[Webkit-unassigned] [Bug 222336] WKScriptMessage can race against WKWebView destruction

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Mar 17 10:34:44 PDT 2021


https://bugs.webkit.org/show_bug.cgi?id=222336

--- Comment #6 from Joshua Wise <joshua.wise at fullstory.com> ---
Hi Chris --

*Very* interesting!

Although I don't have an environment to test this locally, I strongly suspect that if you run this reproducer against a WebKit that has been patched with Bug 223013, you will discover that the crash still occurs. When I tried the thing I mentioned in [1] in comment #4 below, I initially implemented this as a swizzle on `[WKWebView dealloc]` that teleported the `dealloc` to the main thread (much as Bug 223013 does), rather than `[WKWebView release]`, and I found that I would still crash inside of `weak_register_no_lock`.

The reason why is that deallocation of an ARC or MRC managed object actually happens in two phases in Objective-C (much to my consternation...).  The base implementation of `[NSObject release]` is implemented as the C++ function `objc_object::rootRelease`: https://github.com/opensource-apple/objc4/blob/cd5e62a5597ea7a31dccef089317abb3a661c154/runtime/objc-object.h#L567 .  But, as you note in the linked line, just *before* it calls into `[self dealloc]`, it sets a flag in the object's internal state, `deallocating`!

Unfortunately, the core implementation of a weak pointer store -- weak_register_no_lock -- checks for this `deallocating` flag as set by `release`, not as set by `dealloc`: https://github.com/opensource-apple/objc4/blob/master/runtime/objc-weak.mm#L402

So teleporting `dealloc` to the main thread is not sufficient, and instead we need to teleport `release`.

I will make reference to this in Bug 223013 too.

Thanks,
joshua
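The two-phase teardown the comment describes, as an added example that is not code from this bug thread, from WebKit, or from the objc4 sources it links. It shows that the `deallocating` bit is already set when `-dealloc` runs (so a weak store made there is refused, which is the condition `weak_register_no_lock` fatals on), that a weak store made inside `-release` before calling `super` is still accepted, and the mitigation the comment concludes with: moving the final `-release`, not just `-dealloc`, onto the main thread. The class `Probe`, the helpers, and the background-thread hand-off are constructed for the demo. `objc_storeWeakOrNil` is assumed to be the non-crashing sibling of `objc_storeWeak` that libobjc exports; it is not in a public header, so the prototype is declared by hand.

```objectivec
// Build with manual reference counting so that -release can be overridden:
//   clang -fno-objc-arc -framework Foundation two_phase.m -o two_phase
#import <Foundation/Foundation.h>
#import <objc/runtime.h>

// Assumption: exported by libobjc (non-public header). Unlike objc_storeWeak,
// it returns nil instead of calling _objc_fatal when the target is already
// deallocating, which lets this demo run to completion.
extern id objc_storeWeakOrNil(id *location, id obj);

static const char *ThreadName(void) {
    return [NSThread isMainThread] ? "main" : "background";
}

// Ask the runtime to register a weak reference to obj and report whether it
// accepted. The slot is destroyed again right away so no weak registration is
// left pointing at a dead stack address.
static BOOL WeakStoreAccepted(id obj) {
    id slot = nil;
    BOOL ok = objc_storeWeakOrNil(&slot, obj) != nil;
    objc_destroyWeak(&slot);
    return ok;
}

@interface Probe : NSObject
@end

@implementation Probe

// Phase 1. The object is not marked yet, so a weak store is still accepted.
// A -release arriving on a background thread is forwarded to the main thread
// before [super release] (objc_object::rootRelease) can set `deallocating`
// and send -dealloc.
- (oneway void)release {
    NSLog(@"-release on %s thread: weak store %s", ThreadName(),
          WeakStoreAccepted(self) ? "accepted" : "refused");
    if ([NSThread isMainThread]) {
        [super release];
        return;
    }
    // Copying the block retains self under MRC; when GCD frees the block on
    // the main thread, that retain is released through this same method, so
    // every decrement, including the final one, happens on the main thread.
    dispatch_async(dispatch_get_main_queue(), ^{ [super release]; });
}

// Phase 2. rootRelease has already set `deallocating`, so the weak table
// refuses the object. The crashing objc_storeWeak would abort here with
// "Cannot form weak reference to instance ... in the process of deallocation".
- (void)dealloc {
    NSLog(@"-dealloc on %s thread: weak store %s", ThreadName(),
          WeakStoreAccepted(self) ? "accepted" : "refused");
    [super dealloc];
}
@end

int main(void) {
    // __block keeps the outer block from retaining p on copy, so the
    // background thread really does hold the last reference.
    __block Probe *p = [[Probe alloc] init];
    dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{
        [p release];   // final release, issued off the main thread
        // Main queue is FIFO: the forwarded release (and its re-entrant
        // follow-up) is already queued ahead of this exit.
        dispatch_async(dispatch_get_main_queue(), ^{ exit(0); });
    });
    dispatch_main();   // services the main queue; never returns
}
```

Run it and the log shows `-release` accepted on the background thread, accepted again on the main thread, and then `-dealloc` on the main thread with the weak store refused. Swapping the override to `-dealloc` alone would still log "refused" there, which is the point the comment makes: anything that forms a weak reference to the object during its final `-release` must itself be on the main thread, so the hop has to happen in `-release`.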
