Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Crash under ~RenderMenuList due to CheckedPtr usage #24372

Merged
merged 1 commit into from
Feb 13, 2024
Merged

Crash under ~RenderMenuList due to CheckedPtr usage #24372

merged 1 commit into from
Feb 13, 2024

Conversation

cdumez
Copy link
Contributor

@cdumez cdumez commented Feb 13, 2024
edited by webkit-early-warning-system

35318b4

Crash under ~RenderMenuList due to CheckedPtr usage
https://bugs.webkit.org/show_bug.cgi?id=269322
rdar://119790256

Reviewed by Alan Baradlay.

From the crash trace, we can see that HTMLSelectElement::defaultEventHandler()
holds a CheckedPtr to its RenderMenuList renderer and calls showPopup() on
the renderer. This ends up running JS, which removes the select element from
the DOM and in turns destroys the renderer. The usage is currently safe since
nothing is using the renderer after the JS has run. However, it was tripping
the CheckedPtr assertion.

To address the issue, switch to using WeakPtr for now and add comments to
clarify lifetime. We should consider refactoring this in a follow up though.

* Source/WebCore/html/HTMLSelectElement.cpp:
(WebCore::HTMLSelectElement::platformHandleKeydownEvent):
(WebCore::HTMLSelectElement::menuListDefaultEventHandler):
(WebCore::HTMLSelectElement::showPicker):
* Source/WebCore/rendering/RenderMenuList.cpp:
(RenderMenuList::showPopup):

Canonical link: https://commits.webkit.org/274586@main

78fdddf

Misc iOS, tvOS & watchOS macOS Linux Windows
βœ… πŸ§ͺ style βœ… πŸ›  ios βœ… πŸ›  mac βœ… πŸ›  wpe   πŸ›  wincairo
βœ… πŸ§ͺ bindings βœ… πŸ›  ios-sim βœ… πŸ›  mac-AS-debug   πŸ§ͺ wpe-wk2
βœ… πŸ§ͺ webkitperl βœ… πŸ§ͺ ios-wk2 βœ… πŸ§ͺ api-mac   πŸ§ͺ api-wpe
  πŸ§ͺ ios-wk2-wpt βœ… πŸ§ͺ mac-wk1 βœ… πŸ›  gtk
βœ… πŸ§ͺ api-ios βœ… πŸ§ͺ mac-wk2   πŸ§ͺ gtk-wk2
  πŸ›  tv   πŸ§ͺ mac-AS-debug-wk2   πŸ§ͺ api-gtk
  πŸ›  tv-sim
  πŸ›  πŸ§ͺ merge   πŸ›  watch
βœ… πŸ›  πŸ§ͺ unsafe-merge   πŸ›  watch-sim

@cdumez cdumez requested a review from rniwa as a code owner February 13, 2024 22:37
@cdumez cdumez self-assigned this Feb 13, 2024
@cdumez cdumez added the Layout and Rendering For bugs with layout and rendering of Web pages. label Feb 13, 2024
@webkit-early-warning-system
Copy link
Collaborator

EWS run on current version of this PR (hash 78fdddf)

Misc iOS, tvOS & watchOS macOS Linux Windows
βœ… πŸ§ͺ style βœ… πŸ›  ios βœ… πŸ›  mac βœ… πŸ›  wpe   πŸ›  wincairo
βœ… πŸ§ͺ bindings βœ… πŸ›  ios-sim βœ… πŸ›  mac-AS-debug   πŸ§ͺ wpe-wk2
βœ… πŸ§ͺ webkitperl βœ… πŸ§ͺ ios-wk2 βœ… πŸ§ͺ api-mac   πŸ§ͺ api-wpe
  πŸ§ͺ ios-wk2-wpt βœ… πŸ§ͺ mac-wk1 βœ… πŸ›  gtk
βœ… πŸ§ͺ api-ios βœ… πŸ§ͺ mac-wk2   πŸ§ͺ gtk-wk2
  πŸ›  tv   πŸ§ͺ mac-AS-debug-wk2   πŸ§ͺ api-gtk
  πŸ›  tv-sim
  πŸ›  πŸ§ͺ merge   πŸ›  watch
βœ… πŸ›  πŸ§ͺ unsafe-merge   πŸ›  watch-sim

@cdumez cdumez added merge-queue Applied to send a pull request to merge-queue unsafe-merge-queue Applied to send a pull request to merge-queue, but skip building and testing and removed merge-queue Applied to send a pull request to merge-queue labels Feb 13, 2024
@cdumez
Crash under ~RenderMenuList due to CheckedPtr usage
35318b4 
https://bugs.webkit.org/show_bug.cgi?id=269322
rdar://119790256

Reviewed by Alan Baradlay.

From the crash trace, we can see that HTMLSelectElement::defaultEventHandler()
holds a CheckedPtr to its RenderMenuList renderer and calls showPopup() on
the renderer. This ends up running JS, which removes the select element from
the DOM and in turns destroys the renderer. The usage is currently safe since
nothing is using the renderer after the JS has run. However, it was tripping
the CheckedPtr assertion.

To address the issue, switch to using WeakPtr for now and add comments to
clarify lifetime. We should consider refactoring this in a follow up though.

* Source/WebCore/html/HTMLSelectElement.cpp:
(WebCore::HTMLSelectElement::platformHandleKeydownEvent):
(WebCore::HTMLSelectElement::menuListDefaultEventHandler):
(WebCore::HTMLSelectElement::showPicker):
* Source/WebCore/rendering/RenderMenuList.cpp:
(RenderMenuList::showPopup):

Canonical link: https://commits.webkit.org/274586@main
@webkit-commit-queue
Copy link
Collaborator

Committed 274586@main (35318b4): https://commits.webkit.org/274586@main

Reviewed commits have been landed. Closing PR #24372 and removing active labels.

@webkit-commit-queue webkit-commit-queue merged commit 35318b4 into WebKit:main Feb 13, 2024
@webkit-commit-queue webkit-commit-queue removed the unsafe-merge-queue Applied to send a pull request to merge-queue, but skip building and testing label Feb 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@alanbaradlay alanbaradlay alanbaradlay approved these changes

@rniwa rniwa Awaiting requested review from rniwa rniwa is a code owner

@geoffreygaren geoffreygaren Awaiting requested review from geoffreygaren

@brentfulgham brentfulgham Awaiting requested review from brentfulgham

Assignees

@cdumez cdumez

Labels
Layout and Rendering For bugs with layout and rendering of Web pages.
Projects
None yet
Milestone
No milestone
4 participants
@cdumez @webkit-early-warning-system @webkit-commit-queue @alanbaradlay