Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 46b03afa5a231970ac09fdd9cbfeeaaa68dc31b0
    https://github.com/WebKit/WebKit/commit/46b03afa5a231970ac09fdd9cbfeeaaa68dc31b0
Author: Abrar Rahman Protyasha <a_protya...@apple.com>
Date: 2023-06-23 (Fri, 23 Jun 2023)

Changed paths:
    M Source/WebKit/UIProcess/WebPageProxy.cpp
    M Tools/TestWebKitAPI/Tests/WebKitCocoa/UIDelegate.mm

Log Message:
-----------
WebPageProxy::setToolTip accesses a null PageClient
https://bugs.webkit.org/show_bug.cgi?id=258313
rdar://110501313

Reviewed by Chris Dumez and Wenson Hsieh.

In 264455@main, we introduced
`WebPageProxy::dispatchMouseDidMoveOverElementAsynchronously`, which
asks to perform `WebPageProxy::mouseDidMoveOverElement` at a future
time.

It turns out there's a null access on `m_pageClient` when we then call
into `WebPageProxy::setToolTip`, which happens because we hold a
`WeakPtr<PageClient>` instance to the `PageClient` object, meaning there
are no guarantees on the PageClient instance's lifetime.

To avoid this null dereference, we should only inform the web page about
a `MouseMove` event upon consulting whether the web page is closed
through `WebPageProxy::isClosed()`.

We also add an API test that crashes without this mitigation in place.

* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::dispatchMouseDidMoveOverElementAsynchronously):
* Tools/TestWebKitAPI/Tests/WebKitCocoa/UIDelegate.mm:
(+[TestEventMonitor addLocalMonitorForEventsMatchingMask:handler:]):

Canonical link: https://commits.webkit.org/265456@main
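
An added example (not WebKit code and not part of this commit) modelling the lifetime problem the log message describes: a deferred callback reaches a weakly held client after the page has closed, and a closed check at callback time avoids the null access. `PageProxy`, `PageClient`, `Outcome`, `TaskQueue` and `runScenario` are hypothetical names, `std::weak_ptr` stands in for WebKit's `WeakPtr`, and the scenario assumes the client is destroyed when the page closes.

```cpp
#include <functional>
#include <memory>
#include <queue>
#include <string>

// Hypothetical stand-ins for illustration; these are not WebKit types.
struct PageClient {
    std::string lastToolTip;
    void toolTipChanged(const std::string& tip) { lastToolTip = tip; }
};

enum class Outcome { Delivered, SkippedClosed, WouldDerefNull };
using TaskQueue = std::queue<std::function<Outcome()>>;

class PageProxy {
public:
    explicit PageProxy(const std::shared_ptr<PageClient>& client) : m_client(client) {}
    void close() { m_closed = true; }
    bool isClosed() const { return m_closed; }

    // The work runs later, so the client may be gone by then. With guard set,
    // the task consults isClosed() when it runs, not when it was queued.
    void dispatchAsync(TaskQueue& q, const std::string& tip, bool guard) {
        q.push([this, tip, guard]() -> Outcome {
            if (guard && isClosed())
                return Outcome::SkippedClosed;
            return setToolTip(tip);
        });
    }

private:
    Outcome setToolTip(const std::string& tip) {
        auto client = m_client.lock();
        if (!client)
            return Outcome::WouldDerefNull; // an unchecked dereference would crash here
        client->toolTipChanged(tip);
        return Outcome::Delivered;
    }
    std::weak_ptr<PageClient> m_client; // weak: no guarantee on the client's lifetime
    bool m_closed = false;
};

// Queue one task, optionally close the page and destroy the client (assumed
// to happen together), then run the task and report what it did.
Outcome runScenario(bool closeBeforeRun, bool guard) {
    TaskQueue q;
    auto client = std::make_shared<PageClient>();
    PageProxy page(client);
    page.dispatchAsync(q, "constructed tooltip", guard);
    if (closeBeforeRun) { page.close(); client.reset(); }
    return q.front()();
}
```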