WebKit Bugzilla
Bug 174753 (Status: NEW)
[Mac WK2] Potential null deref in WKView if WebPageProxy callbacks are invalidated in -[WKView dealloc]
https://bugs.webkit.org/show_bug.cgi?id=174753
Reported by Wenson Hsieh, 2017-07-22 02:18:13 PDT
This code in WKView:

    - (void)dealloc
    {
        _data->_impl->page().setIconLoadingClient(nullptr);
        _data->_impl = nullptr;
        [_data release];
        _data = nil;
        [super dealloc];
    }

...seems like it would be susceptible to the same problem described in https://bugs.webkit.org/show_bug.cgi?id=174751. If ~WebViewImpl is called after setting _data->_impl to nullptr and one of the pending callbacks that get invoked when invalidating the callback map calls on WKView to do some work involving the _data's _impl, we'll probably end up with a null deref.
Comment 1, Wenson Hsieh, 2017-08-05 15:21:33 PDT
Interestingly, this isn't normally an issue when closing the page because Safari actually tells the WebPageProxy to close() very early in the teardown process. That's not to say there shouldn't be a mechanism at the WebKit layer, though, to ensure that we don't crash if the WKView is released through some other codepath in Safari that doesn't explicitly close() the page before continuing with teardown.
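The teardown ordering the report and comment describe, reduced to a self-contained C++ model. This is an added example, not WebKit's code: `Impl` and `View` are hypothetical stand-ins for WebViewImpl and WKView/_data, `onCallback` stands for whatever work a pending callback asks the view to do, and the null check inside it exists only so the example can count the would-be crash instead of dereferencing null. The point it demonstrates is standard-guaranteed: `unique_ptr::operator=(nullptr)` sets the stored pointer to null before running the deleter, so anything the destructor calls back into sees `impl == nullptr`. The `invalidateFirst` path plays the role of the early close() that comment 1 says Safari normally performs.

```cpp
#include <cstdio>
#include <functional>
#include <memory>
#include <vector>

// Hypothetical stand-ins (not WebKit's code): Impl plays the role of
// WebViewImpl, View plays the role of WKView and its _data.
struct View;

struct Impl {
    std::vector<std::function<void()>> pending;   // callbacks awaiting a reply

    void schedule(std::function<void()> cb) { pending.push_back(std::move(cb)); }

    // Invalidate every pending callback; each one still runs once so the
    // requester learns that its request was cancelled.
    void invalidatePending() {
        auto cbs = std::move(pending);
        pending.clear();
        for (auto& cb : cbs) cb();
    }

    // Mirrors ~WebViewImpl as the report describes it: the callback map is
    // invalidated from the destructor.
    ~Impl() { invalidatePending(); }
};

struct View {
    std::unique_ptr<Impl> impl{new Impl};
    int handled = 0;             // callback reached a live impl
    int nullDerefsAvoided = 0;   // callback arrived while impl was already null

    // What a callback does when it comes back to the view: touch impl.
    // Real code would dereference impl here unconditionally; the guard turns
    // the crash into a counter so the ordering problem can be observed.
    void onCallback() {
        if (!impl) { ++nullDerefsAvoided; return; }
        ++handled;
    }
};

struct Outcome { int handled; int nullDerefsAvoided; };

// Tear a view down with two requests still outstanding.
// invalidateFirst=false reproduces the ordering in -[WKView dealloc]:
// `impl = nullptr` nulls the unique_ptr *before* ~Impl runs, so callbacks
// fired from the destructor find a null impl.
// invalidateFirst=true is the defensive ordering: close out the callbacks
// (as an early close() would) while impl is still reachable, then release it.
Outcome runTeardown(bool invalidateFirst) {
    View view;
    view.impl->schedule([&view] { view.onCallback(); });
    view.impl->schedule([&view] { view.onCallback(); });

    if (invalidateFirst)
        view.impl->invalidatePending();
    view.impl = nullptr;   // unique_ptr::reset: stored pointer set to null, then delete

    return {view.handled, view.nullDerefsAvoided};
}

int main() {
    Outcome deallocOrder = runTeardown(false);
    Outcome invalidateFirst = runTeardown(true);
    std::printf("dealloc order:    handled=%d, would have null-deref'd=%d\n",
                deallocOrder.handled, deallocOrder.nullDerefsAvoided);
    std::printf("invalidate first: handled=%d, would have null-deref'd=%d\n",
                invalidateFirst.handled, invalidateFirst.nullDerefsAvoided);
    return 0;
}
```

With the dealloc ordering both outstanding callbacks arrive after `impl` has been nulled, which in the real code is the null deref; invalidating (or closing) first lets both callbacks complete against a live `impl`, and the destructor then has nothing left to fire. The same check applies when reviewing any owner whose member destructor can re-enter the owner: make sure the owner's handle to the member is still valid at that point, or drain the callbacks before releasing the handle.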