Null deref under ViewGestureController::endSwipeGesture (navigationGestureDidEnd)
author timothy_horton@apple.com <timothy_horton@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 16 Jun 2017 03:26:55 +0000 (03:26 +0000)
committer timothy_horton@apple.com <timothy_horton@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 16 Jun 2017 03:26:55 +0000 (03:26 +0000)
commit 40442e02b377e830c6e511c61ea9d4c5111f6284
tree 32dfa02e4db6261f918b07fce58248713afa3580
parent 288167bb93bdf3234ac6ec1db7989ffcaf9fed27
Null deref under ViewGestureController::endSwipeGesture (navigationGestureDidEnd)
https://bugs.webkit.org/show_bug.cgi?id=173441
<rdar://problem/25876512>

Reviewed by Simon Fraser.

This is a speculative fix for a crash that we don't have repro steps for.

In a few places, ViewGestureController looks itself up by pageID (in cases
where we're in an asynchronous callback), and then calls some
function on it (endSwipeGesture, or something that will get there).
However, if in the meantime an API client has turned the swipe gesture
on and off, the page's ViewGestureController will be a different one
than the one that originally started this process, with fresh state,
and nullptrs in all sorts of places, ripe for dereferencing.

To fix this, instead of just looking ViewGestureController up by
pageID, also keep track of the current gestureID, process-wide (previously
the gestureID was per-ViewGestureController), and only return the
ViewGestureController if it's currently processing the same gesture
that started the asynchronous task.

* UIProcess/Cocoa/ViewGestureController.cpp:
(WebKit::ViewGestureController::controllerForGesture):
(WebKit::ViewGestureController::takeNextGestureID):
(WebKit::ViewGestureController::willBeginGesture):
(WebKit::ViewGestureController::didEndGesture):
(WebKit::ViewGestureController::gestureControllerForPage): Deleted.
* UIProcess/Cocoa/ViewGestureController.h:
Add helpers that set and reset activeGestureType and currentGestureID together.
Make gesture IDs process global, to avoid two ViewGestureControllers using the same IDs.

* UIProcess/ios/ViewGestureControllerIOS.mm:
(WebKit::ViewGestureController::beginSwipeGesture):
(WebKit::ViewGestureController::endSwipeGesture):
(WebKit::ViewGestureController::removeSwipeSnapshot):
* UIProcess/mac/ViewGestureControllerMac.mm:
(WebKit::ViewGestureController::didCollectGeometryForMagnificationGesture):
(WebKit::ViewGestureController::handleMagnificationGestureEvent):
(WebKit::ViewGestureController::endMagnificationGesture):
(WebKit::ViewGestureController::beginSwipeGesture):
(WebKit::ViewGestureController::forceRepaintIfNeeded):
(WebKit::ViewGestureController::removeSwipeSnapshot):
Adopt willBeginGesture/didEndGesture and controllerForGesture.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@218378 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/WebKit2/ChangeLog
Source/WebKit2/UIProcess/Cocoa/ViewGestureController.cpp
Source/WebKit2/UIProcess/Cocoa/ViewGestureController.h
Source/WebKit2/UIProcess/ios/ViewGestureControllerIOS.mm
Source/WebKit2/UIProcess/mac/ViewGestureControllerMac.mm
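The guard the commit message describes, as an added C++ sketch that is not WebKit's code: the class, registry and the names `GestureController`, `controllerForGesture`, `willBeginGesture`, `didEndGesture` and `simulateToggleDuringGesture` are simplified assumptions modelled on the ChangeLog entries above, and the scenario at the end is constructed to reproduce the stale-callback case.

```cpp
// Added sketch (not WebKit's code): a process-wide gesture ID counter plus a per-page
// registry, so an async callback only gets its controller back if that controller is
// still processing the gesture the callback was started for.
#include <cstdint>
#include <map>
#include <memory>

using PageID = uint64_t;
using GestureID = uint64_t;

class GestureController {
public:
    explicit GestureController(PageID pageID) : m_pageID(pageID) { s_controllers[pageID] = this; }
    ~GestureController() { s_controllers.erase(m_pageID); }

    // Process-global counter (hypothetical): a replacement controller never reuses an old ID.
    static GestureID takeNextGestureID() { return ++s_lastGestureID; }

    // Set and reset the active gesture together, as the ChangeLog's helpers do.
    GestureID willBeginGesture() { m_currentGestureID = takeNextGestureID(); return m_currentGestureID; }
    void didEndGesture() { m_currentGestureID = 0; }

    // Lookup for async callbacks: null unless the page's controller is on the same gesture.
    static GestureController* controllerForGesture(PageID pageID, GestureID gestureID) {
        auto it = s_controllers.find(pageID);
        if (it == s_controllers.end() || it->second->m_currentGestureID != gestureID)
            return nullptr;
        return it->second;
    }

private:
    PageID m_pageID;
    GestureID m_currentGestureID { 0 };
    static std::map<PageID, GestureController*> s_controllers;
    static GestureID s_lastGestureID;
};
std::map<PageID, GestureController*> GestureController::s_controllers;
GestureID GestureController::s_lastGestureID = 0;

// Constructed scenario from the commit message: a gesture starts and async work captures
// (pageID, gestureID); the API client toggles the feature so the page gets a fresh
// controller; then the callback fires and looks its controller up.
struct Outcome { bool foundBeforeToggle; bool foundAfterToggle; };

Outcome simulateToggleDuringGesture() {
    const PageID page = 1;
    auto first = std::make_unique<GestureController>(page);
    GestureID id = first->willBeginGesture();
    bool before = GestureController::controllerForGesture(page, id) != nullptr;
    first.reset();                                            // swipe turned off ...
    auto second = std::make_unique<GestureController>(page);  // ... and on again: fresh state
    second->willBeginGesture();                               // new gesture, new global ID
    bool after = GestureController::controllerForGesture(page, id) != nullptr;
    return { before, after };
}
```

With a per-controller counter the replacement controller's first gesture would have reused the old ID and the stale callback would have been handed a fresh, half-initialised controller; the process-wide counter is what makes the mismatch detectable.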