Created attachment 327273 [details] Patch

Comment on attachment 327273 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=327273&action=review I worry that the issue is deeper than just a bd cast. If _setFullscreenDelegate: does nothing because we are on a different fullscreen client, then the old fullscreen client might be left with the delegate still set. That could be a dangling pointer. > Source/WebKit/UIProcess/API/Cocoa/WKWebView.mm:4778 > return nullptr; I think this should be return nil.

(In reply to Darin Adler from comment #2) > Comment on attachment 327273 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=327273&action=review > > I worry that the issue is deeper than just a bd cast. If > _setFullscreenDelegate: does nothing because we are on a different > fullscreen client, then the old fullscreen client might be left with the > delegate still set. That could be a dangling pointer. The various client objects are owned by the page. When the page clears those clients, those objects and references are destroyed. Looking over WKWebView, I see the same unsafe pattern that caused this crash also affects the find delegate: https://bugs.webkit.org/show_bug.cgi?id=180054 > > > Source/WebKit/UIProcess/API/Cocoa/WKWebView.mm:4778 > > return nullptr; > > I think this should be return nil. Done.

Created attachment 327674 [details] Patch for landing.

Comment on attachment 327674 [details] Patch for landing. Clearing flags on attachment: 327674 Committed r225195: <https://trac.webkit.org/changeset/225195>

Closing now since patch landed.

<rdar://problem/40484031>