[iOS] Crash under WebPageProxy::navigationGestureSnapshotWasRemoved()
author: cdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 18 Sep 2018 22:05:51 +0000 (22:05 +0000)
committer: cdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 18 Sep 2018 22:05:51 +0000 (22:05 +0000)
commit: e188231974ad8904c9da79f84121b830a2ba6e8d
tree: b0beec89fc81dad5a2d41c8bb5a1ae5b6294be26
parent: 0d2d1974763069543c205238c67b49151514b34b
[iOS] Crash under WebPageProxy::navigationGestureSnapshotWasRemoved()
https://bugs.webkit.org/show_bug.cgi?id=189714
<rdar://problem/32839498>

Reviewed by Tim Horton.

The ViewGestureController::removeSwipeSnapshot() implementation for iOS calls
navigationGestureSnapshotWasRemoved() on m_webPageProxyForBackForwardListForCurrentSwipe.
m_webPageProxyForBackForwardListForCurrentSwipe can differ from m_webPageProxy, and
is a RefPtr<>. This means that this WebPageProxy's WKWebView might have been deallocated,
in which case we'll crash when trying to use the pageClient in
WebPageProxy::navigationGestureSnapshotWasRemoved(). To address the issue, we now return
early in WebPageProxy::navigationGestureSnapshotWasRemoved() if m_isClosed is true,
after resetting m_isShowingNavigationGestureSnapshot to false but *before* trying to use
the pageClient. When a WKWebView is deallocated, it calls WebPageProxy::close(), which
sets m_isClosed to true.

* UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::navigationGestureSnapshotWasRemoved):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@236157 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/WebKit/ChangeLog
Source/WebKit/UIProcess/WebPageProxy.cpp
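The lifetime hazard the commit message describes, as an added stand-alone illustration that is not WebKit code: a proxy object kept alive by a ref-counted pointer (std::shared_ptr here as a stand-in for WTF::RefPtr) outlives the view that owns its client, so an unconditional client call after the view's deallocation touches freed state. The class and member names (WebPageProxyLike, PageClientLike, WebViewLike, ViewGestureControllerLike) are assumptions modelled on the identifiers in the message, and the guarded method follows the ordering the fix describes: reset m_isShowingNavigationGestureSnapshot, return if closed, only then use the client.

```cpp
#include <memory>

// Added illustration, not WebKit code. Stand-ins for the objects the commit
// message names, with std::shared_ptr in place of WTF::RefPtr.

// View side (WKWebView / PageClient). Owned by the view, never by the proxy.
struct PageClientLike {
    int snapshotRemovals = 0;
    void navigationGestureSnapshotWasRemoved() { ++snapshotRemovals; }
};

// Stand-in for WebPageProxy. m_pageClient is non-owning: the view owns the
// proxy, so a proxy held alive elsewhere can outlive its own view.
class WebPageProxyLike {
public:
    explicit WebPageProxyLike(PageClientLike* client) : m_pageClient(client) {}

    // WKWebView dealloc calls WebPageProxy::close(); mirrored here.
    void close() { m_isClosed = true; }
    bool isClosed() const { return m_isClosed; }

    void didStartNavigationGestureSnapshot() { m_isShowingNavigationGestureSnapshot = true; }
    bool isShowingNavigationGestureSnapshot() const { return m_isShowingNavigationGestureSnapshot; }

    // Ordering from the fix: reset our own state first, bail out if the page is
    // closed, and only then touch the client. Before the fix the client call ran
    // unconditionally, which is a use of freed view state once the WKWebView is
    // gone. Returns true when the client was actually notified.
    bool navigationGestureSnapshotWasRemoved() {
        m_isShowingNavigationGestureSnapshot = false;
        if (m_isClosed)
            return false;
        m_pageClient->navigationGestureSnapshotWasRemoved();
        return true;
    }

private:
    PageClientLike* m_pageClient; // dangling once the owning view is destroyed
    bool m_isClosed = false;
    bool m_isShowingNavigationGestureSnapshot = false;
};

// Stand-in for WKWebView: owns the client and the proxy, closes the proxy on teardown.
struct WebViewLike {
    PageClientLike client;
    std::shared_ptr<WebPageProxyLike> proxy = std::make_shared<WebPageProxyLike>(&client);
    ~WebViewLike() { proxy->close(); }
};

// Stand-in for the iOS ViewGestureController. The swipe target can differ from
// m_webPageProxy, and holding it by a strong pointer keeps it alive past its view.
struct ViewGestureControllerLike {
    std::shared_ptr<WebPageProxyLike> m_webPageProxy;
    std::shared_ptr<WebPageProxyLike> m_webPageProxyForBackForwardListForCurrentSwipe;

    void beginSwipe(std::shared_ptr<WebPageProxyLike> target) {
        m_webPageProxyForBackForwardListForCurrentSwipe = std::move(target);
        m_webPageProxyForBackForwardListForCurrentSwipe->didStartNavigationGestureSnapshot();
    }
    bool removeSwipeSnapshot() {
        if (!m_webPageProxyForBackForwardListForCurrentSwipe)
            return false;
        bool notified = m_webPageProxyForBackForwardListForCurrentSwipe->navigationGestureSnapshotWasRemoved();
        m_webPageProxyForBackForwardListForCurrentSwipe = nullptr;
        return notified;
    }
};

struct SwipeScenario {
    bool liveViewNotified;     // client reached while its view is alive
    bool closedViewSkipped;    // client left untouched once the view is gone
    bool flagResetAfterClose;  // snapshot flag still cleared on the closed path
    int liveRemovals;
};

// Constructed scenario: one swipe against a live view, one against a view that
// is deallocated mid-gesture while the controller still holds its proxy.
SwipeScenario runSwipeScenario() {
    SwipeScenario r{};
    WebViewLike mainView;
    ViewGestureControllerLike controller{ mainView.proxy, nullptr };

    controller.beginSwipe(mainView.proxy);
    r.liveViewNotified = controller.removeSwipeSnapshot();
    r.liveRemovals = mainView.client.snapshotRemovals;

    {
        WebViewLike otherView;
        controller.beginSwipe(otherView.proxy);
    } // otherView is gone: close() ran and its client memory is freed, but the
      // controller's shared_ptr keeps the proxy object itself alive.
    auto swipeProxy = controller.m_webPageProxyForBackForwardListForCurrentSwipe;
    r.closedViewSkipped = swipeProxy->isClosed() && !controller.removeSwipeSnapshot();
    r.flagResetAfterClose = !swipeProxy->isShowingNavigationGestureSnapshot();
    return r;
}
```

The second half of the scenario is the crash path: without the m_isClosed check, the call after the inner scope would dereference m_pageClient into a destroyed WebViewLike. With it, the proxy still clears its own flag but never touches the client.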