Bug 137770

Summary: Various crashes in ViewGestureControllerIOS when closing a tab while a swipe gesture is in progress
Product: WebKit Reporter: Tim Horton <thorton>
Component: WebKit2Assignee: Tim Horton <thorton>
Status: RESOLVED FIXED    
Severity: Normal CC: andersca, commit-queue, mitz, sam, simon.fraser
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
patch mitz: review+

Tim Horton
Reported 2014-10-15 22:42:34 PDT
A multitude of crashes are possible here: 1. We can attempt to access a deleted ViewGestureController from inside a CA callback. 2. We can attempt to access a deleted WebBackForwardListItem from inside a CA callback. 3. We can attempt to dereference a null DrawingArea from a page that's on its way down. 4. UIKit can become fairly unhappy with dangling '_UINavigationInteractiveTransitionBase's. Let's fix these things. <rdar://problem/17916459>
Attachments
patch (10.71 KB, patch)
2014-10-16 00:07 PDT, Tim Horton 		mitz: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Tim Horton
Comment 1 2014-10-16 00:07:17 PDT
Created attachment 239935 [details] patch
WebKit Commit Bot
Comment 2 2014-10-16 00:08:32 PDT
Attachment 239935 [details] did not pass style-queue: ERROR: Source/WebKit2/UIProcess/ios/ViewGestureControllerIOS.mm:241: Place brace on its own line for function definitions. [whitespace/braces] [4] ERROR: Source/WebKit2/UIProcess/ios/ViewGestureControllerIOS.mm:246: Place brace on its own line for function definitions. [whitespace/braces] [4] ERROR: Source/WebKit2/UIProcess/mac/ViewGestureController.h:43: _UIViewControllerOneToOneTransitionContext is incorrectly named. Don't use underscores in your identifier names. [readability/naming/underscores] [4] ERROR: Source/WebKit2/UIProcess/mac/ViewGestureController.h:44: _UIViewControllerTransitionContext is incorrectly named. Don't use underscores in your identifier names. [readability/naming/underscores] [4] Total errors found: 4 in 3 files If any of these errors are false positives, please file a bug against check-webkit-style.
mitz
Comment 3 2014-10-16 08:40:48 PDT
Comment on attachment 239935 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=239935&action=review > Source/WebKit2/UIProcess/ios/ViewGestureControllerIOS.mm:97 > + _backTransitionController = nullptr; > + _forwardTransitionController = nullptr; Isn’t nil more appropriate for these, since the underlying type is an id? I’m not convinced that we should clear these. Doing so doesn’t really guarantee anything except that if -directionForTransition: were to be called it would return the wrong answer.
Simon Fraser (smfr)
Comment 4 2014-10-16 08:43:03 PDT
Comment on attachment 239935 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=239935&action=review > Source/WebKit2/ChangeLog:9 > + Reviewed by NOBODY (OOPS!). > + > + * UIProcess/ios/ViewGestureControllerIOS.mm: I would like to read a summary of the issue and how you fixed it here.
Tim Horton
Comment 5 2014-10-16 11:25:47 PDT
(In reply to comment #3) > Comment on attachment 239935 [details] > patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=239935&action=review > > > Source/WebKit2/UIProcess/ios/ViewGestureControllerIOS.mm:97 > > + _backTransitionController = nullptr; > > + _forwardTransitionController = nullptr; > > Isn’t nil more appropriate for these, since the underlying type is an id? > > I’m not convinced that we should clear these. Doing so doesn’t really > guarantee anything except that if -directionForTransition: were to be called > it would return the wrong answer. A valid point. This wasn't the key to the crash in the end, so I guess there's no point. We agree that the ViewGestureController pointer should be cleared, though? (In reply to comment #4) > Comment on attachment 239935 [details] > patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=239935&action=review > > > Source/WebKit2/ChangeLog:9 > > + Reviewed by NOBODY (OOPS!). > > + > > + * UIProcess/ios/ViewGestureControllerIOS.mm: > > I would like to read a summary of the issue and how you fixed it here. There are four issues and four fixes, they're detailed individually below :D "this avoids"x3 + "null-check". But I will add a summary of some sort.
Tim Horton
Comment 6 2014-10-16 12:54:02 PDT
http://trac.webkit.org/changeset/174788
Note You need to log in before you can comment on or make changes to this bug.