When a tab is closed, WebProcess goes away, but NetworkProcess will still sometimes attempt to send messages to it if there were outstanding loads. NetworkResourceLoader and NetworkConnectionToWebProcess both have m_connection that is zeroed on connection close, and that causes null pointer crashes in IPC machinery. This is easy to reproduce on sites that use long-standing connections, like gmail. <rdar://problem/12870065>
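The lifetime pattern the description refers to, as an added stand-alone model that is not WebKit's code: Connection, Loader, lateDataAfterTabClose and the std::shared_ptr stand-in for RefPtr are all assumptions made for this example. It replays a load that is still in flight when the tab's connection closes, once with the handler that nulls m_connection and once with a handler that keeps the reference so the closed connection can drop the late message itself.

```cpp
#include <cstdio>
#include <memory>
#include <string>
#include <vector>

// Toy model of a process-to-process IPC connection. Not WebKit code: the real
// Connection, RefPtr and NetworkResourceLoader are modelled with std::shared_ptr
// and a few fields so the lifetime bug can be run stand-alone.
class Connection {
public:
    std::vector<std::string> delivered;  // messages the peer actually received
    int dropped = 0;                     // messages sent after the peer went away

    bool isOpen() const { return m_open; }
    void close() { m_open = false; }     // peer process (the closed tab) is gone

    // A closed connection is still a valid object: sends are dropped, not crashed on.
    bool send(const std::string& message) {
        if (!m_open) {
            ++dropped;
            return false;
        }
        delivered.push_back(message);
        return true;
    }

private:
    bool m_open = true;
};

// One outstanding load that reports back over the connection, as the network
// process does for each resource a tab requested.
class Loader {
public:
    explicit Loader(std::shared_ptr<Connection> connection)
        : m_connection(std::move(connection)) {}

    // Buggy pattern from the description: forget the connection when it closes.
    void connectionClosedBuggy() { m_connection = nullptr; }

    // Fixed pattern: keep holding the (now closed) connection until the loader
    // dies; the connection object itself knows it is closed and drops the message.
    void connectionClosedFixed() {}

    // Outcome of trying to send a chunk: 1 delivered, 0 dropped cleanly,
    // -1 the code would have dereferenced a null connection (the crash).
    int didReceiveData(const std::string& chunk) {
        if (!m_connection)
            return -1;  // the real code has no such check and crashes inside IPC
        return m_connection->send(chunk) ? 1 : 0;
    }

private:
    std::shared_ptr<Connection> m_connection;
};

// Replays the scenario: a load is in flight, the tab is closed (its connection
// goes away), then more data arrives for that load. Returns the didReceiveData code.
int lateDataAfterTabClose(bool useBuggyHandler) {
    auto connection = std::make_shared<Connection>();
    Loader loader(connection);
    loader.didReceiveData("first chunk");  // delivered while the tab is alive

    connection->close();
    if (useBuggyHandler)
        loader.connectionClosedBuggy();
    else
        loader.connectionClosedFixed();

    return loader.didReceiveData("late chunk");
}

// Control case: data arriving while the tab is still open is delivered.
int deliveredBeforeClose() {
    auto connection = std::make_shared<Connection>();
    Loader loader(connection);
    return loader.didReceiveData("chunk");
}

int main() {
    std::printf("buggy handler: %d, fixed handler: %d, open connection: %d\n",
                lateDataAfterTabClose(true), lateDataAfterTabClose(false),
                deliveredBeforeClose());
    return 0;
}
```

The point of the fixed variant is that the reference is what keeps the connection object alive for the loader's remaining lifetime; whether the peer is still there is the connection's own state, so a late send becomes a dropped message rather than a dereference of a cleared pointer.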
Created attachment 179283: proposed patch
Comment on attachment 179283: proposed patch
View in context: https://bugs.webkit.org/attachment.cgi?id=179283&action=review

> Source/WebKit2/NetworkProcess/NetworkResourceLoader.cpp:-147
> -        m_connection->unregisterObserver(this);

Why arbitrarily delete this and not have if (RefPtr<blah> connection = m_connection) connection->unregisterObserver(this)?

> Source/WebKit2/NetworkProcess/NetworkResourceLoader.cpp:-148
> -        m_connection = 0;

If connection is null this doesn't hurt; does it hurt to explicitly clear m_connection if it is non-null?
Comment on attachment 179283: proposed patch
View in context: https://bugs.webkit.org/attachment.cgi?id=179283&action=review

>> Source/WebKit2/NetworkProcess/NetworkResourceLoader.cpp:-147
>> -        m_connection->unregisterObserver(this);
>
> Why arbitrarily delete this and not have if (RefPtr<blah> connection = m_connection) connection->unregisterObserver(this)?

There is another unregisterObserver call in the destructor; there is no reason to do this twice.

>> Source/WebKit2/NetworkProcess/NetworkResourceLoader.cpp:-148
>> -        m_connection = 0;
>
> If connection is null this doesn't hurt; does it hurt to explicitly clear m_connection if it is non-null?

I'm not sure if I understand the question. m_connection being null is why this crash happens, so it definitely hurts to clear it.
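Review bot: the removal at NetworkResourceLoader.cpp:-148 (`m_connection = 0;`) is the actual fix for the null dereference the description reports, and the removal at -147 is covered by the destructor's unregisterObserver call as the reply says, but nothing at the removal site records that m_connection is now intentionally kept non-null after the connection closes. A short comment there, stating that the loader holds its connection until destruction and that a closed connection must tolerate late sends, would stop a later cleanup from reintroducing the clearing.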
Committed <http://trac.webkit.org/changeset/137610>.