[Webkit-unassigned] [Bug 185877] New: Avoid keeping FormState alive longer than necessary
bugzilla-daemon at webkit.org
Tue May 22 12:25:45 PDT 2018
https://bugs.webkit.org/show_bug.cgi?id=185877
Bug ID: 185877
Summary: Avoid keeping FormState alive longer than necessary
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: WebCore Misc.
Assignee: webkit-unassigned at lists.webkit.org
Reporter: bfulgham at webkit.org
A number of crash fixes were done to prevent FormState objects from being accessed after their relevant Frames had been destroyed. Unfortunately, this could cause the FormState to persist after the owning Frame had been destroyed, resulting in nullptr dereferences.
This patch does the following:
1. Changes to use WeakPtrs for FormState objects passed to completion handlers, rather than RetainPtr, since those completion handlers might fire as part of the clean-up process during Frame destruction. This allows us to use the FormState if they are still valid, but gracefully handle cases where a form submission is cancelled in-flight.
2. Removes some extraneous WTFMove() calls being made on bare FormState pointers.
3. Changes the trap from Bug 183704 so that it only fires if the FormState object is being retained more than once.
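An added illustration of the pattern described in point 1 (and the single-retention check from point 3), not code from WebKit or from this patch: a standard C++ sketch in which std::shared_ptr/std::weak_ptr stand in for WebKit's smart pointers, and Frame and FormState are simplified, constructed stand-ins for the WebCore classes.

```cpp
#include <functional>
#include <memory>
#include <vector>

// Simplified stand-ins for WebCore's Frame and FormState; not WebKit code.
struct FormState { bool submitted = false; };
struct Frame {
    std::shared_ptr<FormState> formState = std::make_shared<FormState>(); // sole owner
    std::vector<std::function<void()>> pendingCompletions;               // in flight
    ~Frame() {
        // Teardown releases FormState first; pending completions then fire during clean-up.
        formState.reset();
        for (auto& handler : pendingCompletions) handler();
    }
};
enum class Outcome { NotFired, Used, CancelledGracefully };

// The fix's pattern: the handler captures only a weak reference, so it neither
// extends FormState's lifetime past its Frame nor touches freed memory.
void scheduleSubmission(Frame& frame, Outcome& outcome) {
    std::weak_ptr<FormState> weakState = frame.formState;
    frame.pendingCompletions.push_back([weakState, &outcome] {
        auto state = weakState.lock();  // null once the Frame has released it
        if (!state) { outcome = Outcome::CancelledGracefully; return; }
        state->submitted = true;        // safe: the owning Frame is still alive
        outcome = Outcome::Used;
    });
}

// Drives one submission; with destroyFrameFirst the Frame is torn down while the
// completion is still pending, i.e. the submission is cancelled in-flight.
Outcome runSubmission(bool destroyFrameFirst) {
    Outcome outcome = Outcome::NotFired;
    auto frame = std::make_unique<Frame>();
    scheduleSubmission(*frame, outcome);
    if (destroyFrameFirst) {
        frame.reset();  // ~Frame releases FormState, then fires the pending completion
    } else {
        for (auto& handler : frame->pendingCompletions) handler();
        frame->pendingCompletions.clear();  // delivered; nothing fires at teardown
    }
    return outcome;  // Used when alive, CancelledGracefully when destroyed in flight
}

// Point 3's trap analogue: a weak capture adds no strong reference, so the Frame
// remains the only owner and a trap on use_count() > 1 would not fire.
bool frameIsSoleOwnerAfterScheduling() {
    Outcome ignored = Outcome::NotFired;
    Frame frame;
    scheduleSubmission(frame, ignored);
    return frame.formState.use_count() == 1;
}
```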