Repro crash when swiping back from a NY Times article @ WebPageProxy::navigationGestu...
author timothy_horton@apple.com <timothy_horton@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 17 Jun 2015 22:47:56 +0000 (22:47 +0000)
committer timothy_horton@apple.com <timothy_horton@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 17 Jun 2015 22:47:56 +0000 (22:47 +0000)
commit 5c78a7e9d21a4e6fc990f7ec39e1d12ec7368f7b
tree d167173ec0cc09f8cf08c36f6cbb4a57c7ec0b43
parent f05d8df77abdd6a7d49a611d114cf9dc23b7edb3
Repro crash when swiping back from a NY Times article @ WebPageProxy::navigationGestureDidEnd
https://bugs.webkit.org/show_bug.cgi?id=146083
<rdar://problem/20974232>

Reviewed by Darin Adler.

* UIProcess/ios/ViewGestureControllerIOS.mm:
(WebKit::ViewGestureController::didSameDocumentNavigationForMainFrame):
(WebKit::ViewGestureController::activeLoadMonitoringTimerFired):
It is possible to get didSameDocumentNavigationForMainFrame *before*
endSwipeGesture, while the user is still interactively swiping. We
cannot remove the snapshot in this case, nor should we start the active
load monitoring timer; all of these things should happen only after the
swipe is completed and we've performed the navigation.

This was particularly bad (a crash instead of just a disappearing snapshot)
because removing the snapshot also causes m_webPageProxyForBackForwardListForCurrentSwipe
to be nulled out, but then it is dereferenced during endSwipeGesture.

Make sure that we never call removeSwipeSnapshotIfReady unless we were actually
waiting to remove the swipe snapshot (because the gesture had completed).
Most callers already did ensure this, but these two did not.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@185673 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/WebKit2/ChangeLog
Source/WebKit2/UIProcess/ios/ViewGestureControllerIOS.mm
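
The ordering problem described in the commit message, as an added example that is not WebKit's code or part of this commit: a simplified C++ model showing why removing the snapshot before the gesture ends leaves a null page pointer for `endSwipeGesture`, and how gating removal on a "waiting to remove" state avoids it. `SwipeModel`, `PageProxy`, `m_waitingToRemoveSnapshot` and `swipeSurvivesEarlyNavigation` are hypothetical names, and the model returns `false` at the point where the real code would dereference null.

```cpp
#include <cstdio>

struct PageProxy { int gestureEnds = 0; void navigationGestureDidEnd() { ++gestureEnds; } };

// Toy model of the swipe state (not WebKit's ViewGestureController).
class SwipeModel {
public:
    explicit SwipeModel(bool guarded) : m_guarded(guarded) { }
    void beginSwipeGesture(PageProxy* page) { m_page = page; m_hasSnapshot = true; }
    bool hasSnapshot() const { return m_hasSnapshot; }

    // Can be delivered while the user is still swiping.
    void didSameDocumentNavigationForMainFrame() {
        if (m_guarded && !m_waitingToRemoveSnapshot)
            return; // gesture not finished: keep snapshot and page pointer
        removeSwipeSnapshot();
    }

    // Returns false at the point where the real code would dereference null.
    bool endSwipeGesture() {
        if (!m_page)
            return false;
        m_page->navigationGestureDidEnd();
        m_waitingToRemoveSnapshot = true; // removal is now allowed
        return true;
    }

private:
    void removeSwipeSnapshot() {
        m_hasSnapshot = false;
        m_waitingToRemoveSnapshot = false;
        m_page = nullptr; // removing the snapshot also drops the page pointer
    }
    bool m_guarded;
    bool m_hasSnapshot = false;
    bool m_waitingToRemoveSnapshot = false; // hypothetical flag name
    PageProxy* m_page = nullptr;
};

// Replays the ordering from the commit message: navigation first, gesture end second.
bool swipeSurvivesEarlyNavigation(bool guarded) {
    PageProxy page;
    SwipeModel swipe(guarded);
    swipe.beginSwipeGesture(&page);
    swipe.didSameDocumentNavigationForMainFrame();
    return swipe.endSwipeGesture() && page.gestureEnds == 1;
}

int main() { std::printf("unguarded: %d, guarded: %d\n", swipeSurvivesEarlyNavigation(false), swipeSurvivesEarlyNavigation(true)); }
```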