Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 5f39d2e3104ac9a2de8e76c4af7243be54fd4e1c
      
https://github.com/WebKit/WebKit/commit/5f39d2e3104ac9a2de8e76c4af7243be54fd4e1c
  Author: Chris Dumez <[email protected]>
  Date:   2026-05-28 (Thu, 28 May 2026)

  Changed paths:
    M Source/WebKit/UIProcess/ios/WKContentViewInteraction.mm
    M Source/WebKit/UIProcess/mac/WebViewImpl.mm
    M Tools/TestWebKitAPI/Tests/WebKit/WKWebView/ios/DragAndDropTestsIOS.mm
    M Tools/TestWebKitAPI/Tests/WebKit/WKWebView/mac/DragAndDropTestsMac.mm

  Log Message:
  -----------
  Crash under WebPageProxy::createSandboxExtensionsIfNeeded()
https://bugs.webkit.org/show_bug.cgi?id=315745
rdar://170160413

Reviewed by Per Arne Vollan.

When dropping files via the legacy NSFilenamesPboardType / file
promise pasteboard, performDragWithLegacyFiles() sends an async
AllowFilesAccessFromWebProcess IPC to the NetworkProcess and, on
reply, calls WebPageProxy::createSandboxExtensionsIfNeeded(), which
dereferences the legacy main-frame WebProcess connection. If that
WebProcess is gone by the time the reply lands, the access in
AuxiliaryProcessProxy::connection() fires its
RELEASE_ASSERT(m_connection) and crashes the UIProcess.

Bail out of the reply lambdas (both macOS and iOS drop paths) when
the page no longer has a running process. To avoid leaking drop
state in that case, also notify the page client via
didPerformDragOperation(false) so:

    - On macOS, _webView:didPerformDragOperation: fires on the UI
      delegate.
    - On iOS, _didPerformDragOperation: runs and decrements
      WebItemProviderPasteboard's pending-operation count, notifies
      the delegate, and cleans up drop session state.

Without this, a WebProcess crash mid-drop would leave clients
waiting on a delegate callback that never fires (and on iOS, leak
the pasteboard pending-operation count).

Tests: Tools/TestWebKitAPI/Tests/WebKit/WKWebView/mac/DragAndDropTestsMac.mm
       Tools/TestWebKitAPI/Tests/WebKit/WKWebView/ios/DragAndDropTestsIOS.mm

* Source/WebKit/UIProcess/ios/WKContentViewInteraction.mm:
(-[WKContentView dropInteraction:performDrop:]):
* Source/WebKit/UIProcess/mac/WebViewImpl.mm:
(WebKit::performDragWithLegacyFiles):
* Tools/TestWebKitAPI/Tests/WebKit/WKWebView/ios/DragAndDropTestsIOS.mm:
(TEST(DragAndDropTests, PerformDropAfterWebProcessTermination)):
* Tools/TestWebKitAPI/Tests/WebKit/WKWebView/mac/DragAndDropTestsMac.mm:
(TEST(DragAndDropTests, PerformDragWithLegacyFilesAfterWebProcessTermination)):

Canonical link: https://commits.webkit.org/314085@main
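
The failure mode and the guard described in the log message above, as an added C++ example that is not code from this commit or from WebKit. Page, Connection, ReplyQueue, performDrop and runScenario are hypothetical names for a simplified model; the thrown exception stands in for the RELEASE_ASSERT.

```cpp
#include <functional>
#include <memory>
#include <queue>
#include <stdexcept>

// Simplified model with hypothetical names (not WebKit's classes) of a
// UI-process page whose drop path awaits an async reply.
struct Connection { int extensionsCreated = 0; };
struct Page {
    std::unique_ptr<Connection> process = std::make_unique<Connection>();
    int pendingDropOperations = 0; // stands in for the pasteboard's pending-operation count
    int delegateCallbacks = 0;     // times the client heard that the drop finished
    bool lastDropHandled = false;
    bool hasRunningProcess() const { return process != nullptr; }
    Connection& connection() { // the throw stands in for RELEASE_ASSERT(m_connection)
        if (!process) throw std::logic_error("no running process");
        return *process;
    }
    void didPerformDragOperation(bool handled) {
        --pendingDropOperations; ++delegateCallbacks; lastDropHandled = handled;
    }
};
using ReplyQueue = std::queue<std::function<void()>>;

// Queue the async file-access request; its reply runs later from `replies`.
void performDrop(Page& page, ReplyQueue& replies, bool guarded) {
    ++page.pendingDropOperations;
    replies.push([&page, guarded] {
        if (guarded && !page.hasRunningProcess()) {
            page.didPerformDragOperation(false); // bail out, still release drop state
            return;
        }
        ++page.connection().extensionsCreated; // unguarded: fails here if the process died
        page.didPerformDragOperation(true);
    });
}

// Run one drop, optionally terminating the web process before the reply lands.
Page runScenario(bool guarded, bool terminateBeforeReply) {
    Page page;
    ReplyQueue replies;
    performDrop(page, replies, guarded);
    if (terminateBeforeReply) page.process.reset();
    replies.front()();
    return page;
}
int main() {
    Page p = runScenario(true, true); // guarded reply after the process died
    return (p.delegateCallbacks == 1 && p.pendingDropOperations == 0) ? 0 : 1;
}
```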
