[WPE] Crash under WebProcessProxy::setIsInProcessCache when closing w…

…eb view in debug builds https://bugs.webkit.org/show_bug.cgi?id=233933 Reviewed by Geoffrey Garen. The crash would occur because the WebProcessPool destructor would call WebProcessCache::clear() which would destroy WebProcessCache::CachedProcess objects, causing WebProcessProxy::setIsInProcessCache(false) to get called. Previously, this call to setIsInProcessCache() would convert the WeakPtr the WebProcessProxy held to its process pool into a RefPtr, thus causing the WebProcessPool to get ref'd while in the middle of destruction. To address the issue, the setIsInProcessCache() setter now takes a WillShutDown flag that gets set in the CachedProcess destructor and which causes setIsInProcessCache() to return early right after setting the m_isInProcessCache flag, without trying to send IPC to the WebProcess or trying to ref the WebProcessPool. * UIProcess/WebProcessCache.cpp: (WebKit::WebProcessCache::CachedProcess::~CachedProcess): * UIProcess/WebProcessProxy.cpp: (WebKit::WebProcessProxy::setIsInProcessCache): * UIProcess/WebProcessProxy.h: Canonical link: https://commits.webkit.org/245040@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@286800 268f45cc-cd09-0410-ab3c-d52691b4dbfc
WebKit · Dec 9, 2021 · fdad234810878e66671759d1193c19e8d13a6094 · fdad234
1 parent a1e9467
commit fdad234810878e66671759d1193c19e8d13a6094
Showing 4 changed files with 34 additions and 3 deletions.
diff --git a/Source/WebKit/ChangeLog b/Source/WebKit/ChangeLog
@@ -1,3 +1,27 @@
+2021-12-09  Chris Dumez  <cdumez@apple.com>
+
+        [WPE] Crash under WebProcessProxy::setIsInProcessCache when closing web view in debug builds
+        https://bugs.webkit.org/show_bug.cgi?id=233933
+
+        Reviewed by Geoffrey Garen.
+
+        The crash would occur because the WebProcessPool destructor would call WebProcessCache::clear()
+        which would destroy WebProcessCache::CachedProcess objects, causing
+        WebProcessProxy::setIsInProcessCache(false) to get called. Previously, this call to
+        setIsInProcessCache() would convert the WeakPtr the WebProcessProxy held to its process pool
+        into a RefPtr, thus causing the WebProcessPool to get ref'd while in the middle of destruction.
+
+        To address the issue, the setIsInProcessCache() setter now takes a WillShutDown flag that gets
+        set in the CachedProcess destructor and which causes setIsInProcessCache() to return early
+        right after setting the m_isInProcessCache flag, without trying to send IPC to the WebProcess
+        or trying to ref the WebProcessPool.
+
+        * UIProcess/WebProcessCache.cpp:
+        (WebKit::WebProcessCache::CachedProcess::~CachedProcess):
+        * UIProcess/WebProcessProxy.cpp:
+        (WebKit::WebProcessProxy::setIsInProcessCache):
+        * UIProcess/WebProcessProxy.h:
+
 2021-12-08  BJ Burg  <bburg@apple.com>
 
         [Cocoa] Web Inspector: provide a way for _WKInspectorExtension clients to be to notified when an extension tab navigates

diff --git a/Source/WebKit/UIProcess/WebProcessCache.cpp b/Source/WebKit/UIProcess/WebProcessCache.cpp
@@ -294,7 +294,7 @@ WebProcessCache::CachedProcess::~CachedProcess()
     if (isSuspended())
         m_process->platformResumeProcess();
 #endif
-    m_process->setIsInProcessCache(false);
+    m_process->setIsInProcessCache(false, WebProcessProxy::WillShutDown::Yes);
     m_process->shutDown();
 }
 

diff --git a/Source/WebKit/UIProcess/WebProcessProxy.cpp b/Source/WebKit/UIProcess/WebProcessProxy.cpp
@@ -309,7 +309,7 @@ void WebProcessProxy::platformDestroy()
 }
 #endif
 
-void WebProcessProxy::setIsInProcessCache(bool value)
+void WebProcessProxy::setIsInProcessCache(bool value, WillShutDown willShutDown)
 {
     WEBPROCESSPROXY_RELEASE_LOG(Process, "setIsInProcessCache(%d)", value);
     if (value) {
@@ -321,6 +321,11 @@ void WebProcessProxy::setIsInProcessCache(bool value)
     ASSERT(m_isInProcessCache != value);
     m_isInProcessCache = value;
 
+    // No point in doing anything else if the process is about to shut down.
+    ASSERT(willShutDown == WillShutDown::No || !value);
+    if (willShutDown == WillShutDown::Yes)
+        return;
+
     send(Messages::WebProcess::SetIsInProcessCache(m_isInProcessCache), 0);
 
     if (m_isInProcessCache) {

diff --git a/Source/WebKit/UIProcess/WebProcessProxy.h b/Source/WebKit/UIProcess/WebProcessProxy.h
@@ -156,7 +156,9 @@ class WebProcessProxy : public AuxiliaryProcessProxy, private ProcessThrottlerCl
     bool isMatchingRegistrableDomain(const WebCore::RegistrableDomain& domain) const { return m_registrableDomain ? *m_registrableDomain == domain : false; }
     WebCore::RegistrableDomain registrableDomain() const { return m_registrableDomain.value_or(WebCore::RegistrableDomain { }); }
     const std::optional<WebCore::RegistrableDomain>& optionalRegistrableDomain() const { return m_registrableDomain; }
-    void setIsInProcessCache(bool);
+
+    enum class WillShutDown : bool { No, Yes };
+    void setIsInProcessCache(bool, WillShutDown = WillShutDown::No);
     bool isInProcessCache() const { return m_isInProcessCache; }
 
     void enableServiceWorkers(const UserContentControllerIdentifier&);