[Webkit-unassigned] [Bug 222336] WKScriptMessage can race against WKWebView destruction
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Wed Mar 17 07:32:06 PDT 2021
https://bugs.webkit.org/show_bug.cgi?id=222336
--- Comment #5 from Chris Dumez <cdumez at apple.com> ---
(In reply to Joshua Wise from comment #4)
> Hi Chris --
>
> In general, I agree with you: the UIKit API (and the WKWebView API)
> shouldn't be called off the main thread. I think that `release`ing -- and,
> by extension, `dealloc`ing -- a WKWebView needs to be a special exception to
> this rule, though. It is very difficult to avoid accidentally causing a
> `[WKWebView dealloc]` off of the main thread: although in this minimal
> reproducer case, a `WKWebView` is directly held off the main thread,
> consider the case in which another object deeply holds a strong reference to
> a `WKWebView`, and another thread happens to hold a strong reference to this
> object.
>
> It seems like an exceptionally non-obvious pitfall that this can go wrong,
> along three axes of surprise for a programmer:
>
> 1) There is no textual representation in the source that a disallowed use of
> `WKWebView` will occur: even if a block does not directly make mention of a
> `WKWebView`, the failure can occur. (Phrased another way, it would be
> expected that it is unsafe to use a `WKWebView` -- but it's not expected
> that it's unsafe to even "think about" a `WKWebView`.)
>
> 2) Although this is disallowed behavior for other `UIKit` APIs (and objects
> that derive from `UIView`), in practice, deallocation from off the main
> thread does not seem to fail for other `UIKit` APIs. (This is, admittedly,
> weak justification. But programmers are, if nothing else, pattern
> recognition machines...)
>
> 3) There is a violation of an otherwise-reasonable assumption in a
> programmer's mental model that ARC-managed objects should be, in general,
> responsible for avoiding wild pointers (i.e., that an ARC-managed object, if
> it needs to have a longer retain lifecycle than a local scope allows, should
> be managed by the holder of that pointer).
>
> Although `WKWebView` is technically *allowed* to fail in this fashion by its
> specification, it is probably not a good idea for it to do so
> nondeterministically: it should either be tolerant of this misuse, or
> reliably crash or emit a diagnostic on this misuse [1].
>
> Technically, it is probably not a bug, if the defect metric is "does
> WKWebView correctly implement the specification". But if the question is
> "does WKWebView present an interface that avoids footguns", I would probably
> classify this as a defect.
>
> Thanks for your consideration --
> joshua
>
> [1] One way that `WKWebView` could emit a diagnostic is particularly
> unpleasant: it could implement `[WKWebView release]` on its own (eventually
> calling into `[NSObject release]`), and call into the particularly-reviled
> `[self retainCount]` to determine whether the system is about to deallocate
> the object. If it is, and the `release` operation is happening off the main
> thread -- i.e., `[self retainCount] == 1 && ![NSThread isMainThread]` --
> then WKWebView could subsequently assert, or minimally, emit a warning.
>
> This relies on additional undefined and unpleasant behavior -- `[NSObject
> retainCount]` is specified to be unspecified. But not only does it *happen*
> to work for this application, examination of the Objective-C runtime reveals
> that it *will* work for this application, too. Tests of this by swizzling
> `[WKWebView release]` reliably catch this behavior in user applications.
> (Astute observers may note that this cannot be 100% reliable, and that there
> is another -- smaller -- race condition here. That's true, but the
> diagnostic now occurs when we 'win' the race, not when we 'lose', and as a
> best-effort method to help users avoid API misuse, that's probably good
> enough.)
>
> All that said, doing that is not pleasant. It may just be better to make
> WKWebView tolerant of this misuse :-)
Deallocating a WKWebView (and other WK API objects) on a non-main thread was made safe very recently via Bug 223013.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20210317/10be6d47/attachment-0001.htm>
More information about the webkit-unassigned
mailing list