Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 825d9df3072fa0235e57fb6408d0d9725a858da7
      
https://github.com/WebKit/WebKit/commit/825d9df3072fa0235e57fb6408d0d9725a858da7
  Author: Rupin Mittal <[email protected]>
  Date:   2026-05-19 (Tue, 19 May 2026)

  Changed paths:
    M Source/WebKit/Platform/IPC/MessageReceiverMap.cpp
    M Source/WebKit/UIProcess/Extensions/WebExtensionController.cpp

  Log Message:
  -----------
  StabilityTracer: Crash in IPC::MessageReceiverMap::invalidate()
https://bugs.webkit.org/show_bug.cgi?id=314930
rdar://177091898

Reviewed by Chris Dumez.

The crash in IPC::MessageReceiverMap::invalidate() is most likely because either
m_globalMessageReceivers or m_messageReceivers contain a WeakPtr<MessageReceiver>
that is null and attempting to dereference it to call
willBeRemovedFromMessageReceiverMap() hits the RELEASE_ASSERT in
WeakPtr::operator->().

The MessageReceiver destructor asserts that the MessageReceiver is not in any
MessageReceiverMap. So these two maps should never contain a null WeakPtr. But
given that we see this crash and it's not obvious which MessageReceiver is not
removing itself from a map before destruction, we fix this crash by adding null
checks in invalidate(). We also add an ASSERT and RELEASE_LOG_FAULT so that we
can later catch which MessageReceiver is not removing itself from a map.

Even though it's not clear from the crash log alone which MessageReceiver is not
removing itself from a map, there is a case that we can speculatively fix:

WebExtensionController is added to the map in
WebExtensionController::addProcessPool() and removed in
WebExtensionController::removeProcessPool(). But it seems possible that it can
be destroyed without removeProcessPool() being called, and its destructor does
not remove it from the map. This could possibly be the reason for the crash. So
we ensure that the destructor will remove it.

This is a speculative fix.

* Source/WebKit/Platform/IPC/MessageReceiverMap.cpp:
(IPC::MessageReceiverMap::invalidate):
* Source/WebKit/UIProcess/Extensions/WebExtensionController.cpp:
(WebKit::WebExtensionController::~WebExtensionController):

Canonical link: https://commits.webkit.org/313494@main
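
The failure mode and both mitigations described in the log message, as an added sketch that is not WebKit code: std::weak_ptr stands in for WebKit's WeakPtr, and Receiver, ReceiverMap, LeakyController and FixedController are hypothetical names.

```cpp
// Added illustration: std::weak_ptr stands in for WebKit's WeakPtr, and every
// name here (Receiver, ReceiverMap, ...) is hypothetical, not WebKit code.
#include <cstdint>
#include <cstdio>
#include <map>
#include <memory>

struct Receiver {
    virtual ~Receiver() = default;
    virtual void willBeRemovedFromMap() {}
};

class ReceiverMap {
public:
    void add(uint64_t id, const std::shared_ptr<Receiver>& r) { m_receivers[id] = r; }
    void remove(uint64_t id) { m_receivers.erase(id); }
    // Notifies live receivers; logs and counts entries whose receiver is gone.
    unsigned invalidate() {
        unsigned stale = 0;
        for (auto& entry : m_receivers) {
            if (auto receiver = entry.second.lock())
                receiver->willBeRemovedFromMap();
            else {
                ++stale;  // null check: never dereference an expired entry
                std::fprintf(stderr, "stale receiver id=%llu\n", (unsigned long long)entry.first);
            }
        }
        m_receivers.clear();
        return stale;
    }
private:
    std::map<uint64_t, std::weak_ptr<Receiver>> m_receivers;
};

// Depends on an explicit remove() call that may never happen before destruction.
struct LeakyController : Receiver { LeakyController(ReceiverMap&, uint64_t) {} };
// Destructor guarantees removal from the map.
struct FixedController : Receiver {
    FixedController(ReceiverMap& map, uint64_t id) : m_map(map), m_id(id) {}
    ~FixedController() override { m_map.remove(m_id); }
    ReceiverMap& m_map; uint64_t m_id;
};

// Destroys one controller while it is still registered; returns stale entries seen.
template <typename Controller> unsigned staleAfterDestroying() {
    ReceiverMap map;
    { auto c = std::make_shared<Controller>(map, 2); map.add(2, c); }
    return map.invalidate();
}
```

The stale-entry log line gives the key of the offending entry, which is the information needed to identify a receiver that was destroyed while still registered.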


