Bug 312296
| Summary: | WebKitTestRunner leaks WKTypeRef out-parameter value from WKBundlePagePostSynchronousMessageForTesting() | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | David Kilzer (:ddkilzer) <ddkilzer> |
| Component: | Tools / Tests | Assignee: | David Kilzer (:ddkilzer) <ddkilzer> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
David Kilzer (:ddkilzer)
Several functions in `InjectedBundle.cpp` leak the retained `WKTypeRef` returned via the out-parameter of `WKBundlePagePostSynchronousMessageForTesting()`. The out-parameter returns a +1 retained object (via `toAPILeakingRef()`), but these callers never adopt or release it.
Two patterns are affected:
1. `shouldForceRepaint()` and `isPrinting()` pass the raw `WKTypeRef` to `booleanValue()` without ever releasing it, leaking an `API::Boolean` object (visible as `WKNSNumber` in leak reports).
2. `getBackgroundFetchIdentifier()`, `lastAddedBackgroundFetchIdentifier()`, `lastRemovedBackgroundFetchIdentifier()`, `lastUpdatedBackgroundFetchIdentifier()`, and `backgroundFetchState()` return `static_cast<WKStringRef>(result)` into a `WKRetainPtr<WKStringRef>`. The `WKRetainPtr` constructor retains the pointer again without adopting the existing +1, so the original ownership is never balanced.
Other callers in the same file (`shouldProcessWorkQueue()`, `isGeolocationClientActive()`, `imageCountInGeneralPasteboard()`, `userMediaPermissionRequestCount()`) already use `adoptWK(result).get()` correctly.
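
The two leak patterns and the adopting fix described in the report above, as an added example that is not part of the original bug report or of WebKit's code. It is a simplified C++ model: `Obj`, `postSyncMessage()`, `RetainPtr`, `RetainPtr::adopt()` and the live-object counter are hypothetical stand-ins for the WK types and functions named in the report.

```cpp
#include <cstdio>

// Hypothetical stand-ins, not WebKit types: a manually refcounted object plus
// a live-object counter so an unbalanced reference is observable.
static int g_live = 0;
struct Obj {
    int refs = 1;          // created at +1, like the out-parameter result
    bool value = true;
    Obj() { ++g_live; }
};
static void retain(Obj* o) { ++o->refs; }
static void release(Obj* o) { if (--o->refs == 0) { --g_live; delete o; } }

// Models an API that hands the caller a +1 reference via an out-parameter.
static void postSyncMessage(Obj** out) { *out = new Obj(); }

// Models a retaining smart pointer: the constructor takes its own reference,
// adopt() takes over the reference the caller already owns.
class RetainPtr {
public:
    explicit RetainPtr(Obj* o) : m_ptr(o) { if (m_ptr) retain(m_ptr); }
    RetainPtr(RetainPtr&& other) noexcept : m_ptr(other.m_ptr) { other.m_ptr = nullptr; }
    RetainPtr(const RetainPtr&) = delete;
    ~RetainPtr() { if (m_ptr) release(m_ptr); }
    static RetainPtr adopt(Obj* o) { RetainPtr p(nullptr); p.m_ptr = o; return p; }
    Obj* get() const { return m_ptr; }
private:
    Obj* m_ptr;
};

enum class Pattern { RawRead, RetainingCtor, Adopt };

// Runs one caller pattern and returns how many objects it left alive.
static int leakedObjects(Pattern p) {
    int before = g_live;
    Obj* result = nullptr;
    postSyncMessage(&result);
    bool v = false;
    if (p == Pattern::RawRead) v = result->value;                        // +1 never released
    if (p == Pattern::RetainingCtor) v = RetainPtr(result).get()->value; // +2, then -1
    if (p == Pattern::Adopt) v = RetainPtr::adopt(result).get()->value;  // +1, then -1
    (void)v;
    return g_live - before;
}

int main() {
    std::printf("raw=%d ctor=%d adopt=%d\n", leakedObjects(Pattern::RawRead),
                leakedObjects(Pattern::RetainingCtor), leakedObjects(Pattern::Adopt));
}
```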
Radar WebKit Bug Importer
<rdar://problem/174764247>
David Kilzer (:ddkilzer)
Pull request: https://github.com/WebKit/WebKit/pull/62757
EWS
Committed 311347@main (112967a3c973): <https://commits.webkit.org/311347@main>
Reviewed commits have been landed. Closing PR #62757 and removing active labels.