Created attachment 327273 [details]
Patch

Comment on attachment 327273 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=327273&action=review

I worry that the issue is deeper than just a bd cast. If _setFullscreenDelegate: does nothing because we are on a different fullscreen client, then the old fullscreen client might be left with the delegate still set. That could be a dangling pointer.

> Source/WebKit/UIProcess/API/Cocoa/WKWebView.mm:4778
>      return nullptr;

I think this should be return nil.

(In reply to Darin Adler from comment #2)
> Comment on attachment 327273 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=327273&action=review
> 
> I worry that the issue is deeper than just a bd cast. If
> _setFullscreenDelegate: does nothing because we are on a different
> fullscreen client, then the old fullscreen client might be left with the
> delegate still set. That could be a dangling pointer.

The various client objects are owned by the page. When the page clears those clients, those objects and references are destroyed.

Looking over WKWebView, I see the same unsafe pattern that caused this crash also affects the find delegate:

https://bugs.webkit.org/show_bug.cgi?id=180054

> 
> > Source/WebKit/UIProcess/API/Cocoa/WKWebView.mm:4778
> >      return nullptr;
> 
> I think this should be return nil.

Done.

Created attachment 327674 [details]
Patch for landing.

Comment on attachment 327674 [details]
Patch for landing.

Clearing flags on attachment: 327674

Committed r225195: <https://trac.webkit.org/changeset/225195>

Closing now since patch landed.

<rdar://problem/40484031>