class="cx"> #import "Test.h"
</span><ins>+#import "TestNavigationDelegate.h"
</ins><span class="cx"> #import <WebKit/WKNavigationDelegatePrivate.h>
</span><span class="cx"> #import <WebKit/WKNavigationPrivate.h>
</span><span class="cx"> #import <WebKit/WKPreferencesPrivate.h>
</span><span class="lines">@@ -2727,6 +2728,60 @@
</span><span class="cx"> 
</span><span class="cx"> #if PLATFORM(MAC)
</span><span class="cx"> 
</span><ins>+TEST(ProcessSwap, TerminateProcessAfterProcessSwap)
+{
+    auto processPoolConfiguration = adoptNS([[_WKProcessPoolConfiguration alloc] init]);
+    [processPoolConfiguration setProcessSwapsOnNavigation:YES];
+    auto processPool = adoptNS([[WKProcessPool alloc] _initWithConfiguration:processPoolConfiguration.get()]);
+
+    auto webViewConfiguration = adoptNS([[WKWebViewConfiguration alloc] init]);
+    [webViewConfiguration setProcessPool:processPool.get()];
+    auto handler = adoptNS([[PSONScheme alloc] init]);
+    [webViewConfiguration setURLSchemeHandler:handler.get() forURLScheme:@"PSON"];
+
+    auto webView = adoptNS([[WKWebView alloc] initWithFrame:NSMakeRect(0, 0, 800, 600) configuration:webViewConfiguration.get()]);
+    [webView setAllowsBackForwardNavigationGestures:YES];
+
+    auto navigationDelegate = adoptNS([[TestNavigationDelegate alloc] init]);
+    [webView setNavigationDelegate:navigationDelegate.get()];
+    __block bool webProcessTerminated = false;
+    [navigationDelegate setWebContentProcessDidTerminate:^(WKWebView *) {
+        webProcessTerminated = true;
+    }];
+    [navigationDelegate setDidFinishNavigation:^(WKWebView *, WKNavigation *) {
+        done = true;
+    }];
+
+    // Make sure there is a gesture controller.
+    [webView _setCustomSwipeViewsTopContentInset:2.];
+
+    NSURLRequest *request = [NSURLRequest requestWithURL:[NSURL URLWithString:@"pson://www.webkit.org/main.html"]];
+    [webView loadRequest:request];
+    TestWebKitAPI::Util::run(&done);
+    done = false;
+
+    auto webkitPID = [webView _webProcessIdentifier];
+
+    request = [NSURLRequest requestWithURL:[NSURL URLWithString:@"pson://www.apple.com/main.html"]];
+
+    [webView loadRequest:request];
+    TestWebKitAPI::Util::run(&done);
+    done = false;
+
+    EXPECT_NE(webkitPID, [webView _webProcessIdentifier]);
+
+    webProcessTerminated = false;
+    kill([webView _webProcessIdentifier], 9);
+
+    TestWebKitAPI::Util::run(&webProcessTerminated);
+
+    TestWebKitAPI::Util::spinRunLoop(1);
+
+    [webView reload];
+    TestWebKitAPI::Util::run(&done);
+    done = false;
+}
+
</ins><span class="cx"> TEST(ProcessSwap, GoBackToSuspendedPageWithMainFrameIDThatIsNotOne)
</span><span class="cx"> {
</span><span class="cx">     auto processPoolConfiguration = adoptNS([[_WKProcessPoolConfiguration alloc] init]);
</span></span></pre>
</div>
</div>

</body>
</html>