Bug 197079 - Crash in FrameLoader::stopAllLoaders via [WebView dealloc] inside ~ObjCEventListener
Summary: Crash in FrameLoader::stopAllLoaders via [WebView dealloc] inside ~ObjCEventL...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit API (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Ryosuke Niwa
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2019-04-18 15:48 PDT by Ryosuke Niwa
Modified: 2019-05-08 17:16 PDT (History)
6 users (show)

See Also:

Attachments
Fixes the bug (6.13 KB, patch)
2019-04-18 16:02 PDT, Ryosuke Niwa 		no flags Details | Formatted Diff | Diff
Fixes the bug (9.74 KB, patch)
2019-04-18 16:03 PDT, Ryosuke Niwa 		darin: review+
Details | Formatted Diff | Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Ryosuke Niwa 2019-04-18 15:48:21 PDT 
Some WebKit clients crash in FrameLoader::stopAllLoaders via [WebView dealloc] inside ~ObjCEventListener while deleting event targets.

<rdar://problem/40888424>
Comment 1 Ryosuke Niwa 2019-04-18 16:02:31 PDT 
Created attachment 367769 [details]
Fixes the bug
Comment 2 Ryosuke Niwa 2019-04-18 16:03:48 PDT 
Created attachment 367770 [details]
Fixes the bug
Comment 3 Darin Adler 2019-04-19 09:59:58 PDT 
Comment on attachment 367770 [details]
Fixes the bug

View in context: https://bugs.webkit.org/attachment.cgi?id=367770&action=review

> Source/WebKitLegacy/mac/DOM/ObjCEventListener.mm:75
> +    // Avoid executing arbitrary code during GC; e.g. inside Node::~Node.
> +    [m_listener.get() retain];
> +    [m_listener.get() autorelease];

Some day we will move to ARC. To be prepared for when we do, it will be much more future-proof to use CFRetain and CFAutorelease, which can be used for this purpose even under ARC. I suggest doing that.

    CFRetain((__bridge CFTypeRef)m_listener.get());
    CFAutorelease((__bridge CFTypeRef)m_listener.get());

To make it cleaner, if this idiom comes up more often, we could add a RetainPtr member function designed for this purpose. Unfortunately, the current RetainPtr::autorelease is not what we want because it compiles to a bridging release under ARC, not an autorelease.
Comment 4 Ryosuke Niwa 2019-04-19 11:46:51 PDT 
(In reply to Darin Adler from comment #3)
> Comment on attachment 367770 [details]
> Fixes the bug
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=367770&action=review
> 
> > Source/WebKitLegacy/mac/DOM/ObjCEventListener.mm:75
> > +    // Avoid executing arbitrary code during GC; e.g. inside Node::~Node.
> > +    [m_listener.get() retain];
> > +    [m_listener.get() autorelease];
> 
> Some day we will move to ARC. To be prepared for when we do, it will be much
> more future-proof to use CFRetain and CFAutorelease, which can be used for
> this purpose even under ARC. I suggest doing that.
> 
>     CFRetain((__bridge CFTypeRef)m_listener.get());
>     CFAutorelease((__bridge CFTypeRef)m_listener.get());
> 
> To make it cleaner, if this idiom comes up more often, we could add a
> RetainPtr member function designed for this purpose. Unfortunately, the
> current RetainPtr::autorelease is not what we want because it compiles to a
> bridging release under ARC, not an autorelease.

Okay, sure, I'll use CF*.
Comment 5 Ryosuke Niwa 2019-04-19 12:01:40 PDT 
Committed r244459: <https://trac.webkit.org/changeset/244459>