Bug 185877

Summary:

Avoid keeping FormState alive longer than necessary

Product:

WebKit

Reporter:

Brent Fulgham <bfulgham>

Component:

WebCore Misc.

Assignee:

Brent Fulgham <bfulgham>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

cdumez, commit-queue, dbates, ews-watchlist, japhet, realdawei, rniwa

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

Bug Depends on:

185895

Bug Blocks:

Attachments:

Description	Flags
Patch	none
Patch	none
Patch for landing	none
Patch for landing	none
Patch	none
Patch	none
Patch for landing	none

Brent Fulgham

Reported 2018-05-22 12:25:45 PDT

A number of crash fixes were done to prevent FormState objects from being accessed after their relevant Frames had been destroyed. Unfortunately, this could cause the FormState to persist after the owning Frame had been destroyed, resulting in nullptr dereferences. This patch does the following: 1. Changes to use WeakPtr's for FormState objects passed to completion handlers, rather than RetainPtr, since those completion handlers might fire as part of the clean-up process during Frame destruction. This allows us to use the FormState if they are still valid, but gracefully handle cases where a form submission is cancelled in-flight. 2. Removes some extraneous WTFMove() calls being made on bare FormState pointers. 3. Changes the trap from Bug 183704 so that it only fires if the FormState object is being retained more than once.

Attachments
Patch (22.37 KB, patch) 2018-05-22 12:31 PDT, Brent Fulgham	no flags	Details Formatted Diff Diff
Patch (22.84 KB, patch) 2018-05-22 13:44 PDT, Brent Fulgham	no flags	Details Formatted Diff Diff
Patch for landing (22.83 KB, patch) 2018-05-22 14:03 PDT, Brent Fulgham	no flags	Details Formatted Diff Diff
Patch for landing (22.82 KB, patch) 2018-05-22 14:16 PDT, Brent Fulgham	no flags	Details Formatted Diff Diff
Patch (21.32 KB, patch) 2018-05-22 21:54 PDT, Brent Fulgham	no flags	Details Formatted Diff Diff
Patch (42.74 KB, patch) 2018-05-23 20:36 PDT, Brent Fulgham	no flags	Details Formatted Diff Diff
Patch for landing (42.74 KB, patch) 2018-05-23 21:44 PDT, Brent Fulgham	no flags	Details Formatted Diff Diff
Show Obsolete (6) View All Add attachment proposed patch, testcase, etc.

Brent Fulgham

Comment 1 2018-05-22 12:26:35 PDT

<rdar://problem/39329219>

Brent Fulgham

Comment 2 2018-05-22 12:31:31 PDT

Created attachment 341006 [details] Patch

Brent Fulgham

Comment 3 2018-05-22 13:44:19 PDT

Created attachment 341013 [details] Patch

Ryosuke Niwa

Comment 4 2018-05-22 13:45:00 PDT

Comment on attachment 341006 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=341006&action=review > Source/WebCore/ChangeLog:17 > + rather than RetainPtr, since those completion handlers might fire as part of You mean RefPtr. RetainPtr is for objective-C.

Brent Fulgham

Comment 5 2018-05-22 14:03:15 PDT

Created attachment 341019 [details] Patch for landing

Brent Fulgham

Comment 6 2018-05-22 14:16:12 PDT

Created attachment 341023 [details] Patch for landing

WebKit Commit Bot

Comment 7 2018-05-22 15:01:40 PDT

Comment on attachment 341023 [details] Patch for landing Clearing flags on attachment: 341023 Committed r232081: <https://trac.webkit.org/changeset/232081>

WebKit Commit Bot

Comment 8 2018-05-22 15:01:42 PDT

All reviewed patches have been landed. Closing bug.

Dawei Fenton (:realdawei)

Comment 9 2018-05-22 16:47:47 PDT

I've observed 2 API test failures after this patch was landed. https://build.webkit.org/builders/Apple%20High%20Sierra%20Release%20WK1%20%28Tests%29/builds/5530/steps/run-api-tests/logs/stdio Failed TestWebKitAPI.WebKit.FormSubmission /Volumes/Data/slave/highsierra-release/build/Tools/TestWebKitAPI/Tests/WebKitCocoa/_WKInputDelegate.mm:53 Value of: willSubmitFormValuesCalled Actual: false Expected: true Timeout TestWebKitAPI.WebKit.DuplicateCompletionHandlerCalls

Chris Dumez

Comment 10 2018-05-22 16:57:25 PDT

Comment on attachment 341023 [details] Patch for landing View in context: https://bugs.webkit.org/attachment.cgi?id=341023&action=review > Source/WebCore/loader/PolicyChecker.cpp:171 > + m_frame.loader().client().dispatchDecidePolicyForNavigationAction(action, request, didReceiveRedirectResponse, formState, policyDecisionMode, [this, function = WTFMove(function), request = ResourceRequest(request), formState = makeWeakPtr(formState), suggestedFilename = WTFMove(suggestedFilename), blobURLLifetimeExtension = WTFMove(blobURLLifetimeExtension)](PolicyAction policyAction) mutable { It seems wrong to be that we could loose the FormState during the async policy decision now. We initiated the navigation with a FormState, but then, after the client tells us to go for it, we may not end up using that FormState.

WebKit Commit Bot

Comment 11 2018-05-22 17:16:19 PDT

Re-opened since this is blocked by bug 185895

Brent Fulgham

Comment 12 2018-05-22 21:54:44 PDT

Created attachment 341070 [details] Patch

Brent Fulgham

Comment 13 2018-05-23 20:36:10 PDT

Created attachment 341166 [details] Patch

Brent Fulgham

Comment 14 2018-05-23 21:44:09 PDT

Created attachment 341170 [details] Patch for landing

WebKit Commit Bot

Comment 15 2018-05-23 22:23:05 PDT

Comment on attachment 341170 [details] Patch for landing Clearing flags on attachment: 341170 Committed r232147: <https://trac.webkit.org/changeset/232147>

WebKit Commit Bot

Comment 16 2018-05-23 22:23:07 PDT

All reviewed patches have been landed. Closing bug.

Note You need to log in before you can comment on or make changes to this bug.