Bug 112334

Summary: Reset all clients on WebPage close
Product: WebKit Reporter: Xan Lopez <xan.lopez>
Component: WebKit2Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: alex, andersca, benjamin, cgarcia, commit-queue, sam, svillar, xan.lopez
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
0001-Reset-all-clients-on-WebPage-close.patch none

Xan Lopez
Reported 2013-03-14 02:30:02 PDT
There's a small chance that someone will call one of the clients WebPage holds when the page has already been destructed, since the pointers are valid after ::close(). This won't work and will (at least in the GTK+ port) cause a bunch of warnings. To avoid this situation just reset all clients to null, like the WebPageProxy class does.
Attachments
0001-Reset-all-clients-on-WebPage-close.patch (2.44 KB, patch)
2013-03-14 02:32 PDT, Xan Lopez 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Xan Lopez
Comment 1 2013-03-14 02:32:08 PDT
Created attachment 193094 [details] 0001-Reset-all-clients-on-WebPage-close.patch
Xan Lopez
Comment 2 2013-04-19 02:35:29 PDT
Ping about this?
Sergio Villar Senin
Comment 3 2013-05-06 01:09:44 PDT
*** Bug 115509 has been marked as a duplicate of this bug. ***
Sergio Villar Senin
Comment 4 2013-05-23 03:55:25 PDT
(In reply to comment #0) > There's a small chance that someone will call one of the clients WebPage holds when the page has already been destructed, since the pointers are valid after ::close(). This won't work and will (at least in the GTK+ port) cause a bunch of warnings. To avoid this situation just reset all clients to null, like the WebPageProxy class does. Actually there is not only a small chance but I found an scenario where not reseting the clients causes a crash 100% of the times. So imagine that a webpage has some javascript that executes a XmlHttpRequest in the onunload() event handler. The ::close() method of the WebPage calls injectedBundle->willDestroyPage(). That will likely be used by the WKBundlePageResourceLoadClients to free their resources, including the clientInfo they have passed to the WKBundlePageSetResourceLoadClient. In the same ::close() method, we find a call to m_mainFrame->coreFrame()->loader()->detachFromParent() which will trigger the execution of the XMLHttpRequest, which will issue a willSendRequest among other notifications. As the client is still set, the method will be called but it will likely try to use client's already freed resources leading to crashes. So yeah I big +1 for this change :)
Xan Lopez
Comment 5 2013-05-23 04:52:28 PDT
If it's possible to make a layout test for this crasher I bet this patch would land a lot faster ;)
Alejandro G. Castro
Comment 6 2013-05-27 00:54:03 PDT
Fixes the issue for me, it was easy to reproduce just closing a tab while loading. We should add this to the release today.
Xan Lopez
Comment 7 2013-05-27 08:20:07 PDT
Comment on attachment 193094 [details] 0001-Reset-all-clients-on-WebPage-close.patch Thanks. Let's see if cq can still land it.
WebKit Commit Bot
Comment 8 2013-05-27 08:42:45 PDT
Comment on attachment 193094 [details] 0001-Reset-all-clients-on-WebPage-close.patch Clearing flags on attachment: 193094 Committed r150758: <http://trac.webkit.org/changeset/150758>
WebKit Commit Bot
Comment 9 2013-05-27 08:42:48 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.