Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 69d300842d37d62d8e54a0e11c66dfcafec72e41
      
https://github.com/WebKit/WebKit/commit/69d300842d37d62d8e54a0e11c66dfcafec72e41
  Author: Abrar Rahman Protyasha <[email protected]>
  Date:   2026-05-20 (Wed, 20 May 2026)

  Changed paths:
    M Source/WebKit/UIProcess/ios/PageClientImplIOS.mm

  Log Message:
  -----------
  [iOS] Possible WebPreferences null deref under 
PageClientImpl::didCommitLoadForMainFrame() during WKWebView dealloc
https://bugs.webkit.org/show_bug.cgi?id=315148
rdar://177270748

Reviewed by Aditya Keerthi.

If the weak ref to WKWebView held by PageClient is null, then the
unconditional dereference of WebPageProxy to read the system text
extraction preference is UB. It turns out that said weak ref _can_ be
null if we receive a load commit IPC during WKWebView dealloc. In that
window, [nil _page] returns a nullptr (WebPageProxy), following which
we see a null deref crash in this access chain WebPageProxy ->
WebPreferences -> WebPreferencesStore. The other lines in this method
are okay with a nil web view since they are just sending ObjC messages
to nil.

In this patch, we introduce a speculative fix by gating the deref behind
a null check.

I was not able to add test coverage that deterministically produces a
load commit IPC during the dealloc window.

* Source/WebKit/UIProcess/ios/PageClientImplIOS.mm:
(WebKit::PageClientImpl::didCommitLoadForMainFrame):

Canonical link: https://commits.webkit.org/313555@main
