[Webkit-unassigned] [Bug 222336] WKScriptMessage can race against WKWebView destruction
bugzilla-daemon at webkit.org
Wed Mar 17 10:34:44 PDT 2021
https://bugs.webkit.org/show_bug.cgi?id=222336
--- Comment #6 from Joshua Wise <joshua.wise at fullstory.com> ---
Hi Chris --
*Very* interesting!
Although I don't have an environment to test this locally, I strongly suspect that if you run this reproducer against a WebKit that has been patched with Bug 223013, you will discover that the crash still occurs. When I tried the thing I mentioned in [1] in comment #4 below, I initially implemented this as a swizzle on `[WKWebView dealloc]` that teleported the `dealloc` to the main thread (much as Bug 223013 does), rather than `[WKWebView release]`, and I found that I would still crash inside of `weak_register_no_lock`.
The reason why is that deallocation of an ARC or MRC managed object actually happens in two phases in Objective-C (much to my consternation...). The base implementation of `[NSObject release]` is implemented as the C++ function `objc_object::rootRelease`: https://github.com/opensource-apple/objc4/blob/cd5e62a5597ea7a31dccef089317abb3a661c154/runtime/objc-object.h#L567 . But, as you note in the linked line, just *before* it calls into `[self dealloc]`, it sets a flag in the object's internal state, `deallocating`!
Unfortunately, the core implementation of a weak pointer store -- weak_register_no_lock -- checks for this `deallocating` flag as set by `release`, not as set by `dealloc`: https://github.com/opensource-apple/objc4/blob/master/runtime/objc-weak.mm#L402
So teleporting `dealloc` to the main thread is not sufficient, and instead we need to teleport `release`.
I will make reference to this in Bug 223013 too.
Thanks,
joshua
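Added example, not part of this thread, not WebKit's code and not the patch in Bug 223013: a small Objective-C program that models the two-phase deallocation described in the comment above. `Widget` (a stand-in for WKWebView), `swizzle`, `hopToMain`, `gGone` and the semaphore are hypothetical names chosen for the demo; the runtime entry points it relies on (`class_replaceMethod`, `objc_storeWeak`, `-[NSObject release]`/`-[NSObject dealloc]`) are the real ones. The semaphore makes the race deterministic instead of timing-dependent: the main thread is held until the swizzled method has fired on the background thread, and only then attempts the weak store that WKScriptMessage would perform.

```objc
// race.m: why hopping -dealloc to the main thread is too late, but hopping -release is not.
// Build without ARC so -release can be swizzled and sent directly:
//   clang -fno-objc-arc -framework Foundation -o race race.m
// Run:  ./race dealloc   -> aborts in weak_register_no_lock ("Cannot form weak reference ...")
//       ./race release   -> the weak store succeeds and -dealloc runs on the main thread
#import <Foundation/Foundation.h>
#import <objc/runtime.h>
#include <stdlib.h>
#include <string.h>

// Hypothetical stand-in for WKWebView; nothing here is WebKit's.
@interface Widget : NSObject
@end

static BOOL gGone = NO;                  // set by -dealloc; read only on the main thread
static dispatch_semaphore_t gHookFired;  // signalled once the swizzled method ran off the main thread

@implementation Widget
- (void)dealloc {
    NSLog(@"-[Widget dealloc] on %@ thread", [NSThread isMainThread] ? @"main" : @"background");
    gGone = YES;
    [super dealloc];
}
@end

static IMP gOrigRelease, gOrigDealloc;

// Install `imp` for `sel` on `cls` (adding an override when the method is inherited,
// e.g. -release from NSObject) and return the implementation that was in effect before.
static IMP swizzle(Class cls, SEL sel, IMP imp) {
    Method m = class_getInstanceMethod(cls, sel);
    IMP orig = method_getImplementation(m);
    class_replaceMethod(cls, sel, imp, method_getTypeEncoding(m));
    return orig;
}

// Forward the original implementation to the main thread. `raw` is a plain pointer on
// purpose: the block must not retain/release the object, or it would re-enter these hooks.
static void hopToMain(IMP orig, id self, SEL _cmd) {
    void *raw = self;
    if ([NSThread isMainThread]) {
        ((void (*)(id, SEL))orig)(self, _cmd);
        return;
    }
    dispatch_async(dispatch_get_main_queue(), ^{ ((void (*)(id, SEL))orig)((id)raw, _cmd); });
    dispatch_semaphore_signal(gHookFired);  // now let the main thread race us
}

// Hooking -release: objc_object::rootRelease (which sets `deallocating`) has NOT run yet.
static void hoppedRelease(id self, SEL _cmd) { hopToMain(gOrigRelease, self, _cmd); }
// Hooking -dealloc: rootRelease already ran on the background thread and set `deallocating`.
static void hoppedDealloc(id self, SEL _cmd) { hopToMain(gOrigDealloc, self, _cmd); }

int main(int argc, char **argv) {
    BOOL hookRelease = argc > 1 && strcmp(argv[1], "release") == 0;
    gHookFired = dispatch_semaphore_create(0);
    if (hookRelease)
        gOrigRelease = swizzle([Widget class], sel_registerName("release"), (IMP)hoppedRelease);
    else
        gOrigDealloc = swizzle([Widget class], sel_registerName("dealloc"), (IMP)hoppedDealloc);

    Widget *owned = [[Widget alloc] init];  // the single strong reference, dropped off the main thread
    void *raw = owned;                      // what main-thread code holds: an unretained pointer
    static id weakSlot = nil;               // where WKScriptMessage would store its weak WKWebView

    dispatch_async(dispatch_get_global_queue(QOS_CLASS_DEFAULT, 0), ^{
        [(id)raw release];                  // final release on a background thread
    });
    dispatch_async(dispatch_get_main_queue(), ^{
        dispatch_semaphore_wait(gHookFired, DISPATCH_TIME_FOREVER);
        if (!gGone) {
            // dealloc hook: `deallocating` is set, so weak_register_no_lock calls _objc_fatal here.
            // release hook: rootRelease has not run, so the weak reference is formed normally.
            objc_storeWeak(&weakSlot, (id)raw);
            NSLog(@"weak store succeeded, slot=%p", weakSlot);
            objc_storeWeak(&weakSlot, nil);
        }
        dispatch_async(dispatch_get_main_queue(), ^{ exit(0); });  // runs after the hopped call
    });
    dispatch_main();
}
```

In the `release` mode the main-queue block that carries the original `-release` is already queued behind the weak store, so the store, the release and the `-dealloc` are serialized on one thread; in the `dealloc` mode the `deallocating` bit was set on the background thread before anything reached the main queue, which is exactly the state `weak_register_no_lock` refuses. The same applies to any other main-thread code that checks "is the view still alive?" before touching it: only a hook on `-release` keeps that check and the refcount drop on the same thread.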