[Webkit-unassigned] [Bug 222336] New: WKScriptMessage can race against WKWebView destruction

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Feb 23 16:15:41 PST 2021 

https://bugs.webkit.org/show_bug.cgi?id=222336

            Bug ID: 222336
           Summary: WKScriptMessage can race against WKWebView destruction
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: iPhone / iPad
                OS: iOS 14
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit API
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: joshua.wise at fullstory.com

Created attachment 421367

  --> https://bugs.webkit.org/attachment.cgi?id=421367&action=review

Minimized reproducer for WKScriptMessage _initWithBody / WKWebView release race.

If a `WKWebView` is destroyed while the main thread is processing a `WKScriptMessage` that is sent from the JavaScript to the embedder, then the weak reference to the `WKWebView` as part of `[WKScriptMessage _initWithBody]` can fall apart, with the following stack trace:

* thread #1, queue = 'com.apple.main-thread', stop reason = signal SIGABRT
    frame #0: 0x00000001c6fe21f0 libsystem_kernel.dylib`__abort_with_payload + 8
    frame #1: 0x00000001c6fe69c0 libsystem_kernel.dylib`abort_with_payload_wrapper_internal + 100
    frame #2: 0x00000001c6fe695c libsystem_kernel.dylib`abort_with_reason + 28
    frame #3: 0x00000001af7ca4cc libobjc.A.dylib`_objc_fatalv(unsigned long long, unsigned long long, char const*, char*) + 104
    frame #4: 0x00000001af7ca464 libobjc.A.dylib`_objc_fatal(char const*, ...) + 28
    frame #5: 0x00000001af7c61ec libobjc.A.dylib`weak_register_no_lock + 344
    frame #6: 0x00000001af7c7ff0 libobjc.A.dylib`objc_storeWeak + 348
    frame #7: 0x00000001a72d3ed4 WebKit`-[WKScriptMessage _initWithBody:webView:frameInfo:name:world:] + 136
    frame #8: 0x00000001a72de3fc WebKit`ScriptMessageHandlerDelegate::didPostMessage(WebKit::WebPageProxy&, WebKit::FrameInfoData&&, API::ContentWorld&, WebCore::SerializedScriptValue&) + 204
    frame #9: 0x00000001a74cbeb8 WebKit`WebKit::WebUserContentControllerProxy::didPostMessage(WTF::ObjectIdentifier<WebKit::WebPageProxyIdentifierType>, WebKit::FrameInfoData&&, unsigned long long, IPC::DataReference const&, WTF::CompletionHandler<void (IPC::DataReference const&, WTF::String const&)>&&) + 556
    frame #10: 0x00000001a76f07c8 WebKit`void IPC::handleMessageAsync<Messages::WebUserContentControllerProxy::DidPostMessage, WebKit::WebUserContentControllerProxy, void (WebKit::WebUserContentControllerProxy::*)(WTF::ObjectIdentifier<WebKit::WebPageProxyIdentifierType>, WebKit::FrameInfoData&&, unsigned long long, IPC::DataReference const&, WTF::CompletionHandler<void (IPC::DataReference const&, WTF::String const&)>&&)>(IPC::Connection&, IPC::Decoder&, WebKit::WebUserContentControllerProxy*, void (WebKit::WebUserContentControllerProxy::*)(WTF::ObjectIdentifier<WebKit::WebPageProxyIdentifierType>, WebKit::FrameInfoData&&, unsigned long long, IPC::DataReference const&, WTF::CompletionHandler<void (IPC::DataReference const&, WTF::String const&)>&&)) + 3232
    frame #11: 0x00000001a76efb14 WebKit`WebKit::WebUserContentControllerProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&) + 76
    frame #12: 0x00000001a70e666c WebKit`IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) + 116
    frame #13: 0x00000001a73f4584 WebKit`WebKit::WebProcessProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&) + 36
    frame #14: 0x00000001a70ca218 WebKit`IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) + 596
    frame #15: 0x00000001a70c9b5c WebKit`IPC::Connection::dispatchIncomingMessages() + 492
    frame #16: 0x00000001a4f38bcc JavaScriptCore`WTF::RunLoop::performWork() + 528
    frame #17: 0x00000001a4f39718 JavaScriptCore`WTF::RunLoop::performWork(void*) + 32
    frame #18: 0x000000019b3a4bf0 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 24

It is generally considered to be bad etiquette in the UIKit world to call a function on a UIView without being on the main thread.  However, I would argue that this is something of an exception: in this case, `[WKWebView release]` is the function that races, which means that not only is it unsafe to call a method on a WKWebView, but it's unsafe even to hold a strong reference to a WKWebView (or to an object that holds a strong reference to a WKWebView deep in its hierarchy!) and do nothing with it.  This probably should be something that is safe to do.

Attached is a minimized reproducer for this crash.  On my iPod Touch (7th Generation), it crashes in about 5 to 10 seconds.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20210224/3eca4ec0/attachment.htm>

More information about the webkit-unassigned mailing list