RESOLVED FIXED 185877
Avoid keeping FormState alive longer than necessary 
https://bugs.webkit.org/show_bug.cgi?id=185877
Summary Avoid keeping FormState alive longer than necessary
Brent Fulgham
Reported 2018-05-22 12:25:45 PDT
A number of crash fixes were done to prevent FormState objects from being accessed after their relevant Frames had been destroyed. Unfortunately, this could cause the FormState to persist after the owning Frame had been destroyed, resulting in nullptr dereferences. This patch does the following: 1. Changes to use WeakPtr's for FormState objects passed to completion handlers, rather than RetainPtr, since those completion handlers might fire as part of the clean-up process during Frame destruction. This allows us to use the FormState if they are still valid, but gracefully handle cases where a form submission is cancelled in-flight. 2. Removes some extraneous WTFMove() calls being made on bare FormState pointers. 3. Changes the trap from Bug 183704 so that it only fires if the FormState object is being retained more than once.
Attachments
Patch (22.37 KB, patch)
2018-05-22 12:31 PDT, Brent Fulgham 		no flags
DetailsFormatted DiffDiff
Patch (22.84 KB, patch)
2018-05-22 13:44 PDT, Brent Fulgham 		no flags
DetailsFormatted DiffDiff
Patch for landing (22.83 KB, patch)
2018-05-22 14:03 PDT, Brent Fulgham 		no flags
DetailsFormatted DiffDiff
Patch for landing (22.82 KB, patch)
2018-05-22 14:16 PDT, Brent Fulgham 		no flags
DetailsFormatted DiffDiff
Patch (21.32 KB, patch)
2018-05-22 21:54 PDT, Brent Fulgham 		no flags
DetailsFormatted DiffDiff
Patch (42.74 KB, patch)
2018-05-23 20:36 PDT, Brent Fulgham 		no flags
DetailsFormatted DiffDiff
Patch for landing (42.74 KB, patch)
2018-05-23 21:44 PDT, Brent Fulgham 		no flags
DetailsFormatted DiffDiff
Show Obsolete (6) View All Add attachment proposed patch, testcase, etc.
Brent Fulgham
Comment 1 2018-05-22 12:26:35 PDT
<rdar://problem/39329219>
Brent Fulgham
Comment 2 2018-05-22 12:31:31 PDT
Created attachment 341006 [details] Patch
Brent Fulgham
Comment 3 2018-05-22 13:44:19 PDT
Created attachment 341013 [details] Patch
Ryosuke Niwa
Comment 4 2018-05-22 13:45:00 PDT
Comment on attachment 341006 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=341006&action=review > Source/WebCore/ChangeLog:17 > + rather than RetainPtr, since those completion handlers might fire as part of You mean RefPtr. RetainPtr is for objective-C.
Brent Fulgham
Comment 5 2018-05-22 14:03:15 PDT
Created attachment 341019 [details] Patch for landing
Brent Fulgham
Comment 6 2018-05-22 14:16:12 PDT
Created attachment 341023 [details] Patch for landing
WebKit Commit Bot
Comment 7 2018-05-22 15:01:40 PDT
Comment on attachment 341023 [details] Patch for landing Clearing flags on attachment: 341023 Committed r232081: <https://trac.webkit.org/changeset/232081>
WebKit Commit Bot
Comment 8 2018-05-22 15:01:42 PDT
All reviewed patches have been landed. Closing bug.
Dawei Fenton (:realdawei)
Comment 9 2018-05-22 16:47:47 PDT
I've observed 2 API test failures after this patch was landed. https://build.webkit.org/builders/Apple%20High%20Sierra%20Release%20WK1%20%28Tests%29/builds/5530/steps/run-api-tests/logs/stdio Failed TestWebKitAPI.WebKit.FormSubmission /Volumes/Data/slave/highsierra-release/build/Tools/TestWebKitAPI/Tests/WebKitCocoa/_WKInputDelegate.mm:53 Value of: willSubmitFormValuesCalled Actual: false Expected: true Timeout TestWebKitAPI.WebKit.DuplicateCompletionHandlerCalls
Chris Dumez
Comment 10 2018-05-22 16:57:25 PDT
Comment on attachment 341023 [details] Patch for landing View in context: https://bugs.webkit.org/attachment.cgi?id=341023&action=review > Source/WebCore/loader/PolicyChecker.cpp:171 > + m_frame.loader().client().dispatchDecidePolicyForNavigationAction(action, request, didReceiveRedirectResponse, formState, policyDecisionMode, [this, function = WTFMove(function), request = ResourceRequest(request), formState = makeWeakPtr(formState), suggestedFilename = WTFMove(suggestedFilename), blobURLLifetimeExtension = WTFMove(blobURLLifetimeExtension)](PolicyAction policyAction) mutable { It seems wrong to be that we could loose the FormState during the async policy decision now. We initiated the navigation with a FormState, but then, after the client tells us to go for it, we may not end up using that FormState.
WebKit Commit Bot
Comment 11 2018-05-22 17:16:19 PDT
Re-opened since this is blocked by bug 185895
Brent Fulgham
Comment 12 2018-05-22 21:54:44 PDT
Created attachment 341070 [details] Patch
Brent Fulgham
Comment 13 2018-05-23 20:36:10 PDT
Created attachment 341166 [details] Patch
Brent Fulgham
Comment 14 2018-05-23 21:44:09 PDT
Created attachment 341170 [details] Patch for landing
WebKit Commit Bot
Comment 15 2018-05-23 22:23:05 PDT
Comment on attachment 341170 [details] Patch for landing Clearing flags on attachment: 341170 Committed r232147: <https://trac.webkit.org/changeset/232147>
WebKit Commit Bot
Comment 16 2018-05-23 22:23:07 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.